The call for papers for Hardwear.io 2023 in the Netherlands is now open. It will take place November 2nd through the 3rd, 2023 at the Marriott Hotel, The Hague, Netherlands.
ec87fd1f62c43c5094a8b7edcbb92181ee748aea83102c2abf02a405cf32899b
Whitepaper titled Everyone Knows SAP, Everyone Uses SAP, Everyone Uses RFC, No One Knows RFC: From RFC to RCE 16 Years Later.
ec3e058c8f83be6779103d8bb8f9cdbd4b8c1663435f67a9d7c36923c7afe54a
The expressiveness of Turing-complete blockchains implies that verifying a transaction's validity requires executing it on the current blockchain state. Transaction fees are designed to compensate actors for resources expended on transactions, but can only be charged from transactions included in blocks. In this work, the authors show that adversaries can craft malicious transactions that decouple the work imposed on blockchain actors from the compensation offered in return by introducing three attacks.
68b4adbac9a02de43d43f0c0b285dc603d363d3be1f6185ba4fe1c00129c1969
Whitepaper called Bughunter's Life-Style: A DIY guide to become an alone long time bughunter for ordinary people. Written in Spanish.
492728ae51fe482711c11af1be87bba75442f0506b3f42fe800bfc028dd68d50
In this paper, the authors present the efforts behind building a Special Interest Group (SIG) that seeks to develop a completely data-driven exploit scoring system that produces scores for all known vulnerabilities, that is freely available, and which adapts to new information.
8226a3dc718a8972e22524b28b782a704c31078e7997a2ddd07aeb9c9608798f
The Call For Papers for nullcon Goa 2023 is now open. Nullcon is an information security conference held in Goa, India. The focus of the conference is to showcase the next generation of offensive and defensive security technology. It will take place September 23rd through the 24th, 2023 at the Birla Institute of Technology and Science (BITS) Pilani, Goa.
4a4d540392f90a1bf90132873bf5cebdace3aaa1fb17e07615a0a45bb57e9928
In this paper, the authors provide an in-depth analysis of the Not-Too-Safe Boot technique, which has been designed to remotely bypass endpoint security solutions such as antivirus (AV), endpoint detection and response (EDR), and anti-tampering mechanisms. This method builds on a local execution technique first published in 2007 and later used in a real-world scenario by ransomware in 2019.
4ab12a59151aa94280a3b9d4b96f18a83bea50df9c1d7059e19c8266fbd31001
This whitepaper illustrates different machine learning techniques for anomaly detection relating to bank transactions.
7c0d7aa12a9030c384da45dec3261c2fd038115e1291526f413603a7bf272956
The World Cryptologic Competition (WCC) 2023 is a fully-online and open competition using GitHub. The language of the competition is English. The WCC 2023 has a total duration of 295 days, from Sunday January 1st 2023 to Monday October 23rd 2023. Teams and Judges must complete registration before Wednesday June 1st.
12848db5eecde474ede8125eed53f5c8e8e8198f50e1cd86053ead35891713eb
B-Sides Ljubljana will be held June 16, 2023 in Ljubljana, Slovenia.
a8a7fd33b3af62a91c8455b5929954ee7b0ebda0b1976fcd6027df433714ce33
This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak was submitted to the National Institute of Standards and Technology (NIST) SHA-3 hash function competition in January 2011, and is present in the eXtended Keccak Code Package (XKCP) of the Keccak team. It affects all software projects that have integrated this code, such as the scripting languages Python and PHP Hypertext Preprocessor (PHP). The vulnerability is a buffer overflow that allows attacker-controlled values to be eXclusive-ORed (XORed) into memory (without any restrictions on values to be XORed and even far beyond the location of the original buffer), thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective.
e5ce94c802fc96b96a37593074295283819a7abf859a04a1c1cbfcdb566dcdb1
CRYSTALS-Kyber has been selected by NIST as a public-key encryption and key encapsulation mechanism to be standardized. It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it important to evaluate the resistance of CRYSTALS-Kyber's implementations to side-channel attacks. The unprotected and first-order masked software implementations have already been analysed. In this paper, the authors present deep learning-based message recovery attacks on the ω-order masked implementations of CRYSTALS-Kyber on an ARM Cortex-M4 CPU for ω ≤ 5. The main contribution is a new neural network training method called recursive learning. In the attack on an ω-order masked implementation, they start training from an artificially constructed neural network M_ω whose weights are partly copied from a model M_{ω−1} trained on the (ω − 1)-order masked implementation, and then extended to one more share. This method allows them to train neural networks that can recover a message bit with probability above 99% from high-order masked implementations.
bb8f1a666a9bb3b7ef38e7e61e8980c7e3efb86a13dead4ae283a439aa94aded
This paper goes over common components of broadcast systems, how hackers take advantage of them, and discusses some of the vulnerabilities discovered.
1467a96747d9321ba7a659e074789337bc6efc1d4621b6ec26b5fdf38e1ca678
The Wordfence Threat Intelligence team has released their 2022 State of WordPress Security report. In the report, they look at changes in the threat landscape, analyze impactful trends, and provide recommendations based on their findings.
833a6664e11b54321c4268553ac08e81c3b99e65165b4e44d62207f09cc2fb5c
The t2'23 Call For Papers has been announced. It will take place May 4th through the 5th, 2023 in Helsinki, Finland.
2235f9a9ede909195456aaef9036e5789bbe845b4ac330ad569f0d005760ac7e
Whitepaper called DensePose From WiFi. It discusses how scientists from Carnegie Mellon University have figured out how to map a human's 3D form by using two WiFi routers.
79e410d611cf1fce59906fb6029e819c60c9ad628363ca5b29efc9728ff69195
In this paper, the author subjects the vulnerable web application vulnweb.com, developed by Acunetix, to security tests. Acunetix is a web application where we can perform legal penetration tests. The author discusses how to infiltrate the target system by acting as a real hacker through this application. Written in Turkish.
9452d8ba127e646598688770379f1d68ad85c10e81be8c7238597d9d656014c1
This is a brief whitepaper that discusses some basic fundamentals for approaching secure design of an application.
c962e90a506a04f9658f44421b9bf8e4b0339a1755b66c5c193c109f722ea574
EuskalHack Security Congress sixth edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks. This exclusive conference is shaping up as the most relevant in Basque Country, with an estimated 200 attendees for this sixth edition. The participants include specialized companies, public organisms, state security organizations, professionals, hobbyists and students in the area of security and Information Technology. The date for the conference is the 23rd and 24th of June 2023 in the lovely city of Donostia San Sebastian.
eb3ffa1da9807b837a3317ded516298ccef5fca21861e6fdeb5eed21bc5c6eed
BSidesSF is soliciting presentations, workshops, and villages for the 2023 annual BSidesSF conference. It will be located at City View at the Metreon in downtown San Francisco April 22nd through the 23rd, 2023.
155076340b81d26d3d2bd8aa8310d074feff7f8a583b03a687abd01754152f90
This is a whitepaper along with a proof of concept eml file discussing CVE-2020-16947 where a remote code execution vulnerability exists in Microsoft Outlook 2019 version 16.0.13231.20262 when it fails to properly handle objects in memory.
e10886839475e813dff9362bc048392f047b424255b849ca304a468b0daa17a3
This is a whitepaper along with a proof of concept eml file that demonstrates an out-of-bounds read on Outlook 2019 version 16.0.12624.20424. NIST references this issue as simply an information disclosure.
d7cbdf78b8d88b5ef4f17ae322717c6adec1d335f3eddae9fc75f883c66bbc76
This is a whitepaper discussing CVE-2020-1349 where a remote code execution vulnerability exists in Microsoft Outlook 2019 version 16.0.12624.20424 when it fails to properly handle objects in memory.
0cbeab94a42718d9dc0fbddcb25e670799fb9171ff9f4aa0d640945941711759
PatrIoT provides a four-stage IoT vulnerability research methodology built on top of four key elements: logical attack surface decomposition, compilation of top 100 weaknesses, lightweight risk scoring, and step-by-step penetration testing guidelines. The proposed methodology is evaluated with multiple IoT products. The results indicate that PatrIoT allows cyber security practitioners without much experience to advance vulnerability research activities quickly and reduces the risk of critical IoT penetration testing steps being overlooked.
7ef04fa8b69b383da473db2f732cbb05957268406e540aab12aa566dc3408119
The Nullcon Berlin 2023 Call For Papers is open. It will take place March 9th through the 10th, 2023 in Berlin, Germany.
fe1cb7a63d18537e4b4b907db517cecd2187c370eebe4852d306e3dc81a202d3