Pull to refresh
914.08

Information Security *

Data protection

Show first
Rating limit
Level of difficulty

How Protonmail is getting censored by FSB in Russia

Reading time10 min
Views8.6K

A completely routine tech support ticket has uncovered unexpected bans of IP addresses of Protonmail — a very useful service for people valuing their Internet freedoms — in several regions of Russia. I seriously didn’t want to sensationalize the headline, but the story is so strange and inexplicable I couldn’t resist.


TL;DR


Disclaimer: the situation is still developing. There might not be anything malicious, but most likely there is. I will update the post once new information comes through.


MTS and Rostelecom — two of the biggest Russian ISPs — started to block traffic to SMTP servers of the encrypted email service Protonmail according to an FSB request, with no regard for the official government registry of restricted websites. It seems like it’s been happening for a while, but no one paid special attention to it. Until now.


All involved parties have received relevant requests for information which they’re obligated to reply.


UPD: MTS has provided a scan of the FSB letter, which is the basis for restricting the access. Justification: the ongoing Universiade in Krasnoyarsk and “phone terrorism”. It’s supposed to prevent ProtonMail emails from going to emergency addresses of security services and schools.


UPD: Protonmail was surprised by “these strange Russians” and their methods for battling fraud abuse, as well as suggested a more effective way to do it — via abuse mailbox.


UPD: FSB’s justification doesn’t appear to be true: the bans broke ProtonMail’s incoming mail, rather than outgoing.


UPD: Protonmail shrugged and changed the IP addresses of their MXs taking them out of the blocking after that particular FSB letter. What will happen next is open ended question.


UPD: Apparently, such letter was not the only one and there is still a set of IP addresses of VOIP-services which are blocked without appropriate records in the official registry of restricted websites.

Total votes 66: ↑64 and ↓2+62
Comments4

Writing a wasm loader for Ghidra. Part 1: Problem statement and setting up environment

Reading time7 min
Views12K

This week, NSA (National Security Agency) all of a sudden made a gift to humanity, opening sources of their software reverse engineering framework. Community of the reverse engineers and security experts with great enthusiasm started to explore the new toy. According to the feedback, it’s really amazing tool, able to compete with existing solutions, such as IDA Pro, R2 and JEB. The tool is called Ghidra and professional resources are full of impressions from researchers. Actually, they had a good reason: not every day government organizations provide access to their internal tools. Myself as a professional reverse engineer and malware analyst couldn’t pass by as well. I decided to spend a weekend or two and get a first impression of the tool. I had played a bit with disassembly and decided to check extensibility of the tool. In this series of articles, I'll explain the development of Ghidra add-on, which loads custom format, used to solve CTF task. As it’s a large framework and I've chosen quite complicated task, I’ll break the article into several parts.

By the end of this part I hope to setup development environment and build minimal module, which will be able to recognize format of the WebAssembly file and will suggest the right disassembler to process it.
Read more →
Total votes 18: ↑17 and ↓1+16
Comments1

Crystal Blockchain Analytics: Investigating the Hacks and Theft Cases

Reading time8 min
Views2.9K
In this report, Bitfury shares analysis completed by its Crystal Blockchain Analytics engineering team on the movement of bitcoin from the Zaif exchange, Bithumb exchange and Electrum wallets.

Read more →
Total votes 15: ↑13 and ↓2+11
Comments0

How to Discover MongoDB and Elasticsearch Open Databases

Reading time3 min
Views17K

Some time ago among security researchers, it was very “fashionable” to find improperly configured AWS cloud storages with various kinds of confidential information. At that time, I even published a small note about how Amazon S3 open cloud storage is discovered.


However, time passes and the focus in research has shifted to the search for unsecured and exposed public domain databases. More than half of the known cases of large data leaks over the past year are leaks from open databases.



Today we will try to figure out how such databases are discovered by security researchers...

Read more →
Total votes 20: ↑18 and ↓2+16
Comments0

Digital Forensics Tips&Tricks: How to Find Active VPN Connection in the Memory Dump

Reading time2 min
Views8.8K
Sometimes you can meet a case when a cyber-attacker uses VPN to establish a reliable channel between C2 server and infected IT-infrastructure. And, as Threat Intelligence experts say, attackers often use native Windows VPN connection tools and Windows .pbk (phonebook) files. Lets find out how we can detect it using a memory dump.

What is .pbk file and how does it look inside? It's just a text file with a lot of different parameters using when VPN connection is establishing.

image

Read more →
Total votes 23: ↑20 and ↓3+17
Comments0

DoT for RPZ distribution

Reading time2 min
Views1.4K
Just a few months ago there were a lot of buzz because IETF in expedited time frame (about one year) accepted DNS over HTTPS (DoH) as a standard (RFC-8484). The discussions about that are still going on because of its controversy. My personal opinion is that DoH is good for personal privacy (if you know how to use it and trust your DNS provider) but it is a security risk for enterprises. DNS over TLS (DoT) is a better alternative for enterprise customers only because it uses a well-defined TCP port but for personal privacy it is not good because of the same reason (easy to block).
Read more →
Total votes 14: ↑14 and ↓0+14
Comments0

Eliminating opportunities for traffic hijacking

Reading time8 min
Views4.2K

Beautiful scheme for BGP connection to Qrator filtering network

A little historical overview


  • BGP hijacks — when an ISP originates an advertisement of address space that does not belong to it;
  • BGP route leaks — when an ISP advertises prefixes received from one provider or peer to another provider or peer.

This week it has been 11 years since the memorable YouTube BGP incident, provoked by the global propagation of a more specific prefix announce, originated by the Pakistan Telecom, leading to an almost 2 hour in duration traffic disruption in the form of redirecting traffic from legitimate path to the bogus one. We could guess if that event was intentional, and even a correct answer wouldn’t help us completely prevent such incidents from happening today. While you read this, a route leak or a hijack is spreading over the networks. Why? Because BGP is not easy, and configuring a correct and secure setup is even harder (yet).

In these eleven years, BGP hijacking became quite damaging attack vector due to the BGP emplacement in the architecture of modern internet. Thanks to BGP, routers not only acquire peer information, and therefore all the Internet routes — they are able of calculating the best path for traffic to its destination through many intermediate (transit) networks, each representing an individual AS. A single AS is just a group of IPv4 and/or IPv6 networks operating under a single external routing policy.
Read more →
Total votes 18: ↑18 and ↓0+18
Comments0

You Do Not Need Blockchain: Eight Well-Known Use Cases And Why They Do Not Work

Reading time9 min
Views3.7K

image


People are resorting to blockchain for all kinds of reasons these days. Ever since I started doing smart contract security audits in mid-2017, I’ve seen it all. A special category of cases is ‘blockchain use’ that seems logical and beneficial, but actually contains a problem that then spreads from one startup to another. I am going to give some examples of such problems and ineffective solutions so that you (developer/customer/investor) know what to do when somebody offers you to use blockchain this way.


Disclaimers


  • The described use cases and problems occur at the initial stage. I am not saying these problems are impossible to solve. However, it is important to understand which solutions system creators offer for particular problems.
  • Even though the term ‘blockchain use’ looks strange and I am not sure that blockchain can be used for anything other than money (Bitcoin), I am going to use it without quotes.

1. Supply chain management


Let’s say you ordered some goods, and a carrier guarantees to maintain certain transportation conditions, such as keeping your goods cold. A proposed solution is to install a sensor in a truck that will monitor fridge temperature and regularly transmit the data to the blockchain. This way, you can make sure that the promised conditions are met along the entire route.

Read more →
Total votes 24: ↑23 and ↓1+22
Comments0

Detecting Web Attacks with a Seq2Seq Autoencoder

Reading time7 min
Views5.6K
image

Attack detection has been a part of information security for decades. The first known intrusion detection system (IDS) implementations date back to the early 1980s.

Nowadays, an entire attack detection industry exists. There are a number of kinds of products—such as IDS, IPS, WAF, and firewall solutions—most of which offer rule-based attack detection. The idea of using some kind of statistical anomaly detection to identify attacks in production doesn’t seem as realistic as it used to. But is that assumption justified?
Read more →
Total votes 23: ↑22 and ↓1+21
Comments0

Internet Issues & Availability Report 2018–2019

Reading time16 min
Views1.5K
image

While working on the annual report this year we have decided to avoid retelling the news headlines of the previous year and, though it is almost impossible to ignore memories absolutely, we want to share with you the result of a clear thought and a strategic view to the point where we all are going to arrive in the nearest time — the present.

Leaving introduction words behind, here are our key findings:

  • Average DDoS attack duration dropped to 2.5 hours;
  • During 2018, the capability appeared for attacks at hundreds of gigabits-per-second within a country or region, bringing us to the verge of “quantum theory of bandwidth relativity”;
  • The frequency of DDoS attacks continues to grow;
  • The continuing growth of HTTPS-enabled (SSL) attacks;
  • PC is dead: most of the legitimate traffic today comes from smartphones, which is a challenge for DDoS actors today and would be the next challenge for DDoS mitigation companies;
  • BGP finally became an attack vector, 2 years later than we expected;
  • DNS manipulation has become the most damaging attack vector;
  • Other new amplification vectors are possible, like memcached & CoAP;
  • There are no more “safe industries” that are invulnerable to cyberattacks of any kind.

In this article we have tried to cherry-pick all the most interesting parts of our report, though if you would like read the full version in English, the PDF is available.
Read more →
Total votes 27: ↑25 and ↓2+23
Comments0

How to prevent targeted cyber attacks? 10 best network sandboxes

Reading time10 min
Views3.1K


Targeted attacks are the most dangerous among the multitude of modern cyber threats. They are also known as ATP (an abbreviation which stands for Advanced Persistent Threat). Those are not viruses that can accidentally get into the computer due to user's carelessness. Neither it is an attempt to replace the address of a popular site in order to cheat billing information from credulous users. Targeted cyber attacks are prepared and thought out carefully and pose a particular threat.
Read more →
Total votes 17: ↑17 and ↓0+17
Comments0

Why pentesting is important to your Business?

Reading time3 min
Views1.2K
image

In today’s world, it is almost impossible to imagine a business without some type of connection to the Internet — a website, email, employee training, CRM (Customer-relationship management), CMS (Content management system), etc. It simplifies and speeds up the ordering process, search for new clients, records search and keeping, and such.
Read more →
Total votes 19: ↑17 and ↓2+15
Comments0

How to crack a self-service terminal and why 80% of them are under threat

Reading time2 min
Views3K
Author of the original post in Russian: frsamara

I always loved playing with things and testing them under all sorts of wacky conditions as a kid and even considered getting a job as a tester, but I never did. Nevertheless, I still like taking things made by someone else and poking them for vulnerabilities.

I remember, when first self-service payment terminals started popping around town, I saw one of them put up a browser window while updating, and the game was on — I broke it almost immediately. There’s been a lot of discussion about it since then and developers have started to pay a lot more attention towards security in these machines.

Recently, fast-food joints have started installing these terminals. Obviously, it’s quite convenient: just tap a couple of virtual buttons, place an order, pay with a bank card and wait for your number to show on the screen.

Also, nearly every big mall has these interactive boards with floor plans and information on various sales and discounts.

How secure are they?
Read more →
Total votes 13: ↑13 and ↓0+13
Comments1
12 ...
8

Authors' contribution