Post Content
The post 🔴 LIVE: Security & Compliance Weekly #79 appeared first on Malware Devil.
The post Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership appeared first on Digital Defense, Inc..
The post Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership appeared first on Security Boulevard.
The post Digital Defense Expands Reach into the United Kingdom and South Africa with Private Protocol Partnership appeared first on Malware Devil.
Matt Dunn, associate managing director in Kroll’s Cyber Risk practice, discusses options for securing RDP, which differ significantly in terms of effectiveness.
Read More
The post Is Remote Desktop Protocol Secure? It Can Be appeared first on Malware Devil.
Food is a ubiquitous part of the human experience. Cultures revolve around food; it’s the glue that brings families together at holidays, and it’s essential to survival. Humans must find food, shelter, and water according to Maslow’s Hierarchy of Needs before they can begin thinking about fulfillment and exploring what makes them happy. For something so universal, for a sector that makes up one-fifth of the whole US economy, you would think that food processing plants, farms, and restaurants would have a purpose-built system for keeping their propriety data, operation systems, software systems, and client information safe.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Security Boulevard.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Malware Devil.
Food is a ubiquitous part of the human experience. Cultures revolve around food; it’s the glue that brings families together at holidays, and it’s essential to survival. Humans must find food, shelter, and water according to Maslow’s Hierarchy of Needs before they can begin thinking about fulfillment and exploring what makes them happy. For something so universal, for a sector that makes up one-fifth of the whole US economy, you would think that food processing plants, farms, and restaurants would have a purpose-built system for keeping their propriety data, operation systems, software systems, and client information safe.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Security Boulevard.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Malware Devil.
Food is a ubiquitous part of the human experience. Cultures revolve around food; it’s the glue that brings families together at holidays, and it’s essential to survival. Humans must find food, shelter, and water according to Maslow’s Hierarchy of Needs before they can begin thinking about fulfillment and exploring what makes them happy. For something so universal, for a sector that makes up one-fifth of the whole US economy, you would think that food processing plants, farms, and restaurants would have a purpose-built system for keeping their propriety data, operation systems, software systems, and client information safe.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Security Boulevard.
The post Why Food and Agriculture Need to Accelerate Security Measures in the Second Half of 2021 appeared first on Malware Devil.
Jen Easterly, former NSA official and Morgan Stanley vet, will take up the lead at CISA as the ransomware scourge rages on.
Read More
The post New CISA Director Confirmed, White House Gains Cyber-Director appeared first on Malware Devil.
Agile development is known for well-paced development cadences with short, quick sprints. These fast bursts are typically focused on ensuring something of value (functioning code) gets done in a short amount of time, allowing for new features and functionality to be available in the product on a regular basis. As opposed to the traditional, slower forms of software development, with releases methodically planned and executed over many months or even years, Agile keeps the focus on speed, user feedback, and iterative refinement.
The post Balancing Agility with Data Security appeared first on Security Boulevard.
The post Balancing Agility with Data Security appeared first on Malware Devil.
Interesting attack:
Masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links. Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage…
The post Iranian State-Sponsored Hacking Attempts appeared first on Security Boulevard.
The post Iranian State-Sponsored Hacking Attempts appeared first on Malware Devil.
One year and a half following the start of the COVID-19 pandemic, we’re seeing most companies either maintaining their remote work policies or slowly moving to a hybrid model. In fact, an estimated 36.2 million Americans will be working remotely by 2025, which is nearly double pre-pandemic levels.
The post Zero Trust: The Protection Model for the Post-Pandemic World appeared first on Security Boulevard.
The post Zero Trust: The Protection Model for the Post-Pandemic World appeared first on Malware Devil.
State and local governments are weathering a digital explosion. The move to “virtual everything” means that greater amounts of information are being produced and transmitted electronically, but the digital infrastructure powering these operations is straining under the weight.
The post Mind the Gap: Securely Embracing the Digital Explosion appeared first on Security Boulevard.
The post Mind the Gap: Securely Embracing the Digital Explosion appeared first on Malware Devil.
You’re just about to take out a long-time rival, claim Victory Royale or round out a royal flush when your ping spikes or you’re DCed. Chances are you, or the You’re just about to take out a long-time rival, claim Victory Royale or round out a royal flush when your ping spikes or you’re DCed. […]
The post Game Over: How to Stop DDoS Attacks on Online Gamers appeared first on Blog.
The post Game Over: How to Stop DDoS Attacks on Online Gamers appeared first on Security Boulevard.
The post Game Over: How to Stop DDoS Attacks on Online Gamers appeared first on Malware Devil.
The Cybereason team is excited to announce the launch of the Cybereason Defenders League, a Global Partner community, designed to reward the cybersecurity industry’s most trusted advisors and solution providers by increasing their margins and profitability. Members of this program will gain access to award-winning technology and services to help end users stop cyber attacks.
The post Cybereason Launches Global Defenders League Partner Program appeared first on Security Boulevard.
The post Cybereason Launches Global Defenders League Partner Program appeared first on Malware Devil.
Microsoft alerted the company to a security vulnerability in its Serv-U Managed File Transfer and Secure FTP products that a cyberattacker is using to target a “limited” amount of customers.
Read More
The post SolarWinds Issues Hotfix for Zero-Day Flaw Under Active Attack appeared first on Malware Devil.
Security decision leaders are prioritizing cloud security posture management (CSPM) tools for their organizations, and with just cause: the ability to monitor cloud configurations is essential for complying with regulations and reducing risk from cloud data breaches. However, CSPM answers only some of the modern security challenges that cloud infrastructure has introduced. Cloud Infrastructure Entitlements […]
The post Why Managing Security Posture and Entitlements from One Place Makes Sense appeared first on Ermetic.
The post Why Managing Security Posture and Entitlements from One Place Makes Sense appeared first on Security Boulevard.
The post Why Managing Security Posture and Entitlements from One Place Makes Sense appeared first on Malware Devil.
Secure Web Gateways (SWGs), software for controlling access to websites and SaaS not managed by corporate IT, have evolved from hardware appliances installed on premises, to software running on end user devices with varying degrees of interaction with the security provider’s hosted infrastructure. But the details on how the software interacts with the security provider’s infrastructure makes all of the difference with respect to performance, security, and ease of management. The Bitglass SmartEdge SWG architecture uniquely addresses these concerns in several ways.
The post Hairpinning: The Bottleneck in Most Secure Web Gateway Architectures appeared first on Security Boulevard.
The post Hairpinning: The Bottleneck in Most Secure Web Gateway Architectures appeared first on Malware Devil.
In one of the first major surveys of IT and Security professionals since the Covid19 pandemic, Hysolate together with independent global survey organisation Global Surveyz interviewed 200 IT and Security leaders at top US and UK companies with 500-10,000 employees to learn more about the challenges they are facing. The findings are fascinating. Employees want … Continued
The post New Survey: IT and Security leaders want more IT Freedom for employees, but also stricter IT Security appeared first on Hysolate.
The post New Survey: IT and Security leaders want more IT Freedom for employees, but also stricter IT Security appeared first on Security Boulevard.
The post New Survey: IT and Security leaders want more IT Freedom for employees, but also stricter IT Security appeared first on Malware Devil.
Echidna is a weird creature that eats bugs and is highly electrosensitive (with apologies to Jacob Stanley)
More seriously, Echidna is a Haskell program designed for fuzzing/property-based testing of Ethereum smarts contracts. It uses sophisticated grammar-based fuzzing campaigns based on a contract ABI to falsify user-defined predicates or Solidity assertions. We designed Echidna with modularity in mind, so it can be easily extended to include new mutations or test specific contracts in specific cases.
Generates inputs tailored to your actual code
Optional corpus collection, mutation and coverage guidance to find deeper bugs
Powered by Slither to extract useful information before the fuzzing campaign
Source code integration to identify which lines are covered after the fuzzing campaign
Curses-based retro UI, text-only or JSON output
Automatic testcase minimization for quick triage
Seamless integration into the development workflow
Maximum gas usage reporting of the fuzzing campaign
Support for a complex contract initialization with Etheno and Truffle
.. and a beautiful high-resolution handcrafted logo.
The core Echidna functionality is an executable called echidna-test. echidna-test takes a contract and a list of invariants (properties that should always remain true) as input. For each invariant, it generates random sequences of calls to the contract and checks if the invariant holds. If it can find some way to falsify the invariant, it prints the call sequence that does so. If it can’t, you have some assurance the contract is safe.
Invariants are expressed as Solidity functions with names that begin with echidna_, have no arguments, and return a boolean. For example, if you have some balance variable that should never go below 20, you can write an extra function in your contract like this one:
To check these invariants, run:
An example contract with tests can be found examples/solidity/basic/flags.sol. To run it, you should execute:
Echidna should find a a call sequence that falisfies echidna_sometimesfalse and should be unable to find a falsifying input for echidna_alwaystrue.
After finishing a campaign, Echidna can save a coverage maximizing corpus in a special directory specified with the corpusDir config option. This directory will contain two entries: (1) a directory named coverage with JSON files that can be replayed by Echidna and (2) a plain-text file named covered.txt, a copy of the source code with coverage annotations.
If you run examples/solidity/basic/flags.sol example, Echidna will save a few files serialized transactions in the coverage directory and a covered.$(date +%s).txt file with the following lines:
*r | function set1(int val) public returns (bool){
* | if (val % 10 == 0 && !flag0)
* | flag1 = false;
}
Our tool signals each execution trace in the corpus with the following “line marker”:
* if an execution ended with a STOP
r if an execution ended with a REVERT
o if an execution ended with an out-of-gas error
e if an execution ended with any other error (zero division, assertion failure, etc)
Our Building Secure Smart Contracts repository contains a crash course on Echidna, including examples, lessons and exercises. You should start here.
Echidna can test contracts compiled with different smart contract build systems, including Truffle, Embark and even Vyper, using crytic-compile. For instance, we can uncover an integer overflow in the Metacoin Truffle box using a contract with Echidna properties to test:
Echidna supports two modes of testing complex contracts. Firstly, one can describe an initialization procedure with Truffle and Etheno and use that as the base state for Echidna. Secondly, echidna can call into any contract with a known ABI by passing in the corresponding solidity source in the CLI. Use multi-abi: true in your config to turn this on.
Echidna’s CLI can be used to choose the contract to test and load a configuration file.
The configuration file allows users to choose EVM and test generation parameters. An example of a complete and annotated config file with the default options can be found at examples/solidity/basic/default.yaml. More detailed documentation on the configuration options is available in our wiki.
Echidna supports three different output drivers. There is the default text driver, a json driver, and a none driver, which should suppress all stdout output. The JSON driver reports the overall campaign as follows.
Coverage is a dict describing certain coverage increasing calls. Each GasInfo entry is a tuple that describes how maximal gas usage was achieved, and also not too important. These interfaces are subject to change to be slightly more user friendly at a later date. testType will either be property or assertion, and status always takes on either fuzzing, shrinking, solved, passed, or error.
EVM emulation and testing is hard. Echidna has a number of limitations in the latest release. Some of these are inherited from hevm while some are results from design/performance decisions or simply bugs in our code. We list them here including their corresponding issue and the status (“wont fix”, “in review”, “fixed”). Issues that are “fixed” are expected to be included in the next Echidna release.
Description
Issue
Status
Debug information can be insufficient
#656
in review for 2.0
Vyper support is limited
#652
wont fix
Limited library support for testing
#651
wont fix
If the contract is not properly linked, Echidna will crash
#514
in review
Assertions are not detected in internal transactions
#601
in review for 2.0
Assertions are not detected in solc 0.8.x
#669
in review for 2.0
Value generation can fail in multi-abi mode, since the function hash is not precise enough
#579
in review for 2.0
Before starting, make sure Slither is installed (pip3 install slither-analyzer –user). If you want to quickly test Echidna in Linux or MacOS, we provide statically linked Linux binaries built on Ubuntu and mostly static MacOS binaries on our releases page. You can also grab the same type of binaries from our CI pipeline, just click the commit to find binaries for Linux or MacOS.
If you prefer to use a pre-built Docker container, log into Github on your local docker client and check out our docker package, which are also auto-built via Github Actions. Otherwise, if you want to install the latest released version of Echidna, we recommend using docker:
Then, run it via:
If you’d prefer to build from source, use Stack. stack install should build and compile echidna-test in ~/.local/bin. You will need to link against libreadline and libsecp256k1 (built with recovery enabled), which should be installed with the package manager of your choosing. You also need to install the latest release of libff. Refer to our CI tests for guidance.
Some Linux distributions do not ship static libraries for certain things that Haskell needs, e.g. Arch Linux, which will cause stack build to fail with linking errors because we use the -static flag. Removing these from package.yaml should get everything to build if you are not looking for a static build.
If you’re getting errors building related to linking, try tinkering with –extra-include-dirs and –extra-lib-dirs.
Nix users can install the lastest Echidna with:
It is possible to develop Echidna with Cabal inside nix-shell. Nix will automatically install all the dependencies required for development including crytic-compile and solc. A quick way to get GHCi with Echidna ready for work:
Running the test suite:
Feel free to stop by our #ethereum slack channel in Empire Hacking for help using or extending Echidna.
Get started by reviewing these simple Echidna invariants
Review the Solidity examples directory for more extensive Echidna use cases
Considering emailing the Echidna development team directly for more detailed questions
Echidna is licensed and distributed under the AGPLv3 license.
This is a partial list of smart contracts projects that use Echidna for testing:
Uniswap-v3
Balancer
MakerDAO vest
Optimism DAI Bridge
WETH10
Yield
Convexity Protocol
Aragon Staking
Centre Token
Tokencard
Minimalist USD Stablecoin
The following lists security vulnerabilities that were found by Echidna. If you found a security vulnerability using our tool, please submit a PR with the relevant information.
Project
Vulnerability
Date
0x Protocol
If an order cannot be filled, then it cannot be canceled
Oct 2019
0x Protocol
If an order can be partially filled with zero, then it can be partially filled with one token
Oct 2019
0x Protocol
The cobbdouglas function does not revert when valid input parameters are used
Oct 2019
Balancer Core
An attacker cannot steal assets from a public pool
Jan 2020
Balancer Core
An attacker cannot generate free pool tokens with joinPool
Jan 2020
Balancer Core
Calling joinPool-exitPool does not lead to free pool tokens
Jan 2020
Balancer Core
Calling exitswapExternAmountOut does not lead to free assets
Jan 2020
Yield Protocol
Arithmetic computation for buying and selling tokens is imprecise
Aug 2020
Origin Dollar
Users are allowed to transfer more tokens that they have
Nov 2020
Origin Dollar
User balances can be larger than total supply
Nov 2020
Liquity Dollar
Closing troves require to hold the full amount of LUSD minted
Dec 2020
Liquity Dollar
Troves can be improperly removed
Dec 2020
Liquity Dollar
Initial redeem can revert unexpectedly
Dec 2020
Liquity Dollar
Redeem without redemptions might still return success
Dec 2020
We can also use Echidna to reproduce a number of research examples from smart contract fuzzing papers to show how quickly it can find the solution:
Source
Code
Using automatic analysis tools with MakerDAO contracts
SimpleDSChief
Integer precision bug in Sigma Prime
VerifyFunWithNumbers
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts
Crowdsale
Harvey: A Greybox Fuzzer for Smart Contracts
Foo, Baz
All these can be solved, from a few seconds to one or two minutes on a laptop computer.
Echidna: effective, usable, and fast fuzzing for smart contracts, Gustavo Grieco, Will Song, Artur Cygan, Josselin Feist, Alex Groce – ISSTA ’20
echidna-parade: A Tool for Diverse Multicore Smart Contract Fuzzing, Alex Groce, Gustavo Grieco – ISSTA ’21
If you are using Echidna on an academic work, consider applying to the Crytic $10k Research Prize.
Original repository: https://github.com/crytic/echidna
The post Echidna – Ethereum smart contract fuzzer appeared first on Hakin9 – IT Security Magazine.
The post Echidna – Ethereum smart contract fuzzer appeared first on Malware Devil.
Planning, Protecting and Not Paying Your company is aware of the many attempts that hackers make every day to infiltrate organizations, steal data, and demand ransoms. Hacking methods seem to propagate rapidly, but ransomware has been making the headlines regularly in the past two years. Ransomware, a form of malware, accounted for about ten percent of the breaches collated in …
The post Reimagining Ransomware Responses appeared first on Enzoic.
The post Reimagining Ransomware Responses appeared first on Security Boulevard.
The post Reimagining Ransomware Responses appeared first on Malware Devil.
In an attempt to provide better insights to our readers about what DMARC is and how its implementation can help in securing an organization’s outbound email channels, KDMARC has released its 2020-2021 DMARC Industry Report. DMARC Report The DMARC Industry Report 2020-2021 focuses on the benefits of DMARC implementation and dives into the following topics […]
The post DMARC Industry Report 2020-2021 appeared first on Kratikal Blogs.
The post DMARC Industry Report 2020-2021 appeared first on Security Boulevard.
The post DMARC Industry Report 2020-2021 appeared first on Malware Devil.
In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...
