As enterprise architectures become more and more complex, the task of the Chief Information Security Officer (CISO) becomes overwhelming. CISOs have a tough time finding talented cybersecurity professionals to support their work. In an interesting article in VentureBeat, Nir Donitza and Gal Ringel wrote about the cybersecurity landscape of Israel in 2018 and what it might predict for global cybersecurity. A few of their findings point to some interesting trends:
You’ve probably read about the Equifax breach in the NY Times, in Bloomberg or somewhere else. The breach resulted in the leakage of 143 million user profiles, including Social Security numbers, birthdates and addresses. Needless to say, these are very sensitive resources in the hands of identity thieves, so many Equifax users are really unhappy now. The breach has serious consequences, as almost half of the US population is affected. As a result, the CEO, CIO and CSO had to go. Some claim that it was not only their fault; the lack of skilled staff was also a reason.
In this post, we will have a look at the technical details of the Equifax breach and learn how this could have been prevented.
We are writing millions of lines of code day by day, but only a few of us take security into account. We know exactly how easy it is to put security aside, as it takes more investment than just inserting the very first working answer from Stackoverflow. The time pressure of an approaching deadline is a good excuse to go fast at the expense of the quality and security of the produced software. Everybody says that security is important, but the reality is that we’ll always find a good reason to neglect it unless it is built entirely into our Software Development Life Cycle (SDLC).
Thinking with the mindset of a security person does not come instantly; we have to train ourselves to design and implement something which is fairly good as software and does not expose too many low-hanging vulnerabilities (here is some advice from Parisa Tabriz, security expert at Google). I want to share with you some takeaways that we experienced while developing our avatao platform.
We are more than happy to welcome Tamás Koczka (aka “KT”), who is one of the key members of the CrySyS Student Core and thus of the !SpamAndHex team as well. As the captain of !SpamAndHex and the main player of the team, he has participated in approximately 80 CTF events (including 7 finals abroad), solving hundreds of challenges from various topics in information security. He currently works as a security engineer at Tresorit, a CrySyS spin-off. As one of the earliest coworkers at Tresorit, he helped provide real security and preserve the privacy of hundreds of thousands of users.
Here is his story.
This is the final part of this blog series. If you haven’t done so already, you can also read the first and second part of our story. It was early 2013, in the middle of my PhD studies, when two master students (András Gazdag and Levente Fritz) asked me to talk about memory corruption vulnerabilities. It seemed to be a good idea, as there weren’t any lectures about it at our university (Budapest University of Technology and Economics) at that time.
In our previous blog, we gave you a small introduction to Cross-site Scripting (XSS) attacks and added some easy challenges to get a taste of web security. It seems, however, that XSS is still one of the top vulnerabilities on the web. An attack against Yahoo Mail and various sandbox escape techniques keep this topic hot.
We took the opportunity to prepare a small XSS gift for you for Christmas :)
Binary analysis starts with understanding different file formats. Fortunately, there are several tools (e.g., CFF Explorer, FileAlyzer) which help you understand their internal structure; however, most of these tools are not generic enough and do not expose APIs or SDKs. As a result, when automated analysis is required, you have to implement your own scripts to parse those binaries. It may bring you some joyful moments at the beginning, but after your third parser you realize that this is not necessarily the thing you would like to spend your RE hours on.
We are more than happy to welcome Chris Wysopal (also on Twitter) as the next security expert on our blog. Chris, the CTO of Veracode, is one of the key influencers in IT security today. He is a regular speaker at conferences such as Black Hat or the RSA Conference. Since 2012 he has also been a member of the Black Hat Review Board. He was named one of the Top 25 Disruptors of 2013 by Computer Reseller News and one of the 5 Security Thought Leaders by SC Magazine in 2014.
We welcome Chris to share his story about IT security.
We are more than happy to welcome Zoltán Balázs (also on Twitter) as the next security expert on our blog. Zoli has a long track record of bypassing security defense products. He regularly gives talks at security conferences such as DEFCON, Botconf or Hacktivity. He is now working as the CTO of MRG-Effitas.
Here is his story.
One of the most difficult parts of IT security is getting started. There are zillions of interesting topics all around, but if you are completely new to this area you can easily get lost. Fortunately, there are a massive number of security tools online that help you solve complex problems faster and more easily, even if you do not understand all the background. Distributions like Kali Linux, for example, are heavily armed with the most recent security tools to help you automate your daily routines in penetration testing. Such tools, however, are not only for beginners.
The South Korean CTF team CyKor (also on Facebook) is one of the best CTF teams in the world. Together with other South Korean security experts like Junghoon Lee (aka “lokihardt”) and the members of Raon_ASRT, the DEFKOR CTF team was formed, which won the DEFCON CTF Finals in 2015 and ranked 3rd in 2016. As team CyKor they ranked 2nd at Belluminar 2016, a top invite-only hacking contest organized by POC and Qihoo 360.
Here is their story.
Charlie Miller (also on Twitter) is well-known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products (e.g., Safari, iOS). Then he surprised the world by performing a remote hack on a Jeep Cherokee. He is now with us to shed light on how he approaches complex systems and finds their weaknesses.
Here is his story.
This is the second part of our !SpamAndHex series. You can read the first part here. Everything starts with a vision. It was in 2009, at the very beginning of my master studies at the Budapest University of Technology and Economics (BME for short) in Hungary, when my advisor, Levente Buttyán (head of CrySyS Lab), contacted Engin Kirda, who was tenured faculty at Institut Eurecom (Graduate School and Research Center) at that time, to ask whether there was a project I could work on together with other iSecLab guys.
We are more than happy to welcome Mateusz Jurczyk (aka “j00ru”, also on Twitter) as the second security expert on our blog. When talking about low-level Windows kernel security, we cannot avoid his name. He has won the Pwnie Award 3 times and has been nominated 6 times in various categories. He is one of the key members of the Dragon Sector CTF team, which became the best team in the world in 2014 on CTFtime.
Here is his story.
So here we are again with your next avatao Tuesday challenge. Today, we are delving a bit into reverse engineering by providing a small tutorial and a challenge to solve.
A decent definition of reverse engineering comes from Eldad Eilam in his book Reversing: Secrets of Reverse Engineering: “In the software world reverse engineering boils down to taking an existing program for which source-code or proper documentation is not available and attempting to recover details regarding its design and implementation.”
In this new series we talk to security experts about how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”, also on Twitter), who independently co-discovered the infamous Rosetta Flash vulnerability and was nominated for a Pwnie Award for the best server-side bug at Black Hat 2014.
Here is his story.
How do you get started in computer security? I think this is the first question people raise when they are about to learn computer security. Here is a good answer from Parisa Tabriz, computer security expert at Google.
Back then, this was my first question as well, because I was amazed by the huge range of interesting topics I wanted to dig into more deeply.
Summer had just started in 2011 when Gábor Pék, Buherátor and Bencsáth Boldizsár (aka “Boldi”) decided to do some nice hacking over the summer instead of splashing around in Lake Balaton all summer long. The annual international university hacking competition called iCTF was a big challenge, with top competing teams. These guys needed to pull their socks up to have a chance.