Insource instead of outsourcing your cybersecurity operations

Written on February 2, 2018 by Mark Felegyhazi

As the enterprise architecture becomes more and more complex, the task of the Chief Security Information Office (CISO) becomes overwhelming. CISOs have a tough time to find talented cybersecurity professionals to support their job. In an interesting article in VentureBeat, Nir Donitza and Gal Ringel wrote about the cybersecurity landscape of Israel in 2018, and what it might predict from the global cybersecurity. A few of their findings point to some interesting trends:

Read More

Deep dive into the Equifax breach and the Apache Struts vulnerability

Written on September 27, 2017 by Gergo Turcsanyi

You’ve probably read about the Equifax breach in NY Times, in Bloomberg or somewhere else. The breach resulted in the leakage of 143 million user profiles, including Social Security numbers, birthdates and addresses. Needless to say that these are very sensitive resources in the hands of identity thieves, so many Equifax users are really unhappy now. The breach has serious consequences as almost half of the US population is affected. As a result, the CEO, CIO and CSO had to go. Some claim that it was not only their fault, the reason was also the lack of skilled staff.

In this post, we will have a look at the technical details of the Equifax breach and learn how this could have been prevented.

Read More

Learn to build secure software

Written on April 6, 2017 by Gabor Pek

We are writing millions of lines of code day by day, but only a few of us take security into account. We exactly know that it’s really easy to put security aside as it takes more investment than just inserting the very first working answer from Stackoverflow. Time pressure of an approaching deadline is a good excuse to go fast when establishing the quality and security of the produced software. Everybody says that security is important, but the reality is that we’ll always find a good reason to neglect it, if it is not built in entirely into our Software Development Life Cycle (SDLC).

Thinking with the mindset of a security guy does not come instantly, we have to train ourselves to design and implement something which is fairly good as a software and does not expose too many low-hanging vulnerabilities (here is an advice from Parisa Tabriz, security expert at Google). I want to share with you some takeaways that we experienced while developing our avatao platform.

Read More

Interview with Tamás "KT" Koczka from !SpamAndHex

Written on February 21, 2017 by Gabor Pek

We are more than happy to welcome Tamás Koczka (aka “KT”) who is one of the key members of the CrySyS Student Core so that of the !SpamAndHex team also. As the captain of !SpamAndHex and the main player of the team he participated at approximately 80 CTF events (including 7 finals abroad) solving hundreds of challenges from various topics in information security. He currently works as a security engineer at Tresorit, a CrySyS spin-off. As one of the earliest coworkers at Tresorit, he helped providing real security and keeping their privacy to hundreds of thousands of users.

Here is his story.

Read More

How !SpamAndHex became a top hacker team in the world. The final part.

Written on February 14, 2017 by Gabor Pek

This is the final part of this blog series. If you haven’t done already so, you can read the first and second part of our story also. It was early 2013, in the middle of my PhD studies when two master students (András Gazdag and Levente Fritz) asked me to talk about memory corruption vulnerabilities. It seemed to be a good idea, as there weren’t any lectures about it on our university (Budapest University of Technology and Economics) at that time.

Read More

Three major XSS issues in 2016 (plus an avatao XMaSS challenge)

Written on December 20, 2016 by Gabor Pek

In our previous blog, we gave you a small introduction to Cross-site Scripting (XSS) attacks and added some easy challenges to get a taste of web security. It seems, however, that XSS is still one of the top vulnerabilites on the web. An attack against Yahoo Mail and various sandbox escape techniques keep this this topic hot.

We took the opportunity to prepare a small XSS gift for you for Christmas :)

Read More

Parse your binaries with Kaitai WebIDE

Written on November 29, 2016 by Gabor Pek

Binary analysis starts with the understanding of different file formats. Fortunately, there are several tools (e.g., CFF explorer, FileAlyzer) which help you to understand their internal structure, however, most of these tools are not generic enough and do not expose APIs or SDKs. As a result, when automated analyis is required you have to implement your own scripts to parse those binaries. It may bring you some joyful moments at the beginning, but after your third parser you realize that this is not necessarily the thing you would like to spend your RE hours with.

Read More

Interview with Chris Wysopal, CTO of Veracode

Written on November 22, 2016 by Gabor Pek

We are more than happy to welcome Chris Wysopal, (also on Twitter) as the next security expert on our blog. Chris, the CTO of Veracode, is one of the key influencers in IT security today. He is a regular speaker at conferences such as Black Hat or the RSA conference. From 2012 he has been also member of the Black Hat Review Board. He was named one of the Top 25 Disruptors of 2013 by Computer Reseller News and one of the 5 Security Thought Leaders by SC Magazine in 2014.

We welcome Chris to share his story about IT security.

Read More

Interview with Zoltán Balázs, security expert

Written on November 16, 2016 by Mark Felegyhazi

We are more than happy to welcome Zoltán Balázs, (also on Twitter) as the next security expert on our blog. Zoli has long track records in bypassing security defense products. He regularly gives talks on security conferences such as DEFCON, Botconf or Hacktivity. He is now working as the CTO for MRG-Effitas.

Here is his story.

Read More

avataoTools introduces popular security tools

Written on October 25, 2016 by Gabor Pek

One of the most difficult parts in IT security is to get started. There are zillions of interesting topics all around, but if you are completely new in this area you can easily get lost. Fortunately, there are a massive number of security tools online that help you to solve complex problems faster and easier even if you do not understand all the backgrounds. Distributions like Kali Linux, for example, are heavily armoured by the most recent security tools to help you automatize your daily routines in penetration testing. Such tools, however, are not only for beginners.

Read More

Interview with the CyKor CTF team

Written on October 18, 2016 by Gabor Pek

The South Korean CTF team CyKor, (also on Facebook) is one of the best CTF teams in the world. Together with other South Korean security experts like Junghoon Lee (aka “lokihardt”) and the members of Raon_ASRT the DEFKOR CTF team was formed which won the DEFCON CTF Finals in 2015 and ranked 3rd in 2016. As team CyKor they ranked 2nd on Belluminar 2016, a top invite-only hacking contest organized by POC and Qihoo 360.

Here is their story.

Read More

Interview with Charlie Miller, security researcher

Written on September 28, 2016 by Gabor Pek

Charlie Miller, (also on Twitter) is well-known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products (e.g., Safari, iOS) . Then he surprised the world by performing a remote hack on a Jeep Cherokee. He is now with us to shed light on how he approaches complex systems and finds their weaknesses.

Here is his story.

Read More

How !SpamAndHex became a top hacker team (part 2)

Written on September 23, 2016 by Gabor Pek

This is the second part of our !SpamAndHex series. You can read the first part here. Everything starts with a vision. It was in 2009 at the very beginning of my master studies at the Budapest University of Technology and Economics (in short BME) in Hungary when my advisor, Levente Buttyán (head of CrySyS Lab) contacted Engin Kirda who was tenured faculty at Institute Eurecom (Graduate School and Research Center) at that time if there is a project I could work on together with other iSecLab guys.

Read More

Interview with Mateusz "j00ru" Jurczyk, security expert

Written on September 13, 2016 by Gabor Pek

We are more than happy to welcome Mateusz Jurczyk (aka “j00ru”), (also on Twitter) as the second security expert on our blog. When talking about low-level Windows kernel security, we are unable to avoid his name. He won the Pwnie Award 3 times and was nominated 6 times in various categories. He is one of the key members of the Dragon Sector CTF team which became the best team in the world in 2014 on CTF time.

Here is his story.

Read More

Reverse engineering tutorial and challenge

Written on September 6, 2016 by Gabor Pek

So here we are again with your next avatao Tuesday challenge. Today, we are delving a bit into reverse engineering by providing a small tutorial and a challenge to solve.

A decent definition for reverse engineering comes from Eldad Eilam from his Reversing: Secrets of Reverse Engineering book: “In the software world reverse engineering boils down to taking an existing program for which source-code or proper documentation is not available and attempting to recover details regarding its’ design and implementation.”

Read More

Interview with Gabor Molnar, security expert, who co-discovered Rosetta Flash

Written on August 30, 2016 by Gabor Pek

In this new series we talk to security experts on how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”), (also on Twitter) who independently co-discovered the infamous Rosetta Flash vulnerability and got nominated for a Pwnie award for the best server-side bug at BlackHat 2014.

Here is his story.

Read More

Your first avatao Tuesday

Written on August 23, 2016 by Gabor Pek

How to get started in computer security? I think this is the first question that people raise when they are about to learn computer security. Here is a good answer from Parisa Tabriz, computer security expert at Google.

Back in time, this was my first question as well, because I was amazed by the huge range of interesting topics I wanted to dig into deeper.

Read More

How !SpamAndHex became a top hacker team (part 1)

Written on July 14, 2016 by Mark Felegyhazi

Summer just started in 2011, when Gábor Pék, Buherátor and Bencsáth Boldizsár (aka “Boldi”) decided to do some nice hacking over the summer instead of going to splash in Lake Balaton all summer long. The annual international university hacking competition called iCTF was a big challenge with top competing teams. These guys needed to pull up their socks to have a chance.

Read More