Skip to navigation Skip to main content Skip to footer

Research Blog

Insights and research from our global cybersecurity team.

Filter content

Reset filters

Public Report – Keyfork Implementation Review

In April 2024, Distrust engaged NCC Group’s Cryptography Services team to perform a cryptographic security assessment of keyfork, described as “an opinionated and modular toolchain for generating and managing a wide range of cryptographic keys offline and on smartcards from a shared mnemonic phrase”. The tool is intended to be run on an air-gapped system […]


Public Report – AWS Nitro System API & Security Claims Italian

In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in Italian this review may be downloaded below: The original Public Report […]


04 Mar 2024

Public Report – AWS Nitro System API & Security Claims French

In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in French this review may be downloaded below: The original Public Report […]


04 Mar 2024

Public Report – AWS Nitro System API & Security Claims Spanish

In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in Spanish for this review may be downloaded below: The original Public […]


04 Mar 2024

Public Report – AWS Nitro System API & Security Claims German

In the last calendar quarter of 2022, Amazon Web Services (AWS) engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. The Public Report in German for this review may be downloaded below: The original Public […]


04 Mar 2024

Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling

Authored by: Jesús Miguel Calderón Marín Introduction Two years ago I carried out research into online casino games specifically focusing on roulette. As a result, I composed a detailed guide with information on classification of online roulette, potential vulnerabilities and the ways to detect them[1]. Although this guideline was particularly well-received by the security community, […]


Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability

Vendor: Eclipse MosquittoVendor URL: https://mosquitto.org/Versions affected: <= 1.4.15Systems Affected: Mosquitto BrokerAuthor: Daniel Romero – daniel.romero[at]nccgroup[dot]trustAdvisory URL / CVE Identifier: CVE-2017-7654Risk: High (The memory leak vulnerability can lead to a Denial of Service) Summary A Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial […]


29 Aug 2018

Symantec Messaging Gateway Out of band stored XSS delivered by email

Summary Name: Symantec Messaging Gateway – Out-of-band stored-XSS delivered by emailRelease Date: 30 November 2012Reference: NGS00268Discoverer: Ben WilliamsVendor: SymantecVendor Reference:Systems Affected: Symantec Messaging Gateway 9.5.3-3Risk: CriticalStatus: Published TimeLine Discovered: 17 April 2012Released: 17 April 2012Approved: 29 April 2012Reported: 30 April 2012Fixed: 27 August 2012Published: 30 November 2012 Description I. VULNERABILITY Symantec Messaging Gateway 9.5.3-3 – […]


05 Nov 2015

Time Trial: Racing Towards Practical Remote Timing Attacks

Daniel Mayer (daniel@matasano.com)Joel Sandin (jsandin@matasano.com)August 7, 2014


07 Aug 2014