Blog

Beside the list you are seeing below, VSEC also has many other articles presented in Vietnamese for Vietnam bloggers to find out. Press()for more information.

Recently, I got the request to pentest the application from two companies. For security purpose, I hide their identity, so, I called them with the name as X and Y. During the penetration test, I discovered the bug that led to Account Takeover (ATO), I found that the bug was simple, not superior. The more important was that I wanted to share the things what I have done. Somebody says “Sharing is Caring”.

Sorry for the long post, I have no idea how to make it shorter, if you do not have time to read all so you can press a like and then move the other page. On the one hand, I like to write, the other is the way I develop skills ...

In their recent report of the highest-performing B2B companies from all over Asia and Africa, Clutch.co named featured our team, particularly for our stand-out performance compared to other Vietnamese service providers. We placed second for IT Consulting Companies in Vietnam out of 59 other contenders. Additionally, we landed twelfth for Software Developers in Vietnam out of 66 firms. While any company can get listed on Clutch, only the highest-performing and most reliable firms are chosen as industry leaders by means of verified client reviews and Clutch’s internal scoring methodology.

In 2017, VSEC provided services to a large number of domestic and global Clients, ensuring the safety of many systems. Most of the Clients are well-known enterprises, so the number of users of Clients is also huge, reaching tens of millions. This also means that VSEC has helped protect directly and indirectly the mass of users from attacks.

When security tools and processes are integrated throughout development, and an application or update is just soon to be released, don’t forget that you’ve got one more step in the security process to go. A Secure Code Review.

It could be very difficult to generate and implement a secure application development process which could cover all the vulnerabilities and requirements of specific projects right away. Managing a development team while making sure the proper secure procedures and coding is complied with is hard a task as well.

In this article, I will present about a buffer overflow vulnerability in a modem of a ISP in Viet Nam. This is one of the many vulnerabilities that  I have found in this modem device. Currently, this vulnerability has not been fixed by ISP and modem manufacturer so I just provide some basic information about device.

Wannacry is a Ransomware infect and encrypt data across over 100 countries in the world, include Viet Nam. Wanna cry use a vulnerability of share file service SMB in Window ( MS 17-010) was released by the hacker group The ShadowBrowkers to attack and infect. Currently, the ransom have to pay to decrypt files is from $300 - $600 in bitcoins. Microsoft have issued patch name MS17-010 to remove this vulnerability on 14 march 2017, before Exploit tools of NASA named...

  (Key notes at VSEC’s mini workshop “Information Security Risks”) [embed]https://www.youtube.com/watch?v=yuekJt9C1fU[/embed] On a sunny day in late April 2017, Truong Duc Luong, CEO of VSEC, delivered a speech on the hot topic of information security risks at a mini-workshop held in Hanoi, Vietnam. The workshop covered quite a few aspects of how information security risks can be created on both server side and client side. Server-side Risks Server-related risks can occur from quite a few reasons, including Poor Authorization and Authentication, Insecure Direct Object...

Analyzing Dropper: The same as the shellcode, Dropper also used a decryption function to transform themselves by XOR with 0xCC value. Then, it was parsing kernel32.dll and getting the addresses of APIs. In addition to getting the address of LoadLibrary function in kernel32.dll, Dropper used a decryption function to get the address of other libraries. Figure 7. APIs were getting by Dropper from DLLs In order to make difficulties in the process of static analysis, shellcode was built by using encryption and decryption to...

Shellcode analysis is not trivial. Static analysis is ineffective and easily to be defeated. Moreover, static analysis tools are usually not free. Dynamic analysis requires the shellcode to be loaded into another process in an appropriate environment, which is often a virtual machine. In this presentation we introduce PyAna, a new tool that aims to make it easier to analyze shellcode. PyAna uses the Unicorn framework to emulate CPU, and creates a virtual Windows process, into which the shellcode is injected...

(English caption below) Q: Gần đây tôi nghe nhiều người nhắc tới thuật ngữ Pentest, kiểm thử bảo mật, thuật ngữ đó nghĩa là gì vậy chị? A: Pentest là hoạt động đánh giá sức khỏe của hệ thống thông tin dựa trên kỹ thuật thử nghiệm tấn công hệ thống. Hệ thống có thể hiểu là website, máy chủ, mạng,… và thậm chí cả con người. Q: Kỳ lạ nhỉ. Có gì nhầm lẫn chăng khi chị tấn công vào hệ thống...

In January 2017, the Vietnamese Prime Minister approved a non-cash payment project for the 2016-2020 period, paving the way for online transaction development. Nowadays, information technology is widely used in all sectors of the economy. In particular, information security in online transactions plays an important role. The proportion of online transactions is increasing, which has been shown in e-commerce sales reaching over $4 billion and growth rate 37% in 2015 (according to an e-commerce report by the Ministry of Industry...