Information Security *

Hello, Habr! We continue the series of articles on the innovations of the Tantor Postgres 17.5.0 DBMS, and today we will talk about authorization support via OAuth 2.0 Device Authorization Flow is a modern and secure access method that allows applications to request access to PostgreSQL on behalf of the user through an external identification and access control provider, such as Keycloak, which is especially convenient for cloud environments and microservice architectures (the feature will also be available in PostgreSQL 18). In this article, we'll take a step-by-step look at configuring OAuth authorization in PostgreSQL using Keycloak: configure Keycloak, prepare PostgreSQL, write an OAuth token validator in PostgreSQL, and verify successful authorization via psql using Device Flow.

While researching malware used by attacker groups, we came across a series of unusual attacks that used GitHub repositories to store malicious files and victim data. These campaigns appear targeted rather than large-scale, and it seems the attackers relied heavily on AI during development. The earliest activity we traced was in September 2024, and the most recent in April 2025.

Our Threat Intelligence team investigates complex attacks featuring novel persistence and data collection methods and unique infrastructures. Sometimes we find simple two-line scripts, and other times we run into "bombs" that trigger dozens of different payloads at once. But it's pretty rare for us to come across such long chains of really simple AI-written scripts that still work, tied together in a way that clearly wasn't random. Think of this as an APT-style attack implemented at the "script kiddie" level (a derogatory term in hacker culture for those who rely on scripts or programs written by others).

My name is Ilya and I’m a Core Developer at Bright Security. In Bright we work on a DAST (Dynamic Application Security Testing) solution that helps development teams find and fix vulnerabilities early, straight from CI/CD. My own path began in full-stack engineering, but almost a decade of shipping production code drew me ever deeper into application security. In this article I’m explaining key approaches on what SAML actually is and how we detect it in Bright using DAST.

For people familiar with the term DPI (Deep Packet Inspection), it often carries an unpleasant association: blocking, regulators, censorship, tightening controls. In reality, DPI is simply the name of a technology whose essence lies in the deep analysis of network traffic. Deep traffic analysis involves identifying protocols, extracting the most significant fields and metadata, classifying internet services, and analyzing the nature of network flows. I will explain how such solutions work in this article.

Hi to everyone!

I'm new here. Someone told me that Habr is like russian reddit for developers (and maybe not). And I'm here today to share my story and get opinions from you, part of this community.

In August 2024 I visited Moscow, and got Russian starter pack, even if foregneir :-)
Will be useful later because I'm moving here, Русский язык coming soon, извините!

So let's start with getting a new bank account, make a new mobile number and start to register to some essential service platforms like Metro, Gorod, ВВ, Perekrostak and Yandex for delivery and taxis. And in every service I found something strange. A certain "Ivan" (I've changed the name for privacy) is present in all my accounts where I try to register.
That's it! The phone number that my bank gave me was just.... recyled! So I could start to get personal data through all these existing account on this new phone number of mine but the most shocking thing occured today!

Alarm on 9:00, I woke up and I got a message by Yandex:

The Cisco IOS/IOS-XE operating system is a source of inspiration for many other vendors. The internet is full of guides on how to configure a typical Cisco router for SOHO scenarios. However, unlike consumer-grade routers, configuring something like Cisco IOS requires caution. If you don’t think things through, the router may start "living its own life" and end up, for instance, as a DDoS amplification tool.

Setting up a v3 user on the server-side agent for the default Linux snmpd (net-snmp package). Out of scope: SNMP traps and read-write (rw) users.

SNMP version 3 allows packet transmission in encrypted form, making it safe to transfer telemetry over public networks without the risk of exposing either authentication information (analogous to a community string) or the data stream itself, which is encrypted using a symmetric algorithm with a shared key.

Often at work, I encounter services that provide offerings such as resident proxies. Yet, I have never delved deeply into the topic. I have always simply consumed the product “as is,” as some lazy authors like to say.

I have a general understanding of how this type of service works at a layman’s level, and I became interested in exploring the topic more deeply and attempting to share the conclusions I reached through a deeper understanding of what resident proxies are. Let’s see what comes out of it. No recommendations here—just the subjective, evaluative opinion of yet another “specialist.”

Proxy servers are intermediaries between your device and the internet, allowing you to hide your real IP address and alter the appearance of your connection. Think of it as a white camouflage coat in snowy weather, if we speak in very simplistic terms. Let’s start from that—options for camouflage. However, comparing with camouflage coats would be rather dull; instead, let’s recall animals and insects that use camouflage and try to draw a parallel. In fact, I’ve already done so.

Proxy servers have long become an integral part of the modern network. They are used to enhance anonymity, bypass blocks, balance loads, and control traffic. However, not everyone understands that there is a fundamental difference between HTTP(S) proxies and SOCKS proxies. In this article, I will attempt to examine in detail the technical aspects of both types, review their advantages and limitations, and provide examples of configuration and usage – though this part is more of an elective (optional, if you will, but I really feel like including it).

In today's interconnected development world, secure authentication is not just a luxury—it's a necessity. Whether you're a seasoned DevOps engineer or a junior developer just starting your journey, understanding SSH key pairs is crucial for your daily workflow. They're the unsung heroes that keep our git pushes secure, our server access protected, and our deployments safe from prying eyes.

But let's be honest: SSH keys canbe confusing. With terms like “public key infrastructure,” “cryptographic algorithms,” and “key fingerprints” floating around, it's easy to feel overwhelmed. This guide aims to demystify SSH key pairs, breaking down complex concepts into digestible pieces that will help you make informed decisions about your security setup.

Hey! My name's Kirill Ziborov and I'm a member of the Distributed System Security team at Positive Technologies. In this article, I'll be continuing the discussion of methods and tools for the formal verification of smart contracts and their practical application to prevent vulnerabilities. The main focus will be on the deductive verification method, or more precisely, the ConCert framework for testing and verifying smart contracts.

Hey there, Habr! My name is Alexey Kolesnikov. I am a Malware Detection Specialist at the Positive Technologies Expert Security Center (PT ESC). I recently spoke at the AVAR 2023 international conference in Dubai, where I covered new plugins developed by PT ESC for an open-source dynamic malware analysis system named DRAKVUF and demonstrated how they can be used to detect current Linux threats in sandbox for protection against targeted and mass attacks PT Sandbox.

Read on for a brief overview of popular malware monitoring tools for Linux, a description of how our plugins work in DRAKVUF, and a malware analysis that relies on these plugins.

The identification protocol based on the pairing function, resistant to impersonation and compatible with the instant digital signature (IDS) mode, was studied in this article. This protocol uses prover's and verifier's public keys. As a result, there is no anonymity, since certificates including personal data of their owners are issued for the mentioned keys. This article contains a description and analysis of new anonymous identification protocols for groups.

Introduction

Hello Habr! This is a translation of my first article, which was born due to the fact that I once played with the types of meterpreter payload from the Metasploit Framework and decided to find a way to detect it in the Windows OS family.

Analysis

I will try to present everything in an accessible and compact way without delving into all the work. To begin with, I decided to create the nth number of useful loads (windows/meterpreter/reverse_tcp, shell/bind_tcp, shell_hidden_bind_tcp, vncinject/reverse_tcp, cmd/windows/reverse_powershell) to analyze what will happen in the system after their injection.

 Python, Java, C++, Delphi, PHP—these programming languages were used create a virtual crypto ATM machine to be tested by the participants of the $NATCH contest at Positive Hack Days 12. The entire code was written by ChatGPT and proved to be exceptionally good. This time, we had reviewed the contest concept and decided to use a report system. In addition to standard tasks (kiosk bypass, privilege escalation, and AppLocker bypass), this year's participants faced new unusual tasks. Read on below to find out which ones.

In our previous post, we presented a modified Schnorr protocol compatible with the Instant Digital Signature (IDS) mode and also announced the design of other protocols with this feature. In this post we describe such protocols based on the pairing function.

Picture this: A thriving e-commerce platform faces a constant battle against fake reviews that skew product ratings and mislead customers. In response, the company employs cutting-edge algorithms to detect and prevent fraudulent activities. Solutions like these are crucial in the modern digital landscape, safeguarding businesses from financial losses and ensuring a seamless consumer experience.

The industry has relied on rules-based systems to detect fraud for decades. They remain a vital tool in scenarios where continuous collecting of a training sample is challenging, as retraining methods and metrics can be difficult. However, machine learning outperforms rules-based systems in detecting and identifying attacks when an ongoing training sample is available.

With advancements in machine learning, fraud detection systems have become more efficient, accurate, and adaptable. In this article, I will review several ML methods for preventing fraudulent activities and discuss their weaknesses and advantages.

The article describes the interactive Schnorr identification protocol (hereinafter referred to as the Schnorr protocol) and formulates the problem of compatibility of this protocol with the instant digital signature (IDS) mode. This post shows how to modify the Schnorr protocol to provide such compatibility.

Hello, my reading friends!

My previous post (rus) on Habr was about how the Business Continuity Management function started, as well as about its relations with other corporate functions. In fact, it was quite theoretical.

This time, I’d like to tell you about some practical vectors of procedures and tools implementation as regards to Business Continuity Management, or BCM, along with Operational Resilience, or OpRes. Plus some real initiatives that can follow the BCM & OpRes implementation in a company and the associated with it investigation of the corporate landscape and procedures.

Recently, The BCI, one of the leading institutes working in the field of organizational resilience and business continuity, issued its regular report BCI Operational Resilience Report 2023 in collaboration with Riskonnect, who work with risk management solutions.

One of the questions they asked the respondents was if there was a difference between organizational resilience and operational resilience. As the answers demonstrated, for most respondents (and in most companies) these terms were used as synonyms. Having studied the report, the colleagues brought up another matter – The BCI introduced the new term of "organizational resilience" in addition to "business continuity" and "operational resilience".

If we search Habr for "Business Continuity", "DRP", "BCP", or "BIA", we’ll find quite enough posts by my colleagues (I’ve met some of them face to face and worked with the others) about data system recovery, data system testing, fault-tolerant infrastructure, and some other things. Yet, hardly any of them explain where all of it has come from, how it is changing, where it is heading – and why.

I thought the time has come to change the situation for the better and answer some of the questions like where business continuity provisions and operational resilience has come from, how they are changing, and where this trend is heading and why. To share my thoughts about development of the industry and its current de-facto state in case of a mature (or not too mature) introduction level – some things I’ve stated for my own use.