Exploring security vulnerabilities in NFC digital wallets
NFC-based devices, such as mobile digital wallets, contactless smart cards, and security keys (hardware authentication devices), are exposing users to NFC vulnerabilities in encryption, replay and side-channel attacks.
Smart contract security audit: tips & tricks
Smart contract security audit is very different from traditional application security audit. Smart contracts are immutable, they interact with each other and transfer user funds between accounts. Unique threat landscape brings unique challenges.
Introduction to automated security testing
Keep your code shipshape and reduce vulnerabilities with automated security testing. Delve into ways and tools of software security testing that developers and platform engineers can set up and automate to make apps more secure.
Cryptographic failures in RF encryption allow stealing robotic devices
Stunned by losing their robotic devices, [REDACTED] learnt that they were hijacked by attackers even with communication being encrypted. Having researched its firmware and found numerous cryptographic failures, we've crafted a few demos on how cryptography goes wrong in real life.
RepoMetaScore: evaluating supply chain risks of open-source repositories
Releasing RepoMetaScore (repository metadata scoring): a dependency checking tool that analyzes metadata of open-source project, including commit history and contributors’ background. RepoMetaScore calculates risk rating, makes supply chain risks visible and prevents weaponizing OSS.
Cossack Labs stands on guard for security of Ukrainian companies
Cossack Labs stands with Ukraine and offers free security assessment and engineering services for Ukrainian companies to improve country protection and resilience.
Security of React Native libraries: the bad, the worse and the ugly
How to select a secure React Native library for your app. Sort out improper platform usage, easy to misuse API, deprecated and abandoned libraries – check our research of the React Native ecosystem security.
Crypto wallets security as seen by security engineers
Read about building secure crypto wallets and issues we found when doing crypto wallet security audits. Hot non-custodial wallets store private keys, sign crypto transactions, and claim to be secure. But are they?
Shared responsibility model in cloud security: mind the gap
Understanding cloud security # In this article, we observe security responsibility of cloud providers: where it ends, what are the gaps and grey areas, and what risks security teams should take into account when using “as a service” platforms. So, you’re planning your new business in an area where security matters, and you start thinking about choosing your cloud provider to build your application on. Typically, you start juggling with a combination of all the nice building blocks you need and financial aspects you’re facing.
React Native security: things to keep in mind
React Native security: what developers and team leads need to know. Handle risks and threats, prevent typical security mistakes, follow best engineering practices — learn from our experience.
Audit logs security: cryptographically signed tamper-proof logs
Logs, audit logs, and security events are must-have components of a secure system, which help to monitor ongoing behaviour and provide forensic evidence in case of an incident. Let’s cut through complexity. In this article, we cover cryptographically signed audit logging, aka “secure logging”, when logs are generated in a certain way which prevents tampering messages, removing, adding or changing the order of log entries. We explain why signed logs are essential for security software, how we’ve built-in secure audit logging in Acra, and how to use it together with other defense in-depth layers in your systems.
How to build OpenSSL for Carthage iOS
Imagine your builds going red because of an outdated OpenSSL that is used by one of your Carthage dependencies. In this story, we share scripts, error messages, testing matrix, and a working solution we used for Themis to prevent such a situation.
Lift & Shift: cloud security strategy
Intro # When companies move their infrastructures into the cloud, provisioning resources and configuring them to emulate their initial infrastructure — a practice called “lift and shift” — or migrate the existing solutions from one platform to another, something inevitably migrates together with all the code and assets: their security assumptions . The security assumptions affect the major security bottleneck — security team’s time and priorities. And the on-premises threat model and security priorities are very different from cloud-based.
How to prepare for data security issues
Understanding data security issues # The first thing that comes to mind when one thinks about security issues is typically some poorly written code that is prone to RCE, XSS, and similar attacks. But hardly anyone deliberately sets out with “I’m going to write some really bad, vulnerable code today!” intent in mind. Code is always written for a reason, driven by functional demands, culture, and processes. From a software engineer’s point of view, fixing a security issue equals removing an opportunity to exploit something.
Implementing End-to-End encryption in Bear App
Bear with us! 🐻 # The latest release of a popular note-taking app Bear contains a new feature — end-to-end encryption of user notes. Cossack Labs team worked closely with the amazing Bear team to help deliver this feature. We are rarely allowed to disclose the details of our custom engineering work, but Bear team was awesome enough to let us highlight some important aspects of work done for them.
Install Acra 1-Click App through DigitalOcean Marketplace
Cossack Labs has recently joined the DigitalOcean Marketplace family following our mission to make high-end security tools available to the general developer audience in a convenient fashion. Acra encryption suite is one of the first data security and encryption tools on DigitalOcean Marketplace and it is now available as 1-Click App running in DigitalOcean Droplet . Acra provides selective encryption, multi-layered access control, SQL firewall (SQL injection prevention), database leakage prevention, and intrusion detection capabilities as server deployed in your infrastructure (on prem or in cloud).
Defense in depth security strategy based on data encryption
Intro # Any set of security controls deployed in your infrastructure may fail. Given enough pressure, some controls will certainly fail. No surprises here, but the question is – how to build our systems to make security incidents less damaging in case of a failure of some components? How to prevent data leaks even in case of a successful data breach? Building security tools , we strive towards defense in depth approach.
How to prevent SQL injections when WAF’s not enough
Can WAF prevent SQL injection? What is the biggest threat to a tool that prevents unauthorised database access? Requests from the application side that trigger data leakage. Namely, SQL injections and other application attacks that allow attackers to craft custom SQL queries. How can we prevent that? The standard industry response is obvious — input sanitization, web application firewalls (WAFs), and prepared statements are typically used for addressing these concerns.
Blockchain & GDPR: dos and don’ts while achieving compliance
On blockchain and GDPR As cryptographers who develop data security tools that heavily involve cryptography (surprise surprise), we get asked a lot of questions about “crypto”. Unfortunately, not “cryptozoology”* crypto, but neither it is cryptography. Very often it is about blockchain. More and more tools claim to have “unprecedented levels of security” or “GDPR compliance & security by design” when using security designs based on blockchain and distributed consensus systems.
GDPR for software developers: implementing rights and security demands
A methodical software developer’s perspective on mapping privacy regulations to changes in the database structure, updates in DevOps practices, backups, and restricted processing. GDPR and software development After 2 years of fearful anticipation, GDPR is finally here, in full effect starting with May 25, 2018. A considerable number of clients who've entrusted their data to our solutions keep asking a lot of questions in one or another way related to GDPR.
Poison Records in Acra – Database Honeypots for Intrusion Detection
Poison Records in Acra Intro When naming our special type of data containers created for raising an alarm within Acra-powered infrastructures, we were sure we’ve seen the term “poison records” used elsewhere in the same context. This particular technique in out of the box solution was first offered by us (if it wasn’t, let us know! We'd like to know more about their backstory :)). In a way, poison records are very much like passive honeypots, but their mechanics of work is completely different.
13 tips to enhance database and infrastructure security
Article updated in 2019. Previously in the series... Previously, we’ve talked about design patterns best practices in backend security, then about key management goals and techniques. It is important to understand that database security evolved with system administration techniques and programming demands, with cryptography and access controls being complementary features, rather than cornerstones. In classic designs, there are two important drawbacks: Trust tokens: they rely on storing trust tokens somewhere inside the infrastructure;
Why making Internet safe is everyone’s responsibility
Responsibility is yours, mine, and that developer's in the office nearby. Open any tech news aggregator and chances are, one-third of all news will be security-related. What we are seeing right now is insane raise of awareness to cyber security, dictated by security threats suddenly turning looming on the horizon to dangerously close to anybody on the Internet. It is not your typical buzzword market fad, where everyone suddenly gets interested in next exciting topic in the development of modern tech, looking for ‘wild opportunities’.
Key management in data security: fundamentals
Key management in security system Frequently overlooked, much less hyped than quantum computers breaking trapdoor functions, managing keys is actually the most important part of building a security system. Secret keys, public-private key pairs, passwords and other factors of authentication are the control vessels within security system. In this article, we will go through basic key management concepts, explain some important ideas for next articles and provide some practical advice you can start implementing within your application tomorrow.
Backend security: design patterns best practices
This article was revisited and updated in August 2018. In modern client-server applications, most of the sensitive data is stored (and consequently leaked) on the backend. At Cossack Labs, we’re working on novel techniques to protect the data within modern infrastructures. We talk to engineers across industries about these techniques quite a lot too. However, it is still not uncommon to see infrastructures without even the basic classic database defence patterns.
Zero Knowledge Protocols without magic
When we’ve first released Secure Comparator to use in our Themis crypto library and started talking about novel authentication concepts, we’ve encountered a few common misconceptions and plenty of magical thinking about Zero-Knowledge Proofs as a phenomenon. In this post, we’ll talk about some of them, tie ZKP authentication to traditional security models, and help you gain a better understanding of how authentication, in general, should work. Understanding authentication and Zero-Knowledge Proof Protocols What is authentication, anyway?
Perimeter security: avoiding disappointment, shame and despair
Perimeter security: looking back Over the years, the Internet has evolved, and complex systems facing the Internet have evolved too. Traditional security methodology to defend these systems was to build strong walls around your most valuable assets: build a castle and hope it stands against the external adversary. We’ve invested into firewalls, data leakage prevention systems, intrusion detection of all sorts. And what’s behind these walls? Whatever it is, it’s protected, we’ve thought for a long time.
Choose your Android crypto (Infographic)
Why do I even need to choose? Warning: This article borrows a lot from our original Choose your iOS Crypto publication, so if you've read that one, feel free to skip ahead to the libraries and ending notes about the actual Android specificities. When building your next app, you might realise that you need to encrypt the data. There are two main reasons for that: transmitting sensitive data to the server and back
Crypto in iOS: Choose your destiny (Infographic)
Why do I even need to choose? When building your next app, you might realize that you need to encrypt the data. There are two main reasons for that: The need to transmit sensitive data to server and back; The need to store sensitive data. Even though there are multiple tools for doing just that, not all of those tools are equal. By just taking some random algorithm from CommonCrypto and using StackOverflow example to implement it, you'll fail.
What's wrong with Web Cryptography
Introduction Building full stack of cryptographic protection for modern applications includes working with the modern web browser, of course. However, through 20+ years of history of web browsers, we're at the stage where in-browser cryptography is still problematic, and best you can rely on is SSL. Which only protects data transport between you and server, leaving you hoping that you're good enough to go. Which is not always the case.
Why we need novel authentication schemes?
Introduction: A Word To Pass Before introducing our novel request authentication scheme in Themis, we’ve decided to create an overview of the existing methods of authentication and try to look into what the future might bring us. Passwords are ultimate keepers of diversity and security. Since Ancient Roman times until now, they are used for one to prove being worthy to get some privilege others do not possess, however strongly desire to obtain.
Why you should avoid SSL for your next application
Introduction 2018 update: This article was 4 years old, and even then presented disputable opinion. Many things have changed since then, we're having TLS 1.3, which eliminates a number of cryptographic concerns and enforces correct uses. Still, many challenges stand unaddressed. We've remixed the article to keep relevant problems, and outline solutions to those solved, along with a few thoughts on what and when you can use instead. Everyday software developers trust SSL / TLS encryption to protect their communications without considering whether or not this is the right thing to do.