Public Report – Keyfork Implementation Review
In April 2024, Distrust engaged NCC Group’s Cryptography Services team to perform a cryptographic security assessment of keyfork, described as “an opinionated and modular toolchain for generating and managing a wide range of cryptographic keys offline and on smartcards from a shared mnemonic phrase”. The tool is intended to be run on an air-gapped system […]
Public Report – AWS Nitro System API & Security Claims Italian
In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in Italian this review may be downloaded below: The original Public Report […]
Public Report – AWS Nitro System API & Security Claims French
In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in French this review may be downloaded below: The original Public Report […]
Public Report – AWS Nitro System API & Security Claims Spanish
In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in Spanish for this review may be downloaded below: The original Public […]
Public Report – AWS Nitro System API & Security Claims German
In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in German for this review may be downloaded below: The original Public […]
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Authored by: Jesús Miguel Calderón Marín Introduction Two years ago I carried out research into online casino games specifically focusing on roulette. As a result, I composed a detailed guide with information on classification of online roulette, potential vulnerabilities and the ways to detect them[1]. Although this guideline was particularly well-received by the security community, […]
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Vendor: Eclipse MosquittoVendor URL: https://mosquitto.org/Versions affected: <= 1.4.15Systems Affected: Mosquitto BrokerAuthor: Daniel Romero – daniel.romero[at]nccgroup[dot]trustAdvisory URL / CVE Identifier: CVE-2017-7654Risk: High (The memory leak vulnerability can lead to a Denial of Service) Summary A Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial […]
Symantec Messaging Gateway Out of band stored XSS delivered by email
Summary Name: Symantec Messaging Gateway – Out-of-band stored-XSS delivered by emailRelease Date: 30 November 2012Reference: NGS00268Discoverer: Ben WilliamsVendor: SymantecVendor Reference:Systems Affected: Symantec Messaging Gateway 9.5.3-3Risk: CriticalStatus: Published TimeLine Discovered: 17 April 2012Released: 17 April 2012Approved: 29 April 2012Reported: 30 April 2012Fixed: 27 August 2012Published: 30 November 2012 Description I. VULNERABILITY Symantec Messaging Gateway 9.5.3-3 – […]
Time Trial: Racing Towards Practical Remote Timing Attacks
Daniel Mayer (daniel@matasano.com)Joel Sandin (jsandin@matasano.com)August 7, 2014