En Febrero de 2017 se reportó la vulnerabilidad conocida como Return of Coppersmith’s Attack (ROCA) con CVE-2017-15361 y que afectó entre otros dispositivos a una gran cantidad de DNIs electrónicos con chip gemalto. La solución aplicada en el caso de los DNIs fue revocar (impedir uso futuro) las claves afectadas y expedir nuevas claves de […]
Continue readingCategory: Seguridad
Some notes on cipher choices and TLS1.3
After some discussion about TLS1.3 and ciphers with a few colleagues, I have decided to write a short summary of “the basics” you need to know as a developer. Here I will also explain shortly a bit which niche each of the 5 ciphers aims for and what the hash function they contain is actually […]
Continue readingWeaponizing squirrels (or why I can’t recommend SQRL)
After seeing Steve Gibson’s talk about SQRL today it just occured to me how easy it would be to weaponize SQRL to effectively attain permanency on systems. Below I’ll present a few attack scenarios that can give an idea of some of the vulnerabilities of the system that make me uncomfortable.
Continue readingSecurity Fest CTF *-bit challenges, organizer writeup
I wrote the 128-bit, 512-bit and 1024-bit challenges for the Security Fest CTF, this year’s topic was Swordfish so the challenges follow the idea of the quotes being used in the movie regarding 128-bit, 512-bit and 1024-bit ciphers. Sadly, neither of the challenges were solved despite my best attempts. In this post I’ll explain how […]
Continue readingAssured MQTT challenge write-up
In this write-up I’ll cover my solution to Assured’s MQTT challenge, I’ll also explain what their intended solution was.
Continue readingPaF||STFU
If you have been working in the IT security industry, you have probably heard CISOs (Chief Information Security Officers) complain about how companies fail at improving their security and pentesters complain about how their findings are ignored by companies. Whilst there is clearly no one-size fits-all solution to such problems, in this post I will […]
Continue readingA way to improve control flow security on existing ISAs
I have though of a reasonably simple way to improve control flow security with an already existing ISA. I’m noting it down for my own future reference.
Continue readingChallenge writer Write Up: Security Fest 2018 CTF challs
Hi! In this post I will note down my procedure for coming up with the challenges for SecurityFest CTF. The idea is explaining my side of the creative process in the hope that it can be useful to other people organizing CTFs. I will finish sharing some personal experience on the other stages of the […]
Continue readingDescifrando las bases de datos del referéndum catalán
A través del enlace de un amigo he acabado en una página dónde se muestra a los votantes del referéndum catalán la ubicación de la urna dónde se debe votar. Como de costumbre, me ha podido la curiosidad y me he puesto a analizar como funcionaba el sistema. La verdad es que usan un sistema […]
Continue readingUsing secure pseudonymous identifiers to protect identification numbers
By now you probably have read of the Equifax data leakage. This reminded me of the idea of secure pseudonymous identifiers I had been thinking on for some time. Secure pseudonymous identifiers make use of cryptography to make it hard or impossible to recover the original identifiers representing a specific person. To be sincere, I […]
Continue reading