Příspěvky

Electronic Application Market places still violates the European Law

Steam, Google Play, App Sore, PlayStation network , Market place basically, almost all available electronic application market services still violates the European law as they don't allow reselling of used software. Moreover, they usually violates some local laws as i.e. in Czech law there is a paragraph stating that I can claim goods bought over the internet until two weeks and get a refund for it without giving any reason. That's basically because I can't try or overlook the goods before I buy it so I can submit a reclamation an claim it back if it it does not fit my needs or expectations. I know the software market is a bit different from regular goods markets and we usually just obtain a permission (a license) to use the software. But according to European Court of Justice decision in case of Oracle vs Usedsoft we are able to sell the software license to anybody else when we uninstall the software from computers and we make sure the software will not be used on device

TPM is not secure enough without PIN or additional authentication mechanisms

Recently, I was involved in security testing of the device where TPM was used to store hard drive encryption key and authorize the platform before the key is unsealed from TPM to allow the OS loader or OS itself to decrypt hard drives. As the device was a stand alone device without possibility of using of another authorization methods (such as PIN, password or another key stored i.e. on USB key or a smart card) I have identified a possible attack vector how to disclose the encryption key and decrypt the data stored on the protected partitions of the hard drive. The idea was based on the fact the he TPM chip is usually connected to standardized and well documented LPC bus on the motherboard. On this bus the communication is not encrypted so it is possible to capture the traffic using a low-cost digital analyzer device and decode the LPC / TPM ACPI protocols later using the simple Java program. It took about two days (including preparations and simple LPC/TPM ACPI decoder developme

MS Azure - AppService Configuration Vulnerability

Please note this critical vulnerability affects mainly those who use AppService for PCI DSS related services. As the service is not designed according to best security practices and security standards  ITS NOT COMPLIANT  with the PCI DSS standard at least its requirement 6. This in the end means the  complete customer service  is not compliant too. This is because the AppService is not designed and maintained according to best practices and industry standards as PCI DSS requires. I've started with development of some application with targeting the Azure as the hosting platform. Because I was ethical hacker for last 10 years I was interested how secure the Azure is before I'll put anything there. I've read all that stuff related to sandboxes and isolation level of VM's running in the cloud, especially those related to web applications... Its good to trust but also to check. Once I've created the account to the Azure Portal I have deployed my first small Asp.Net