Blogs

[CONFERENCE] SIGSEGV2

L’événement SIGSEGv2, organisé par l’association Read The Fancy Manual (RTFM) est une conférence française annuelle sur le thème de la sécurité informatique dont le mot d’ordre est de “promouvoir la pratique du hacking sous toutes ses formes”. Cette deuxième édition, pour laquelle Randorisec était sponsor, a eu lieu le samedi 30 novembre 2019 dans les locaux d’Epitech Paris. L’évènement SIGSEGv2 a pour objectif de : Partager des connaissances Montrer le niveau de la France dans le secteur de la sécurité informatique et du hacking Proposer des épreuves de hacking Soutenir des projets innovants L’événement s’est déroulé en deux parties :

Continue reading

[Training/Conference] DeepSec 2019

Training During the DeepSec event, we gave our Mobile Hacking training (this training was also provided at Hack In Paris). This training presented the toolset needed when assessing mobile applications (such as adb, Apktool, Jadx, Androguard, Cycript, Frida, Needle and MobSF) and, also, the techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This 2-days training focused on Android and iOS applications.

Continue reading

[SWIFT] Customer Security Programme

Since 2017 and as a result of the Bangladesh Bank cyber heist, SWIFT established a Customer Security Programme which describes a set of mandatory and advisory security controls for participants. All customers need to re-attest and confirm full compliance with the mandatory security controls. As stated by SWIFT’s CEO in May 2016: The Bangladesh Bank hack was a watershed event for the banking industry. There will be a before and an after Bangladesh.

Continue reading

[CONFERENCE] CERT-EU 2019 ANNUAL CONFERENCE

RandoriSec was at CERT-EU 2019 Annual Conference. It was our first time attending this conference and probably not the last one as the speakers line-up was impressive ! We cannot share details like we used to do as it was a closed, invitation-only event and many talks had a TLP GREEN, AMBER or even RED but we can give you the agenda excluding for the TLP AMBER and RED talks.

Continue reading

[PUBLICATION] Éprouver la sécurité des applications mobiles

Guillaume et moi-même avons écrit trois articles sur la sécurité des applications mobiles (tout le dossier en fait ;), qui ont été publiés dans le magazine MISC106 de novembre/décembre : Contournement de l’API Google Play Billing (for fun and profit ;) Auditer la sécurité d’une application iOS (avec et sans jailbreak) Présentation du Mobile Security Testing Guide de l’OWASP (devenu LA référence dans le domaine) Comme à notre habitude nous aurions aimé opter pour une licence CC dans le but de mettre les articles à disposition au plus grand nombre dès l’expiration des droits d’auteur, mais cela n’a été possible que pour un seul des trois articles.

Continue reading

[Conference] Hack.Lu 2019

RandoriSec was at Hack.lu for its 15th edition and as you can imagine it was super interesting. In addition this year, RandoriSec sponsored the CTF! If you’ve never heard of Hack.lu, it’s a 3 days IT security conference held in Luxembourg every year. The conference is attended mostly by cybersecurity professionals from all over the globe. Several subjects are discussed including malware analysis and reversing, forensics, network, mobile and web security and incident response.

Continue reading

Moxa EDR-810 Command Injection and Logs disclosure

Abstract During an engagement for a client, RandoriSec found 2 vulnerabilities on Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found on the CLI allowing an authenticated user to obtain root privileges. And the other one is an improper access control found on the web server allowing to retrieve log files. As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsible disclose” them.

Continue reading

[Publication] Le réel danger des biais cognitifs en cybersécurité

Dans le MISC Hors série n° 20 (octobre / novembre 2019), vous trouverez un article de votre serviteur sur les biais cognitifs et leur importance dans le traitement de la sécurité, en particulier dans les contextes de gestion d’incident majeur ou de crise (l’article reprend la trame de ma master class au FIC 2019). Les biais cognitifs sont des traitements cognitifs, c’est à dire des mécanismes de la pensée - relativement systématiques - qui provoquent une altération du raisonnement et du jugement tout en préservant l’apparence de la raison logique.

Continue reading

[Training/Conference] DeepSec 2019 - Mobile Hacking / Abusing Google Play Billing

RandoriSec is going back to DeepSec (Vienna, Austria) this year. Guillaume Lopes will give a talk about abusing the Google Play Billing API and he’ll give a training with Davy Douhine. The Mobile Hacking training, running the 27 and 28 November, is intended for penetration testers, bug bounty researchers or just curious who would like to improve their security testing skills applied to the mobile ecosystem. The objective of the course is to introduce the basic toolset (Adb, Apktool, Jadx, Cycript, Drozer, Frida, Hopper, Needle, etc.

Continue reading

[Training/Conference] Hack In Paris 2019

RandoriSec was at Hack In Paris 2019 and it was wonderful! This 9th edition took place at Maison de la Chimie in Paris (of course;)). The event was divided in two parts: June 16th to 18th: 3 days of trainings with 13 different subjects (IoT, ICS, Windows exploitation, Web and mobile hacking, etc.) June 19th to 20th: 2 days of talks with a unique track.

Continue reading