10 real-world stories of how we’ve compromised CI/CD pipelines

by Aaron Haymore, Iain Smart, Viktor Gazdag, Divya Natesan, and Jennifer Fernick Mainstream appreciation for cyberattacks targeting continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines has been gaining momentum. Attackers and defenders increasingly understand that build pipelines are highly-privileged targets with a substantial attack surface. But what are the potential weak points in a CI/CD … Continue reading 10 real-world stories of how we’ve compromised CI/CD pipelines

Impersonating Gamers With GPT-2

In this blog post, I’m going to recount the story of my quest to train OpenAI’s large language model, GPT-2, to create a virtual doppelganger of myself and my peers. Machine learning is one of those buzzwords that, sometimes, lives up to its reputation. As an information security professional, my go-to hobby has typically been … Continue reading Impersonating Gamers With GPT-2

NCC Group’s 2021 Annual Research Report

Following the popularity of our first Annual Research Report in 2020, we present to you now for the second year, a summary of our public-facing security research findings from across the over 237 conference publications, technical blog posts, advisories, and tool releases published by researchers at NCC Group between January 1 2021 and December 31 … Continue reading NCC Group’s 2021 Annual Research Report

Tool Release – insject: A Linux Namespace Injector

tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. While … Continue reading Tool Release – insject: A Linux Namespace Injector

On the malicious use of large language models like GPT-3

(Or, “Can large language models generate exploits?”) While attacking machine learning systems is a hot topic for which attacks have begun to be demonstrated, I believe that there are a number of entirely novel, yet-unexplored attack-types and security risks that are specific to large language models (LMs), that may be intrinsically dependent upon things like … Continue reading On the malicious use of large language models like GPT-3

Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs

by Drew Wade, Emily Liu, and Siddarth Adukia TL; DR We studied a range of Canadian provinces' proof-of-vaccination apps to analyze their associated security and privacy properties. In particular, building on prior work in which some of us created an assessment framework for evaluating the security & privacy of vaccine passports, in this post, we … Continue reading Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs

Tool Update – ruby-trace: A Low-Level Tracer for Ruby

We released ruby-trace back in August to coincide with my DEF CON 29 talk on it and parasitic tracing in general. Back then, it supported (c)Ruby 2.6 through 3.0. A few days ago, Ruby 3.1 was released. We have updated ruby-trace to add support for Ruby 3.1 and reorganized our test suite to validate our … Continue reading Tool Update – ruby-trace: A Low-Level Tracer for Ruby

Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches

Background Java Virtual Machines (JVMs) provide a number of mechanisms to inspect and modify the Java applications and the runtime they stand on. These include Java agents, JARs that are capable of modifying Java class files at runtime; and JVMTI agents, native libraries that can perform deep hooking into the innards of the JVM itself. … Continue reading Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches

Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers

The Microcontroller Unit (MCU) is the heart of an embedded device, where the main firmware executes its instructions to carry out the system’s functions. These come in many varieties. Relatively simple microcontrollers with limited-resource processors may bundle only a few IO peripherals, a small amount of memory, and be intended to run a small real-time … Continue reading Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers

FPGAs: Security Through Obscurity?

Background For the uninitiated, an FPGA is a field-programmable array of logic that is typically used to perform or accelerate some specific function (or functions) within a computer system. They are typically paired with a separate traditional microprocessor (or as part of a combined system-on-chip (SoC)) but can operate standalone as well. They can be … Continue reading FPGAs: Security Through Obscurity?