Announcing NCC Group’s Cryptopals Guided Tour: Set 2

Hello and welcome to NCC Group’s Cryptopals guided tour! This post is the second in a series of eight installments (previously) covering the solutions to the Cryptopals Crypto Challenges. For those who don’t know, Cryptopals is a series of eight sets of challenges covering common cryptographic constructs and common attacks on them. You can read …

Replicating CVEs with KLEE

This blog post details the steps taken to replicate a udhcpc process crash on BusyBox 1.24.2 using NVD - CVE-2016-2147 (nist.gov), and to produce a working denial of service exploit. We will be using the symbolic execution engine called KLEE to help identify parameters that can cause the specific crash we are interested in. This …

A Guide to Improving Security Through Infrastructure-as-Code

Modern organizations evolved and took the next step when they became digital. Organizations are using cloud and automation to build a dynamic infrastructure to support more frequent product release and faster innovation. This puts pressure on the IT department to do more and deliver faster. Automated cloud infrastructure also requires a new mindset, a change …

Five Essential Machine Learning Security Papers

We recently published "Practical Attacks on Machine Learning Systems", which has a very large references section - possibly too large - so we've boiled down the list to five papers that are absolutely essential in this area. If you're beginning your journey in ML security, and have the very basics down, these papers are a …

Announcing NCC Group’s Cryptopals Guided Tour!

Hello and welcome to NCC Group's Cryptopals guided tour! This post is the first in a series of eight installments covering the solutions to the Cryptopals Crypto Challenges. These have been a long time coming, and we're excited to finally start bringing them to you. For those who don't know, Cryptopals is a series of …

Why IoT Security Matters

Introduction: Internet of Things security can mean any number of things for your product and its users. This will depend largely on the context of the product and its deployment, and can include specific requirements, such as integrity, confidentiality, availability, safety, privacy, consent, authenticity, and more. Understanding how security fits into the product’s threat modelling …

An Illustrated Guide to Elliptic Curve Cryptography Validation

Elliptic Curve Cryptography (ECC) has become the de facto standard for protecting modern communications. ECC is widely used to perform asymmetric cryptography operations, such as to establish shared secrets or for digital signatures. However, insufficient validation of public keys and parameters is still a frequent cause of confusion, leading to serious vulnerabilities, such as leakage …

Lending a hand to the community – Covenant v0.7 Updates

Introduction: Covenant [1] is an open source .NET command and control framework to support Red Team operations, similar in many ways to the well-known Cobalt Strike threat emulation software. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration. It has two main agents/payloads: The Grunt, which is …

Cryptopals: Exploiting CBC Padding Oracles

This is a write-up of the classic padding oracle attack on CBC-mode block ciphers. If you've done the Cryptopals cryptography challenges, you'll remember it as challenge 17. This is a famous and elegant attack. With it, we will see how even a small data leak (in this case, the presence of a "padding oracle" - …

Domestic IoT Nightmares: Smart Doorbells

Preface: Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of …