Arkadiy Tetelman A security blog

Reverse Engineering Protobuf Definitions From Compiled Binaries

A few years ago I released protodump, a CLI for extracting full source protobuf definitions from compiled binaries (regardless of the target architecture). This can come in handy if you’re trying to reverse engineer an API used by a closed source binary, for instance. In this post I’ll explain how it works, but first, a demo:


Detecting Manual AWS Actions: An Update!

Back in 2019 I published Detecting Manual AWS Console Actions, which continues to be one of the more popular articles on this blog. In this post I’ll do a refresh with what’s changed in my approach over the last 5 years.


Scanning your iPhone for Pegasus, NSO Group's malware

In collaboration with more than a dozen other news organizations The Guardian recently published an exposé about Pegasus, a toolkit for infecting mobile phones that is sold to governments around the world by NSO Group. It’s used to target political leaders and their families, human rights activists, political dissidents, journalists, and so on, and surreptitiously download their messages/photos/location data, record their microphone, and otherwise spy on them. As part of the investigation, Amnesty International wrote a blog post with their forensic analysis of several compromised phones, as well as an open source tool, Mobile Verification Toolkit, for scanning your mobile device for these indicators. MVT supports both iOS and Android, and in this blog post we’ll install and run the scanner against my iOS device.


Getting Partial AWS Account IDs for any Cloudfront Website

Yesterday Amazon released a new Cloudfront API that returns partial AWS account ids and Cloudfront distribution ids associated with some given domain name, to help you determine which of your own AWS accounts serves traffic for that domain.


A Summary of Zoom's Bad Security Month

As a result of the global pandemic, Zoom has seen an explosion in usage (going from 10M to 200M daily active users) and has received quite a bit more scrutiny into their security and privacy practices. This has caused them to get reamed in the press for a number of issues:
