Curve9767 and Fast Signature Verification

This post is about elliptic curves as they are used in cryptography, in particular for signatures. There are many ways to define specific elliptic curves that strive to offer a good balance between security and performance; here, I am talking about specific contributions of mine: a new curve definition, and some algorithmic improvements that target … Continue reading Curve9767 and Fast Signature Verification

The Extended AWS Security Ramp-Up Guide

On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is "to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow … Continue reading The Extended AWS Security Ramp-Up Guide

Code Patterns for API Authorization: Designing for Security

Summary This post describes some of the most common design patterns for authorization checking in web application code. Comparisons are made between the design patterns to help understand when each pattern makes sense as well as the drawbacks of the pattern. For developers and architects, this post helps you to understand what the different code … Continue reading Code Patterns for API Authorization: Designing for Security

How cryptography is used to monitor the spread of COVID-19

On April 10, Apple and Google announced1, 2 that they were joining forces in an effort to help reduce the spread of COVID-19. Their solution leverages Bluetooth technology to trace interactions between individuals. This principle is known as contact tracing and public health agencies are heavily relying on it to monitor and prevent the spread … Continue reading How cryptography is used to monitor the spread of COVID-19

Rise of the Sensors: Securing LoRaWAN Networks

One of the current research priorities for NCC Group is smart cities. We perceive that in the future substantial investment will be made into deploying intelligent sensor systems into our cities: initially the focus being on passive applications, gathering and collecting data, but potentially in future leading to more active applications, integrating systems to automatically … Continue reading Rise of the Sensors: Securing LoRaWAN Networks

CVE-2019-1381 and CVE-2020-0859 – How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability

By Phillip Langlois and Edward Torkington Introduction In November 2019, we published a blog post covering an elevation-of-privilege vulnerability we found in Windows whilst conducting research into Windows Component Object Model (COM) services. During the course of this research, we discovered a number of vulnerabilities in several COM services that we reported to Microsoft. In … Continue reading CVE-2019-1381 and CVE-2020-0859 – How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability

C Language Standards Update – Zero-size Reallocations are Undefined Behavior

[Editor's Note: Robert Seacord of NCC Group is a longstanding member of the C Standards Committee. In this blog post, he outlines a recently adopted change he proposed to the C Language Standard, to help eliminate double-free vulnerabilities being introduced to C code as a result of zero-sized reallocations of memory.] by Robert Seacord The … Continue reading C Language Standards Update – Zero-size Reallocations are Undefined Behavior

Exploring Verifiable Random Functions in Code

Verifiable Random Functions (VRFs) have recently seen a strong surge in popularity due to their usefulness in blockchain applications. Earlier I wrote about what VRFs are, where they can be used, and a few dozen things to consider when reviewing them. In this follow-on blog post, I am pleased to introduce actual working code that … Continue reading Exploring Verifiable Random Functions in Code