Check out our new Microcorruption challenges!

New Microcorruption challenges created by Nick Galloway and Davee Morgan Today we are releasing several new challenges for the embedded security CTF, Microcorruption. These challenges highlight types of vulnerabilities that NCC Group’s Hardware and Embedded Systems practice have discovered in real products. The new challenges provide a simple interface to explore these vulnerabilities without having … Continue reading Check out our new Microcorruption challenges!

Public Report – IOV Labs powHSM Security Assessment

In June 2022, IOV Labs engaged NCC Group to perform a review of powHSM. Per the project documentation: "Its main role is to safekeep and prevent the unauthorized usage of each of the powPeg's members' private keys. powHSM is implemented as a pair of applications for the Ledger Nano S, namely a UI and a Signer, … Continue reading Public Report – IOV Labs powHSM Security Assessment

Whitepaper – Project Triforce: Run AFL On Everything (2017)

Six years ago, NCC Group researchers Tim Newsham and Jesse Hertz released TriforceAFL - an extension of the American Fuzzy Lop (AFL) fuzzer which supports full-system fuzzing using QEMU - but unfortunately the associated whitepaper for this work was never published. Today, we’re releasing it for the curious reader and historical archives alike. While fuzzing … Continue reading Whitepaper – Project Triforce: Run AFL On Everything (2017)

Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review

During the summer of 2022, Penumbra Labs, Inc. engaged NCC Group to conduct a cryptographic security assessment of two items: (i) the specification and two implementations of the decaf377 group, and (ii) a methodology and implementation of parameter generation for the Poseidon hash function. Decaf377 is a prime-order group obtained by applying the Decaf construction … Continue reading Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review

Tool Release – Monkey365

by Juan GarridoEditor's note: This tool was originally released at Black Hat USA 2022 (Arsenal) in August 2022, and was created by Juan Garrido (GitHub: @silverhack, Twitter: @tr1ana). Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security … Continue reading Tool Release – Monkey365

Sharkbot is back in Google Play 

Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Editor's note: This post was originally published on the Fox-IT blog. Introduction  After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this dropper active in the Google … Continue reading Sharkbot is back in Google Play 

Conference Talks – September/October 2022

Throughout September and October, members of NCC Group will be presenting their work at SANS CyberThreat, 44CON, ResponderCon, BSides St John's, ICMC, DevOps World, RootCon, Hexacon, and Hardwear.io NL. Ollie Whitehouse & Eric Shamper, "Enterprise IR:Live Free, live large" to be presented at Sans CyberThreat (September 12-13 2022) NCC Group, "Mastering Container Security," training to … Continue reading Conference Talks – September/October 2022

NCC Group Research at Black Hat USA 2022 and DEF CON 30

This year, NCC Group researchers will be presenting at least five presentations at Black Hat USA and DEF CON 30. A guide to these presentations (abstracts, dates, and links) is included below. We will also update this post with any additional presentations as they are accepted and announced. Virtually or in-person, we hope you will … Continue reading NCC Group Research at Black Hat USA 2022 and DEF CON 30

Whitepaper – Practical Attacks on Machine Learning Systems

This paper collects a set of notes and research projects conducted by NCC Group on the topic of the security of Machine Learning (ML) systems. The objective is to provide some industry perspective to the academic community, while collating helpful references for security practitioners, to enable more effective security auditing and security-focused code review of ML systems. Details of specific practical attacks and common security problems are described. Some general background information on the broader subject of ML is also included, mostly for context, to ensure that explanations of attack scenarios are clear, and some notes on frameworks and development processes are provided.