Month: June 2016

The Elixir Programming Language

~ Yann Loic Philippczyk

elixir

An introduction to the language, its main concepts and its potential.

The number of security incidents has been on the rise for years, and the growth of the Internet of Things is unlikely to improve the situation. Successful attacks on all kinds of interconnected smart devices, from car locks over home security systems to highly automated factories, have already been demonstrated and carried out.

An aspect contributing to the bad state of security is the use of programming languages which are highly prone to vulnerabilities, namely C/C++. With the increased interconnection of systems which could pose a danger to life if disrupted, for example vehicle controls or critical infrastructure, there is a need for programming languages which provide a higher level of security „by default“.

Continue reading

Side-channel Attacks

~ Daniel Grießhaber

This post will give you an introduction to Side-channel Attacks by looking at some common vulnerabilities and concrete attacks that try to exploit those.
But first: What actually is a Side-channel attack in general?

A Side-channel Attack is an attack on a system, most probably a “secure” system, that does extract secret data by using special properties of the implementation rather that direct access by brute-force or theoretical weaknesses.
You often try to derive the information by looking at properties that are maybe only indirectly coupled to the data. Most of the time those properties are of a physical nature, like time, magentic fields or accoustic waves but sometimes more abstract events like interrupts or traps of a CPU or MMU can be used.

Continue reading

Web App – File Upload Vulnerabilities

~ Thomas Derleth
Today we will discuss file upload vulnerabilities; a topic that is widely underestimated by developers. First, we will imagine a website in which it is possible to upload images with the format .jpg, .png, .gif and so on. If an application does not have proper form validation for file uploads, an attacker is able to gain control over the system. This is especially true for file extensions like .php and .asp, since these are automatically interpreted by webservers. I’ll elaborate on how this works, and on which defense strategy will be effective depending on each specific case.

Continue reading

Keyless Gone – Vulnerabilities in keyless car systems

~ Antonia Böttinger

keylessgo(written by Antonia Böttinger and Andreas Gold)

Introduction

Modern cars embed complex technologies to improve the drivers comfort and safety. In 1999 the automobil industry introduced the smart key system that more and more cars use. Even if manufacturers make use of various designations like Keyless Go, KeyFree Power or Smart Key the technique is still similar.

Traditionally, access and authorization to drive and start cars have been achieved by using physical keys and lock systems. Smart key systems allow the car owners to comfortably open and start their cars while keeping their keys in their pockets. Same applies for stopping the engine and closing the car. However, this luxury contains a great security breach. Car thieves use this comfort for their own purpose. They steal cars equipped with this technology within seconds.

Continue reading

Test Driven Development Part II

~ Matthias Schmidt


[written by Roman Kollatschny and Matthias Schmidt]

Welcome back to the second article in our Node.js development series. Today, we are going to adapt the TDD cycle in an helloWorld example application. If you missed our first article about the principles of TDD, you can find it here.

In the last article, we learnd about the fundamentals of the test driven development process. That involved the five steps of the TDD cycle, which have to be repeated until the completion of the application. We also had a look at our two frameworks Mocha and Chai that we are using in this tutorial.

Let’s code!
Continue reading