Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2025-04-29 11:04:11 |
Spain's blackout: Cyber or Not? An unbiased technical analysis (direct link) |
Introduction: Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn't alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely. As we can see from the following graph coming from Red Eléctrica Española (transmission system operator responsible for managing the Spanish electricity system), at 12:35pm suddenly 15 GW of generation power went 'missing'. As the prime minister would explain during a press release: "in 5 seconds, 60% of the country's demand disappeared from the system". The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the necessary data to conduct such a complex analysis. However, there is specific information suggesting that a potential cyber attack could be behind this. For example: https://www.larazon.es/economia/cni-apunta-ciberataque-como-posible-causa-apagon_20250428680f7e19319ae75da4ba8c32.html The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack. https://www.eleconomista.es/energia/noticias/13337515/04/25/juanma-moreno-apunta-a-un-ciberataque-como-posible-causa-del-gran-apagon-en-espana.html Meanwhile, top European figures such as the European Council p |
Ransomware
Malware
Threat
Studies
Prediction
Technical
|
APT 44
|
★★★
|
 |
2025-04-01 16:18:36 |
Cyber-Physical Analysis of Weapons of Mass Destruction Detection Systems: Part 1 - DARPA's SIGMA (direct link) |
Index: 1. Introduction 2. Practical Gamma Spectroscopy for Security Researchers 3. SIGMA Network 4. Conclusions. Disclaimer: To avoid any misunderstandings, I want to clarify that all the information in this post is based on open-source intelligence, publicly available documents, and reverse engineering. I have not attempted to compromise or replicate any potential attacks on internet-facing SIGMA systems. Instead, I conducted a simple, non-invasive reconnaissance phase, which involved accessing public websites, reviewing their source code, and examining generic endpoints to gather general information, such as system versions. A month before publishing this post, I gave a heads-up about it to those who needed to be informed. Introduction: This is the first part of a series on the cyber-physical analysis of weapons of mass destruction detection systems, focusing on technologies like CBRN networks and nuclear safeguards. These posts will cover how these systems integrate physical methods with cyber capabilities to counter potential threats. By analyzing both the hardware and software components, I aim to highlight the challenges and advancements in ensuring these systems function effectively in real-world scenarios, as well as some of the vulnerabilities, exploits, and security-related issues discovered during the research. Above all, the goal is to contribute to a better understanding of these systems and encourage critical thinking, especially in these challenging times. Thirty years ago, the Japanese apocalyptic cult 'Aum Shinrikyo' managed to fabricate sarin gas in-house and released it in multiple trains during rush hour on the Tokyo subway system. The deadly nerve agent killed 14 people, injured over 1000, and caused severe health issues for thousands more. Initial reports only mentioned 'an explosion in the subway,' causing the first 30 police officers who arrived at the scene to overlook the possibility of a chemical attack. As a result, they were exposed to and harmed by the sarin gas, which also delayed their ability to provide a timely and proper response to the other victims. Could a similar event happen today in a modern city? Probably yes, but at least in theory, it would be orders of magnitude harder for the perpetrators to achieve their goals. Even if they succeeded, the immediate aftermath (essentially the ability to mitigate the consequences) would (is expected to) be managed much more effectively, due to technological progress in countering Chemical, Biological, Radiological, |
Tool
Vulnerability
Threat
General Information
Legislation
Mobile
Prediction
Cloud
Commercial
|
|
★★
|
 |
2025-01-22 14:43:46 |
The Cyber Dimension of the Zaporizhzhia NPP Occupation (direct link) |
The war that began with Russia's full-scale invasion of Ukraine has led to a series of unprecedented nuclear-related situations. During the first 48 hours, Chernobyl, a symbol of the deep-seated fear of nuclear disaster, especially within Europe, was taken by Russian troops. This was accompanied by reports of radiation spikes, various plots involving dirty bombs and nuclear materials, and Russian soldiers allegedly killed by acute radiation syndrome. In the end, all of it was proven to be as fictitious as the reported radiation levels. We should view these mutual accusations between Ukraine and Russia as part of the information war, which likely didn't come as a complete surprise to those in the know. For instance, in an insightful piece Politico published documenting the 'first-ever oral history of how top U.S. and Western officials saw the warning signs of a European land war,' John Kirby stated the following: Without time to recover from the shock caused by the events in the Chernobyl Exclusion Zone, just a few days later, Russia attacked and eventually occupied Europe's largest nuclear power plant: Zaporizhzhia. Four weeks later, Russian forces withdrew from Chernobyl, but they did not withdraw from Zaporizhzhia NPP, which remains occupied to this day. With a new administration taking over the U.S. government, likely to have a significant influence on the conditions and terms for ending this armed conflict (if it ends at all), now seems like the right moment to address a gap in the existing coverage of the Zaporizhzhia NPP occupation: its cyber dimension. Ukraine: From Non-Proliferation to the Modernization of Its Nuclear Power Plants. After the Soviet Union's collapse in 1991, Ukraine agreed to give up its nuclear weapons under the Budapest Memorandum (1994), in exchange for security assurances from Russia, the U.S., and the UK. Some might argue that this move has not aged well, |
Tool
Vulnerability
Studies
Industrial
Technical
|
|
★★★
|
 |
2025-01-08 18:35:29 |
Addressing the Exploitation of Radiation Fear: A Self-Assessment Guide to Counter Disinformation (direct link) |
In December 2024, two events (drone sightings in the US and Israel's strike on Syria's weapon depots) were followed by orchestrated reports of detected radiation spikes. Some media outlets took these dubious reports (with millions of views) that originated from social media, and published pieces based on them. In one of these cases, the actors behind the disinformation campaign exploited a real-time radiation map, which is maintained by a private company that manufactures personal dosimeters, to sustain the narrative. Kim Zetter has recently published "Anatomy of a Nuclear Scare", an article that covers this issue. This trend does not come as a surprise, as radioactivity is one of those few things that can collectively trigger significant levels of societal anxiety and an emotional, rather than rational, response, which is often disproportionate to the actual physical risks it poses. This radiation fear has been shaped over the years by a mix of cultural, historical, and media-driven narratives. In recent years, increasing geopolitical instability, the ever-growing influence of social media, the return of magical thinking and the precariousness and discrediting of traditional sources of information have resulted in a constant flow of misinformation. It's no coincidence that successful campaigns can be executed with limited resources, compared to traditional manipulation activities, and still have the potential to go viral, maximizing ROI. Despite the fact that these campaigns explicitly exploited, or leveraged, publicly available online resources providing real-time radiation levels, in most cases, the actions were simplistic and carried out without the need for specialized 'cyber' skills or expertise. So far, the only exception to this trend can be found in Chernobyl's post-invasion radiation spikes from 2022. I see no reason to believe that we won't likely see similar campaigns in the near future. I also acknowledge that this topic is not everyone's cup of tea. You may not have the time or interest to go through detailed technical explanations of radioactivity from both physics and cybersecurity perspectives. However, for those who are really interested in that kind of in-depth reading, I've published comprehensive research papers on this topic. So, I thought it might be useful to put together this publication, which is merely intended to serve as an 'emergency guide' to quickly grasp a set of simple yet sound principles that hopefully can help everyone, regardless of their background, to approach radioactivity-related reports with a critical eye. Armed with these fundamentals of radiation monitoring, we'll learn how to quickly discern between stories that make sense and those that don't hold water. An Emergency Guide to Understanding Radioactivity and Radiation Monitoring. Let's say that you want to build a simple cabin on a small plot of land you have in the woods. The foundations should be stable enough to ensure the structure does not collapse right after finishing it. However, you have an unusual constraint: the only material you can use is balloons. Common sense suggests that, although balloons are not the ideal material, the best way to use them would be to keep them completely deflated. Anything built using inflated balloons will not last long; it depends on the quality of the material the balloon is made of, but everybody acknowl |
Tool
Threat
Industrial
Prediction
Technical
|
|
★★★
|
 |
2024-10-01 12:10:41 |
A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors (direct link) |
A year ago, shortly after presenting the Chernobyl research, I was surprised to discover that a plethora of brand-new (2nd generation) components were available on eBay. Framatome's Teleperm XS (TXS) is a digital Instrumentation & Control platform designed specifically for use in safety systems in nuclear power plants, as a replacement for or an improvement on their analog counterparts. It is one of the most widely used digital safety I&C platforms, supporting the main line of defense (reactor protection system, engineered safety features actuation system) in dozens of nuclear reactors worldwide, including Europe, the United States, Russia and China. Obviously, this was a good opportunity to take a close look at digital safety modules of the greatest importance, so I bought some TXS modules. That was the starting point of the research I'm releasing today: "A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors". |
Tool
Technical
Commercial
|
|
★★★★
|
 |
2024-06-05 14:00:23 |
Ukraine's nuclear regulator confirms Chernobyl's post-invasion radiation spikes had an 'abnormal origin'. (direct link) |
First off, I would like to provide some context for those readers who are not familiar with this topic. In 2023 I presented at BlackHat USA 'Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication'. Kim Zetter also wrote an investigative piece. The research materials are publicly available. As I casually discovered a few days ago, around the date I received the acceptance notification from BlackHat, the paper 'Preliminary assessment of the radiological consequences of the hostile military occupation of the Chornobyl Exclusion Zone' was submitted to the 'Journal of Radiological Protection'. This paper would eventually be approved and then published in September. So it seems that both investigations were being performed in parallel, but unfortunately our paths never crossed. There is also a significant detail: this investigation doesn't come from a random guy like me, but from official entities. The authors of this paper belong to an international mission led by the "State Nuclear Regulatory Inspectorate of Ukraine" (SNRIU) and its technical support organization, the "Scientific and Technical Centre for Nuclear and Radiation Safety", with funds from Norway's nuclear authority (DSA). This international group of experts carried out a comprehensive radiation survey over different areas (at risk to their lives due to the mines left behind by the Russian occupation forces), including the Chernobyl Exclusion Zone, and specifically in those spots where some of the radiation monitoring devices (GammaTRACER) reported radiation spikes during the beginning of the Russian invasion. The outcome of the survey is that they didn't find any trace of contamination; the radiation levels were basically the same |
Technical
|
|
★★★★
|
 |
2024-01-28 15:16:46 |
Finding vulnerabilities in Swiss Post's e-voting system: part 3 (direct link) |
Exactly two years ago I brought my blog back to life, after many years of hiatus, with "Finding vulnerabilities in Swiss Post's future e-voting system - Part 1". That was the first of a series of blog posts covering that system. During these two years I've been periodically assessing the security posture of this e-voting solution, as part of their Bug Bounty program, which I personally recommend. Since the first time I reviewed their codebase a lot of things have changed, for good, as many areas have been dramatically improved. To be honest, from a security perspective the codebase back then was kind of a mess. When the first Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community. As a result, some significant issues were uncovered, so eventually Swiss Post decided to suspend the deployment of the system. That first version had been developed by Scytl, a Spanish company specialized in electronic voting systems. After that fiasco, Swiss Post changed their approach, acquiring the source code from Scytl and moving to a transparent, open-source focused, in-house development process, which is where they are at now. I've already expressed my thoughts about e-voting, which is a thorny issue for many in the security community. Obviously, bearing in mind what is at stake, all kinds of concerns are expected, understandable, and actually, needed. That said, I think that it is also the responsibility of us security people to properly raise legitimate concerns, while keeping a technically accurate position. For me, this means properly understanding the scope, extent and context for both the e-voting solution and the threats it may face. This can be achieved by carefully studying the 'Protocol of the Swiss Post Voting System' document, which includes their threat model. The trust assumptions are a key concept to understanding Swiss Post's e-voting system. |
|
|
★★★
|
 |
2024-01-15 16:59:43 |
What Really Happened in Chernobyl During the Beginning of the Russian Invasion? (direct link) |
This blog post contains the web version of my research paper: "Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication", which was unveiled at BlackHat USA 2023. It is intended to ease the indexing and dissemination of the information collected during this research. In a few days, I'll be in Brussels presenting this research. The original paper (PDF) can be downloaded here. Additional references: https://www.wired.com/story/chernobyl-radiation-spike-mystery/ (Kim Zetter) https://www.zetter-zeroday.com/p/radiation-spikes-at-chernobyl-a-mystery (Kim Zetter) https://medium.com/war-notes/chornobyl-3-92216d21b223 (Olegh Bondarenko) INDEX: Foreword; Executive summary; Introduction; 1. Physical: 1986, Resuspension, Transport, Humidity, Traffic; 2. Cyber |
Malware
Vulnerability
Mobile
Industrial
Prediction
Cloud
Conference
Technical
Commercial
|
|
★★★
|
 |
2024-01-15 16:59:25 |
"Seeing Through the Invisible" - research materials (direct link) |
Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication. After many months of intense research, I'm finally releasing the paper that contains full technical details and collected evidence. I presented this research at BlackHat USA 2023 a few days ago. Kim Zetter published on |
Technical
|
|
★★★
|
 |
2023-10-20 17:13:53 |
Some thoughts on e-Voting vulnerabilities. (direct link) |
I'm a bit surprised by today's Schneier blog post " |
Malware
Vulnerability
|
|
★★★
|
 |
2023-10-08 11:35:58 |
Reversing 'France Identité': the new French digital ID. (direct link) |
-------------- Update from 06/10/2023: following my publication, I've been in contact with the France Identité CISO and they could provide more information on the measures they have taken in light of these findings: We would like to thank you for your in-depth technical research work on the "France Identite" app that was launched in beta a year ago and for which you were rewarded. As you know, the app is now generally available on iOS and Android through their respective app stores. Your work, alongside French cybersecurity agency (ANSSI) research, made us update and deeply modify the E2EE Secure Channel used between the app and our backend. It is now mostly based on TLS 1.3. Those modifications were released only a few weeks after you submitted your work through our private BugBounty program with YesWeHack. That released version also fixes the three other vulnerabilities you submitted. From the beginning of the "France Identite" program, it was decided to involve the cybersecurity community, launching first a private BugBounty program. We are now happy to announce the BugBounty program will soon be publicly available, and the source code published in early 2024. You and all security researchers are welcome to participate. -------------- More than a year ago I was invited to a private bug bounty with an unusual target: 'France Identité', the new French digital ID. The bug bounty program itself was disappointing to me, so I'd say that, likely, it wasn't necessarily worth my efforts, although I've been rewarded with some bounties for the reports. On the other hand, the scope was very interesting, so for me the technical part eventually made up for the negative aspects. It was a pure black-box approach against the preproduction version. I received a 'specimen' French ID card (carte d'identité), which obviously did not correspond to any actual citizen. However, I didn't get a PIN, so I couldn't fully cover all the functionalities implemented in the 'France Identité' system.
Now let's see what I found. Introduction: A relatively common approach to designing cost-effective, user-friendly, chip-to-cloud solutions is to leverage the communication capabilities of the user's mobile phone. As a result, instead of endowing the smart device (e.g., digital ID card) with all the required electronics and software that would enable it to autonomously transmit and receive data from the internet, the product is developed to use a short-range communication stack such as Bluetooth/NFC (something any modern mobile phone supports by default) and then an app in the phone creates a communication channel with the backend, thus acting as a bridge between both worlds. |
Vulnerability
Mobile
Technical
|
|
★★★
|
 |
2023-04-11 16:14:08 |
Losing control over Schneider's EcoStruxure Control Expert (direct link) |
During Q2 2022, given the geopolitical situation that unfolded after the Russian invasion of Ukraine, I decided it wouldn't hurt to kill some bugs in some of the major players in the ICS arena. I focused on the software frameworks that run on engineering workstations, so that, if they are compromised, attackers would be in a privileged position to manipulate the logic of the controllers, thus enabling sophisticated attacks with potential physical impact (i.e. Triton). I responsibly reported a bunch of unauthenticated bugs to the corresponding vendors. In one case, after being ignored for months, I had to resort to the 'Twitter, do your magic' approach and tweet that I would disclose the issues if the situation persisted. It only took a few hours for the vendor to get back to me. The positive side is that they found the bugs interesting and all this mess ended up in paid work. This blog post covers a similar scenario with another vendor: I reported these issues to Schneider on June 20 (2022), and they were then largely ignored for 9 months until I had to, once again, use the '0day' threat in order to get this situation 'fixed'. Workstation running Schneider Electric's EcoStruxure Control Expert. CVE-2023-27976 CVSS v3.1 Base Score 8.8 | High | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H This is mainly a design issue in the Service Oriented Device Bus (SE.SODB.HOST.EXE). This component is a fundamental part of the Control Expert architecture, supporting its 'topology' functionality, which allows interfacing with different types of industrial devices, including safety controllers. 'SE.SODB.HOST.EXE' exposes a specific set of web services, built on a |
Vulnerability
Threat
Industrial
|
|
★★★★
|
 |
2023-03-31 20:35:32 |
Beware of Java's String.getBytes (direct link) |
Sometimes there are subtle bugs whose origin can be found in certain quirks of the underlying language used to build the software. This blog post describes one of those cases so that fellow security researchers and developers who are not familiar with it become aware of this potentially vulnerable pattern. In fact, I'm pretty sure that bugs similar to the one described here probably affect a bunch of products/codebases. In previous posts, I've already described some bugs in Swiss Post's e-voting system. While reading their Crypto-Primitives specification, which, among other things, describes the Swiss Post hash algorithm, I noticed something potentially interesting. Basically, there are 4 different types that are supported: byte arrays, strings, integers and vectors. Before being hashed, strings are converted into a byte array via the 'stringToByteArray' algorithm. However, by comparing 'stringToByteArray' and 'byteArrayToString', we can find a significant difference: invalid UTF-8 sequences are only considered in the latter. Let's see how this was implemented in the code: File: crypto-primitives-master/src/main/java/ch/post/it/evoting/cryptoprimitives/internal/utils/ConversionInternal.java |
Vulnerability
|
|
★★★
|
 |
2023-02-14 14:58:31 |
Finding vulnerabilities in Swiss Post's future e-voting system - Part 1 (direct link) |
In September '21, I came across this story "Swiss Post Offers up to €230,000 for Critical Vulnerabilities in e-Voting System" while catching up with the security news. The headline certainly caught my attention as it looked like an outlier from the regular bug bounty programs or well-known exploit contests, not only for the announced rewards but mainly because of the target. So essentially Swiss Post, the national postal service of Switzerland, was opening to the general public a bug bounty program, using the YesWeHack platform, intended to uncover vulnerabilities in its future e-voting system. The first part of this blog post series will detail the approach used to analyze the Swiss Post e-voting system, as well as the first round of vulnerabilities that I reported during September/October '21. Index: Introduction; Approach; Attack Surface; Vulnerabilities: 1. Insecure USB file handling during 'importOperation' 2. Insecure 'ReturnCodeGenerationInput' signature generation allows vote manipulation 3. Lack of consistency check allows an adversary to forge the verificationCardId in SecureLog entries 4. Improper parsing of the request body when validating signatures for secure requests. Introduction: E-voting systems immediately raise concerns in a significant part of the security community. Not in vain, we are talking about systems that should be considered critical infrastructure, as they are intended to support a democratic election process. Therefore, these kinds of systems should provide the same guarantees regarding confidentiality, integrity and availability that current, let's oversimplify and say 'analog', election processes provide. However, security people usually don't trust computers and every day we see examples that certainly do not facilitate changing your mind on this aspect. That said, we implicitly trust the outcome of safety-critical computer operations happening every day in our lives: from the state estimator that guarantees we have a stable power grid, the train control systems providing a safe commute, or the avionics systems that keep you alive while flying. It doesn't mean those systems can't be hacked, but supposedly they are being supported to keep up with the attacks they may face, while still successfully performing the tasks modern societies rely on. I know, it's not a perfect scenario, but it is what it is. Although e-voting may not be suitable for every country, Switzerland seems to have a long tradition of referendums, and actually, they have already been using e-voting for many years. However, when the Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community. As a result, some significant issues were uncovered, so eventually Swiss Post decided to suspend the deployment of the system. The first version had been developed by |
Vulnerability
Threat
|
|
★★★
|
 |
2023-02-14 12:57:29 |
Finding vulnerabilities in Swiss Post's future e-voting system - Part 2 (direct link) |
Earlier this year I published Part I of this series of blog posts on vulnerabilities in Swiss Post's future e-voting system. That publication comprehensively explains the context, methodology and attack surface for the Swiss Post e-voting system, so it is highly recommended to go through it before reading this post, if you're really interested in getting the whole picture. This second round of bugs (reported during December '21 and January '22) includes multiple cryptographic vulnerabilities and a deserialization issue. For me, the most interesting issue is '#YWH-PGM2323-65', not only because it would have prevented ballot boxes from being decrypted during the tally phase, but also due to the potential design weaknesses that I'm coming across as a result of its analysis. Let's briefly discuss the reported issues before going into detail: [ID | Title | Reward (€) | Attack Surface Areas* | CVSS] #YWH-PGM2323-53 | Multiple unchecked length values during SafeStreamDeserialization may crash Control Components | 3500 | 3 & 4 |
Ransomware
Vulnerability
|
|
★★★
|
 |
2023-02-10 11:06:16 |
SATCOM terminals under attack in Europe: a plausible analysis. (direct link) |
------ Update 03/12/2022: Reuters has published new information on this incident, which initially matches the proposed scenario. You can find the update at the bottom of this post. ------ February 24th: at the same time Russia initiated a full-scale attack on Ukraine, tens of thousands of KA-SAT SATCOM terminals suddenly stopped working in several European countries: Germany, Ukraine, Greece, Hungary, Poland... Germany's Enercon moved forward and acknowledged that approximately 5800 of its wind turbines, presumably those remotely operated via a SATCOM link in central Europe, had lost contact with their SCADA server. In the affected countries, a significant part of the customers of Eutelsat's domestic broadband service were also unable to access the Internet. From the very beginning Eutelsat and its parent company Viasat stated that the issue was being investigated as a cyberattack. Since then, details have been scarcely provided, but a few days ago I came across a really interesting video in the following tweet. In the video, the Commander General Michel Friedling confirms that the incident originated in a cyberattack. However, he also provides a key detail that has the potential to turn a boring DDoS scenario, as some initially pointed out, into something much more interesting: "the terminals have been damaged, made inoperable and probably cannot be repaired". Based on the information publicly available and my experience researching SATCOM terminals, I'll try to present a plausible explanation for such a destructive attack. Introduction: Please note that this is merely a speculative exercise, although backed by realistic technical reasoning... anyway, probably I'm totally wrong. Back in 2014 and then in 2018 I presented at BlackHat USA two different papers mainly focused on evaluating the security posture of multiple SATCOM terminals, by uncovering a plethora of vulnerabilities and real-world scenarios across different sectors. Within these papers the reader can find an introduction to the SATCOM architecture, threat scenarios and some technical terms that will be used during this blog post. 2014 - A Wake-Up Call for SATCOM Security |
Tags: Vulnerability, Threat, Technical, Commercial | Stories: | Notes: ★★★★ |

2022-08-03 12:05:12 |
I'll have a Gamma Frappuccino, please. (direct link) |
A recent story has been making the rounds: "Hundreds of Nuclear Radiation Monitors Were Allegedly Hacked by Former Repairmen". Basically, it seems that more than a year ago two disgruntled employees sabotaged over 300 radiation monitoring devices, which were part of a nation-wide civil radiation monitoring network (RAR) in Spain. On top of that, they were apparently using the free WiFi of a Starbucks to carry out their activities. Obviously not being the sharpest tools in the box, they were eventually caught.

In this story there is a boring part, which is everything related to these guys and their motivations, and a slightly more interesting part, which is the underlying technology behind Radiation Monitoring Networks (RMN). In 2017 I presented at Black Hat USA "Go Nuclear: Breaking Radiation Monitoring Devices", so I thought it could be interesting to write a brief post to provide some context.

The NeverEnding Story: As in most 'disgruntled employee' attacks, the initial motivation behind the sabotage seems to be a 'poorly assessed' reaction to a troubled employment relationship. According to the information publicly released by the police, the attacks started in March 2021. Coincidentally, by using the public procurement portal of the Spanish State, we can find that in 2020 a public contract to support and maintain the RAR network was announced, as the one valid at that time was about to expire in February 2021. Anyway, if you're interested in the technology, public procurement documents always provide a lot of information when you are researching nation-wide systems. As expected, it is possible to find some interesting bits of information about the RAR network, including its topology, devices, deployments... The radiation monitoring devices are provided by Envinet. Indra seems to have developed some Data Acquisition Units as well as the Control System. |
Tags: Tool, Legislation, Industrial, Commercial | Stories: | Notes: ★★★ |

2022-06-08 17:36:48 |
De-Anonymization attacks against Proton services (direct link) |
In November 2021 YesWeHack invited me to take part in a private bounty program organized by bodke Suisse on behalf of Proton AG. The program's scope was quite interesting and heterogeneous, as it covered most of the applications and services offered by Proton, such as ProtonMail and ProtonVPN. As a result, several technologies and codebases were in scope, ranging from TypeScript, in the open-source part of ProtonMail, to .NET/Swift used by the ProtonVPN applications for Windows and macOS respectively. |
Tags: Vulnerability, Threat, Legislation, Industrial, Technical | Stories: | Notes: ★★★ |

2022-04-21 12:59:05 |
The guy with rudimentary tools who hyped things (direct link) |
I've just released new research that describes in detail the reverse engineering methodology and vulnerabilities found in a DAL-A, safety-critical, certified avionics component: Collins' Pro Line Fusion AFD-3700, a LynxOS-178 based system deployed in both commercial and military aircraft. At the time of writing this I don't know exactly what will happen after the disclosure. However, this time, I certainly know what will not happen. I understand this statement sounds a little bit cryptic, so you should keep reading to understand the context: where this situation is coming from and why this point has been reached.

Right, the title is probably more suited to a cheap sequel of Stieg Larsson's "Millennium" trilogy than to the usual technical content I publish over here, so I would kindly ask the fans of that saga to forgive me for taking that liberty. You'll understand the title afterwards. This post contains traces of a 'plot' spanning several years now. As a compulsive fiction reader I didn't want to miss this opportunity to follow a dramatic structure, thus having a little bit of fun out of a situation that, for me, has been anything but fun. That said, I've learnt a lot along the way, which is probably the only thing that paid off.

In this story there are no evil or good characters; I guess it's just people doing their job the best they can. Obviously there has to be some kind of conflict, which emerges from the fact that the nature of their jobs, although theoretically pursuing the same objectives, usually makes them clash. There is also an escalation of the action over the years, some plot twists included, until a high-tension moment is reached that determines how the conflict will be resolved. The resolution is yet to be written... As one would expect, I'll write this story from my perspective; others may have a different one. Let's start.

Index: 1. 2018, 2. 2019, 3. 2020, 4. 2021, 5. 2022, 6. Paper, 7. Personal Statement

2018. During a flight to Copenhagen, aboard a Norwegian Boeing 737, I noticed something weird in the In-Flight WiFi, which was provided by a satellite network. Once at the hotel I found out it was possible to reach, over the Internet through a misconfigured SATCOM infrastructure, tens of in-flight aircraft from different airlines. We coordinated |
Tags: Hack, Tool, Vulnerability, Threat, Studies, Industrial, Conference, Technical, Commercial | Stories: | Notes: ★★★ |

2022-04-05 20:09:00 |
VIASAT incident: from speculation to technical details. (direct link) |
34 days after the incident, yesterday Viasat published a statement providing some technical details about the attack that affected tens of thousands of its SATCOM terminals. Also yesterday, I finally got access to two Surfbeam2 modems: one was targeted during the attack and the other was in working condition. Thank you so much to the person who selflessly donated the attacked modem. I've been closely covering this issue since the beginning, providing a plausible theory based on the information that was available at that time and my experience in this field. Actually, it seems that this theory was pretty close to what really happened. Fortunately, now we can move from pure speculation to something more tangible, so I dumped the flash memory of both modems (Spansion S29GL256P90TFCR2, a 256 Mbit / 32 MB parallel NOR flash) and the differences were pretty clear. In the following picture you can see 'attacked1.bin', which belongs to the targeted modem, and 'fw_fixed.bin', coming from the modem in working condition. A destructive pattern that corrupted the flash memory, rendering the SATCOM modems inoperable, can be observed on the left, confirming what Viasat stated yesterday. After verifying the destructive attack, I'm now statically analyzing the firmware extracted from the 'clean' modem. The firmware version is 3.7.3.10.9, which seems to date back to late 2017. Besides talking about a 'management network' and 'legitimate management commands', Viasat did not provide any specific details about this. In my previous blog post I introduced the |
Tags: Malware, Vulnerability, Threat, Technical | Stories: | Notes: ★★★ |
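The flash comparison described in the Viasat entry above (dump the healthy and the attacked modem, then look for the destructive pattern) reduced to a script. This is an added example, not the blog author's tooling or Viasat's: it builds two constructed images in memory (a pseudo-random 'clean' image, and a copy with one region overwritten by a repeating 4-byte pattern and another erased to 0xFF), then reports every run of blocks that differs between them and classifies what was left behind in the attacked copy. The 4 KiB block size, the region offsets and the fill patterns are assumptions chosen for the demo; on real dumps you would pass the bytes of the two .bin files and set block_size to the chip's erase-sector size, since wipers and erase commands operate at that granularity.

```python
#!/usr/bin/env python3
"""Diff two flash dumps and characterise every region that changed.

Added example (not the blog author's code). Sample images are constructed
in memory so the script runs offline; for real dumps call diff_images() on
the bytes of the two .bin files.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096  # comparison granularity; assumption, set to the chip's sector size for real dumps


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill, ~8.0 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def describe_pattern(data: bytes) -> str:
    """Classify what was written over a region: erased flash, a constant byte,
    a short repeating pattern (typical of a wiper), or high-entropy content."""
    if all(b == 0xFF for b in data):
        return "erased (0xFF)"
    if len(set(data)) == 1:
        return f"constant fill 0x{data[0]:02x}"
    for period in range(2, 65):  # look for a repeating unit of up to 64 bytes
        unit = data[:period]
        if len(data) >= 2 * period and data == (unit * (len(data) // period + 1))[:len(data)]:
            return f"repeating {period}-byte pattern {unit.hex()}"
    return f"high-entropy data ({entropy(data):.2f} bits/byte)"


def diff_images(clean: bytes, attacked: bytes, block_size: int = BLOCK_SIZE) -> list[tuple[int, int, str]]:
    """Return (start, end, description) for each contiguous run of blocks that differ.

    Both dumps must come from the same chip with the same tool; a size mismatch
    usually means a partial or misaligned read rather than an attack."""
    if len(clean) != len(attacked):
        raise ValueError(f"image sizes differ: {len(clean)} vs {len(attacked)} bytes")
    regions = []
    start = None
    for off in range(0, len(clean), block_size):
        same = clean[off:off + block_size] == attacked[off:off + block_size]
        if not same and start is None:
            start = off
        elif same and start is not None:
            regions.append((start, off, describe_pattern(attacked[start:off])))
            start = None
    if start is not None:
        regions.append((start, len(clean), describe_pattern(attacked[start:])))
    return regions


def build_samples(size: int = 64 * 1024) -> tuple[bytes, bytes]:
    """Constructed test images (not real dumps): a pseudo-random 'clean' image and a copy
    whose 16-32 KiB range is overwritten with a 4-byte pattern and whose last 16 KiB is erased."""
    rng = random.Random(1)
    clean = bytes(rng.getrandbits(8) for _ in range(size))
    attacked = bytearray(clean)
    attacked[16 * 1024:32 * 1024] = b"\xde\xad\xbe\xef" * (4 * 1024)
    attacked[48 * 1024:] = b"\xff" * (16 * 1024)
    return clean, bytes(attacked)


if __name__ == "__main__":
    clean_img, attacked_img = build_samples()
    # With real dumps: clean_img = open("fw_fixed.bin", "rb").read(), and likewise for attacked1.bin
    for start, end, what in diff_images(clean_img, attacked_img):
        print(f"0x{start:08x}-0x{end:08x} ({(end - start) // 1024} KiB): {what}")
```

The classification step is what turns a hexdump screenshot into evidence: a region that reads back as 0xFF was erased (the state of NOR flash after a sector erase), a short repeating unit points to a deliberate overwrite loop, and a high-entropy region that differs from the clean image is worth a second look before calling it damage, since it may simply be a log or configuration partition that legitimately changed between the two units.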