-
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
During the summer of 2021, WhatsApp engaged NCC Group’s Cryptography Services team to conduct an independent security assessment of its End-to-End Encrypted Backups project. End-to-End Encrypted Backups is an hardware security module (HSM) based key vault solution that aims to primarily support encrypted backup of WhatsApp user data. This assessment was performed remotely, as a… Read more
-
Cracking RDP NLA Supplied Credentials for Threat Intelligence
In this post, we discuss our work in cracking the hashed passwords being sent over NLA connections to ascertain those supplied by threat actors.
-
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Category: Detection/Reduction/Prevention Overview Remote Desktop Protocol (RDP) is how users of Microsoft Windows systems can get a remote desktop on systems remotely to manage one or more workstations and/or servers. With the increase of organizations opting for remote work, so to has RDP usage over the internet increased. However, RDP was not initially designed with the… Read more
-
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
NCC Group is offering a new fully Managed Detection and Response (MDR) service for our customers in Azure. This blog post gives a behind the scenes view of some of the automated processes involved in setting up new environments and managing custom analytics for each customer, including details about our scripting and automated build and… Read more
-
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Outline 1. Introduction 2. How does MT19937 PRNG work? 3. Using Neural Networks to model the MT19937 PRNG 3.1 Using NN for State Twisting 3.1.1 Data Preparation 3.1.2 Neural Network Model Design 3.1.3 Optimizing the NN Inputs 3.1.4 Model Results 3.1.5 Model Deep Dive 3.1.5.1 Model First Layer Connections 3.1.5.2 The Logic Closed-Form from the State… Read more
-
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
Outline 1. Introduction 2. How does xorshift128 PRNG work? 3. Neural Networks and XOR gates 4. Using Neural Networks to model the xorshift128 PRNG 4.1 Neural Network Model Design 4.2 Model Results 4.3 Model Deep Dive 5. Creating a machine-learning-resistant version of xorshift128 6. Conclusion 1. Introduction This blog post proposes an approach to crack Pseudo-Random… Read more
-
NCC Group placed first in global 5G Cyber Security Hack competition
In June of this year, Traficom – the Finnish transport and communications agency – along with the Aalto University, Cisco, Ericsson, Nokia, and PwC, organized the 5G Cyber Security Hack competition. A similar event was organised in November 2019 in Oulu, Finland and this hackathon-style event was a follow-up to their successful 2019 event. Due… Read more
-
Paradoxical Compression with Verifiable Delay Functions
We present here a new construction which has no real immediate usefulness, but is a good illustration of a fundamental concept of cryptography, namely that there is a great difference between knowing that some mathematical object exists, and being able to build it in practice. Thus, this construction can be thought of as having some… Read more
-
A Look At Some Real-World Obfuscation Techniques
Among the variety of penetration testing engagements NCC Group delivers, some – often within the gaming industry – require performing the assignment in a blackbox fashion against an obfuscated binary, and the client’s priorities revolve more around evaluating the strength of their obfuscation against content protection violations, rather than exercising the application’s security boundaries. The… Read more
-
SnapMC skips ransomware, steals data
Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the… Read more
-
The Challenges of Fuzzing 5G Protocols
If you have ever looked at fuzzing in any depth you will quickly realize it’s not as trivial as it first appears. There are many different types of fuzzers, but here we are focused on network fuzzers. These fuzzers are of particular interest as they are most suited to fuzzing telecoms products/protocols, where the application… Read more
-
Reverse engineering and decrypting CyberArk vault credential files
Author: Jelle Vergeer This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. I also provide a python implementation to decrypt the… Read more
-
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Summary When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set to ‘internet’, it causes a stack corruption to occur. Impact Exploitation of this vulnerability would lead to denial of service for the subscriber’s equipment. Details… Read more
-
Assessing the security and privacy of Vaccine Passports
There has been a lot of development lately in the field of health credentials, especially in the field of vaccine credentials. This has largely been driven by a perceived need to track and validate an individual’s vaccination status with respect to COVID-19. This post attempts to explore the security and privacy concerns related with vaccine… Read more
-
Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)
Summary McAfee’s Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt the drive contents. The versions prior to 7.3.0 HF1 had a vulnerability in the kernel driver MfeEpePC.sys that could be exploited on certain Windows systems for privilege escalation or DoS. Impact Privilege Escalation vulnerability in a… Read more