Greeting from Felix
Shift Security Left #17
It has been said that "all genius is simple". However, many system architects would disagree with this claim. According to conventional wisdom, "complexity is the enemy of security", and large systems always exhibit complexity at the system level. But is that really the case?
Phil Venables will guide you on how to cope when it comes to handling complexity.
Enjoy this issue: there's a lot to learn besides how to deal with complexity :)
Cryptography
Energy Consumption of Post Quantum Cryptography: Dilithium and Kyber Beat Our Existing TLS 1.3 Performance
The quantum computer is coming and it will need your clothes, your boots, your motorcycle and your public key 🤖
Existing key exchange, digital signing and public key encryption methods are at risk as quantum computers improve. As a result, TLS 1.3 and higher must migrate away from anything that uses RSA and ECC and towards quantum-safe methods, such as lattice techniques.
However, which has higher energy costs? Can the best PQC methods beat the ECC and RSA methods for a TLS 1.3 handshake or not?
Learn more by checking out Bill Buchanan's research.
What We Do in the /etc/shadow – Cryptography with Passwords
Although a password-free future would be ideal, it's unlikely to arrive very soon. As a result, it's important to learn to work with password-based cryptography effectively.
Soatok introduces you to password-based key derivation functions and password hashing functions, explains their pitfalls, and gives recommendations on choosing a suitable algorithm. Enjoy :)
Malware
Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
Forewarned is forearmed 💪
SpiderLabs researchers Pawel Knapczyk and Wojciech Cieslak discovered malware masquerading as a Google Drive extension. The malware allows threat actors to monitor browsing activity, capture screenshots, utilise forged dialogs to deceive users into revealing their two-factor authentication (2FA) and then withdraw cryptocurrencies in the background.
Dig into the investigation's finer points to learn more.
Tools
CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research
Do you agree that it is better to find vulnerabilities before the release? Me too.
Static analysis allows you to look for security flaws in an application's code without running it. With the predefined queries in CodeQL, it is possible to find potential vulnerabilities without digging into static analysis.
Learning static analysis fundamentals will enable you to define and query for specific patterns or vulnerabilities. So, let's learn.
P.S.
Proper threat modelling increases the likelihood of reducing threats and the likelihood of having a great weekend, which is what I want to wish you :)
P.P.S. If you somehow missed "Threat Model Examples: collection of threat models" in one of the previous issues, don't miss it now.