Rigging the Vote: Uniqueness in Verifiable Random Functions
This blog post presents a whirlwind overview of Verifiable Random Functions (VRFs) as used by several leading-edge blockchains, and shows how a very interesting and recently found implementation oversight causes the VRF’s assurance of uniqueness to fall apart. As VRFs are commonly used for selecting blockchain consensus voting committees, this can result in a rigged […]
Public Report – Kubernetes 1.24 Security Audit
NCC Group was selected to perform a security evaluation of Kubernetes 1.24.0 release in response to Kubernetes SIG Security’s Third-Party Security Audit Request for Proposals. The testing portion of the audit took place in May and June 2022. The global project team performed a security architectural design review that resulted in the identification of findings […]
Detecting Mimikatz with Busylight
In 2015 Raphael Mudge released an article [1] that detailed that versions of mimikatz released after 8th of October, 2015 had a new module that was utilising certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required certain kind of busylights that […]
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
The healthcare sector and ransomware attacks appear together frequently in the media. Since before the start of the pandemic rarely a week goes by without at least one story about a healthcare organisation falling victim to a ransomware attack. We often hear about the financial impact these attacks have or how they can affect patient safety, but […]
Public Report – Lantern and Replica Security Assessment
From September 28th through October 23rd, 2020, Lantern – in partnership with the Open Technology Fund – engaged NCC Group to conduct a security assessment of the Lantern client. Lantern provides a proxy in order to circumvent internet censorship. This assessment was open ended and time-boxed, providing a best-effort security analysis in a fixed amount […]
Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs
by Drew Wade, Emily Liu, and Siddarth Adukia TL; DR We studied a range of Canadian provinces’ proof-of-vaccination apps to analyze their associated security and privacy properties. In particular, building on prior work in which some of us created an assessment framework for evaluating the security privacy of vaccine passports, in this post, we discuss […]
Assessing the security and privacy of Vaccine Passports
There has been a lot of development lately in the field of health credentials, especially in the field of vaccine credentials. This has largely been driven by a perceived need to track and validate an individual’s vaccination status with respect to COVID-19. This post attempts to explore the security and privacy concerns related with vaccine […]
Practical Considerations of Right-to-Repair Legislation
Background For some time there has been a growing movement amongst consumers who wish to repair their own devices in a cost effective manner, motivated to reduce their expenses, and reduce e-waste. This is becoming ever more difficult to achieve as devices reach ever higher levels of complexity, and include more electronics and firmware. The […]
Tool Release – Solitude: A privacy analysis tool
Created by Dan Hastings and Emanuel Flores Solitude is an open source privacy analysis tool that enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an […]
Domestic IoT Nightmares: Smart Doorbells
Preface Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of […]