The article describes the interactive Schnorr identification protocol (hereinafter referred to as the Schnorr protocol) and formulates the problem of compatibility of this protocol with the instant digital signature (IDS) mode. This post shows how to modify the Schnorr protocol to provide such compatibility.
Information Security *
Data protection
Business Continuity and Operation Resilience on paper vs. for real
Hello, my reading friends!
My previous post (rus) on Habr was about how the Business Continuity Management function started, as well as about its relations with other corporate functions. In fact, it was quite theoretical.
This time, I’d like to tell you about some practical vectors of procedures and tools implementation as regards to Business Continuity Management, or BCM, along with Operational Resilience, or OpRes. Plus some real initiatives that can follow the BCM & OpRes implementation in a company and the associated with it investigation of the corporate landscape and procedures.
BCM & Operational resilience: yesterday, today, and tomorrow. Where has it come from and what comes next?
Recently, The BCI, one of the leading institutes working in the field of organizational resilience and business continuity, issued its regular report BCI Operational Resilience Report 2023 in collaboration with Riskonnect, who work with risk management solutions.
One of the questions they asked the respondents was if there was a difference between organizational resilience and operational resilience. As the answers demonstrated, for most respondents (and in most companies) these terms were used as synonyms. Having studied the report, the colleagues brought up another matter – The BCI introduced the new term of "organizational resilience" in addition to "business continuity" and "operational resilience".
If we search Habr for "Business Continuity", "DRP", "BCP", or "BIA", we’ll find quite enough posts by my colleagues (I’ve met some of them face to face and worked with the others) about data system recovery, data system testing, fault-tolerant infrastructure, and some other things. Yet, hardly any of them explain where all of it has come from, how it is changing, where it is heading – and why.
I thought the time has come to change the situation for the better and answer some of the questions like where business continuity provisions and operational resilience has come from, how they are changing, and where this trend is heading and why. To share my thoughts about development of the industry and its current de-facto state in case of a mature (or not too mature) introduction level – some things I’ve stated for my own use.
How to Set Up a Custom Domain and Get a Free SSL Certificate on Firebase
In my previous article, I showed you how to deploy your project to Firebase and use it for free. Now, let’s explore additional benefits of Firebase. In the upcoming article, I will show you how to set up a custom domain name for your project and utilize a free SSL certificate from Firebase.
How we built a Cyber Immune product using an open source library: stages, pitfalls, solutions
My name is Sergey Yakovlev, and I'm the head of the Kaspersky Thin Client project based on our proprietary operating system, KasperskyOS. A thin client is one of the main components of a virtual desktop infrastructure, which is a remote desktop access system. In this article, I will use such a client as an example of how you can build a secure (yet commercially viable!) product. I will cover the stages, the stumbling blocks, the problems and solutions. Let's go!
Instant Digital Signature Mode
In this note, we discuss the Instant Digital Signature (IDS) mode, which was announced earlier. While the main content of the IDS mode was already disclosed in a previous publication, we believe that additional specifications will improve understanding.
Q1 2023 DDoS Attacks and BGP Incidents
Let's take a deeper look at the Q1 2023 DDoS attacks mitigation statistics and observations from Qrator Labs' perspective.
Q4 2022 DDoS Attacks and BGP Incidents
Now that 2022 has come to an end, we would like to share the DDoS attack mitigation and BGP incident statistics for the fourth quarter of the year, which overall saw unprecedented levels of DDoS attack activity across all business sectors.
In 2022, DDoS attacks increased by 73.09% compared to 2021.
Let's take a closer look at the Q4 2022 data.
Payment Village at PHDays 11: pentesting our online bank
Hello everyone! We've already talked in our blog about how the Positive Hack Days 11 forum had a special Payment Village zone, where anyone could look for vulnerabilities in an online bank, ATMs, and POS terminals. Our competition to find vulnerabilities in an online bank is not new, but in recent years it has been somewhat supplanted by ethical hacking activities for other financial systems. In 2022, we decided to correct this injustice and created a new banking platform, making use of all our years of experience. We asked the participants to find typical banking vulnerabilities and report them to us. In the competition, the participants could play for either the "white hats" (participate in the bug bounty program of an online bank) or for the "black hats" (try to steal as much money from the bank as possible).
BGP Route Leak prevention and detection with the help of the RFC9234
All the credit is due to the RFC’s authors: A. Azimov (Qrator Labs & Yandex), E. Bogomazov (Qrator Labs), R. Bush (IIJ & Arrcus), K. Patel (Arrcus), K. Sriram.
A BGP route leak is an unintentional propagation of BGP prefixes beyond the intended scope that could result in a redirection of traffic through an unintended path that may enable eavesdropping or traffic analysis, and may or may not result in an overload or complete drop (black hole) of the traffic. Route leaks can be accidental or malicious but most often arise from accidental misconfigurations.
How to exchange a secret key over an insecure network (EC-Diffie-Hellman algorithm)
Let’s say you want to send an encrypted message to your friend in order to avoid it being intercepted and read by a third party. You generate a random secret key and encrypt the message with it. Let’s say you use AES. But how do you let your friend know the key to decrypt it?
In this article, we will explore how the Elliptic-Curve Diffie-Hellman algorithm works under the hood. The article includes the implementation of this algorithm from scratch, written in Python.
Anonymity and Authenticity
The following text consists of two logically connected parts. The first part constructively rules out the assumption that untraceability supposes anonymity. The second part enumerates specific practical tasks in the form of various scenarios when digital signatures (DS) do not provide correct solutions to the task. It is demonstrated that a complete solution can be obtained through a special combination of DS and an interactive anonymous identification protocol.
Q3 2022 DDoS attacks and BGP incidents
With the end of the 2022' third quarter, we invite you to take a tour into DDoS attacks mitigation and BGP incidents statistics recorded from July to September.
Payment Village at PHDays 11: ATM hacking
The Positive Hack Days 11 forum, which took place May 18–19, 2022, was truly epic. The bitterly fought ATM hacking contest featured no fewer than 49 participants. How cool is that? The winner of this year's prize fund of 50,000 rubles, with the handle Igor, was the first to hack the virtual machines. And he wasn't even at the event! :)
Besides Igor, eight other participants picked up prizes this year for their VM-hacking skills. They were: drd0c, vient, vrazov, durcm, zxcvcxzas7, asg_krd, hundred303, and drink_more_water_dude. A big thank-you to everyone who took part, and for those who weren't at PHDays, here are the links to the virtual machines.
The 2022 National Internet Segment Reliability Research
The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Generally, the most critical AS in the region is the dominant ISP on the market, but not always.
As the number of alternate routes between ASes increases (the "Internet" stands for "interconnected networks" - and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are more important than others from the beginning, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.
The global connectivity of any given AS, whether an international giant or a regional player, depends on the quantity and quality of its path to Tier-1 ISPs.
Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will always be maintained. For many ISPs at all "tiers", losing connection to even one Tier-1 peer would likely render them unreachable from some parts of the world.
Top 10 incident response mistakes
Imagine someone withdrew money from a company's account at night. The next morning panic breaks out, leading to yet more problems. The IT department can reinstall a compromised system from scratch or restore it from backup. Reinstalling from scratch will wipe out all traces left by the attackers, and external investigators will have to search for clues in other systems. Restoring from backup carries the risk of accidentally reinstating a compromised image. In this paper, we will describe common mistakes that experts make when responding to security incidents.
20 years of payment processing problems
Thanks to yarbabin for the logo
Electronic payment systems have existed on the Internet for a long time, and some bugs in them are twenty years old. We've found critical vulnerabilities allowing us to steal money and drive up the balance. Today we will analyze typical implementations of payment processing and related security issues.
How abortion in the age of surveillance capitalism turns Internet into a dystopia
Not even a week later, news emerged that the blow to women's rights might come from an unexpected (for naive Americans who are not familiar with the «Yarovaya Package» and other niceties of Russian legislation) side, when the willingness to «leak» personal data even without a decision was confirmed by the developers of major applications for women. Thus, suddenly, own gadgets and all the IT infrastructure that surrounds the modern man for his convenience, suddenly showed its downside: the possibility of total control over human life and actions.
Q2 2022 DDoS attacks and BGP incidents
The second quarter of the year has ended and, as usual, we take a look back at the mitigated DDoS attacks activity and BGP incidents that occurred between April and June 2022.
Blood, sweat and pixels: releasing a mobile game with no experience
Over our many years of experience in security awareness and experimentation with learning approaches (e.g. online adaptive platforms, interactive workshops and even VR simulations), we’ve noticed that even if the material is presented in a highly engaging way, people still lack the opportunity to apply the knowledge in practice. This means that although they are taking in the information, it won’t necessarily be applied.
Authors' contribution
-
alizar 21361.3 -
marks 9200.7 -
ptsecurity 8715.1 -
LukaSafonov 6170.8 -
ValdikSS 5478.6 -
GlobalSign_admin 5136.9 -
Kaspersky_Lab 4479.9 -
esetnod32 3275.0 -
zhovner 2947.0 -
Jeditobe 2709.8