One of our readers recommended paying heed to the Espressif IoT Development Framework. He found an error in the project code and asked if the PVS-Studio static analyzer could find it. The analyzer can't detect this specific error so far, but it managed to spot many others. Based on this story and the errors found, we decided to write a classic article about checking an open source project. Enjoy exploring what IoT devices can do to shoot you in the foot.
Information Security *
ONLYOFFICE Community Server: how bugs contribute to the emergence of security problems
Server-side network applications rarely get the chance to join the ranks of our reviews of errors found in open source software. This is probably due to their popularity. After all, we try to pay attention to the projects that readers themselves offer us. At the same time, servers often perform very important functions, but their performance and benefits remain invisible to most users. So, by chance, the code of ONLYOFFICE Community Server was checked. It turned out to be a very fun review.
Russian microcontroller K1986BK025 based on the RISC-V processor core for smart electricity meters
Solutions based on the open standard instruction set architecture RISC-V are currently increasing their presence on the market. Microcontrollers from Chinese colleagues are already in serial production; Microchip is offering interesting solutions with FPGA on board. The ecosystem of software and design tools for this architecture are also growing. Seeming previously unshaken leaders have more often found themselves in resale ads, while young startups attract multi-million investments. Milandr also got involved in this race and today began supplying interested companies with samples of its new K1986BK025 microcontroller based on the RISC-V processor core for electricity meters. Well here we go, pictures, characteristics and other information, as well as a little bit of hype under the cut.
Unicorns on Guard for Your Safety: Exploring the Bouncy Castle Code
Would you like to see a new batch of errors found by the PVS-Studio static analyzer for Java? Then keep reading the article! This time the Bouncy Castle project is to be checked. The most interesting code snippets, as usual, are waiting for you below.
SIEM Solutions Overview (Security Information and Event Management)
Modern corporate IT infrastructure consists of many systems and components. And monitoring their work individually can be quite difficult — the larger the enterprise is, the more burdensome these tasks are. But there are the tools, which collect reports on the work of the entire corporate infrastructure — SIEM (Security Information and Event Management) system in one place. Read the best of such products according to Gartner experts in our review, and learn about the main features from our comparison table.
Checking Clang 11 with PVS-Studio
Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
Why code reviews are good, but not enough
Code reviews are definitely necessary and useful. It's a way to impart knowledge, educate, control a task, improve code quality and formatting, fix bugs. Moreover, you can notice high-level errors related to the architecture and algorithms used. So it's a must-have practice, except that people get tired quickly. Therefore, static analysis perfectly complements reviews and helps to detect a variety of inconspicuous errors and typos. Let's look at a decent example on this topic.
Molto-2 — a USB programmable multi-profile TOTP hardware token
About a year ago, we released Token2 Molto-1, the world's first programmable multi-profile hardware token. While Molto-1 is still the only solution of its kind currently available on the market, we will be soon releasing a new variation of a multi-profile hardware token, in a different form-factor and with a different set of features available.
While Molto-1 has its advantages, there were some shortcomings that we wanted to address, for example, it can only hold up to ten TOTP profiles, which is not enough for many users. Also, using NFC to program the device does not look very convenient for some users. There were also requests to have a backlight for the screen of the token, so it can be used in the dark. With Molto-2 we tried to address this and a few other concerns. So, we hereby present our new device model, Token2 Molto-2 with the following specifications:
TOKEN2 MOLTO-2 multi-profile programmable TOTP hardware token:
▣ RFC 6238 compliant
▣ supports up to 50 accounts/profiles
▣ USB-programmable with a Windows app
▣ RTC battery life: 8 years
▣ LCD screen battery: 3-4 months (rechargeable)
The table below shows the comparison between Molto-1 and Molto-2
Transatlantic privacy is over
In July 2020, the European Court of Justice invalidated an exchange of the personal data between the European Union and the United States. The times of the Safe Harbor and the Privacy Shield are over. Now what?
The 2020 National Internet Segment Reliability Research
The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Most of the time, the most critical AS in the region is the dominant ISP on the market, but not always.
As the number of alternate routes between AS’s increases (and do not forget that the Internet stands for “interconnected network” — and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are from the beginning more important than others, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.
The global connectivity of any given AS, regardless of whether it is an international giant or regional player, depends on the quantity and quality of its path to Tier-1 ISPs.
Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will be maintained all the time. For many ISPs at all “tiers”, losing connection to just one Tier-1 peer would likely render them unreachable from some parts of the world.
The hunt for vulnerability: executing arbitrary code on NVIDIA GeForce NOW virtual machines
Against the backdrop of the coronavirus pandemic, the demand for cloud gaming services has noticeably increased. These services provide computing power to launch video games and stream gameplay to user devices in real-time. The most obvious advantage of this gaming type is that gamers do not need to have high-end hardware. An inexpensive computer is enough to run the client, spending time in self-isolation while the remote server carries out all calculations.
NVIDIA GeForce NOW is one of these cloud-based game streaming services. According to Google Trends, worldwide search queries for GeForce NOW peaked in February 2020. This correlates with the beginning of quarantine restrictions in many Asian, European, and North and South American countries, as well as other world regions. At the same time in Russia, where the self-isolation regime began in March, we see a similar picture with a corresponding delay.
Given the high interest in GeForce NOW, we decided to explore this service from an information security standpoint.
The world is sick: mass surveillance
How much does your privacy cost? Your medical information, your home address? How much is your browsing and search history? You might have never thought about that.
Dive into Email Security: MTA-STS Policies
In a nutshell: MTA-STS is a way to protect emails against interception (man-in-the-middle aka MitM attacks) between email servers. It partially resolves architectural issues in email protocols and is described in a recent RFC 8461 standard.
Static code analysis of the PMDK library collection by Intel and errors that are not actual errors
We were asked to check a collection of open source PMDK libraries for developing and debugging applications with NVRAM support by PVS-Studio. Well, why not? Moreover, this is a small project in C and C++ with a total code base size of about 170 KLOC without comments. Which means, the results review won't take much energy and time. Let's go.
EVVIS-QR1 USB Programmable TOTP hardware token
What is EVVIS-QR1?
EVVIS-QR1 is a hardware device developed primarily for Electronic visit verification (EVV) information systems (hence the name). It is a standards-based TOTP hardware token that can also be programmed over USB. The OTP generated is shown on the display both as regular digits as well as a QR image. Both features (OTP shown as QR code and HID keyboard emulation) are intended to make it possible to minimize typos when entering the OTP.
Y messenger Manifesto
We are a team of independent developers. We have created a new messenger, the purpose of which is to solve the critical problems of the modern Internet and the modes of communication it provides. We see users become hostages to the services they have grown accustomed to and we see corporations exploiting their users and controlling them. And we don’t like it. We believe the Internet should be different.
In this Manifesto, we disclose our vision of the Internet and describe what we have done to make it better. If you share our ideas — join us. Together we can achieve more than each of us can alone.
Looking back at 3 months of the global traffic shapeshifting
There would be no TL;DR in this article, sorry.
Those have been three months that genuinely changed the world. An entire lifeline passed from February, 1, when the coronavirus pandemics just started to spread outside of China and European countries were about to react, to April, 30, when nations were locked down in quarantine measures almost all over the entire world. We want to take a look at the repercussions, cyclic nature of the reaction and, of course, provide DDoS attacks and BGP incidents overview on a timeframe of three months.
In general, there seems to be an objective pattern in almost every country’s shift into the quarantine lockdown.
Safe-enough linux server, a quick security tuning
The case: You fire up a professionally prepared Linux image at a cloud platform provider (Amazon, DO, Google, Azure, etc.) and it will run a kind of production level service moderately exposed to hacking attacks (non-targeted, non-advanced threats).
What would be the standard quick security related tuning to configure before you install the meat?
release: 2005, Ubuntu + CentOS (supposed to work with Amazon Linux, Fedora, Debian, RHEL as well)
This is how you deal with route leaks
Here’s the beginning: for approximately an hour, starting at 19:28 UTC on April 1, 2020, the largest Russian ISP — Rostelecom (AS12389) — was announcing prefixes belonging to prominent internet players: Akamai, Cloudflare, Hetzner, Digital Ocean, Amazon AWS, and other famous names.
Before the issue was resolved, paths between the largest cloud networks were somewhat disrupted — the Internet blinked. The route leak was distributed quite well through Rascom (AS20764), then Cogent (AS174) and in a couple of minutes through Level3 (AS3356) to the world. The issue suddenly became bad enough that it saturated the route decision-making process for a few Tier-1 ISPs.
It looked like this:
SLAE — SecurityTube Linux Assembly Exam
SecurityTube Linux Assembly Exam (SLAE) — is a final part of course:
This course focuses on teaching the basics of 32-bit assembly language for the Intel Architecture (IA-32) family of processors on the Linux platform and applying it to Infosec and can be useful for security engineers, penetrations testers and everyone who wants to understand how to write simple shellcodes.
This blog post have been created for completing requirements of the Security Tube Linux Assembly Expert certification.
Exam consists of 7 tasks:
1. TCP Bind Shell
2. Reverse TCP Shell
4. Custom encoder
5. Analysis of 3 msfvenom generated shellcodes with GDB/ndisasm/libemu
6. Modifying 3 shellcodes from shell-storm
7. Creating custom encryptor