BLAKE2X: Unlimited Hashing

BLAKE2 is one of the most popular hash functions today, it’s more secure than the legacy standard SHA-2, and it’s faster than the newer standard SHA-3. BLAKE2 is also used in the latest cryptocurrency Zcash, in the Argon2 password hashing scheme, and is available in popular libraries such as OpenSSL of libsodium. But BLAKE2 didn't cut … Continue reading BLAKE2X: Unlimited Hashing

Black Hat talk on SGX

Greetings from Vegas! Luis and I just gave our Black Hat talk SGX Secure Enclaves in Practice: Security and Crypto Review. It's the first public report about Intel's Software Guard Extensions (SGX) based on actual SGX hardware and on Intel's software development toolchain for Windows and Linux. We showed some undocumented parts of SGX and we released … Continue reading Black Hat talk on SGX

Insomni’hack 2016: microwave writeup

This is a write-up for the microwave pwn of Insomni'hack CTF (first published on deadc0de.re). Following binaries were given: microwave_61f50dba931bb10ab3089215b2e188f4 libc.so.6 Those are both available here The program The program simulates a microwave able to connect to twitter and tweets your favorite food. There are 4 options: Connect to Twitter account: asks for username and … Continue reading Insomni’hack 2016: microwave writeup

Insomni’hack 2016: Pcapbleeding writeup

The Insomni'hack conference and CTF happened last Friday in Geneva, as usual it was a lot of fun. And as usual, Dragon Sector won the CTF, beating a few other world-class teams that made the trip for this on-site jeopardy CTF. About 80 teams registered, and the final ranking looks as follows for the first … Continue reading Insomni’hack 2016: Pcapbleeding writeup

The NORX Bug Bounty Program

This post is on behalf of the team that designed the cipher NORX, namely Philipp Jovanovic (EPFL), Samuel Neves (Uni Coimbra), and JP Aumasson (Kudelski Security). Are you a cryptanalysis-ninja with differentials, boomerangs, and bicliques being your weapons of choice? Do you know what IND-CPA, IND-CCA{1,2}, and INT-{P,C}TXT actually mean and that querying random oracles … Continue reading The NORX Bug Bounty Program

Honey! Where is my POS??

Introduction Not a month goes by without news about another new POS (point-of-sale) malware or credit card data breach. Obviously, details of this kind of breach cannot be made public (banks, ongoing investigation, reputation …). But what do we know really about POS malware? Can we create groups of malware and relate them to groups of cyber … Continue reading Honey! Where is my POS??

Crisis vs. Risk Management – know the difference and account for the unforeseeable

Account for non-obvious and unidentified risks   Risk identification is mostly a mental process, which from data analysis (i.e., processes, past events, financials figures, logs, analytics, etc.) and interviews lead to a list of identified risks. Whatever the volume of data, the number of interviews, the cleverness, and mental or computer calculation power applied to … Continue reading Crisis vs. Risk Management – know the difference and account for the unforeseeable