Latest articles

  1. How to unpack and edit Android boot img?

    Published: Thu 11 August 2016 in Cookbook.
    A step-by-step guide from fetching and editing to reflashing an Android boot image.

    Tools selection

    The method I present here relies on CyanogenMod’s Android source code.

    While Google’s AOSP only provides the tool to build the boot.img file, CyanogenMod also adds the unpackbootimg tool, allowing you to unpack it. This tool does not seem specifically designed for CyanogenMod in any way, so chances are that it will work for other ROMs as well.

    There are however a relatively large number of alternatives to unpack the boot.img file which all work more-or-less the same.

    Basically, such an unpack tool will extract the content of the boot.img file and display a set of parameters you will have to pass to Google’s mkbootimg tool to build a file whose configuration (mainly kernel parameters and memory addresses) will match the original one.

    Here are a few examples; I did not test them personally, so I cannot recommend any, and I present …

  2. How to block laptops and cellphones microphones from spying on you?

    Published: Mon 18 July 2016 in Cookbook.
    Various ways to prevent your mobile devices' microphones from being used as roving bugs.

    In State of surveillance, Edward Snowden explains the real danger behind cellphone spying, notably the fact that this form of spying provides access to information you, as a precaution, never stored in any electronic device.

    It also demonstrates how to take apart a cellphone and remove its camera and microphone. Is going this far really necessary? Are there any reversible or more convenient ways?

    While IMHO some black electrical tape should be enough to blind a camera in most situations, things get more complicated with the microphone, but we still have several possibilities.

    Physical destruction / removal

    The most well-known and most effective solution is to physically destroy (drill) or remove (desolder) the microphone: no microphone anymore, no malicious way to use it. An external microphone can then be plugged in whenever required (earphones, for instance, in the case of cellphones).

    Be aware however that certain devices (in particular cellphones and …

  3. How to run a CAM table overflow attack in GNS3

    Published: Sun 26 June 2016 in Cookbook.
    Updated: Sat 19 August 2017
    Background information on CAM table overflow attacks and concrete steps to reproduce them in a GNS3 lab.

    Knowing where the difference with real gear lies

    For performance reasons, a lot of switching features are actually not part of the IOS code but are implemented in hardware. This includes the ARL, or Address Resolution Logic, which provides all the methods to add, remove and look up entries in the MAC address table.

    Therefore, for the NM-16ESW module to work in GNS3, Dynamips had to reimplement all these normally hardware-provided services, or at least push this far enough to allow an unmodified IOS to run on it correctly.

    The sad thing is indeed that this is unfinished work, as stated in this module’s source code header:

     * Cisco router simulation platform.
     * Copyright (c) 2006 Christophe Fillot (
     * NM-16ESW ethernet switch module (experimental!)
     * It's an attempt of proof of concept, so not optimized at all at this …

  4. Are EMV credit cards clonable? How?

    Published: Tue 15 September 2015 in Opinions.
    Why a system regularly presented as unbreakable actually isn't.

    From a theoretical perspective, a smart card can be compared to a networked computer: its content cannot be accessed directly like a disk or a USB stick; you must send requests to the chip (either to access some data or to execute some operation) and the chip answers following a given protocol (authentication may be needed for some requests, etc.).

    Therefore, still from a theoretical perspective, while a smart card itself can be considered secure, this led to a misleading marketing discourse claiming that systems based on it were “unbreakable” or that such cards were “unclonable”. However, a complex system like a complete payment system cannot be reduced to the security of the EMV card alone. The payment card is only the tip of the iceberg: every element composing this system and their mutual interactions must be taken into account, from the various involved devices to the protocols and the …

  5. What is the difference between HTTP and HTTPS with a self-signed certificate?

    Published: Fri 28 August 2015 in Opinions.
    The security and user experience differences and how to safely manage them.

    Security difference

    First, let’s talk about SSL (now called TLS, by the way), which adds the ‘S’ at the end of HTTPS and is in charge of “securing the communication”. The clue to answering this question is indeed to fully understand what we mean by “securing the communication”.

    SSL, no matter whether the certificate being used is self-signed or signed by a trusted CA, will ensure that the communication between you and the remote host remains confidential and that no one can tamper with any data exchanged.

    The warning message shown by browsers about self-signed certificates is therefore not about that.

    But, how can you be sure that the remote host answering to your requests is really the one you expect? With public websites, for which you have no direct way to authenticate the certificate by yourself, this is just impossible. Here comes external …

  6. Can SELinux really confine the root user?

    Published: Thu 20 August 2015 in Opinions.
    How, but most importantly why, SELinux can confine even the root user.

    Several projects such as [this one][play_root] offer free root access to a Linux box in order to demonstrate SELinux’s confinement abilities. Even given root access on the box, SELinux still prevents any harm from being done.

    Is this for real, or is there some trick behind such a setup?

    This is indeed possible because SELinux does not actually care about the current Unix user: all it sees is supplementary metadata called the context (which includes, among other fields, a domain field), which lets SELinux decide whether the requested action can be authorized or not.

    What one usually conceives of as the root user is mapped in SELinux to a root Unix user running in either the unconfined_t or sysadm_t SELinux domain. It is the classical, full-powered, omnipotent root user.

    However, one could perfectly well set up their system to spawn a root shell (I mean a root Unix user shell …

  7. Do randomized PIDs bring more security?

    Published: Sat 23 May 2015 in Opinions.
    The limits of randomness-based security and the position of the main free *nixes on the subject.

    The issue

    I read an article in the French magazine MISC (no. 74 - July/August, 2014) publishing a flaw affecting stunnel and libssh.

    To make things short, this flaw relies on the fact that a hello cookie created by the server is generated using the current Unix timestamp (so up to the second) and the PID of the process handling the request. The exploit sends a high number of connection attempts in order to force the server to generate duplicate cookies. In the end, this attack aims to deduce the server’s private keys.

    The author explains that such an attack is not realizable on systems using traditional sequential PIDs, because it would require more than 65000 connection attempts to be made in less than one second.

    However, thanks to the random PIDs used on some “hardened” systems, the author demonstrates that, with 20 connection attempts per second, there is statistically more than one …

  8. Prevention measures against laptop seizure by the customs.

    Published: Mon 11 May 2015 in Cookbook.
    Steps to mitigate the risk of data theft and backdoor installation upon device seizure.

    The ANSSI, the French government agency in charge of IT security, has published a document (in French) providing brief advice to people having to travel abroad.

    The ANSSI advice concerning preparation before travel is as follows:

    1. Review the applicable company policy,
    2. Review destination country applicable laws,
    3. Prefer to use devices dedicated to travel (computers, smartphones, external storage etc.) and not containing any data not strictly needed for the mission,
    4. Backup all of your data before leaving and keep the backup in a safe place,
    5. Avoid taking any sensitive data at all; prefer to use a VPN (or a specially set up secured mailbox where all data will be deleted after retrieval) to retrieve the data securely (this is one of the most on-topic pieces of advice, since it prevents any sensitive data from being present on the computer when crossing the border),
    6. Use a screen filter to avoid shoulder surfing …
