An introduction to the language, its main concepts and its potential.
The number of security incidents has been on the rise for years, and the growth of the Internet of Things is unlikely to improve the situation. Successful attacks on all kinds of interconnected smart devices, from car locks over home security systems to highly automated factories, have already been demonstrated and carried out.
An aspect contributing to the bad state of security is the use of programming languages which are highly prone to vulnerabilities, namely C/C++. With the increased interconnection of systems which could pose a danger to life if disrupted, for example vehicle controls or critical infrastructure, there is a need for programming languages which provide a higher level of security „by default“.
This post will give you an introduction to Side-channel Attacks by looking at some common vulnerabilities and concrete attacks that try to exploit those.
But first: What actually is a Side-channel attack in general?
A Side-channel Attack is an attack on a system, most probably a “secure” system, that does extract secret data by using special properties of the implementation rather that direct access by brute-force or theoretical weaknesses.
You often try to derive the information by looking at properties that are maybe only indirectly coupled to the data. Most of the time those properties are of a physical nature, like time, magentic fields or accoustic waves but sometimes more abstract events like interrupts or traps of a CPU or MMU can be used.
A short overview of the cyber-attack on the German Bundestag based on leaked documents by netzpolitik.org
In May 2015 the German press reported about a cyber-attack on the IT infrastructure of the German Bundestag. A year later, in spring 2016, internal documents were published by netzpolitik.org which gave an impression of how the IT infrastructure was compromised. This blog post sums up the methods of the attackers, the initiated countermeasures, and gives a short summary of the event. As well, it gives a brief overview about the relevant departments in the German Bundestag involved in regards with the attack.
Today we will discuss file upload vulnerabilities; a topic that is widely underestimated by developers. First, we will imagine a website in which it is possible to upload images with the format .jpg, .png, .gif and so on. If an application does not have proper form validation for file uploads, an attacker is able to gain control over the system. This is especially true for file extensions like .php and .asp, since these are automatically interpreted by webservers. I’ll elaborate on how this works, and on which defense strategy will be effective depending on each specific case.
Modern cars embed complex technologies to improve the drivers comfort and safety. In 1999 the automobil industry introduced the smart key system that more and more cars use. Even if manufacturers make use of various designations like Keyless Go, KeyFree Power or Smart Key the technique is still similar.
Traditionally, access and authorization to drive and start cars have been achieved by using physical keys and lock systems. Smart key systems allow the car owners to comfortably open and start their cars while keeping their keys in their pockets. Same applies for stopping the engine and closing the car. However, this luxury contains a great security breach. Car thieves use this comfort for their own purpose. They steal cars equipped with this technology within seconds.
[written by Roman Kollatschny and Matthias Schmidt]
Welcome back to the second article in our Node.js development series. Today, we are going to adapt the TDD cycle in an helloWorld example application. If you missed our first article about the principles of TDD, you can find it here.
In the last article, we learnd about the fundamentals of the test driven development process. That involved the five steps of the TDD cycle, which have to be repeated until the completion of the application. We also had a look at our two frameworks Mocha and Chai that we are using in this tutorial.
In order to get everyone on the same page, we want to start this post with a presentation of our project and an overview of the technologies that we are going to use for the development of our pipeline.