Monthly Archives: January 2020

Say hello to OpenSK: a fully open-source security key implementation

Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, we are excited, following other open-source projects like Solo and Somu, to announce the release of OpenSK, an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

Photo of OpenSK developer edition: a Nordic Dongle running the OpenSK firmware on DIY case

By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.

With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a Nordic chip dongle. In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by FIDO2: NFC, Bluetooth Low Energy, USB, and a dedicated hardware crypto core. To protect and carry your key, we are also providing a custom, 3D-printable case that works on a variety of printers.

“We’re excited to collaborate with Google and the open source community on the new OpenSK research platform,” said Kjetil Holstad, Director of Product Management at Nordic Semiconductor. “We hope that our industry leading nRF52840’s native support for secure cryptographic acceleration combined with new features and testing in OpenSK will help the industry gain mainstream adoption of security keys.”

While you can make your own fully functional FIDO authenticator today, as showcased in the video above, this release should be considered as an experimental research project to be used for testing and research purposes.

Under the hood, OpenSK is written in Rust and runs on TockOS to provide better isolation and cleaner OS abstractions in support of security. Rust’s strong memory safety and zero-cost abstractions makes the code less vulnerable to logical attacks. TockOS, with its sandboxed architecture, offers the isolation between the security key applet, the drivers, and kernel that is needed to build defense-in-depth. Our TockOS contributions, including our flash-friendly storage system and patches, have all been upstreamed to the TockOS repository. We’ve done this to encourage everyone to build upon the work.

How to get involved and contribute to OpenSK 

To learn more about OpenSK and how to experiment with making your own security key, you can check out our GitHub repository today. With the help of the research and developer communities, we hope OpenSK over time will bring innovative features, stronger embedded crypto, and encourage widespread adoption of trusted phishing-resistant tokens and a passwordless web.


We also want to thank our OpenSK collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Dominic Rizzo, Fabian Kaczmarczyck, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek

Vulnerability Reward Program: 2019 Year in Review

Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.

2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!
Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We've also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out more than $21 million in rewards*. As we have done in years past, we are sharing our 2019 Year in Review across these programs.
What’s changed in the past year?

  • Chrome’s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their program rules page.
  • Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million. See our program rules page for more details around our new exploit categories and rewards.
  • Abuse VRP engaged in outreach and education to increase researchers awareness about the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and US.
  • The Google Play Security Reward Program expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.
  • The Developer Data Protection Reward Program was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.
We also had the goal of increasing engagement with our security researchers over the last year at events such as BountyCon in Singapore and ESCAL8 in London. These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits.

A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10. Stay tuned for celebrations. Follow us on @GoogleVRP

*The total amount was updated on January 28; it previously said we paid out more than $15 million in rewards.

Cyber Threat Trends Dashboard


Information sharing is one of the most important activity that cybersecurity researchers do on daily basis. Thanks to “infosharing” activities it is possible to block or, in specific cases, to prevent cyber attacks. Most of the infosharing activities involved in cybersecurity are mostly focused on Indicator of Compromise such as: URL, IPs, Domains and file hashes which are perfectly used to arm protection tools such as: proxies, ng-firewalls and Antivirus Engines.

Collecting and analyzing public available samples every single day I became more and more interested on the Cyber threats evolution (Cyber Threats Trend) rather than specific single analyses, which after hundreds of them, could get bored (no more emotion in analyzing the next Ransomware or a new Emotet version 😛 ). Regarding APT well it’s another cup of tea (a lot of passion in understanding next steps in there). So I decided to develop a super simple dashboard showing in real time (as soon as I get analyses done) the threat trends that are observed over days. The dashboard is available HERE (on top menu TOOLS => Cyber Threat Trends). So far only few basic information are showed, if you would like to see more stats/graph/infos, please feel free to contact me (HERE).


Aim of this dashboard is to monitor trends over thousands even millions of samples providing quantitative analyses on what has observed during the performed automatic analyses. The data in this dashboard is totally auto-generated without control and with no post-processing. You should consider it as raw-data where you can start to elaborate your own research and eventually where you can apply your personal filters or considerations. If you do that, you should be aware that false positives could be behind the corner Let’s move on the current graphs and let’s try to explain what I’d like to show with them but before getting in you should be aware that all the digits on the graphs are expressing percentages and not absolute numbers. Now let’s dig a little bit on them.

  • Malware Families Trends. Detection distribution over time. In other words what are time-frames in where specific families are most active respect to others.
  • Malware Families. Automatic Yara rules classify samples into families. Many samples were not classified in terms of families, this happens when no signatures match the samples or if multiple family signatures match the same sample. In both ways I am not sure where the sample belong with, so it would be classified as “unknown” and not visualized on this graph. Missing slice of the cake is attributed to “unknown”.
  • Distribution Types. Based on the magic file bytes this graph would track the percentages of file types that Malware used as carrier.
  • Threat Level Distribution. From 0 to 3 is getting more and more dangerous. It would be interesting to understand the threat level of unknown families as well, in order to understand if hidden in unknown families Malware or false positives would hide. For such a reason a dedicated graph named Unknown Families Threat Level Distribution has created.
  • TOP domains, TOP processes and TOP File Names. With a sliding window of 300 last analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and utilized file names. Again, there is no filter and no post-processing analysis in that fields, by meaning you could probably find as TOP domain “” or “microsoft update”, which is fine, since if the sample queried them before performing its malicious intent, well, it is simply recorded and took to your attention. Same cup of tea with processes and file names.Indeed those fields are include the term “involved” into their title, if something is involved it does not mean that it is malicious , but that it is accounted to be in a malicious chain.


The introduced dashboard is part of my cybersecurity community contribution as every free tool released on the “Tools” menu box. Cyber Threat Trends dynamically evolves over time and you might find it useful to ask questions about live statistics on cybersecurity threats. If you are a journalist or a cybsec passionate you might find some answers to trending questions to be elaborated over time.

Who Needs WMDs (Weapons of Mass Destruction) Today ?


Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more that 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.

So without further adieu, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?

Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.

Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and its Game Over.

Puzzled? Allow me to give you a HINT:.

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.

If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.

Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.

They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

Best wishes,

PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)

What is Active Directory? (Cyber Security 101 for the Entire World)


Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.

Cyber Security 101

Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is,) its one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while its true that at its simplest, it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence because  "Who really cares about just a phone book?"

In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that are likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

Again, after all, who cares about a phone book?!

Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If as they say, a "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -

An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the  risk of complete, swift and colossal compromise.

Active Directory Security Must Be Organizational Cyber Security Priority #1

Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.

Here's why - A deeper, detailed look into What is Active Directory ?

For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)

In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.

Best wishes,