Security Code Review of 700 projects written in NodeJS

TLTR: in the last two weeks we rewrote NodeJsScan and published it’s security analysis of over 700 projects hosted on GitHub.

Long story: Writing secure Node.JS is hard, almost no tools and little awareness. We felt the same pain while performing an increasing number of Code Reviews in Node and wanted to improve our internal process. That’s why we rewrote NodeJsScan to have better reporting and a JSON output. It’s not a substitute of manual review but it serves it’s use as an additional input for the audit and has customizable XML rules.

By testing it we ran a batch of more than 700 scans and released the output here: Security Audit of Node.JS projects ( It has an high rate of false-positive so not for the pavid :)

–Francesco `ascii` ongaro


ISGroup SRL sponsor ESC2k16 – End Summer Camp

From August 31 to 4 September there will be the XII edition of ESC – End Summer Camp, one of the best technical and underground camps in Italy, featuring great talks on Free Software & Open Hardware, Hacking, DiY, Ham Radio and Digital Human Rights. ISGroup joins and supports ESC as sponsor.

Screenshot from 2016-08-29 17:53:41

Teammates at ISGroup were involved in ESC from it’s first editions, so we have a special connection with the camp and the people who make this incredible community!

Screenshot from 2016-08-29 17:53:53

There is still room for donations, so if your company has some spare budget, why not!

Screenshot from 2016-08-29 17:54:41

See you at the camp!

Francesco `ascii` Ongaro

‪@EndSummerCamp #ESC2k16 #hacking #opensource

Conferences, ISGroup

Grappa Hat Aosta 4,5,6 March 2016

We want to thank all the attendees of Grappa Hat, a security conference in Aosta that took place over the past week-end. The mood was relaxing and informal, the city is surrounded by mountains and beauty and we had a chance to meet long-time friends and to make new ones too!

Personally I presented the speech I’m going to bring to the International Journalism Festival ( on 8 April in Perugia, an happening I warmly recommend to anybody interested in Digital Rights, Privacy and, obviously, Journalism ^_^

The talk is titled The lost war on Information Security and it highlights some regressions from the security standpoint that the Cloud paradigm is going to cause:

The lost war on Information Security

It happened, software ate the world, we lost control on our information and security is not better than before.

How to stem organized crime, corporations and governments appetite on data bubbles generated by Cloud computing? What people could realistically do?

We will explore the major indicators of the current state of software security, its evolution over time and how the adoption trend of Cloud solutions affects the confidentiality, integrity and availability of people’s and companies’s information.

Again thanks everybody, me and Andrea enjoined the time spent together! If you need a copy of the slides and you attended Grappa Hat ping me and I’ll happily send you the PDF :)

Need a pointer? 0x414141, LinkedIn or by Tweet

–Francesco Ongaro


Security fix in EasyAudit Exposure

We want to say thanks to Roberto Urbanus who found an Improper Error Handling and Source Code Disclosure in our EasyAudit Exposure service, a passive vulnerability and reputation management system. In some conditions the registration failed and the returned object was NULL. When the following code tried to access that object’s properties, it failed showing a very verbose debug error handler.

The issue was caused by both not validating the registration and by an error in the routine that selected the correct error handler in production and in development.

Roberto reported on Sunday and we fixed it today (Monday), the new code is online and it also adds some nice new features!

Thanks again!

–Francesco Ongaro
CEO of ISGroup SRL

Security Research

A good time to update your Veeam to Update 3 – VeeamVixProxy Vulnerability

Pasquale `sid` Fiorillo, Francesco `ascii` Ongaro from ISGroup, an Italian Security firm, and Antonio `s4tan` Parata from ush team, have just released a critical security advisory for any version of Veeam Backup & Replication prior to 8 Update 3 (released today, October 8th, 2015). The issue potentially involves 157,000 customers and 9.1 million Virtual Machines worldwide and could lead to full Domain Administrator compromise of the affected infrastructures.

Veeam 6 7 8 Vixproxy Vulnerability

This vulnerability is caused by a component, VeeamVixProxy, that logs in an obfuscated way the administrator username and password used by Veeam to run. An attacker could easily “decode” the password to cleartext. From subsequent analysis it turns out that Veeam’s admin user is often a Domain Administrator user and this enables a scenario in which an unprivileged user, or even an hacked IIS website, inside a single Virtual Machine, can escalate his privileges to Domain Administrator. Even if Domain escalation is not possible, the attacker will at least get the Local Administrator’s credentials.

Users are strongly advised to update their systems to the latest version released by the vendor.

–The press team
You can use the images in this post under the Creative Commons Attribution 4.0 International License.

Security Community

TrueCrypt security history (from isTrueCryptAuditedYet to Oct 2015)

TrueCrypt was a popular tool for encrypting volumes with strong cryptography before integrated solutions like BitLocker for Windows and encrypted .dmg volumes using the Disk Utility in Mac OS X. Linux had an historically good support for a number of implementations like the old loop-AES, Cryptoloop and the current dm-crypt / LUKS. Still a lot of people use TrueCrypt and there is plenty of interest in the software: this include forks, audits, licensing issues, and.. vulnerabilities. The main reason was it’s cross-platform support.

First you need to know that now TrueCrypt is abandonware, as developers discontinued it and suggest users to move to other solutions, as seen from their official statement:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The latest available build is 7.2 but do not download it as it’s stated as not secure by the original developers:

Our story starts October 2013, when Matthew Green suggested an audit of TrueCrypt that led to the Open Crypto Audit Project founded by crowfounding with a huge success ($16,579 on FundFill and $46,420 on Indiegogo for a total of $62,999). Thanks to a matching donation by the Open Technology Fund (till now $125,998 of total budget) the iSec team was engaged in a 5-6 week long assessment to verify the security of TrueCrypt in it’s 7.1a incarnation.

The audit started in December 2013 and there was an initial report from iSECpartners of nccgroup on February 14 2014, titled “Open Crypto Audit Project: TrueCrypt Security Assessment“. It’s written by Andreas Junestam and Nicolas Guigo, 32 pages long and highlight zero high impact issues, four medium, four low and three informational issues. The iSEC team did not like the code at all and there were some crypto-related concerns but no backdoors were identified.


Then the bomb, on May 2014 the TrueCrypt team release 7.2 and discontinue the product, but the Open Crypto Audit Project can’t stop. In particular on March 13 2015, iSEC release the final “Open Crypto Audit Project: TrueCrypt Cryptographic Review” report. It’s a 21 page document written by Alex Balducci, Sean Devlin and Tom Ritter and highlights two high impact issues, zero medium one low and one undetermined. The analysis was not a complete code review but the most important portions were audited.


The findings were related to the random number generation, inability to detect tampering of the volume, the method used to mix the entropy of keyfiles was not correct and several AES implementations were vulnerable by cache-timing attacks but mitigated by fixes introduced by Google’s Zero Project regarding ability to flip bits in adjacent DRAM rows.


In the meantime between February 2014 and March 2015 other issues are made public:

  • TrueCrypt bug in serpent implementation (March 2 2014)

Little (or none?) of the suggestions are implemented in the official 7.2 version but after the discontinuity announce of TrueCrypt two forks arise (VeraCrypt and CipherShed) and implement them. Developers at VeraCrypt and CipherShed are not friends and don’t lose time in bashing each other. Only VeraCrypt has a released version, while CipherShed has the goal to rewrite the 100% of code to solve licensing issues but is still at the “rebranding” stage of development. Still you can use a completely different implementation, like DiskCryptor but IMHO without the community and commercial audit plus.

And we come to the present day, with two high impact and exploitable vulnerabilities found by the Google Security Research for the driver user by TrueCrypt, VeraCrypt and CipherShed to create a system drive on Windows:

Summarizing, great effort has been pushed into TrueCrypt’s codebase and there is at least one valid fork (VeraCrypt) you can install and use if you need cross-platform support. If you want to encrypt your own data alone use the native Full Disk Encryption solution provided by your OS and you will probably be safer.

For any suggestion and comment @isgroupsrl on twitter :)

–Francesco Ongaro
CEO of ISGroup


HP Proliant SE1102 notes

HP Proliant SE1102 were great Special Editions HP released for datacenter customers. Based on the HP ProLiant DL160 G5 Server architecture, they have differences in terms of enabled PCI-Express slots (they are there but my understanding is that only the one who has the pci riser card is usable) and are artificially stripped down in some departments.

One of the issues you could face is their ability to support large drives (>2.2GB), somebody even flashed the DL160 G5 bios on a SE1102 and found that it’s a bios, and not hardware, limitation. You can find the bios on the HP website, it’s called SP52204.exe and will unpack to a USB bootable key. The default flash utility (HPQUSB.exe) will not leave you flash a different unit but the OP succeeded using an alternate utility called “flashrom”.

HP Proliant DL180 G5 server treats 3-TB SATA disks as 750-GB ones

Long short story: we did not feel brave and keep the original bios, also in order to mantain support for 24GB of RAM and found that Linux correctly manage 4TG hard-drives with some trickery. Please note that we did not need boot support from such disks as we boot from a PCI-X SSD that has a standard msdos MBR and partition table.

Our steps with HGST IDK Deskstar NAS 4 TB (ex Hitachi):

  1. Remove any partition header from the disk using dd (dd if=/dev/zero of=/dev/sda count=1 bs=1024);
  2. gdisk /dev/sda and create a GPT partition table;
  3. with parted /dev/sda:
    1. mkpart primary 1049kb 100% create an aligned partition;
    2. set 1 raid on flag it as a raid partition;
    3. align-check opt 1 make sure alignment is correct;
    4. quit :)

Now your HP Proliant SE1102 will boot instead of freezing after the BIOS POST (power-on self-tests).

Many thanks to my colleague and friend Pasquale `sid` Fiorillo who countlessly rebooted this machine until finding the right solution :)



Luiss Enlabs job posting public fail

Leggo con stupore l’annuncio di Augusto Coppola in merito alla ricerca di “3/4 persone junior” per LUISS ENLABS. La pagina originale è e ne riporto il contenuto integrale al 5 Ottobre 2015.

Sto cercando 3/4 persone junior da aggiungere al team che gestisce il programma di accelerazione in LUISS ENLABS. Non sono richiesti particolari background accademici, quello che invece è richiesto è:

1. Ottima conoscenza dell’inglese (dovete intervenire ad eventi internazionali in qualità di speaker o di partecipanti a panel) oltre che dell’italiano (ad esempio chi continua a scrivere gli asinini bhe, bho, accelleratore con due elle è automaticamente fuori da questo annuncio).

2. Capacità di lavorare in autonomia producendo risultati impeccabili (l’ambiente è caratterizzato da una velocità tale da impedire un controllo effettivo dei processi, ma al contempo è richiesta sempre una delivery di qualità superiore).

3. Precisione e affidabilità: non stiamo cercando persone che facciano il lavoro bene al 99%.

4. Un CV di max 2 pagine, tassativamente no Europass.

5. Una lettera motivazionale di max 1 pagina.

6. La disponibilità a lavorare a Roma, presso i nostri uffici nella stazione Termini.

7. Una mente analitica.

8. Un modo di pensare “semplice”, ovvero la capacità di trovare le soluzioni semplici a problemi complessi (il che implica anche capire come individuare approssimazioni della soluzione perfetta e piani concreti per farle evolvere nel tempo).

9. Se informatici, una vera passione per l’informatica, tale per cui quando non lavorate (e lavorerete tanto) passate un sacco di tempo a programmare e a leggere di programmazione.

10. Se non informatici, una vera passione per il mondo dell’innovazione e della tecnologia.

11. Ci piacciono le persone che hanno l’ambizione di salire sul palco e parlare ad un pubblico, ma che capiscono che prima di farlo hanno bisogno di imparare e fare sul serio le cose e che non basta averle lette su un libro.

Quello che offriamo è:

1. Un contratto di un anno di formazione (la retribuzione media durante l’anno è di 800EUR mese netti) a cui seguirà l’assunzione a tempo indeterminato con un RAL di poco inferiore ai 24.000EUR, più premi. Ogni anno è previsto uno scatto di stipendio (se meritato).

2. Imparare un sacco di cose in poco tempo.

Vorremmo chiudere il processo entro Natale per cui prima inviate le vostre candidature e prima vi daremo un feedback.

I colloqui durano tra i 30 e i 45 minuti, sono piuttosto eccentrici e servono anche a capire come lavorate sotto pressione.

Se avete domande potete postarle come commenti, rispondo a tutti (un minimo di pazienza, nelle prossime 2/3 settimane sarò continuamente in treno con la connessione a singhiozzo), mentre per le candidature basta inviarle ad

Il subject della mail deve essere: CV 15093

Leggo solo PDF il cui filename è CognomeNomeCV.pdf e CognomeNomeLM.pdf

Tra tutto, quello che più mi ha colpito è il requisito “capacità di lavorare in autonomia producendo risultati impeccabili. L’ambiente è caratterizzato da una velocità tale da impedire un controllo effettivo dei processi, ma al contempo è richiesta sempre una delivery di qualità superiore.” che a mio parere definisce le qualità di un Senior o addirittura di un Consulente Senior, quindi abituato a lavorare al di fuori dell’organizzazione e con forti doti di autogestione.

Possiamo, e come imprenditore devo, selezionare i più svegli, i più motivati e chi ha conoscenze pregresse più utili al lavoro da svolgere ma non possiamo chiedere sia l’autonomia che la qualità a dei neo-laureati o diplomati. Un collaboratore Junior deve necessariamente essere collocato all’interno di un processo per imparare, portare valore all’azienda e garantire un lavoro di qualità.

Per un’organizzazione che incuba startup e che quindi fornisce come valore accessorio supporto ai processi che la startup non si può permettere, come ad esempio l’HR, un bel passo falso.

–Francesco Ongaro
CEO of ISGroup


PHP Developer

ISGroup SRL ( is an Information Security company. To achieve the projects and development milestones set, ISGroup is recruiting a new PHP developer to join the team in Verona, Italy.

Skills Required:

  • PHP 5 (experience with Object Oriented Programming)
  • MySQL

Experiences with:

  • YII
  • Linux / Unix
  • Information Security
  • Bash

are a strong plus.

This is a full-time or part-time job offer. Candidates’ skills and experience will make the difference.

When applying, please, attach your CV (our mail is, a very short Cover Letter, where you should link any relevant project you took part in.

We look forward to reading lots of awesome applications!