We use many different applications, various portals and social networks on a daily basis and for many of them we choose (or are forced) to have an account. In order to reduce the risk of account getting hacked and personal information being leaked, everyone can start with an ordinary thing – credential security. The best way to protect your personal information is to use physical keys such as Titan Security Key, YubiKey or Latvian eID card, or usage of specific authentication apps on smartphones such as Microsoft Authenticator, andOTP, Smart-ID, Authy, etc. Backup codes should also be stored securely so that access is recoverable in case the authenticator is lost or breaks down. If the usage of physical keys or applications is not possible and we use the basic password for identity confirmation, we can protect our accounts and profiles by creating a strong password and changing it from time to time.
Continue readingCategory Archives: Security
Dynamic content in secure digital signatures
One of essential functions of digital signatures is to guarantee the integrity of the signed data. That is achieved by encrypting the data (its checksum) with one of the asymmetric cryptography algorithms. When you make changes to the signed data, the checksum no longer corresponds to the value included in the signature, so the signature can be identified as invalid.
However, in real life, the data to be signed is often far more complicated than plain-text strings. When digitally signing document files, it is only guaranteed that the binary content of the document file is exactly as it was at the time of signing. However, it does not say anything about whether the visual representation or the document contents in the applications displaying these documents is the same.
We are demonstrating a number of ways in which, by using various functions available in .docx and .odt formats, it is possible to create documents whose file contents are unchanged and thus are not raising any doubts about the validity of the digital signature, but in which the actual content displayed to the user may vary.
Continue readingVulnerabilities of Milesight IP security cameras
Internet of Things is becoming ever more popular, and vendors seek to capitalize on that: nowadays the manufacturing process of some security cameras is more alike to that of an Internet of Things device, rather than a security device. This reckless attitude undoubtedly leads to security vulnerabilities in critical systems.
Our lead researcher Kirils Solovjovs participated in IT security conference “Cyberchess 2016” jointly organised by CERT.LV and ISACA Latvia, where he presented his research on the security of Milesight IP security cameras. Multiple major security vulnerabilities were presented (CVE-2016-2356, CVE-2016-2357, CVE-2016-2358, CVE-2016-2359, CVE-2016-2360). The presence of vulnerabilities in the wild was verified in cooperation with CERT.LV by testing a Latvian public institution with more than 100 products by this vendor.
Given that vendor is located outside EU, Kirils initiated an international responsible disclosure process, working with the vendor, CERT.LV, the public institution, the installer, HackerOne Inc., and CERT/CC.
The presentation covers the technical aspects of vulnerabilities (presented publicly for the first time), lessons learned, and recommendations to security officers and policy makers. Video recording is also available.