The 5 Most Common Smart Contract Vulnerabilities

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. Please enjoy.


Smart contracts are hard to get right. Their three main properties, the ability to hold value, transparency, and immutability, are essential for them to work. However, these properties also turn smart contracts into a security risk and a high-interest target for cybercriminals. Even without deliberate attacks, there are plenty of examples of funds getting stuck and companies losing money due to smart contract bugs and vulnerabilities.

Over the last two years, we have audited the smart contracts of more than 40 projects here at Cryptonics. The contracts audited include different types of asset tokenization, insurance policies, decentralized finance platforms, investment funds, and even computer games. We have observed certain trends in the types of vulnerabilities that we usually encounter, and some issues seem more common than others. In this article, we will describe the five most common issues we detect in our daily auditing activities.

[Read more…]

The fight for privacy

The post, next week.

Own text. Original comic strip by RaphComic. Modified with permission.

CNA Tactics: a first proposal

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 11th November 2019)


Today we have a doctrinal and somewhat metaphysical article… I.e., something dense. Be warned :)

Within CNO (Computer Network Operations) we find three types of capabilities or actions: CND, CNA and CNE (Defense, Attack and Exploitation respectively).

While CND obviously deals with the defense of technological environments against attacks that are also technological —not against a missile that hits a datacenter—, CNE operations and capabilities focus on the acquisition and exploitation of information through networks and computers: what we currently call cyberspying. For its part, CNA, Computer Network Attack, refers to what is often identified with purely destructive operations (the famous “4D”: disrupt, deny, degrade and destroy).

Any actor that executes CNO operations develops TTP (Tactics, Techniques and Procedures) to achieve its objectives; without going into the more formal definitions of the US military literature, tactics specify what an actor does, techniques specify how a tactic is implemented and procedures define a particular implementation —depending even on the person who applies them— of that tactic; this approach, from the higher level to a more operational level, models the behaviour of an actor, something similar to what is usually called its modus operandi.

[Read more…]

YaraRET (I): Carving with Radare2 & Yara

During the management of forensic cases, there are times when we find ourselves at a dead end, where, after the detection of a critical indicator of compromise, we have to approach an analysis with weak evidence.

That is why I decided to develop a carving tool based on Yara rule detection. This tool also had to handle raw files and be able to carry out a wide variety of options on this data in a flexible way, so I decided to use Radare2.

From this combination was born YaraRET, a file carving tool developed in Go, whose stable version is available in the repository of YaraRules: https://github.com/Yara-Rules/YaraRET

The development version can be found in the following repository: https://github.com/wolfvan/YaraRET

So, in the next article, the resolution of a fictitious forensic case with YaraRET will be presented, based on a combination of several cases that I have come across over the past few months. [Read more…]

The State of VPN Security Today

Today’s post is authored by Christopher Nichols from SurfShark.com, who gives a quick insight into some of the main threats of surfing without protection on today’s Internet, and gives some valuable information on the advantages of what is probably the main countermeasure: Virtual Private Networks. Please enjoy.

No one should log onto the internet without the added protection of a virtual private network (VPN). Personal and financial information transmitted over the web needs protection against snoopers, hackers, and spies. Those snoopers also include the user’s own government as well as the internet service provider, who collects service fees as well as free information from their users. [Read more…]

The 5 keys of an Operator’s Security Plan for a health service

(This post has been prepared by Juan Carlos Muria & Samuel Segarra.)

Regarding the protection of critical infrastructures and essential services, as reflected in the European NIS Directive, in Spain there is a National Strategy that includes the health sector as a critical infrastructure.
In this SAW post, we explain the key success factors for approaching the preparation of the Sector Strategic Plan to render it compliant with Spanish regulation, although there are many points in common with protecting critical infrastructure in other countries, according to our experience.

And finally it arrived: The Sector Strategic Plan (PES) for the health sector was published at the end of October, and now comes the time, for elected operators, to draft the Operator’s Security Plan (OSP) in less than six months, not forgetting that then there will only be four months to detail the Specific Protection Plans for each of the critical infrastructures, and finally the Operational Support Plans (PAO).

This is the minimum required by the National Center for the Protection of Critical Infrastructures, in response to meetings held and emails exchanged with different operators.

The structure of these plans is defined by the CNPIC itself, so we have preferred to focus on the things that a healthcare operator should take into account, and since we are on a blog and the content should be short and concrete, we have decided to highlight the 5 most important things, which should not be missing in an OSP.
Shall we start?
[Read more…]

(Cyber) GRU (XI): TTP

The information that has come to light in recent months, especially Mueller’s accusation, has identified different tactics and techniques of the GRU, some of them previously known – and in many cases linked to APT28 – and others that, although we could all imagine, no one had previously confirmed. These TTPs are summarized in the following table, based on an adaptation of the tactics and techniques published by MITRE in its ATT&CK framework:

[Read more…]

(Cyber) GRU (X): objectives

Apart from some more specific objectives, such as Westinghouse Electric Company – with business in nuclear technology – or domestic routers that can be compromised to orchestrate a distributed attack against the real objective, the information published in 2018 has brought to light five major GRU objectives, consistent with the interests of the Service and consequently with those of the Russian Federation; they are the ones presented in this section.

It is striking that in most of these objectives – with the possible exception of Ukraine and its infrastructures – the GRU has, presumably always, an interest related more to the confrontation of psychological information to which we have referred than to a purely technical attack. In other words, it is unlikely that the GRU will attack targets such as the investigators of the use of Novichok or of the downing of MH17, which we will see below, with the intention of technologically altering the results of these investigations… It is more likely that the real objective was to obtain information: on the one hand, to know first-hand the state of the investigations at each moment and, on the other, equally important, to obtain data that would allow the Service to initiate disinformation campaigns against these investigating bodies, so that in the eyes of society they would lose credibility in their claims, thus benefiting the interests of the Russian Federation. [Read more…]

CISSP certificate – II. Personal experience

In yesterday’s post we saw some general aspects of CISSP certification, which can be expanded on by consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let’s get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no “example” questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

[Read more…]

IoT in the Industry 4.0 – Our data – collaboration or use?

On 7 February, a meeting was held in Madrid at the Vodafone Observatory of the Company, where experts in the cloud, artificial intelligence, robotics and digital transformation gave a vision on how to face the challenges of industry 4.0. In previous articles by Joan Balbastre about Industry 4.0, we could see what characterizes this industrial revolution and its basic design principles. In these articles, up to six different principles are named and one of them allows us to focus on this text: service orientation. This orientation turned out to be the fundamental axis of the whole event.

It is true that, in the face of strong competition between companies from different sectors, the optimization of the products or services provided has become a priority. There are many ways to improve a company or product. In recent years, information gathering has become one of the fundamental pillars on which the Industry 4.0 revolution is based. The data collected from consumers allows companies to perform different actions such as preventive maintenance, quality assurance, real-time defect management, operations management, etc. A clear example of the change that companies in the industry are undergoing is the case of Quality Espresso, which has gone from producing only one product, designing, producing and marketing coffee makers, to the provision of an added service thanks to the collection of information. Quality Espresso coffee machines not only allow connectivity with different devices, but are also able to collect statistical information for the company, in order to improve the products or even influence the design of new ones, as indicated in the event.

[Read more…]