Pull to refresh
1055.44

Information Security *

Data protection

Show first
Rating limit
Level of difficulty

Payment Village at PHDays 11: ATM hacking

Reading time 7 min
Views 1.6K

The Positive Hack Days 11 forum, which took place May 18–19, 2022, was truly epic. The bitterly fought ATM hacking contest featured no fewer than 49 participants. How cool is that? The winner of this year's prize fund of 50,000 rubles, with the handle Igor, was the first to hack the virtual machines. And he wasn't even at the event! :)

Besides Igor, eight other participants picked up prizes this year for their VM-hacking skills. They were: drd0cvientvrazovdurcmzxcvcxzas7asg_krdhundred303, and drink_more_water_dude. A big thank-you to everyone who took part, and for those who weren't at PHDays, here are the links to the virtual machines.

Read more
Total votes 5: ↑3 and ↓2 +1
Comments 1

The 2022 National Internet Segment Reliability Research

Reading time 8 min
Views 903

The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Generally, the most critical AS in the region is the dominant ISP on the market, but not always.

As the number of alternate routes between ASes increases (the "Internet" stands for "interconnected networks" - and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are more important than others from the beginning, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.

The global connectivity of any given AS, whether an international giant or a regional player, depends on the quantity and quality of its path to Tier-1 ISPs.

Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will always be maintained. For many ISPs at all "tiers", losing connection to even one Tier-1 peer would likely render them unreachable from some parts of the world.

Read more
Total votes 9: ↑9 and ↓0 +9
Comments 0

Top 10 incident response mistakes

Reading time 9 min
Views 1.1K

Imagine someone withdrew money from a company's account at night. The next morning panic breaks out, leading to yet more problems. The IT department can reinstall a compromised system from scratch or restore it from backup. Reinstalling from scratch will wipe out all traces left by the attackers, and external investigators will have to search for clues in other systems. Restoring from backup carries the risk of accidentally reinstating a compromised image. In this paper, we will describe common mistakes that experts make when responding to security incidents.

Read more
Rating 0
Comments 0

20 years of payment processing problems

Reading time 12 min
Views 2.1K

Thanks to yarbabin for the logo

Electronic payment systems have existed on the Internet for a long time, and some bugs in them are twenty years old. We've found critical vulnerabilities allowing us to steal money and drive up the balance. Today we will analyze typical implementations of payment processing and related security issues.

Read more →
Total votes 3: ↑3 and ↓0 +3
Comments 2

Blood, sweat and pixels: releasing a mobile game with no experience

Reading time 12 min
Views 3.1K
In January 2022, we, at Kaspersky, released our first mobile game – Disconnected. The game was designed for companies that want to strengthen their employees’ knowledge of cybersecurity basics. Even though game development is not something you would expect from a cybersecurity company, our motivation was quite clear – we wanted to create an appealing, interactive method of teaching cybersecurity.



Over our many years of experience in security awareness and experimentation with learning approaches (e.g. online adaptive platforms, interactive workshops and even VR simulations), we’ve noticed that even if the material is presented in a highly engaging way, people still lack the opportunity to apply the knowledge in practice. This means that although they are taking in the information, it won’t necessarily be applied.
Read more →
Total votes 7: ↑7 and ↓0 +7
Comments 0

IDS Bypass at Positive Hack Days 11: writeup and solutions

Reading time 10 min
Views 1.7K

The IDS Bypass contest was held at the Positive Hack Days conference for the third time (for retrospective, here's . This year we created six game hosts, each with a flag. To get the flag, participants had either to exploit a vulnerability on the server or to fulfill another condition, for example, to enumerate lists of domain users.

The tasks and vulnerabilities themselves were quite straightforward. The difficulty laid in bypassing the IDS: the system inspected network traffic from participants using special rules that look for attacks. If such a rule was triggered, the participant's network request was blocked, and the bot sent them the text of the triggered rule in Telegram.

And yes, this year we tried to move away from the usual CTFd and IDS logs towards a more convenient Telegram bot. All that was needed to take part was to message the bot and pick a username. The bot then sent an OVPN file to connect to the game network, after which all interaction (viewing tasks and the game dashboard, delivering flags) took place solely through the bot. This approach paid off 100%!

Подробнее
Total votes 3: ↑3 and ↓0 +3
Comments 0

Text-based CAPTCHA in 2022

Reading time 7 min
Views 4.6K

The first text-based CAPTCHA ( we’ll call it just CAPTCHA for the sake of brevity ) was used in 1997 by AltaVista search engine. It prevented bots from adding Uniform Resource Locator (URLs) to their web search engine.

Back then it was a decent defense measure. However the progress can't be stopped, and this defense was bypassed using OCR available at those times (for example FineReader).

CAPTCHA became more complex, noise was added to it, along with distortions, so the popular OCRs couldn’t recognize this text. And then OCRs custom made for this task appeared. It costed extra money and knowledge for the attacking side. The CAPTCHA developers were required to understand the challenges the attackers met, what distortions to add, in order to make the automation of the CAPTCHA recognition more complex.

The misunderstanding of the principles the OCRs were based on, some CAPTCHAs were given such distortions, that they were more of a hassle for regular users than for a machine.

OCRs for different types of CAPTCHAs were made using heuristics, and the most complicated part of it was the CAPTCHA segmentation for the stand along symbols, that subsequently could be easily recognized by the CNN (for example LeNet-5), also SVM showed a good result even on the raw pixels.

In this article I’ll try to grasp the whole history of CAPTCHA recognition, from heuristics to the contemporary automated recognition systems. We’ll figure out, if a CAPTCHA is still alive.

I’ll review the yandex.com CAPTCHA. The Russian version of the same CAPTCHA is more complex.

Read more
Total votes 4: ↑3 and ↓1 +2
Comments 0

PHDays 11: bootkit infection, sanitizers for the Linux kernel, the new face of OSINT, and phishing on official websites

Reading time 3 min
Views 1.5K

Positive Hack Days 11 will begin in a matter of weeks. This international forum on practical security will be held on May 18–19 in Moscow.

As per tradition, PHDays will have three big tracks dedicated to countering attacks (defensive), protection through attack (offensive), and the impact of cybersecurity on business. It is our pleasure to present the first talks.

Read more
Total votes 1: ↑0 and ↓1 -1
Comments 0

Why does my app send network requests when I open an SVG file?

Reading time 8 min
Views 2.1K

0923_SVG_XXE_ru/image1.png


You decided to make an app that works with SVG. Encouraged by the enthusiasm, you collected libraries and successfully made the application. But suddenly you find that the app is sending strange network requests. And data is leaking from the host-machine. How so?

Read more →
Total votes 3: ↑3 and ↓0 +3
Comments 0

Vulnerabilities due to XML files processing: XXE in C# applications in theory and in practice

Reading time 16 min
Views 1.2K

How can simple XML files processing turn into a security weakness? How can a blog deployed on your machine cause a data leak? Today we'll find answers to these questions, learn what XXE is and how it looks like.


0918_XXE_BlogEngine/image1.png

Read more →
Total votes 1: ↑1 and ↓0 +1
Comments 0

IT risk management

Reading time 13 min
Views 2.2K

When you have an IT, which supports all aspects of your organization automated performance and you have a firm confidence that IT executes well, there is always a chance that something could go wrong in technology or in related IT processes. Depending on complexity of IT environment varieties of risks scenarios could arise. This article as a summary of different faithworthy sources aims to help you in getting high level understanding on what could go wrong and how you can predict it in a more conscious way.

My name is Maxim Tornov and I have been working in various IT areas for a long period of time. Since then, for over 14 years I am working in the area of IT/IS risk management with focus on in IT/IS audits, internal control implementation and assessment.

I am sure that at the present the topic of Information Technologies risk management became more vital. Organization’s efficiency in IT risk management directly affects the achievement of various organization’s goals, goals which have dependency on IT, those goals may include reliability and efficiency of business processes, the organization's compliance with regulatory requirements, the integrity of financial reporting, and many others.

I sincerely hope that this material will be useful to you and may give you some new ideas that you can contribute to the benefit of your personal development and the development of your organization's risk management culture.

Read more
Total votes 2: ↑2 and ↓0 +2
Comments 0

Q4 2021 DDoS attacks and BGP incidents

Reading time 6 min
Views 990

2021 was an action-packed year for Qrator Labs.

It started with the official celebration of our tenth year anniversary, continued with massive routing incidents, and ended with the infamous Meris botnet we reported back in September.

Now it is time to look at the events of the last quarter of 2021. There are interesting details in the BGP section, like the new records in route leaks and hijacking ASes, but first things first, as we start with the DDoS attacks statistics.

Read more
Total votes 13: ↑13 and ↓0 +13
Comments 0

ACME-client for Tarantool

Reading time 4 min
Views 1.1K

Link to GitHub. More details about the operation of the algorithm and the module can be found here.

The ACME protocol client is used to automatically obtain a security certificate for your site. Basically everyone uses Let's Encrypt to get a free certificate and auto-renewal. But there are other services, such as Zero SSL. It also supports the ACME protocol.

I relied on two articles from Habr (this and this), as well as RFC8555. But the information in them was not enough to implement their own version of the modulation. At least several times higher than several implementations of the module [at another level]. The tests were conducted on a live service, so there are no autotests yet. You can write and init pull request.

The module is written under Linux. Only the second version of the protocol is considered.

More...
Rating 0
Comments 0

Let’s deal with WeChat — the second most popular messenger in the world

Reading time 5 min
Views 2.3K


  • A short excursion into WeChat;
  • About the platform, the version of the application, the utilities used and the decryption of the executable file;
  • • About two protocols (old one and new one);
  • About serialization of objects;
  • Used cryptography and key exchange;
  • About headers and hash-functions;
  • About the exposures found.

Read more →
Total votes 5: ↑5 and ↓0 +5
Comments 1

API security design best practices for enterprise and public cloud

Reading time 9 min
Views 4.8K

Application Programming Interfaces or API’s are responsible for majority of system integration and functional components of modern computing landscape in both consumer and enterprise environments.

Properly constructed secure API’s provide significant benefits during initial build, integration with other systems and during entire application lifecycle while protecting sensitive information stored in business systems.

Based on author's experience designing and implementing API’s for variety of clients in financial, insurance, telecom and public sectors, security is often overlooked in favor of simplistic, vendor/product specific solutions.

This article addresses best practices for API security design in product neutral manner to help architects to plan and build easy to work with and secure API's.

Recommended approach is to separate API security from its business functionality and allow back-end developers to concentrate only on business functions. Once business logic for an API is ready, it can be published using common security components described in this article.

This article does not provide any product specific recommendations, but any modern API security/governance platform will be able to satisfy majority of suggested requirements using out-of-the-box functionality.

Read more
Rating 0
Comments 1

New botnet with lots of cameras and some routers

Reading time 3 min
Views 1.8K

DDoS attacks send ripples on the ocean of the Internet, produced by creations of various sizes - botnets. Some of them feed at the top of the ocean, but there also exists a category of huge, deep water monstrosities that are rare and dangerous enough they could be seen only once in a very long time.

November 2021 we encountered, and mitigated, several attacks from a botnet, that seems to be unrelated to one described and/or well-known, like variants of Mirai, Bashlite, Hajime or Brickerbot.

Although our findings are reminiscent of Mirai, we suppose this botnet is not based purely on propagating Linux malware, but a combination of brute forcing and exploiting already patched CVEs in unpatched devices to grow the size of it. Either way, to confirm how exactly this botnet operates, we need to have a sample device to analyze, which isn’t our area of expertise.

This time, we won’t give it a name. It is not 100% clear what we are looking at, what are the exact characteristics of it, and how big this thing actually is. But there are some numbers, and where possible, we have made additional reconnaissance in order to better understand what we’re dealing with.

But let us first show you the data we’ve gathered, and leave conclusions closer to the end of this post.

Read more
Total votes 12: ↑12 and ↓0 +12
Comments 0

On the recent vulnerability in Diebold Nixdorf ATMs

Reading time 8 min
Views 3.9K

Hi there! A while ago, Positive Technologies published the news that ATMs manufactured by Diebold Nixdorf (previously known as Wincor), or more specifically, the RM3 and CMDv5 cash dispensers, contained a vulnerability which allowed attackers to withdraw cash and upload modified (vulnerable) firmware. And since my former colleague Alexei Stennikov and I were directly involved in finding this vulnerability, I would like to share some details.

Read more
Total votes 5: ↑5 and ↓0 +5
Comments 2

Authors' contribution