Conference Talks – June 2022

This month, members of NCC Group will be presenting their technical work and training courses at the following conferences:

NCC Group, "Training: Mastering Container Security," to be presented at 44CON (June 13-15 2022)
NCC Group, "Training: Google Cloud Platform (GCP) Security Review," to be presented at 44CON (June 13-16 2022)
Jennifer Fernick (NCC Group), Christopher Robinson …

Public Report – Lantern and Replica Security Assessment

Editor's Note: This security assessment was conducted by a team of our consultants, one of whom, Victor Hora, tragically and unexpectedly passed away a few weeks ago. As we publish this report, we miss our dear colleague immensely and celebrate Victor's life and his wonderful influence on the world. He was a talented security consultant, …

NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard

Congratulations to NCC Group researcher Juan Garrido, who was recently named amongst Microsoft's most valuable security researchers on the MSRC 2022 Q1 Security Researcher Leaderboard! This honour, awarded quarterly by the Microsoft Researcher Recognition Program, recognizes security researchers who have discovered and shared security vulnerabilities in Microsoft products under coordinated vulnerability disclosure. Juan …

Public Report – go-cose Security Assessment

In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft's contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of …

Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Vendor: Bluetooth SIG, Inc.
Vendor URL: https://www.bluetooth.com
Versions Affected: Specification versions 4.0 to 5.3
Systems Affected: Any systems relying on the presence of a Bluetooth LE connection as confirmation of physical proximity, regardless of whether link layer encryption is used
Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com>
Risk: An attacker can falsely indicate the proximity of Bluetooth …

Public Report – Google Enterprise API Security Assessment

During the autumn of 2021, Google engaged NCC Group to perform a review of the Android 12 Enterprise API to evaluate its compliance with the Security Technical Implementation Guides (STIG) matrix provided by Google. This assessment was also performed with reference to the Common Criteria Protection Profile for Mobile Device Fundamentals (PPMDF), from which the …

Conference Talks – March 2022

This month, members of NCC Group will be presenting their work at the following conferences:

Juan Garrido, "Microsoft 365 APIs Edge Cases for Fun and Profit," to be presented at RootedCon (March 10-12 2022)
Jennifer Fernick (NCC Group), Christopher Robinson (Intel), & Anne Bertucio (Google), "Preparing for Zero-Day: Vulnerability Disclosure in Open Source Software," to …

Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review

During October 2021, O(1) Labs engaged NCC Group's Cryptography Services team to conduct a cryptography and implementation review of selected components within the main source code repository for the Mina project. Mina implements a cryptocurrency with a lightweight and constant-sized blockchain, where the code is primarily written in OCaml. The selected components involved the client …

NCC Group’s 2021 Annual Research Report

Following the popularity of our first Annual Research Report in 2020, we present, for the second year, a summary of our public-facing security research findings from across the more than 237 conference publications, technical blog posts, advisories, and tool releases published by researchers at NCC Group between January 1 2021 and December 31 …

On the malicious use of large language models like GPT-3

(Or, “Can large language models generate exploits?”) While attacking machine learning systems is a hot topic for which attacks have begun to be demonstrated, I believe that there are a number of entirely novel, yet-unexplored attack-types and security risks that are specific to large language models (LMs), that may be intrinsically dependent upon things like …