Pull to refresh
760.82
Rating

Information Security *

Data protection

Show first
  • New
  • Top
Rating limit
  • All
  • ≥0
  • ≥10
  • ≥25
  • ≥50
  • ≥100

Developing and deploying Python for secured environments with Kushal Das

Конференции Олега Бунина (Онтико) corporate blog Information Security *Python *Programming *Conferences
Here is the translated Russian version of this interview.

The company of speakers at Moscow Python Conf++ 2020 is great, and it's not a good luck but thorough Program Committee's work. But who cares about achievements, it's much more interesting what the speaker thinks about our own questions. Conferences suits good to find it out, get insider information or advice from an experienced developer. But I got an advantage of being in Program Committee so I already asked our speaker Kushal Das some questions.

A unique feature of Kushal's speeches is that he often unveils «secret» ways to break Python code and then shows how to write code so that the NSA can't hack it. At our conference Kushal will tell you how to safely develop and deploy Python code. Of course I asked him about security.

Read more →
Total votes 4: ↑4 and ↓0 +4
Views 855
Comments 0

Token2 C301-i, the first iOS-compatible programmable TOTP token

Token2.com corporate blog Information Security *
TOKEN2 started manufacturing and selling programmable hardware tokens back in 2015 and we have been constantly asked questions about iPhone support. So far, our burner apps were available only for Android and Windows, as Apple did not allow using the NFC protocol on their devices, even though the hardware supporting NFC was physically present.

iOS 13 — coreNFC


The situation has improved a little bit with the release of iOS v13 when access to more features of coreNFC Developer API was introduced. Unfortunately, we discovered that it is not fully compatible with the NFC chips we are using. As there are little chances that Apple will make an effort to change this to adapt to our NFC chips, we had to do the opposite and develop a new, iOS13 compatible, NFC chip instead.

Token2 C301-i, the first iOS-compatible programmable TOTP token


Our first iOS-compatible token (model reference: “C301-i”) is currently being beta-tested and will start selling in a couple of months. Pre-orders are available here.
Read more →
Total votes 1: ↑1 and ↓0 +1
Views 461
Comments 0

Are my open-source libraries vulnerable? (2 min reading to make your life more secure)

Information Security *IT systems testing *Web services testing *Mobile applications testing *DevOps *

The explosion of open source and issues related to it


The amount of open source or other third party code used in a software project is estimated as 60-90% of a codebase. Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defences and enable a range of possible attacks and impacts.



Conclusion: even if you perform constant security code reviews, you still might be vulnerable because of third-party components.

Some have tried to do this manually, but the sheer amount of work and data is growing and is time consuming, difficult, and error prone to manage. It would require several full time employees and skilled security analysts to constantly monitor all sources to stay on top.
Read more →
Total votes 6: ↑5 and ↓1 +4
Views 1.6K
Comments 2

Full disclosure: 0day vulnerability (backdoor) in firmware for Xiaongmai-based DVRs, NVRs and IP cameras

Information Security *Cryptography *IT Infrastructure *Reverse engineering *Video equipment

This is a full disclosure of recent backdoor integrated into DVR/NVR devices built on top of HiSilicon SoC with Xiaongmai firmware. Described vulnerability allows attacker to gain root shell access and full control of device. Full disclosure format for this report has been chosen due to lack of trust to vendor. Proof of concept code is presented below.
Read more →
Total votes 19: ↑18 and ↓1 +17
Views 73K
Comments 15

Authenticate me. If you can…

red_mad_robot corporate blog Information Security *Development for Android *
Tutorial


I frequently hear questions like "How to implement authentication in an Android app?", "Where to store a PIN?", "Hey man, will I be secure if I implement an authentication feature in such a way?" and a lot of the kind. I got really tired answering these questions so I decided to write all my thoughts about it once to share with all questioners.

Read more →
Total votes 13: ↑10 and ↓3 +7
Views 3.9K
Comments 0

How elliptic curve cryptography works in TLS 1.3

Qrator Labs corporate blog Information Security *Cryptography *Algorithms *Mathematics *
image

A couple of reader alerts:

In order to (somewhat) simplify the description process and tighten the volume of the article we are going to write, it is essential to make a significant remark and state the primary constraint right away — everything we are going to tell you today on the practical side of the problematics is viable only in terms of TLS 1.3. Meaning that while your ECDSA certificate would still work in TLS 1.2 if you wish it worked, providing backwards compatibility, the description of the actual handshake process, cipher suits and client-server benchmarks covers TLS 1.3 only. Of course, this does not relate to the mathematical description of algorithms behind modern encryption systems.

This article was written by neither a mathematician nor an engineer — although those helped to find a way around scary math and reviewed this article. Many thanks to Qrator Labs employees.

(Elliptic Curve) Diffie-Hellman (Ephemeral)

The Diffie–Hellman legacy in the 21 century

Of course, this has started with neither Diffie nor Hellman. But to provide a correct timeline, we need to point out main dates and events.

There were several major personas in the development of modern cryptography. Most notably, Alan Turing and Claud Shannon both laid an incredible amount of work over the field of theory of computation and information theory as well as general cryptanalysis, and both Diffie and Hellman, are officially credited for coming up with the idea of public-key (or so-called asymmetric) cryptography (although it is known that in the UK there were made serious advances in cryptography that stayed under secrecy for a very long time), making those two gentlemen pioneers.

In what exactly?
Read more →
Total votes 21: ↑21 and ↓0 +21
Views 14K
Comments 0

PKI Decentralization: Proposed Approaches to Security Improvement

Decentralized networks Information Security *Cryptography *Network technologies *
The practical means of applying public key cryptography to secure network communications were introduced by Loren Kohnfelder in his MIT S.B. (BSCSE) thesis written in May 1978. After that, the public key infrastructure (PKI) has gone through several iterations of changes and updates, but it still preserves its traditional methodology. PKI requires implicit trust from a single entity or entities chain called a certificate authority (CA). This approach has led to a breakdown in confidence. However, through the years, having one root entity to control the way public key certificates are issued has shown that it can cause major complications with transparency and security.

In this article, we will once again dive deeper into the problems of PKI and consider the solutions being developed that can overcome existing shortcomings.
Read more →
Total votes 3: ↑3 and ↓0 +3
Views 1.6K
Comments 0

Technical analysis of the checkm8 exploit

Digital Security corporate blog Information Security *Reverse engineering *

Most likely you've already heard about the famous exploit checkm8, which uses an unfixable vulnerability in the BootROM of most iDevices, including iPhone X. In this article, we'll provide a technical analysis of this exploit and figure out what causes the vulnerability.

Read more →
Total votes 22: ↑22 and ↓0 +22
Views 73K
Comments 4

Digital Forensics Tips&Tricks: «Your Phone» app Forensics

Information Security *
Recently I've received the Announcing Windows 10 Insider Preview Build 18999 including an update for «Your Phone» app, and my first thing was — is there something useful for digital forensics?

So, I've immediately installed this app on my test workstation and connected it with my Android phone. On the same time I was checking for all system activities with Process Monitor to understand where all Your Phone app files are stored.

image
Read more →
Total votes 5: ↑3 and ↓2 +1
Views 1.4K
Comments 0

Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part II

Information Security *
Hello again, guys!

After I published my article about Telegram IM-based RAT, I've received some messages with one common point — what additional evidences can be found if a workstation being infected with Telegram IM-based RAT?

Ok, I thought, let's continue this investigation, moreover the theme had attracted such interest.

image
Read more →
Total votes 10: ↑8 and ↓2 +6
Views 1.2K
Comments 0

Positive Technologies Brings ‘Hackable City’ to Life in The Standoff Cyberbattle at HITB+ CyberWeek

Positive Technologies corporate blog Information Security *Sport programming *
Attackers and defenders to face off in digital metropolis security challenge featuring real-world critical infrastructure and technologies.



Cybersecurity experts at Positive Technologies and Hack In The Box are inviting red and blue team security specialists to test their skills attacking and defending a full-scale modern city at The Standoff Cyberbattle held during HITB+ CyberWeek. This mock digital metropolis with full IT and OT infrastructure including traffic systems, electrical plants, and transportation networks will feature all the latest technologies used in actual critical infrastructure installations, allowing players to expose security issues and the impact they might have on the real world.
Read more →
Total votes 15: ↑14 and ↓1 +13
Views 765
Comments 0

Digital Forensics Tips&Tricks: Telegram IM-based RAT — Part I

Information Security *
Did you know that Telegram IM becomes more and more popular as a toolkit to make some illegal do's?
There are a lot of hidden channels and bots with different illegal and piracy content. I can suggest you an article where some of these points are described deeply.

But my point of interest is using Telegram as Remote Access Toolkit (RAT).

image
Read more →
Total votes 6: ↑6 and ↓0 +6
Views 1.7K
Comments 2

DPKI: Addressing the Disadvantages of Centralized PKI by Means of Blockchain

ENCRY corporate blog Decentralized networks Information Security *Cryptography *Network technologies *


Digital certificates are one of the most commonly known auxiliary tools that help protect data across public networks. However, the key disadvantage of this technology is also commonly known: users are forced to implicitly trust certification authorities which issue digital certificates. Andrey Chmora, Technology and Innovations Director at ENCRY, suggested a new approach for building a Public Key Infrastructure (PKI) to eliminate the existing disadvantages using the distributed ledger (blockchain) technology.
Let's begin with the basics.
Read more →
Total votes 4: ↑3 and ↓1 +2
Views 1.8K
Comments 0

SOAP Routing Detours Vulnerability

Information Security *XML *Web services testing *CTF *

Description


The WS-Routing Protocol is a protocol for exchanging SOAP messages from an initial message sender to receiver, typically via a set of intermediaries. The WS-Routing protocol is implemented as a SOAP extension, and is embedded in the SOAP Header. WS-Routing is often used to provide a way to direct XML traffic through complex environments and transactions by allowing interim way stations in the XML path to assign routing instructions to an XML document.

Taking a minimalist approach, WS-Routing encapsulates a message path within a SOAP message, so that the message contains enough information to be sent across the Internet using transports like TCP and UDP while supporting:

  • The SOAP message path model,
  • Full-duplex, one-way message patterns,
  • Full-duplex, request-response message patterns, and
  • Message correlation.

Routing Detours are a type of «Man in the Middle» attack where Intermediaries can be injected or «hijacked» to route sensitive messages to an outside location. Routing information (either in the HTTP header or in WS-Routing header) can be modified en route and traces of the routing can be removed from the header and message such that the receiving application none the wiser that a routing detour has occurred. 
Read more →
Rating 0
Views 772
Comments 0

TOKEN2 Molto-1, world's first multi-profile TOTP hardware token

Token2.com corporate blog Information Security *Computer hardware
[Update 15/09/2020: Molto2 is coming]

imageOur new product currently being finalized, the Token2 Molto-1, will expand on our technology by now supporting up to 10 Time based One-Time Password (TOTP) profiles. Earlier this year, with the miniOTP-2, miniOTP-3, and C301 we introduced the world’s first programmable TOTP tokens with time sync. The aim of these products was to provide a solution to the time drift that affects hardware tokens. We didn’t want to stop there, though! We also recognize the desire for multiple profiles which is why our latest product is a programmable multi-profile hardware token, called Token2 Molto-1. The clue is in the name, at least for anyone who understands Italian — “molto” is “many” in Italian. Having a multi-profile programmable hardware token means you can have only one device for up to 10 of your accounts.
Read more →
Total votes 4: ↑3 and ↓1 +2
Views 935
Comments 6

How-to: Important Factors To Review When Choosing a Free VPN For Web Browsing

Information Security *


Image credit: Unsplash

Virtual Private Networks (VPNs) are very good tools for online enhancement, censorship avoidance, anonymous file sharing, and more. But nowadays there are literally hundreds of such services, so it may be a bit tricky to pick the one that will suit you. Today we will share three practical tips that will help to solve this task.
Read more →
Total votes 10: ↑9 and ↓1 +8
Views 911
Comments 0

An Easy Way to Make Money on Bug Bounty

PVS-Studio corporate blog Information Security *Open source *Programming *Lifehacks for geeks

Рисунок 2


Surely you've heard the expression «bug hunting» many times. I dare to assume, you won't mind earning one or two hundred (or even thousand) dollars by finding a potential vulnerability in someone's program. In this article, I'll tell you about a trick that will help analyzing open source projects in order to find such vulnerabilities.
Read more →
Total votes 24: ↑20 and ↓4 +16
Views 3.5K
Comments 0

Authors' contribution