Immortalising 20 Years of Epic Research

In December 2019 we launched this new technical security research blog site. As part of its launch we had cause to revisit our old blog website and found a myriad of forgotten whitepapers and conference presentations spanning NCC Group’s history (formation in 1999). Deeply nested on our old blog site we found over 200 whitepapers and conference presentations dating as far back as 2001, and which included key outputs from previous cyber security acquisitions including NGS Software (2008), iSEC Partners Inc. (2010), Matasano Security (2012), Intrepidus Group (2012), FortConsult A/S (2014), Fox-IT (2015), Payment Software Company Inc (2016), and VSR Inc. (2016).

While much of the research may not be so relevant anymore due to changes in technology landscapes and a maturation of the cyber security industry; the whitepapers and presentations chronicle much of the foundation of our industry, and at many times show the genesis of ideas and techniques, classes of vulnerability, methods of attack and defence, open source tooling and public reports on key Internet components, and much more. This research has helped our clients with their cyber security assurance needs, and has positively contributed to the security of the Internet as we all know and use it.

There is also sometimes much value in revisiting historical research – this can aid in general learning and development, stimulation of new research ideas and/or re-invigoration of older research ideas that perhaps at the time were theoretical or unfeasible, but are now realisable due to improvements in technology and computational power.

Word cloud created from the whitepaper titles

What a journey its been! With early whitepaper topics covering finding and exploiting format string vulnerabilities in Windows 2000, to more recent topics covering assessment of Unikernel security, and practically every type of technology in between and the security aspects of those technologies.

The research is in no way exhaustive either – many of the public presentations that we have delivered at all manner of Tier-1 conferences around the world over the past 20 years didn’t find their way to our old web site for whatever reason. We have however taken whatever was available and present it here, greppable by title, author, synopsis and year of publication in the table below.

We welcome feedback on additional and relevant things to include in this list and we will happily update the table accordingly.

Just reading the author names in the table is fascinating – many of those individuals are now CISOs, CEOs or senior and influential cyber security professionals in the industry and at some of the largest companies in the world. We are proud of them and their research legacy.

Our current research team continues to build on this legacy as can be seen from their great outputs that we are always excited and proud to showcase on this blog platform. Thank you to everyone who does, and has, contributed to NCC Group’s research and here’s to the next 20 years and the immense research challenges it will bring…

Hackproofing Lotus Domino Web ServerDavid LitchfieldThis document describes how to secure the web service that comes with Lotus Domino. It is written to show Lotus Domino administrators how an attacker would attempt to subvert the security of a Domino Web server and provide insight into the mind and modus operandi of a Domino hacker.2001
Windows 2000 Format String VulnerabilitiesDavid LitchfieldA deep-dive on format string vulnerabilities in Windows 2000.2001
Advanced SQL Injection In SQL Server ApplicationsChris AnleyThis document discusses in detail the common ‘SQL injection’ technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform.2002
More Advanced SQL InjectionChris AnleyThis paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. It should be viewed as a “follow up”, or perhaps an appendix, to the previous paper, “Advanced SQL Injection”.2002
E-mail Spoofing and CDONTS.NEWMAIL – Protecting Microsoft Active Server Pages ApplicationsDavid LitchfieldThis paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP application being abused in this way.2002
Assessing IIS Configuration Remotely – Low Level IIS Application AssessmentDavid LitchfieldThis document will look at the relatively unsung skill of assessing the in-depth configuration of a Microsoft IIS web server remotely, showing how to “read” server responses to do this.2002
Hackproofing Oracle Application Server – A Guide to Securing Oracle 9David LitchfieldThis paper will show how an attacker can break into an Oracle-based site, gaining control of the web front end and from there the database server. With each attack explained, the defense against it will be covered.2002
Microsoft SQL Server Passwords – Cracking the password hashesDavid LitchfieldThis paper will discuss the function in detail and show some weaknesses in the way SQL Server stores the password hash. In fact, as we shall see, later on I should be saying, ‘password hashes’.2002
Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XPDavid LitchfieldThis document will describe what they are and how to write one. As will be seen they are easy to write, more so than traditional stack based overflows and as they only require only an understanding of how functions are called at a low level. The non-stack based buffer overflow exploit writer doesn’t even need to know assembly language.2002
Creating Arbitrary Shellcode In Unicode Expanded Strings – The “Venetian” exploitChris AnleyThe paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security.2002
Violating Database – Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case studyChris AnleyThis paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application – enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful example.2002
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 ServerDavid LitchfieldThis paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate.2003
Variations in Exploit methods between Linux and WindowsDavid LitchfieldThis paper will examine the differences and commonality in the way a vulnerability common to
both Windows and Linux is exploited on each system.
New Attack Vectors and a Vulnerability Dissection of MS03-007David LitchfieldThe patch announced by Microsoft on the 17th March 2003 fixed a security vulnerability in the core of the Windows 2000 operating system. The problem, however, is much wider in scope than just simply machines running IIS. Researchers at NGSSoftware have isolated many more attack vectors including java based web servers and
other non-WebDAV related issues in IIS. Due to this, NGSSoftware urge Windows 2000 users to apply the patch.
Quantum Cryptography – A study into the present technologies and future applicationsBill GrindlayIn this report I intend to demonstrate why many scientists now view quantum
cryptography as the first ever completely unbreakable cipher, which will allow people all over the world to communicate securely and privately.
I shall also consider the implications which this will have on society as a whole, including potential problems for law enforcement organisations and the possible
impact on civil liberties.
Writing Secure ASP ScriptsChris AnleyThis paper briefly describes several common classes of coding error generally encountered when auditing web applications running on the Active Server Pages
(ASP) platform.
Hackproofing MySQLChris AnleyThis document is a brief outline of common attacks on MySQL and the steps that a MySQL administrator can take to defend against them.2004
Slotting Security into Corporate DevelopmentGunter Ollmann
Sherief Hammad
John Heasman
Chris Anley
Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises.2004
Blind Exploitation of Stack Overflow Vulnerabilities – Notes on the possibilities within Microsoft Windows NT based operating systemsPeter Winter-Smith
Chris Anley
This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited.2004
Passive Information Gathering The Analysis of Leaked Network Security InformationGunter OllmannLike it or not, every Internet-connected system unintentionally leaks internal information about their organisation which could be used to formulate a targeted attack. Depending upon the source of this leakage, the information may relate to the components used within the organisation’s physical asset infrastructure, the ma2004
Second-order Code Injection Attacks – Advanced Code Injection Techniques and Testing ProceduresGunter OllmannA second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application and then later retrieved, rendered and executed by the victim.2004
Database Security: A Christmas CarolDavid LitchfieldPresentation2004
An Introduction to Heap overflows on AIX 5.3LDavid LitchfieldIn terms of exploitation, one way to exploit heap overflows is with the “arbitrary 4 byte overwrite”. When the pointers that keep track of heap blocks are updated, an attacker can influence this if they manage to overwrite the inline heap management data.2005
Anti Brute Force Resource Metering – Helping to Restrict Web-Based Application Brute Force Guessing Attacks through Resource MeteringGunter OllmannWhilst commonly proposed solutions make use of escalating time delays and minimum lockout threshold strategies, these tend to prove ineffectual in real attacks and may actually promote additional attack vectors.2005
Database Servers on Windows XP and the Unintended Consequences of Simple File SharingDavid LitchfieldThis paper presents some unexpected consequences of running database servers on Windows XP with
Simple File Sharing enabled
Securing PL/SQL Applications with DBMS_ASSERTDavid LitchfieldOracle has introduced the DBMS_ASSERT PL/SQL package. Whilst integrated into Oracle 10g Version 2 from day one, the DBMS_ASSERT was introduced into 10g Version 1 as part of the October 2005 Critical Patch Update. As a security researcher, it is excellent to see Oracle finally making the right positive moves in the direction of greater security.2005
Security Best Practice: Host Naming & URL Conventions Security considerations for web-based applicationsGunter OllmannThere are a number of simple steps that can be
taken to strengthen the security of an environment or application making it more resilient to
several popular attack vectors. By understanding how an attacker can abuse poorly thought
out naming conventions, and by instigating a few minor changes, it is possible to positively
increase the defence-in-depth stature of an environment.
Data-mining with SQL Injection and InferenceDavid LitchfieldSQL Inference is the subject of this paper; this paper is the paper I promised I’d write after talking about this at
the Blackhat Security Briefings in Europe of in the March of 2005. Better late than never!
Stopping Automated Attack Tools – An analysis of web-based application techniques capable of defending against current and future automated attack toolsGunter OllmannThis whitepaper examines techniques which are capable of defending an application against these tools; providing advice on their particular strengths and weaknesses and proposing solutions capable of stopping the next generation of automated attack tools.2005
The Pharming Guide – Understanding & Preventing DNS-related Attacks by PhishersGunter OllmannThis paper, extending the original material of “The Phishing Guide”, examines in depth the workings of the name services of which Internet-based customers are dependant upon, and how they can be exploited by Pharmers to conduct identity theft and financial fraud on a massive scale.2005
Writing Small ShellcodeDafydd StuttardThis paper describes an attempt to write Win32 shellcode that is as small as possible, to perform a common task subject to reasonable constraints. The solution presented implements a bindshell in 191 bytes of null-free code, and outlines some general ideas for writing small shellcode.2005
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms on the Windows platformDavid LitchfieldStarting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered and more XPMs were introduced.2005
Software Penetration TestingBrad Arkin – Symantec
Scott Stender – iSec Partners
Gary McGraw – Cigital
Quality assurance and testing organizations are tasked with the broad objective of assuring that a software application fulfills its functional business requirements. Such testing most often involves running a series of dynamic functional tests to ensure proper implementation of the application’s features.2005
Dangling Cursor Snarfing: A New Class of Attack in OracleDavid LitchfieldWhat is detailed in this document should provide a security reason as to why developers should ensure that cursors are closed properly, especially in the event of an exception.2006
Implementing and Detecting a PCI RootkitJohn HeasmanThis paper discusses means of persisting a rootkit on a PCI device containing a flashable
expansion ROM.
Inter-Protocol CommunicationWade AlcornThis paper explores the Inter-Protocol Communication attack vector. That is, the potential of two different protocols meaningfully communicating commands and data. This has been investigated through encapsulating the target protocol within a carrier protocol. The findings demonstrate that under certain conditions distinct protocols are interoperable.2006
Low Cost Attacks on Smart Cards The Electromagnetic Side-ChannelAdam MatthewsThis paper documents a successful Electromagnetic Analysis attack implemented using limited technical knowledge and low cost equipment. EM traces were
acquired from a sample card and analysis software successfully identified the correct key guesses in proprietary traces.
Which database is more secure? Oracle vs. MicrosoftDavid LitchfieldThis paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question.2006
Oracle Passwords and OraBrutePaul Wrightoracle-passwords-and-orabrute2007
A Simple and Practical Approach to Input ValidationDavid SolderaInput validation, in theory, is not a difficult problem to solve; it is however a difficult problem to get developers to prioritise security (with regards to other development pressures) and put the time and effort into following good security practice when validating input.2007
Attacking the Windows KernelJonathan LindsayThis paper is focused on Windows and the Intel Architecture, and will briefly outline the current
supervisor boundaries provided. Different attack vectors, along with relevant examples, will be
provided to demonstrate how to attack the supervisor from the perspective of the supervised, as
well as an outline of what possible architectures could be used to mitigate such attacks, such as
the research operating system Singularity.
DNS Pinning and Web ProxiesDafydd StuttardThere are various ways in which DNS-based attacks against web proxies could potentially be prevented through changes to proxy and browser software. Each of the fixes considered suffers from important shortcomings. In the meantime, there are other defences that organisations and individuals can employ to prevent attacks against them.2007
Inter-Protocol ExploitationWade AlcornIn October 2006, this author presented a paper exploring the threat of Inter-Protocol Communication. That is, the possibility of two different applications using two different
protocols to meaningfully exchange commands and data. This paper extends that and other research to explore Inter-Protocol Exploitation. These findings demonstrate the
practicality of encapsulating exploit code in one protocol to compromise a program which uses a different protocol.
Database Security Brief: The Oracle Critical Patch Update for April 2007David LitchfieldOn the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database
flaws and EM01 which relates to the Intelligent Agent.
Oracle Forensics Part 1: Dissecting the Redo LogsDavid LitchfieldThis paper represents the first in a series of papers on performing a forensic analysis of a compromised
Oracle database server.
Oracle Forensics Part 2: Locating dropped objectsDavid LitchfieldAs this second paper in the Oracle Forensics series will show, even when an object has been dropped and purged from the system there will be, in the vast majority of cases,
fragments left “lying around” which can be sewn together to build an accurate picture of what the actions the attacker took – or at least some of their actions.
Oracle Forensics: Part 3 Isolating Evidence of Attacks Against the Authentication MechanismDavid LitchfieldIn this section we’ll look at attacks against the
authentication mechanism and evidence from the TNS Listener log file and audit trail, assuming CREATE SESSION is audited of course, and to check whether a logon
attempt was successful or not. We’ll also look at other attacks levelled at the authentication process including SID guessing, user enumeration and brute forcing of
passwords over the network.
Oracle Forensics Part 4: Live ResponseDavid LitchfieldAn organization should have a clear understanding of what actions should be taken in the event of an incident occurring. For those that don’t have a plan often the knee-jerk response is to pull the plug or disconnect the system from the network.2007
Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of AuditingDavid LitchfieldThis paper details information about Oracle 10g Release 2 only and should be used as a guideline for investigating other versions of Oracle as no guarantees or assertions can be made about other versions.2007
Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle BinDavid LitchfieldThis paper examines the ways in which a forensic examiner or incident responder may look for evidence in those places and technologies designed by Oracle for disaster
recovery purposes – namely Undo segments, Flashback and the Recycle Bin – of a compromise and the actions an attacker may have taken.
Exploiting PL/SQL Injection Flaws with only CREATE SESSION PrivilegesDavid LitchfieldWhen exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code2007
Weak Randomness Part I – Linear Congruential Random Number GeneratorsChris AnleyThis, the first paper in the series, describes the extremely common linear congruential generator and describes a bug in Jetty, a popular Java-based web server, which illustrates some of the dangers described in the paper.2007
Cross Site Request Forgery – An introduction to a common web application weaknessJesse BurnsCross‐site request forgery (CSRF; also known as XSRF or hostile linking) is a class of attack that affects web based applications with a predictable structure for invocation.2007
Exploiting Rich ContentRiley HassellAs rich Internet application (RIA) technologies flourish in the mar-ketplace security professionals begun to wonder what impact RIA will have on security landscape. I decided to perform an assessment of one of the most widely deployed technologies, Adobe Flash, and in the process discovered several issues that could be used to com-promise systems with Adobe Flash installed2007
IAX Voice Over-IP SecurityZane Lackey
Himanshu Dwivedi
Inter‐Asterisk eXchange (IAX) is a protocol used for Voice‐Over‐IP (VoIP) communication with Asterisk servers (, an open source PBX system.2007
A Taxonomy of Attacks against XML Digital Signatures & EncryptionBrad HillThis document is an enumeration and taxonomy of currently known attacks and evasions against the W3C Recommendation for XML-Signature Syntax and Processing.2007
Blind Security Testing – An Evolutionary ApproachScott StenderSecurity testing requires that functional testing be covered, for example by ensuring that an authorization mechanism grants or denies access where appropriate, in addition to testing for nonfunctional aspects of the system, a much less tractable test.2007
ProxMon – Automating Web Application Penetration TestingJonathan WilkinsPerforming a web application penetration test is full of repetitive but essential tasks. ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.2007
Command Injection in XML Signatures and EncryptionBrad HillThis paper describes the vulnerabilities in detail and offers advice for remediation. The most damaging attack is also likely to apply in other contexts where XSLT is accepted as input, and should be considered by all implementers of complex XML processing systems.2007
Firmware Rootkits: The Threat to the EnterpriseJohn HeasmanBlackhat / DEFCON USA 2007 Presentation2007
Advanced Exploitation of Oracle PL/SQL FlawsDavid LitchfieldBlackhat USA 2007 Presentation2007
Hacking the Extensible Firmware InterfaceFirmware InterfaceJohn HeasmanBlackhat USA 2007 Presentation2007
VoIP SecurityBarry DempsterBlackhat USA 2007 Presentation2007
Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic InvestigationsDavid LitchfieldThis paper will examine the internals of the Oracle System Change Number (SCN) in 10g and demonstrate how it can be used in the forensic examination of a compromised database server. It will also demonstrate how to use orablock and oratime, part of cadfile, a forensic toolkit for
database servers, to discover when an Oracle data block was changed.
Cleaning Up After Cookies Version 1.0Katherine McKinleyThis paper presents the findings from running our tool using several major browsers with two plug-ins across three common operating systems. We find current browsers are unable to extend tracking protection to third party plug-ins such as Google Gears and Adobe Flash2008
DEVELOPING SECURE MOBILE APPLICATIONS FOR ANDROID – An introduction to making secure Android applicationsJesse BurnsThis guide was written for developers of Android applications. It takes the reader through the security model of Android, including many of the key security mechanisms and how you can use them safely. While it is targeted towards applications developers, I hope it is useful background for those intending to change or extend the platform.2008
Exposing Vulnerabilities in Media SoftwareDavid ThielDeep media stream fuzzing presents a rich opportunity for turning up hard to find bugs in media players, codecs and other unexpected software, and can be a useful tool for developers to ensure the robustness of code. It also requires techniques a bit different than those used in traditional, bit-flipping file fuzzers. This paper explores possibilities, techniques and results of media codec fuzzing and exploitation, using several modern (and some antiquated) audio codecs as examples.2008
Secure Session ManagementWith Cookies for Web ApplicationsChris PalmerStrong session management is a key part of a secure web application. Since HTTP does not directly provide a session abstraction, application and framework developers must bake their own using cookies. In this article I am to help developers aovid the common pitfalls that result in unsafe applications.2008
A Quick Introduction to SQL InjectionBrad Hill
Geng Yang
This article will give you some tips and tricks to hunt down and eliminate SQL injection
in your applications
Microsoft SDL: Return-on-InvestmentiSEC Partners & MicrosoftThis paper will help managers:
– Understand and communicate the benefits of a structured approach to software security.
– Develop and use metrics for ROI to guide process improvement.
– Get meaningful results from a new program or optimize existing efforts on a limited budget.
“Aurora” Response RecommendationsAlex StamosiSEC Partners has been investigating this attack with several victims, and has found a number of common oversights and vulnerabilities that enabled these attackers to be successful2010
Secure Application Development on FacebookJustine OsborneThis document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with the social network experience.2010
Security Compliance as an Engineering DisciplineBrad HillIn this article, I’ll focus on some of the strategies and best practices for deploying SDL and integrating it with security compliance regimes.2010
Weaknesses and Best Practices of Public Key Kerberos with Smart CardsBrad HillThis whitepaper will:
– Give a brief introduction to Kerberos and smart cards
– Dispel some common myths about smart cards
– Explore the certificate validation practices of common PKINIT implementations
– Discuss a practical elevation of privilege exploit possible in common configurations of Windows KDCs
– Provide step by step advice to network architects and administra-tors for securing their smart card deployments
BlackBerry PlayBook Security: Part oneDaniel Martin Gomez
Andy Davis
This is the first in a series of white papers about the security of the BlackBerry PlayBook, the first tablet device released by Research in Motion (RIM) who has had significant success with their BlackBerry smartphones that are used extensively by businesses and consumers around the world.2011
BlackBerry PlayBook Security: Part two BlackBerry BridgeGavin JonesThis is the second in a series of white papers regarding the security of the BlackBerry PlayBook, the first tablet device released by Research in Motion (RIM).2011
Exporting Non-Exportable RSA KeysJason GeffnerThis paper discusses the details of said obfuscation and provides code to export non-exportable keys from client versions of Windows, server versions of Windows, and Windows Mobile devices. Unlike prior work done in this space, the solution offered in this paper does not rely on function hooking or code injection.2011
Fuzzing USB devices using FrisbeeLiteAndy DavisThis paper will discuss the format of device requests that are sent to USB devices in order to hopefully provide an insight into areas where software flaws may exist. It will also discuss a number of public vulnerabilities in USB devices and finally, the installation and usage of Frisbee Lite.2011
Common Flaws of Distributed Identity and Authentication SystemsBrad HillThis paper presents an informal list and plain-language discussion, in the spirit of the “OWASP Top 10”, of some common flaws in distributed authentication, authorization and identity systems of the last fifteen years.2011
Creating a Safer OAuth User-ExperiencePaul YounAn increasing number of web services are implementing OAuth servers in order to allow users to securely share their resources with third-party “consumer” applications. OAuth allows end-users to grant a consumer access to these private resources without surrendering their actual server credentials. Security risks can be introduced into an OAuth implementation and this paper suggests making a more secure user-experience by creating a simple and understandable workflow, implementing a least-privileges model, and auditing consumers.2011
Exporting Non-Exportable RSA KeysJason GeffnerBlackhat EU 2011 Presentation2011
The Role of Security Research in Improving Cyber SecurityAndy DavisPresentation2011
What the HEC? Security implications of HDMI Ethernet Channel and other related protocolsAndy DavisThis paper discusses the various communications protocols that exist within HDMI to provide a whole host of plug-and-play functionality and the security impact of exposing these technologies to a corporate environment.2012
They ought to know better: Exploiting Security Gateways via their Web Interfaces – “All your Gateway are Belong to Us”Ben WilliamsThis paper summarises research undertaken to identify various ways to exploit Security Gateway
products via their Web UIs, and also provides some practical examples of how these systems could be
HDMI – Hacking Displays Made InterestingAndy DavisIn this paper I will explain the circumstances in which display devices send data to their connected host and show that this data could potentially contain threats (which could compromise a laptop for example). I will describe video protocol data-structures, data-sequences and practical challenges. I will also explain how to build a hardware-based fuzzer, provide some example firmware fuzzing code, and describe some interesting findings from the fuzzing which has been undertaken so far.2012
Abusing Privileged and Unprivileged Linux ContainersJesse HertzThis paper will examine some of the security mechanisms behind containers and show
how they can be exploited. Although the focus of this paper will primarily be LXC, and will discuss Docker, this paper will demonstrate many techniques that are applicable across any Linux container system built on the same foundations.
HTML5 SECURITY THE MODERN WEB BROWSER PERSPECTIVEDoug DePerryThe purpose of this paper is to serve as a current analysis of HTML5 on modern web browsers and mobile platforms and as a reference for related testing methodologies.2012
AUDITING ENTERPRISE CLASS APPLICATIONS AND SECURE CONTAINERS ON ANDROID – The Limitations of Mobile Security in the EnterpriseMarc BlanchouThere is an increasing need to assess the security claims of such enterprise class software vendors , but there is very little information on how their claims hold up to real world threats. This paper cover s research into those threats, with a focus on mobile devices running Android. By understanding the different attack.2012

Tom Ritter
Jon Passki (Aspect Security)
Certain block cipher confidentiality modes are susceptible to an adaptive chosen-ciphertext attack against the underlying format of the plaintext. When the application decrypts altered ciphertext and attempts to process the manipulated plaintext, it may disclose information about intermediate values resulting in an oracle. In this paper
we describe how to recognize and exploit such an oracle to decrypt ciphertext and control the decryption to result in arbitrary plaintext. We also discuss ways to mitigate and remedy the issue.
What the HEC? Security implications of HDMI Ethernet Channel and other related protocolsAndy Davis44Con Presentation2012
When Security Gets in the Way – PenTesting Mobile Apps That Use Certificate PinningJustine Osborne
Alban Diquet
Blackhat USA 2012 Presentation2012
The Myth of Twelve More Bytes – Security on the Post-Scarcity InternetAlex Stamos
Tom Ritter
Blackhat USA 2012 Presentation2012
Mobile Threat War RoomOllie WhitehouseRSA Conference eFraud Global Forum2012
Finding the Weak Link in BinariesOllie WhitehouseHack in the Box Presentation2012
Hacking Displays Made EasyAndy DavisCanSecWest Vancouver 20122012
Mobile apps and security by designOllie WhitehousePresentation2012
Software Security Austerity – Security Debt in Modern Software DevelopmentOllie Whitehouse44Con2012
They ought to know better: Exploiting Security Gateways via their Web InterfacesBen WilliamsBlackhat EU 2012 Presentation2012
Further adventures with USBAndy DavisPresentation2012
The Demise in Effectiveness of Signature and Heuristic Based Antivirus: “Or has the death of AV been wildly exaggerated?”NCC Group’s Technical Directors ForumOverall our view is that signature based antivirus is tackling a problem we had 20 years ago and is not relevant to many of today’s threats for businesses, although we feel it still has a role in protecting the consumer. As a result, NCC Group’s opinion is that security budgets might be more effectively directed into other areas of mitigation that offer a higher return on investment in terms of risk reduction.2013
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platformsAndy DavisThis paper details how attackers can exploit the privileged position that laptop docking stations have within an environment. It will also describe the construction of a remotely controllable, covert hardware implant, but most importantly it will discuss some of the techniques that can be employed to detect such devices and mitigate the risks that they pose.2013
Hacking Appliances: Ironic exploits in security productsBen WilliamsThis paper summarises research undertaken during 2012 to assess the overall security posture of popular appliance-based security products. A selection of the products and vulnerabilities discovered during the course of this research are demonstrated here, with redacted proof-of-concept exploits and scenarios in which these vulnerabilities could be exploited.2013
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack InteractionsAndy DavisIn this paper we will show how USB stack interaction analysis can be used to provide information such as the OS running on the embedded device, the USB drivers installed, and the devices supported.2013
The Pentester’s Guide to AkamaiDarren McDonaldThis paper summarizes the findings from NCC’s research into Akamai while providing advice to companies wish to gain the maximum security when leveraging their solutions.2013
Lessons learned from 50 bugs: Common USB driver vulnerabilitiesAndy DavisOver the past few years NCC Group has identified over fifty USB driver bugs in all the major operating systems and many of these have affected more than one OS. Based on these discoveries, this paper presents common USB vulnerabilities and how to identify them from a black box testing perspective.2013
CONTENT SECURITY POLICY BEST PRACTICESJake MeredithContent Security Policy is an HTTP header that provides client side defense in depth against content injection attacks. This document describes the nuances of Content Security Policy, provides guidance on testing and deploying, and proposes a list of best practices for its secure use.2013
AN INTRODUCTION TO AUTHENTICATED ENCRYPTIONShawn FitzgeraldOver the last decade, authenticated encryption has become popularized and a number of modes have been
proposed. This paper presents a technical introduction and analysis of the most well-known and standardized
LOGIN SERVICE SECURITYRachel EngelLogin and password reset services exist in just about every web application. They’re easy pieces of functionality to think about, but include a few common bugs used by attackers to compromise account credentials. This paper discusses security vulnerabilities related to web login services, highlighting possible implementation pitfalls along the way.2013
Paul Youn
Advancements in password cracking and frequent theft of password databases endanger single-factor password authentication systems. Password managers are one of the only tools available that can help users remember unique high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on security promises, or do they introduce their own security vulnerabilities? This paper examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user’s password.2013
Shawn Fitzgerald
Over last few years, a number of vulnerabilities have been discovered in the Transport Layer Security protocol. The purpose of this paper is to serve as an analysis of recent attacks on SSL/TLS and as a reference for related mitigation techniques; particularly as they relate to HTTPS.2013
WINDOWS PHONE 7 APPLICATION SECURITY SURVEY: a look at popular apps and their data storage practicesAndy GrantAs more people use mobile devices for sensitive tasks, such as online banking and password storage, the data stored on the device increases in value. With each new mobile platform there are more opportunities for a mobile application developer to store data in an insecure manner. This paper looks at how popular Windows Phone 7 apps address data storage with a focus on the platform’s initial lack of data protection APIs and how that influenced the type of and manner in which data was kept on a user’s device.2013
How to assess and secure iOS appsNCC Group44Con Workshop2013
Harnessing GP²Us Building Better Browser Based BotnetsMarc BlanchouBlackhat EU 2013 Presentation2013
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platformsAndy DavisPresentation2013
Bypassing Windows AppLocker using a Time of Check Time of Use vulnerabilityOllie WhitehouseThis paper presents the findings from research conducted by NCC Group into a way to bypass
Windows AppLocker to allow unauthorized code to execute on a system.
Fuzzing the easy way, using ZuluAndy DavisThis paper serves as an introduction to using Zulu and includes a number of tutorials explaining how to use the different features within the tool.2014
XML Schema, DTD, and Entity Attacks
A Compendium of Known Techniques
Timothy D. Morgan and Omar Al IbrahimThe eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. A core feature of XML is the ability to define and validate document structure using schemas and document type definitions (DTDs). When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well.2014
Understanding Ransomware: Impact, Evolution and Defensive StrategiesEmily Mitchell
Will Alexander
Nikos Laleas
Jacqueline Gough
David Cannings
In this whitepaper we discuss the potential impact of ransomware trojans, the technology behind a number of recent threats and most importantly how enterprises can begin to protect themselves from losing business critical data.2014
Erlang Security 101Ed WilliamsWe’ve been doing Erlang security focused code reviews for over four years and built up a body of knowledge on the subject2014
Preparing for Cyber Battleships – Electronic Chart Display and Information System SecurityYevgen DyryavyyIn this paper, we discuss the results of a research project looking at the security risks and weaknesses within Electronic Chart Display and Information Systems (ECDIS), an information technology product used by the maritime industry.2014
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and BeyondOllie WhitehouseThis white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and, testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle.2014
An Analysis of Mobile Geofencing App SecurityAshley CoxNCC Group conducted a security analysis of consumer-focused geofencing mobile applications available for the Android operating system from the Google Play store. The purpose of this security analysis was to identify issues associated with privacy, integrity, and overall security of the solutions.2014
RESEARCH INSIGHTS – Sector Focus: Financial ServicesMatt LewisAn overview of the current and emerging cyber threats facing financial services.2014
“SS-Hell: the Devil is in the details” Or “How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit”Will Alexander
Jerome Smith
In this whitepaper we discuss how organisations can avoid SSL issues commonly found during penetration tests, ensure that data in transit is properly secured and ultimately instil in users a sense of confidence that their information is adequately protected.2014
Application Layer Attacks – The New DDoS BattlegroundAkhilesh Mathur
Paul Vlissidis
Distributed denial of service (DDoS) attacks,
which are designed to flood organisations’
servers preventing sites from functioning
efficiently or at all, have become increasingly
more sophisticated and targeted in the approach
employed to bypass current defences.
Automated enumeration of email filtering solutionsBen WilliamsThis paper summarises research undertaken in 2013-2014 to develop offensive reconnaissance techniques for automated and external enumeration of the email filtering solutions of target organisations.2014
THE FACTORING DEAD: PREPARING FOR THE CRYPTOPOCALYPSEJaved SamuelThis paper will explain the latest breakthroughs in the academic cryptography community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the recent major developments
in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA.
Early CCS Attack AnalysisNCC GroupThe OpenSSL project released a security advisory on June 5th 2014, for several newly patched vulnerabilities. Among these is CVE-2014-0224, an attack affecting a two susceptible OpenSSL endpoints in the presence of a network attacker.2014
idb – iOS Blackbox PentestingDaniel A. MayerPresentation of toolset to assist in iOS blackbox pentesting2014
PERFECT FORWARD SECURITY – AN EXTRA LAYER OF SECURITY AND PRIVACYPratik Guha SarkarDisclosure of state sponsored monitoring of electronic communications and the threat of retroactive decryption of traffic of millions of people have created an urge for an extra layer of security and privacy for all electronic communications. The purpose of this paper is to survey Perfect Forward Security — invented more than twenty
years ago — as the solution to this problem.
Automating extraction from malware & recent campaign analysisDavid Cannings44Con Presentation Breakfast riefing2014
Are we secure yet?Rory McCuneTrust Forum Presentation2014
Batten down the hatches: Cyber threats facing DP operationsAndy DavisPresentation on Cyber threats facing DP operations2014
External Enumeration and Exploitation of Email and Web Security SolutionsBen WilliamsPresentation on External Enumeration and Exploitation of Email and Web Security Solutions2014
Distributed Denial of ServiceThomas McDonald
Akhilesh Mathur
Fuzzing the easy way: Using ZuluAndy DavisNullcon 2014 Presentation2014
Dissecting Social Engineering AttacksRobert RayTrust Forum Presentation2014
How we breach network infrastructures and how to protect themBernardo DamelePresentation2014
Practical SME Security on a ShoestringMatt SummersPresentation2014
Phishing StoriesShaun JonesPresentation2014
Social Engineering – Techniques, Methods, Tools & MitigationPanagiotis GkatziroulisTrust Forum Presentation2014
SSL Checklist for PentestersJerome SmithB-Sides Manchester 20142014
The Mobile Internet of Things and Cyber SecurityAndy DavisPresentation2014
U Plug, We PlayDavid MiddlehurstB-Sides Manchester 20142014
USB attacks need physical access right? Not any more…Andy DavisPresentation2014
USB under the bonnetAndy DavisPresentation2014
Cyber Red-Teaming Business-Critical Systems while Managing Operational RiskOllie WhitehouseIn this short paper, we outline how we support our clients in ensuring they can conduct red team engagements while managing their operational risk levels to within acceptable levels when working with business-critical functions and their underlying systems.2015
RESEARCH INSIGHTS – Sector Focus: AutomotiveDavid ClareDriven by demands for cleaner emissions and increased vehicle safety for both drivers and pedestrians, the modern vehicle has become increasingly computerised, and now has more in common with an industrial control system than with a simple mechanically controlled car from 30 years ago.2015
The Why Behind Web Application Penetration Test PrerequisitesJerome SmithThe paper is aimed at anyone who is charged with preparing for a web application penetration test, from project managers to developers, and as such it is written for both technical and non-technical readers.2015
Modelling Threat Actor Phishing Behaviour – “you’re only as strong as your weakest link!”Ed WilliamsThis whitepaper will discuss how likely targets are identified and why certain individuals become targets. It will also cover why the timing of attacks affects the likelihood of success2015
Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong)Dominic WangIn June 2015, Microsoft released the MS15-61 advisory, to address a number of vulnerabilities. This paper aims to provide detailed analysis of one of these vulnerabilities, in the win32k.sys driver, and document the necessary details for exploiting this class of vulnerability on Microsoft Windows 7 Service Pack 1.2015
“If your password is ‘password’, then it doesn’t matter how good your security is” or “Why password and brute-force mitigation policies matter”Will AlexanderIn this whitepaper we discuss the need for good password and brute-force mitigation (or account lockout) policies, for both operating systems and web applications, to help minimise the likelihood of user accounts being compromised.2015
RESEARCH INSIGHTS – Common Issues with Environment BreakoutsDave SpencerEnvironment breakout assessments attempt to bypass
restrictions and move the user into a less restricted context.
Exploiting CVE2015-2426, and How I Ported it to a Recent Windows 8.1 64-bitCedric HalbronnThis paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue before it got patched by Microsoft.2015
Secure Device Manufacturing: Supply Chain Security ResilienceRob WoodThis whitepaper is primarily concerned with the following questions: How can I build a secure product that my customers can trust when I do not trust my
factory? How do I limit the number of counterfeit devices in the marketplace? Can the grey market be of any benefit to my company?
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817Grant WilcoxIn this whitepaper, I will discuss how I went about disassembling and debugging a TD-8817 v8 router to develop a compatible Misfortune Cookie exploit, which would allow me to gain reliable access to the admin control panel on the web interface without the need for a username or password2015
RESEARCH INSIGHTS – Exploitation AdvancementsAaron AdamsIn the last decade and a half, we have seen a significant shift in the defensive realm, with the introduction of many mitigations into mainstream compilers and operating systems, and into their services and applications. This increase in defences has led exploit writers to start leveraging new techniques, along with many that were previously known but considered advanced and unnecessary, in order to achieve a successful compromise.2015
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free VulnerabilityDominic WangThis paper is a written form of a presentation I gave at ToorCon San Diego in October 2015. It details the exploitation tactics used for exploiting the CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free vulnerability discovered by Yong Chuan, Koh of MWRLabs.2015
Best Practices for the use of Static Code Analysis within a Real-World Secure Development LifecycleJeremy BooneIn this paper we describe a methodology for evaluating and selecting the most appropriate static code analysis solution for your software organisation, as well as best practice guidance for effectively integrating that solution with your development procedures as part of a mature secure development lifecycle.2015
Exploiting CVE-2014-0282Katy WinterbornThis paper details the vulnerability and how to produce a working exploit that exits gracefully.2015
RESEARCH INSIGHTS – Defensive TrendsJames Eaton-LeeDefensive measures in information security have always
demanded that information security practitioners attempt
to make decisive assessments as to where to deploy
resources based on limited information.
RESEARCH INSIGHTS – How we are breaking in: Mobile SecurityThomas CannonThe proliferation of the personal and business use of mobile devices has created a strong demand for mobile security assurance. Mobile apps and devices can suffer from many of the same vulnerabilities as traditional systems but also require new approaches to security testing and risk assessment.2015
RESEARCH INSIGHTS – Sector Focus: Maritime IndustryYevgen DyryavyyComputerised systems that are present on board a vessel suffer from many of the same vulnerabilities as traditional systems, but these shipboard systems also require a non-traditional approach to security testing and risk assessment.2015
PROTECTING STORED CARDHOLDER DATA – AN UNOFFICIAL SUPPLEMENT TO PCI DSS V3.0Rob ChahinThis document is intended as an analysis of the various compliant options such that the reader can choose an option that makes sense – and in doing so, meet their compliance obligations while also improving security and keeping costs proportionate.2015
Blackbox iOS App Assessments Using idbDaniel A. MayerTo assist the community in assessing security risks of mobile apps, we introduce our recent tool called idb and
show how it can be used to efficiently test for a range of iOS app flaws.
Going AUTH the Rails on a Crazy Train – A Dive into Rails Authentication and AuthorizationTomek Rabczak
Jeff Jarmoc
In this paper, we explore Ruby on Rails Authentication and Authorization patterns and
Matasano And ISEC Interns Summer 2014 Internet of Things SecurityBrian Belleville
Patrick Biernat
Adam Cotenoff
Kevin Hock
Tanner Prynn
Sivaranjani Sankaralingam
Terry Sun
Daniel Mayer
We assessed the security of several currently available IoT devices targeted at consumers. We considered all user-facing interfaces and all networking components to be in scope of our investigation, and evaluated the devices for common security vulnerabilities. All of the devices we investigated had numerous exploitable security flaws. We discuss in detail the vulnerabilities and the processes used to discover them.2015
Analysis of Boomerang Di erential Trails via a SAT-Based Constraint Solver URSAAleksandar KircanskiIn this paper, we propose the use of a SAT-based constraint solver URSA as aid in analysis of differential trails and find that previous rectangle/boomerang attacks on XTEA, SHACAL-1 and SM3 primitives are based on incompatible trails. Given the C speci cation of the cryptographic primitive, verifying di erential trail portions requires minimal work on the side of the cryptanalyst2015
Secure Messaging for Normal PeopleJustin Engler
Cara Marie
This paper discusses the types of attacks used against a variety of messaging models and discusses how secure messaging features can defend against them. The goal of this paper is to help inform those who are tech-savvy but not crypto-experts to make smart decisions on which crypto applications to use.2015
Faux Disk Encryption: Realities of Secure Storage On Mobile DevicesDaniel A. Mayer
Drew Suarez
In this paper, we discuss the challenges mobile app developers face in securing data
stored on devices including mobility, accessibility, and usability requirements. Given
these challenges, we first debunk common misconceptions about full-disk encryption
and show why it is not sufficient for many attack scenarios.
SSL/TLS SMACK: State Machine AttaCKs SKIP-TLS & FREAKNCC GroupPresentation of two attacks: SKIP-TLS: spoofing and encryption removal & REAK: downgrading of encryption2015
4 secrets to a robust incident response planDavid CanningsWebinar Presentation2015
Broadcasting your attack: Security testing DAB radio in carsAndy DavisPresentation2015
Mature Security Testing FrameworkNCC GroupPresentation2015
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactionsAndy DavisBlackhat USA 2015 Presentation2015
OSQuery Application Security Assessment – FacebookRaphael Salas
Andrew Rahimi
Robert Seacord
Public Report2015
The L@m3ne55 of Passw0rds:Notes from the fieldBen WilliamsPresentation2015
An Introduction to Ultrasound Security ResearchAlex SmyeThis paper examines the use of Ultrasound and Near Ultrasound as a communications channel and evaluates potential security issues within them.2016
A few notes on usefully exploiting libstagefright on Android 5.xAaron AdamsAt NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this white paper, I will discuss a few tricks we came up with to make the exploit a bit more robust with regards to address space spraying, dealing with SELinux sandbox restrictions, automating device identification, and staging a kernel exploit.2016
RESEARCH INSIGHTS – Hardware Design: FPGA Security RisksDuncan HurwoodThe paper examines the process of developing configuration binaries for FPGA devices and the potential security problems that could be encountered. It assumes no prior knowledge of FPGA technology.2016
Creation of WiMap, the Wi-Fi Mapping DroneMichael JohnsonThe objective of this project is to detail the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments.2016
Private sector cyber resilience and the role of data diodesNCC GroupIt has long been received wisdom that the way to ensure
that a network can’t be compromised remotely is to
isolate it using an air gap. However, in today’s world,
an isolated network is rarely practical given the need
for flows between producers and consumers. While
these islands might be secure, they are simply not
practical given modern demands.
General Data Protection Regulation – Are you ready?Lydia LavenderThis whitepaper will review the new controls against existing controls for the Data Protection Act 1998 (DPA) and provide key next steps for businesses to undertake ahead of GDPR enforcement.2016
How to Backdoor Diffie-HellmanDavid WongWe present two ways of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor: a composite modulus with a hidden subgroup (CMHS) and a composite modulus
with a smooth order (CMSO). We then explain how we were able to subtly implement and exploit it in a local copy of an open source library using the TLS protocol.
Local network compromise despite good patching: The dangers of NBNS/LLMNR spoofing attacks and how to prevent themJon MacfarlaneThis paper aims to raise awareness of the dangers of these attacks, and particularly the steps required to prevent them.2016
Post-quantum cryptography overviewSteffan KargerOrganisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing
world. This paper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed, and provide handles to determine
how to plan for migration. Furthermore, we provide an overview of promising post-quantum crypto directions, and provide references for further reading.
My name is Matt – My voice is my passwordMatt LewisThis paper is aimed at IT practitioners tasked with implementing, or looking to use, voice biometrics as an authentication mechanism in systems or applications. The paper should also be useful to anyone interested in learning more about voice biometrics in general, with specific focus on the relative merits and limitations of voice recognition systems.2016
RESEARCH INSIGHTS – Modern Security Vulnerability DiscoveryAaron Adams
Pete Beck
Jeremy Boone
Zsolt Imre
Greg Jenkins
Edward Torkington
Ollie Whitehouse
Peter Winter-Smith
David Wood
This paper is intended for individuals with a technical background who are responsible for identifying, understanding, mitigating or responding to security vulnerabilities in software. The paper is technical in nature, although high level, and is intended to provide a view on modern vulnerability discovery approaches in 2016.2016
End-of-life pragmatismBlake Markham
William Burlend
Robbie Joseph
This paper aims to identify and address these concerns and help with planning and replacing technology that is nearing or has reached its end-of-life (EoL) or end-of-support.2016
State-of-the-art email riskJulian Storr
Dean Hardcastle
Matt Lewis
This paper is aimed at senior managers and above with a view to presenting the overall risks that
organisations face when using email services, with focus on the techniques used by advanced threat
actors and defensive solutions to a number of the vulnerabilities exploited
Peeling back the layers on defence in depth…knowing your onionsEd Williams & Grant DaleThis whitepaper will discuss five key principles of network design and implementation that, when combined, create the foundations of a defence-in-depth strategy that will provide an organisation with increased assurance, reduce the impact of breaches and ultimately frustrate any malicious threat actors that do breach the perimeter.2016
Understanding and Hardening Linux ContainersAaron GrattafioriThis paper discusses these container features, as well as exploring various security mechanisms. Also included is an examination of attack surfaces, threats, and related hardening features in order to properly evaluate container security. Finally, this paper contrasts different container defaults and enumerates strong security recommendations to counter deployment weaknesses– helping support and explain methods for building high-security Linux containers.2016
My Hash Is My Passport: Understanding Web and Mobile AuthenticationDavid SchuetzThis paper explains, with simple examples, how some of the most frequently seen authentication systems work. It identifies the characteristics of an “ideal” authentication system, compares the common methods against that ideal, and demonstrates how to verify that they’ve been implemented correctly.2016
Optimum Routers: Researching Managed RoutersAmy Burnett &
Read Sprabery
In this paper, we discuss the process of finding vulnerabilities in remotely
managed routers, in particular those running on the Optimum network. We delve into
the setup process for these routers, examine modifications that Optimum has made to
an off-the-shelf router firmware, and highlight vulnerabilities in the routers examined.
The Importance of a Cryptographic ReviewNCC Group Cryptography ServicesCryptography is an underpinning of every organization’s data security. It is as simple as the correct deployment of TLS and as complicated as bespoke protocols for software updates. This technology is an integral part of an organization’s security infrastructure. With the field constantly evolving, having a dedicated review is becoming increasingly important.2016
Maritime Cyber Security Threats and OpportunitiesBrendan SaundersPresentation2016
Zcash Cryptography and Code ReviewAlex Balducci
Robert Seacord
Public Report2016
Ricochet Security AssessmentJesse Hertz
Patricio Jara-Ettinger
Mark Manning
Public Report2016
Applying normalised compression distance for architecture classificationThomas Marcks von WürtembergIn this whitepaper, we present a technique to classify binaries and shellcode with statistical analysis using normalised compression distance.2017
Beyond Data Loss PreventionWilliam BurlendThis whitepaper aims to discuss the various benefits and pitfalls of DLP solutions currently available. It will also address how DLP can be integrated with cloud providers given the ever-increasing demand to place data in the cloud.2017
GDPR: Knowing your dataPaul BarksThis whitepaper discusses the importance of knowing your data and how to carry out data mapping.2017
Understanding the insider threat and how to mitigate itKaty WinterbornThis paper is intended to give a high-level view on the insider threat for those looing to implement a defensive programme. It considered the types of attack that may take place and some of the common weaknesses that aid insider attack.2017
Latest threats to the connected car & intelligent transport ecosystemDavid ClareModern vehicles consist of a multitude of different
inter-connected process control systems which each
govern a specific mechanical process. These take
input from a complex array of real-time sensors and
connected data sources.
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systemsMatt LewisThis paper is aimed at IT practitioners tasked with implementing, testing, or looking to use facial recognition biometrics as an authentication mechanism in physical and/or logical systems or applications.2017
Mobile & web browser credential management: Security implications, attack cases & mitigationsMathew NashThis paper is aimed at users of internet services and website developers tasked with securely managing user data.2017
Adversarial Machine Learning: Approaches & defencesMatt Lewis
Thomas Marcks von Würtemberg
In this paper we discuss ‘Adversarial Machine Learning’ and the potential impact of advances in this
area of study.
Best practices with BYODPaul DaltonThis paper is intended for senior managers and above, with a view to present the overall risks that organisations can encounter with BYOD deployments, as well as touching on privacy concerns that often arise.2017
Managing PowerShell in a modern corporate environmentDean HardcastleThis paper explores how PowerShell is abused by adveraries but more importantly, how it can be securely managed in a modern corporate environment.2017
Understanding cyber risk management vs uncertainty with confidence in 2017Stephen Bailey
Jeff Bennison
Shanne Edwards
Matt Field
Lee Hazell
Chris Hilder
Ted Ipsen
Patrick McCloskey
Tim Rawlins
Reuben Sinclair
Ollie Whitehouse
There is no universally accepted risk management method or universal acceptance of risk nomenclature.2017
Encryption at rest: Not the panacea to data protectionMatthew PettittAn overview of what encryption at rest does and doesn’t provide in the context of data protection.2017
Endpoint connectivityBlake MarkhamThis whitepaper aims to identify the security risks posed by USB and address the associated concerns by looking at the available strategies and solutions that can be used to deliver effective USB endpoint access control.2017
Securing the continuous integration processIrene MichlinThis paper intentionally avoids recommending a specific solution or vendor. Instead, it focuses on technology and process change invovled in setting up a CI environment and aims to provide best practice guidance for introducing CI into your SDLC.2017
SOC Maturity & CapabilityKaty WinterbornThis paper aims to give an overview of a SOC and its capabilities, describing the roles and responsibilities of a SOC along with some of the considerations and benchmarks that a mature and capable SOC might utilise.2017
Non-flood/non-volumetric Distributed Denial of ServiceGabriel GarridoThis whitepaper aims to provide an overview of non-voumetric DDoS attacks, addressing the techniques used to carry out such attacks and the defences or mitigations needed to improve system resilience when under attack.2017
Rise of the machines: Machine Learning & its cyber security applicationsMatt LewisThis initial whitepaper is by no means intended to be exhaustive; we acknowledge that, as an industry, cyber security is still catching up on ML and AI topics that have been researched for decades within academia.2017
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of thingsMatt LewisIn this paper we set out an approach using graph databases to understand IoT network complexity and the impact different devices and their profiles have on the overall security of an underlying network and its data.2017
Accessing Private Fields Outside of Classes in JavaRobert C. SeacordJava developers are frequently unaware that the use of nested classes in Java programs
weakens the accessibility guarantees of the language and allows private fields
to be accessed from outside the class, potentially violating developers’ assumptions
and affecting overall security. This whitepaper describes the Java language mechanisms used in
these exploits, specifies the extent to which the compiler weakens the accessibility of
private fields, and identifies possible attack vectors.
Network Attached Security: Attacking a Synology NASJason Noll
Prahlad Suresh
Because Synology is one of the top manufacturers of NAS devices, we chose to analyze a
Synology DS215j . In doing so we were able to identify a number of exploitable security
flaws. In this paper, we discuss in detail the analysis performed, methodologies used,
and vulnerabilities found during the summer of 2015.
Combating Java Deserialization Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)Robert C. SeacordThis whitepaper examines Java deserialization vulnerabilities and evaluates various LAOIS solutions including JDK Enhancement Proposal (JEP) 290.2017
Automated Reverse Engineering of Relationships Between Data Structures in C++ BinariesNick CollissonThis paper discusses a general approach for finding  kinds of
pointer sequences and introduces a new tool implementing this approach.
Use of Deserialisation in .NET Framework Methods and ClassesSoroush DaliliThis document lists .NET Framework classes and methods using deserialisation techniques that can potentially be exploited when handling untrusted data.2018
Third party assuranceDavid Rowan
Agwu Nwoke
This paper explores the concept behind third party assurance and the extent to which such assurance is deemed satisfactory or detrimental.2018
Ethics in Security TestingNick DunnThis paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community.2018
Public cloud: What, why, where, how, who?Matthew PettittAre public cloud services safe, cost effective and reliable?2018
The disadvantages of a blacklist-based approach to input validationNick DunnIn this paper, we look at the relative merits of whitelisting and blacklisting for input validation purposes, and examine the difficulties of carying out a fully effective blacklisting approach.2018
Open Banking – Security Considerations & Potential RisksMatthew PettittNCC Group has been working with a number of providers to ensure that appropriate secuity is both built into the specifications, and actively applied within specific implementations, both in the bank-specific and in the third-party facing sections.2018
The Economics of Defensive  SecurityNick DunnThis paper examines the costs of cyber defence in comparison to the costs and likelihood of a data breach.2018
Nine years of bugs & coordinated vulnerability disclosure: Trends, observations & recommendations for the futureMatt LewisThis paper provides some analysis of the data that we’ve captured over the past nine years in terms of types of bug found, their risk ratings, whether there are any trends in specific vulnerability classes and whether there are any observations around the overall responsible disclosure process2018
Return of the Hidden Number ProblemKeegan RyanWe implement a full proof of concept against OpenSSL and demonstrate that it is possible to extract a 256-bit ECDSA private key using a simple cache attack after observing only a few thousand signatures.2018
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS ImplementationsEyal Ronen – Weizmann Institute
Robert Gillham – University of Adelaide
Daniel Genkin – University of Michigan
Adi Shamir – Weizmann Institute
David Wong – NCC Group
Yuval Yaromy – University of Adelaide, Data61
Over the last twenty years researchers and implementors had spent a huge amount of effort in developing and deploying numerous mitigation techniques which were supposed to plug all the possible sources of Bleichenbacher-like leakages. However, as we show in this paper most implementations are still vulnerable to several novel types of attack based on leakage from various microarchitectural side channels2018
Android Cloud Backup/RestoreMason Hemmel
Jason Meltzer
Thomas Pornin
Keegan Ryan
Javed Samuel
David Wong
Rob Wood
Greg Worona
Public Report2018
NCC Group Kolide- The Update Framework Security AssessmentNCC Group Kolide- The Update Framework Security AssessmentPublic Report2018
Proxy Re-Encryption Protocol – IronCore LabsNCC GroupPublic Report2018
Cyber Security in UK AgricultureLawrence Baker, NCC Group
Richard Green, Harper Adams University
This whitepaper addresses the cyber security threat
to agriculture and the wider food network.
Common Security Issues in Financially-Oriented Web Applications – A guideline for penetration testersSoroush DaliliThis document summarises NCC Group’s experience of assessing e-commerce and financial services applications, providing a checklist of common security issues seen in financial services web applications.2019
Connected Health: Security Landscape ReviewKatharina Sommer
Katy Winterborn
Matt Lewis
Stuart Kurutac
Security concerns in connected health can differ to those in environments traditionally tested by the security community, although many of the issues are still applicable. Traditionally, penetration tests in standard environments focus heavily on remote code execution and privilege elevation in order to fully compromise a network.2019
Assessing Unikernel SecuritySpencer Michaels
Jeff Dileo
Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun, and IncludeOS, and found that this was decidedly not the case.2019
Zcash Overwinter Consensus and Sapling Cryptography ReviewThomas Pornin
Aleks Kircanski
Mason Hemmel
David Wong
Janet Ghazizadeh
Mathias Hall-Andersen
Javed Samuel
Public Report2019