Pull to refresh
1059.79

Information Security *

Data protection

Show first
Rating limit
Level of difficulty

Physical unclonable functions: protection for electronics against illegal copying

Reading time 7 min
Views 5K

Source: The online counterfeit economy: consumer electronics, a report made by CSC in 2017

Over the past 10 years, the number of fake goods in the world has doubled. This data has been published in the latest Year-End Intellectual Property Rights Review by the US Department of Homeland Security in 2016 (the most current year tracked). A lot of the counterfeiting comes from China (56%), Hong Kong (36%) and Singapore (2%). The manufacturers of original goods suffer serious losses, some of which occur on the electronics market.

Many modern products contain electronic components: clothes, shoes, watches, jewellery, cars.
Last year, direct losses from the illegal copying of consumer electronics and electronic components in the composition of other goods were about $0.5 trillion.

How to solve this problem?
Read more →
Total votes 14: ↑14 and ↓0 +14
Comments 0

Exploiting signed bootloaders to circumvent UEFI Secure Boot

Reading time 6 min
Views 40K
Русская версия этой статьи.
Modern PC motherboards' firmware follow UEFI specification since 2010. In 2013, a new technology called Secure Boot appeared, intended to prevent bootkits from being installed and run. Secure Boot prevents the execution of unsigned or untrusted program code (.efi programs and operating system boot loaders, additional hardware firmware like video card and network adapter OPROMs).
Secure Boot can be disabled on any retail motherboard, but a mandatory requirement for changing its state is physical presence of the user at the computer. It is necessary to enter UEFI settings when the computer boots, and only then it's possible to change Secure Boot settings.

Most motherboards include only Microsoft keys as trusted, which forces bootable software vendors to ask Microsoft to sign their bootloaders. This process include code audit procedure and justification for the need to sign their file with globally trusted key if they want the disk or USB flash to work in Secure Boot mode without adding their key on each computer manually.
Linux distributions, hypervisors, antivirus boot disks, computer recovery software authors all have to sign their bootloaders in Microsoft.

I wanted to make a bootable USB flash drive with various computer recovery software that would boot without disabling Secure Boot. Let's see how this can be achieved.
Read more →
Total votes 25: ↑24 and ↓1 +23
Comments 3

Digital Forensics Tips&Tricks: How to Connect an Encase Image to the Virtual Machine

Reading time 1 min
Views 13K
I pretty often meet the question: how to attach an Encase image (.e01) to the virtual machine as a primary bootable disk? Sometimes a digital forensics experts need to boot up the image of the researching machine. It's not so hard actually, but this task has it's hidden stones which ones must be counted.

For this case I'll use a VMware Workstation for Windows and VirtualBox for Linux as a virtualization platforms.

Windows Part

1. Open FTK Imager and mount the .e01 image as a physical (only) device in Writable mode


Read more →
Total votes 6: ↑5 and ↓1 +4
Comments 0

Digital Forensics Tips&Tricks: How to Detect an Intruder-driven Group Policy Changes

Reading time 2 min
Views 6.1K
First of all let's remember a standart group policy precedence: Local — Site — Domain — Organisation Unit (LSDOU). From less specific level to more specific. It means that Local GPO settings will apply first, then Site-level, Domain-level etc. And the last applied (OU GPO) settings have the highest precedence on the resulting system. However, if a domain administrator didn't set some settings in the higher-level GPOs (e.g. Enable/Disable Windows Defender service) but the same settings have been configured on the Local-level GPO — the last ones will be apply. Yes, even the machine is a domain member.

The Local GPO files are located in %systemroot%\System32\GroupPolicy hidden folder and, of course, it has two scopes (located in subfolders): for User and for Computer. Any user (here I mean a «bad guy» of course), having access to this folder(s), can copy a Registry.pol file and check/change a Local GPO settings. An intruder can use a third-part apllication, such as a RegPol Viewer:

image

Read more →
Total votes 16: ↑15 and ↓1 +14
Comments 0

How Protonmail is getting censored by FSB in Russia

Reading time 10 min
Views 8.4K

A completely routine tech support ticket has uncovered unexpected bans of IP addresses of Protonmail — a very useful service for people valuing their Internet freedoms — in several regions of Russia. I seriously didn’t want to sensationalize the headline, but the story is so strange and inexplicable I couldn’t resist.


TL;DR


Disclaimer: the situation is still developing. There might not be anything malicious, but most likely there is. I will update the post once new information comes through.


MTS and Rostelecom — two of the biggest Russian ISPs — started to block traffic to SMTP servers of the encrypted email service Protonmail according to an FSB request, with no regard for the official government registry of restricted websites. It seems like it’s been happening for a while, but no one paid special attention to it. Until now.


All involved parties have received relevant requests for information which they’re obligated to reply.


UPD: MTS has provided a scan of the FSB letter, which is the basis for restricting the access. Justification: the ongoing Universiade in Krasnoyarsk and “phone terrorism”. It’s supposed to prevent ProtonMail emails from going to emergency addresses of security services and schools.


UPD: Protonmail was surprised by “these strange Russians” and their methods for battling fraud abuse, as well as suggested a more effective way to do it — via abuse mailbox.


UPD: FSB’s justification doesn’t appear to be true: the bans broke ProtonMail’s incoming mail, rather than outgoing.


UPD: Protonmail shrugged and changed the IP addresses of their MXs taking them out of the blocking after that particular FSB letter. What will happen next is open ended question.


UPD: Apparently, such letter was not the only one and there is still a set of IP addresses of VOIP-services which are blocked without appropriate records in the official registry of restricted websites.

Total votes 66: ↑64 and ↓2 +62
Comments 4

Writing a wasm loader for Ghidra. Part 1: Problem statement and setting up environment

Reading time 7 min
Views 11K

This week, NSA (National Security Agency) all of a sudden made a gift to humanity, opening sources of their software reverse engineering framework. Community of the reverse engineers and security experts with great enthusiasm started to explore the new toy. According to the feedback, it’s really amazing tool, able to compete with existing solutions, such as IDA Pro, R2 and JEB. The tool is called Ghidra and professional resources are full of impressions from researchers. Actually, they had a good reason: not every day government organizations provide access to their internal tools. Myself as a professional reverse engineer and malware analyst couldn’t pass by as well. I decided to spend a weekend or two and get a first impression of the tool. I had played a bit with disassembly and decided to check extensibility of the tool. In this series of articles, I'll explain the development of Ghidra add-on, which loads custom format, used to solve CTF task. As it’s a large framework and I've chosen quite complicated task, I’ll break the article into several parts.

By the end of this part I hope to setup development environment and build minimal module, which will be able to recognize format of the WebAssembly file and will suggest the right disassembler to process it.
Read more →
Total votes 18: ↑17 and ↓1 +16
Comments 1

Crystal Blockchain Analytics: Investigating the Hacks and Theft Cases

Reading time 8 min
Views 2.7K
In this report, Bitfury shares analysis completed by its Crystal Blockchain Analytics engineering team on the movement of bitcoin from the Zaif exchange, Bithumb exchange and Electrum wallets.

Read more →
Total votes 15: ↑13 and ↓2 +11
Comments 0

How to Discover MongoDB and Elasticsearch Open Databases

Reading time 3 min
Views 17K

Some time ago among security researchers, it was very “fashionable” to find improperly configured AWS cloud storages with various kinds of confidential information. At that time, I even published a small note about how Amazon S3 open cloud storage is discovered.


However, time passes and the focus in research has shifted to the search for unsecured and exposed public domain databases. More than half of the known cases of large data leaks over the past year are leaks from open databases.



Today we will try to figure out how such databases are discovered by security researchers...

Read more →
Total votes 20: ↑18 and ↓2 +16
Comments 0

Digital Forensics Tips&Tricks: How to Find Active VPN Connection in the Memory Dump

Reading time 2 min
Views 8.6K
Sometimes you can meet a case when a cyber-attacker uses VPN to establish a reliable channel between C2 server and infected IT-infrastructure. And, as Threat Intelligence experts say, attackers often use native Windows VPN connection tools and Windows .pbk (phonebook) files. Lets find out how we can detect it using a memory dump.

What is .pbk file and how does it look inside? It's just a text file with a lot of different parameters using when VPN connection is establishing.

image

Read more →
Total votes 23: ↑20 and ↓3 +17
Comments 0

DoT for RPZ distribution

Reading time 2 min
Views 1.4K
Just a few months ago there were a lot of buzz because IETF in expedited time frame (about one year) accepted DNS over HTTPS (DoH) as a standard (RFC-8484). The discussions about that are still going on because of its controversy. My personal opinion is that DoH is good for personal privacy (if you know how to use it and trust your DNS provider) but it is a security risk for enterprises. DNS over TLS (DoT) is a better alternative for enterprise customers only because it uses a well-defined TCP port but for personal privacy it is not good because of the same reason (easy to block).
Read more →
Total votes 14: ↑14 and ↓0 +14
Comments 0

Eliminating opportunities for traffic hijacking

Reading time 8 min
Views 4.1K

Beautiful scheme for BGP connection to Qrator filtering network

A little historical overview


  • BGP hijacks — when an ISP originates an advertisement of address space that does not belong to it;
  • BGP route leaks — when an ISP advertises prefixes received from one provider or peer to another provider or peer.

This week it has been 11 years since the memorable YouTube BGP incident, provoked by the global propagation of a more specific prefix announce, originated by the Pakistan Telecom, leading to an almost 2 hour in duration traffic disruption in the form of redirecting traffic from legitimate path to the bogus one. We could guess if that event was intentional, and even a correct answer wouldn’t help us completely prevent such incidents from happening today. While you read this, a route leak or a hijack is spreading over the networks. Why? Because BGP is not easy, and configuring a correct and secure setup is even harder (yet).

In these eleven years, BGP hijacking became quite damaging attack vector due to the BGP emplacement in the architecture of modern internet. Thanks to BGP, routers not only acquire peer information, and therefore all the Internet routes — they are able of calculating the best path for traffic to its destination through many intermediate (transit) networks, each representing an individual AS. A single AS is just a group of IPv4 and/or IPv6 networks operating under a single external routing policy.
Read more →
Total votes 18: ↑18 and ↓0 +18
Comments 0

You Do Not Need Blockchain: Eight Well-Known Use Cases And Why They Do Not Work

Reading time 9 min
Views 3.6K

image


People are resorting to blockchain for all kinds of reasons these days. Ever since I started doing smart contract security audits in mid-2017, I’ve seen it all. A special category of cases is ‘blockchain use’ that seems logical and beneficial, but actually contains a problem that then spreads from one startup to another. I am going to give some examples of such problems and ineffective solutions so that you (developer/customer/investor) know what to do when somebody offers you to use blockchain this way.


Disclaimers


  • The described use cases and problems occur at the initial stage. I am not saying these problems are impossible to solve. However, it is important to understand which solutions system creators offer for particular problems.
  • Even though the term ‘blockchain use’ looks strange and I am not sure that blockchain can be used for anything other than money (Bitcoin), I am going to use it without quotes.

1. Supply chain management


Let’s say you ordered some goods, and a carrier guarantees to maintain certain transportation conditions, such as keeping your goods cold. A proposed solution is to install a sensor in a truck that will monitor fridge temperature and regularly transmit the data to the blockchain. This way, you can make sure that the promised conditions are met along the entire route.

Read more →
Total votes 24: ↑23 and ↓1 +22
Comments 0

Detecting Web Attacks with a Seq2Seq Autoencoder

Reading time 7 min
Views 5.5K
image

Attack detection has been a part of information security for decades. The first known intrusion detection system (IDS) implementations date back to the early 1980s.

Nowadays, an entire attack detection industry exists. There are a number of kinds of products—such as IDS, IPS, WAF, and firewall solutions—most of which offer rule-based attack detection. The idea of using some kind of statistical anomaly detection to identify attacks in production doesn’t seem as realistic as it used to. But is that assumption justified?
Read more →
Total votes 23: ↑22 and ↓1 +21
Comments 0

Internet Issues & Availability Report 2018–2019

Reading time 16 min
Views 1.5K
image

While working on the annual report this year we have decided to avoid retelling the news headlines of the previous year and, though it is almost impossible to ignore memories absolutely, we want to share with you the result of a clear thought and a strategic view to the point where we all are going to arrive in the nearest time — the present.

Leaving introduction words behind, here are our key findings:

  • Average DDoS attack duration dropped to 2.5 hours;
  • During 2018, the capability appeared for attacks at hundreds of gigabits-per-second within a country or region, bringing us to the verge of “quantum theory of bandwidth relativity”;
  • The frequency of DDoS attacks continues to grow;
  • The continuing growth of HTTPS-enabled (SSL) attacks;
  • PC is dead: most of the legitimate traffic today comes from smartphones, which is a challenge for DDoS actors today and would be the next challenge for DDoS mitigation companies;
  • BGP finally became an attack vector, 2 years later than we expected;
  • DNS manipulation has become the most damaging attack vector;
  • Other new amplification vectors are possible, like memcached & CoAP;
  • There are no more “safe industries” that are invulnerable to cyberattacks of any kind.

In this article we have tried to cherry-pick all the most interesting parts of our report, though if you would like read the full version in English, the PDF is available.
Read more →
Total votes 27: ↑25 and ↓2 +23
Comments 0

How to prevent targeted cyber attacks? 10 best network sandboxes

Reading time 10 min
Views 3K


Targeted attacks are the most dangerous among the multitude of modern cyber threats. They are also known as ATP (an abbreviation which stands for Advanced Persistent Threat). Those are not viruses that can accidentally get into the computer due to user's carelessness. Neither it is an attempt to replace the address of a popular site in order to cheat billing information from credulous users. Targeted cyber attacks are prepared and thought out carefully and pose a particular threat.
Read more →
Total votes 17: ↑17 and ↓0 +17
Comments 0

Yet another review of OATH hardware tokens feature in Azure Cloud MFA

Reading time 2 min
Views 1.8K
About three months ago Microsoft has announced the availability of OATH TOTP hardware tokens in Azure MFA. The feature is still in “public preview”, but we see many of our customers using the feature in production already now. As we are testing this for the last couple of months in our lab environment and, in many cases, we are also assisting our customers with the activation of the feature, we have some observations that we believe are worth sharing.

image
Read more →
Total votes 18: ↑17 and ↓1 +16
Comments 0

Why pentesting is important to your Business?

Reading time 3 min
Views 1.1K
image

In today’s world, it is almost impossible to imagine a business without some type of connection to the Internet — a website, email, employee training, CRM (Customer-relationship management), CMS (Content management system), etc. It simplifies and speeds up the ordering process, search for new clients, records search and keeping, and such.
Read more →
Total votes 19: ↑17 and ↓2 +15
Comments 0

Programmable TOTP tokens in a key fob form-factor

Reading time 1 min
Views 4.2K
TOTP tokens are small, easy-to-use devices that generate one-time passcodes. These tamper-evident devices can be used wherever strong authentication is required.

TOKEN2 is selling programmable hardware tokens in credit card format for already a few years now. Token2 miniOTP cards are marketed as a hardware alternative to Google Authenticator or other OATH-compliant software tokens. Having the same functionality extended to tokens in classic keyfob/dongle format was one of the features our customers asked for.

We are hereby announcing our new product, TOKEN2 C300 TOTP hardware token, which is possible to be reseeded for an unlimited number of times via NFC using a special «burner» app.
Читать дальше →
Total votes 22: ↑20 and ↓2 +18
Comments 16

Authors' contribution