Authorization vulnerabilities continue to be one of the largest and most difficult to remediate classes of vulnerabilities that affect web applications. Compared to other vulnerability classes like XSS or SQL injection, there are no frameworks or design patterns which can be used to prevent authorization flaws at a fundamental level (although this is an area … Continue reading Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Archive
Public Report – Dell Secured Component Verification
During February 2021, Dell engaged NCC Group to conduct a security assessment of their supply chain security functionality and related and supportive foundational security functionality on 14th and 15th generation Dell servers. Documentation and source code was provided as well as access to a running lab server via network access, with access to both the … Continue reading Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
by fumik0_ & the RIFT TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We’ll start with an overview of its origins and current operations before providing a deep dive technical analysis … Continue reading RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
This month, members of NCC Group will be presenting their work at the following conferences: Sourya Biswas, "Psychology of the Phish: Leveraging the Seven Principles of Influence", to be presented at ISACA Conference North America (Virtual - May 5 2021)Sourya Biswas, "Cybersecurity is War: Lessons from Historical Conflicts", to be presented at Secure360 (Virtual - … Continue reading Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
Today we are releasing some statistics around deployment of Pulse Connect Secure versions in the wild. The hope is that by releasing these statistics we can help to highlight the risk around outdated versions of PCS, which are being actively exploited by malicious actors. We have also shared the raw data with national CIRTs and … Continue reading A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
NCC Group will be presenting 4 different training courses at Black Hat USA 2021. Below you will find high level details about each course, as well as a link to a detailed course description and course registration details on the Black Hat website. Join us! Mastering Container Security V5 - Black Hat edition (August 2-3 … Continue reading NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
During the fourth calendar quarter of 2020 and the first calendar quarter of 2021, NCC Group conducted an in-depth review of the VPN by Google One virtual private network system. The focus of the engagement was to assess the product’s technical security properties and review its associated privacy claims. The public report for this assessment … Continue reading Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Vendor: ParcelTrack Vendor URL: https://www.parceltrack.de/ Versions affected: ParcelTrack Android Version 3.3, ParcelTrack iOS Version 3.3 Author: Dan Hastings – dan.hastings[at]nccgroup[dot]com Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords … Continue reading Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
Principal Mapper, or PMapper, is a tool and library for in-depth analysis with AWS Identity and Access Management, as well as AWS Organizations. PMapper stores data about AWS accounts and organizations, then provides options to query, visualize, and analyze that data. The library, written in Python, enables users to extend PMapper's functionality for other use-cases. … Continue reading Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Single Sign-On (SSO) approach to authentication controls and identity management was quickly adopted by both organizations and large online services for its convenience and added security. The benefits are clear; for end-users, it is far easier to authenticate to a single service and gain access to all required applications. And for administrators, credentials and … Continue reading SAML XML Injection