Cyber Security

At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. Sometimes cybercriminals that host malicious servers employ tactics that involve mimicking the responses of legitimate software to evade detection.…

Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker…

We’ve published a whitepaper about how we built WiMap, which is a Wi-Fi mapping drone.  The paper includes details of the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. We’d love to hear your feedback via…

Andy Davis, NCC Group’s Research Director presented Fuzzing the Easy Way Using Zulu at the 2014 Nullcon conference in Goa, India. The presentation describes how Zulu has been successfully used to discover high profile bugs and details the motivations for developing the tool. Download our slides

This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Download Whitepaper: Click to access cve-2014-0282.pdf Authored by Katy Winterborn

This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Download whitepaper Authored by Katy Winterborn

Vendor: KineticaVendor URL: https://www.kinetica.com/Versions affected: 7.0.9.2.20191118151947Systems Affected: AllAuthor: Gary Swales Gary.Swales@nccgroup.com Advisory URL / CVE Identifier: CVE-2020-8429Risk: High (Command Injection on the underlying operating system) Summary The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited…

Vendor: SumppleVendor URL: http://www.sumpple.comVersions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601 Sumpple IP Cam Android V1.1.33 – V1.11 IOS 1.51.5986 (Previous versions are also likely to be affected)Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera Summple IP Cam Android and IOS mobile application.Author: Sebastian Parker-Fitch (@scorpioitsec)Advisory…

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…

Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…

Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…

Vendor: LansweeperVendor URL: https://www.lansweeper.com/Versions affected: prior to 7.1.117.4Systems Affected: Lansweeper applicationAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462Risk: Critical when MSSQL database is in use (not default) Summary The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the…

15 Security Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability118 CVEs, 1 CVE pending, 10 issues with no CVE requested About the Vulnerabilities NCC Group Security Consultant Viktor Gazdag has identified 128 security vulnerabilities across Jenkins plugins and one within the Jenkins core with the following distribution: Credentials stored…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The vulnerability list below was found affecting to some Ricoh printers: Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300) Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307) Buffer Overflow Parsing LPD Packets (CVE-2019-14308) No…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The vulnerability list below was found affecting to several Brother printers: Stack Buffer Overflow in Cookie Values (CVE-2019-13193) Heap Overflow in IPP Attribute Name (CVE-2019-13192) Information Disclosure Vulnerability (CVE-2019-13194) Technical Advisories: Stack Buffer Overflow…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The vulnerability list below was found affecting to several Xerox printers: Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171) Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168) Multiple Buffer Overflows in Web Server (CVE-2019-13169,…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The vulnerability list below was found affecting to several Kyocera printers: Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206) Multiple Buffer Overflows in IPP Service (CVE-2019-13204) Buffer Overflow in LPD Service…

Multiple vulnerabilities, ranging Cross-Site Scripting to buffer overflows, were found in several HP printers: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Buffer Overflow in Web Server (CVE-2019-6326) Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324) Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)   Technical Advisories: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Vendor:…

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The vulnerability list below was found affecting to several Lexmark printers: SNMP Denial of Service Vulnerability (CVE-2019-9931) Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933) Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935) Information Disclosure Vulnerability…

Vendor: IntelVendor URL: http://www.intel.com/Versions affected: Intel Driver Support Assistance prior to version 19.4.18Systems Affected: Microsoft WindowsAuthor: Richard Warren <richard.warren[at]nccgroup[dot]com>Advisory URL / CVE Identifier: CVE-2019-11114.Risk: Medium Summary This vulnerability allows a low privileged user to escalate their privileges to SYSTEM. Location Intel Driver Support Assistance – DSAService (DSACore.dll) Impact Upon successful…

Vendor: CitrixVendor URL: http://www.citrix.com/Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001Systems Affected: Microsoft WindowsAuthor: Ollie Whitehouse <ollie.whitehouse[at]nccgroup[dot]com> Richard Warren <richard.warren[at]nccgroup[dot]com> Martin Hill <martin.hill[at]nccgroup[dot]com>Advisory URL / CVE Identifier: CVE-2019-11634.Risk: Critical Summary The Citrix Workspace / Receiver client suffers…

This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…

Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…

Vendor: SmarterToolsVendor URL: https://www.smartertools.com/ Versions affected: prior to Build 6985 (CVE-2019-7214), prior to Build 7040 (CVE-2019-7211, CVE-2019-7212, CVE-2019-7213)Systems Affected: SmarterMailAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: CVE-2019-7214, CVE-2019-7213, CVE-2019-7212, CVE-2019-7211 https://www.smartertools.com/smartermail/release-notes/current Risk: Critical and High Summary The SmarterMail application is a popular mail server with rich features for normal…

Vendor: MailEnableVendor URL: https://www.mailenable.com/ Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019)Systems Affected: tested on Enterprise Premium but all versions have been patchedAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927 http://www.mailenable.com/Premium-ReleaseNotes.txt http://www.mailenable.com/Premium-ReleaseNotes9.txt http://www.mailenable.com/Premium-ReleaseNotes8.txt http://www.mailenable.com/Premium-ReleaseNotes7.txt http://www.mailenable.com/Premium-ReleaseNotes6.txtRisk: Critical, High, Medium Summary The MailEnable…

Vendor: AvayaVendor URL: https://www.avaya.com/Versions affected: 10.0 through 10.1 SP3, 11.0Systems Affected: Avaya IP OfficeAuthor: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]comAdvisory URL: https://downloads.avaya.com/css/P8/documents/101054317Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614Risk: Medium Summary The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as…

These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…

  As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…

Third parties can provide an invaluable resource and service for your organisation. But how far should you go when validating a third party supplier? What does the third party need to be validated against? How can you be confident that the validation process is effective? Is the validating process detrimental…

Whenever an outage on one of these cloud providers occurs, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Systems Affected: Microsoft OutlookAuthor: Soroush DaliliCVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927Risk: Medium – Possible SMB Hash Hijacking or User Tracking Summary Microsoft Outlook could be abused to send SMB handshakes externally after a victim opening or simply viewing an email. A WebDAV request was sent even when the SMB…

Vendor: libSSHVendor URL: https://www.libssh.org/Versions affected: Versions of libSSH 0.6 and above, prior to 0.7.6 or 0.8.4.Author: Peter Winter-Smith peter.winter-smith[at]nccgroup.comAdvisory URL / CVE Identifier: CVE-2018-10933 - https://www.libssh.org/security/advisories/CVE-2018-10933.txtRisk: Critical – Authentication Bypass Summary libSSH is a library written in C which implements the SSH protocol and can be used to implement both…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Versions affected: .NET Framework before July 2018 patchSystems Affected: .NET Framework Workflow libraryAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8284 Risk: Critical Summary In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…

Vendor: Mitel Vendor URL: https://www.mitel.com Versions affected: 5330e IP Phone Systems Affected: Mitel MiVoice Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009 CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497 Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution Summary The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Versions affected: .NET Framework before September 2018 patchSystems Affected: .NET Framework Workflow libraryAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8421 Risk: Critical Summary In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…

It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…

Vendor: Virgin MediaVendor URL: https://www.virginmedia.com/Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885JSystems Affected: Hub 3.0Author: Balazs Bucsay (@xoreipeip)Advisory URL / CVE Identifier: NoneRisk: Critical Summary Multiple security vulnerabilities were found in the device’s firmware that could be chained and led to unauthenticated remote command execution. Location Multiple…

This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…

It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1]…

The concept of Open Banking is an innovative one. However, as with any new developments surrounding sensitive financial information it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…

Scenester – a tool to visually snapshot a website by supplying multiple user-agent. Designed to aid in discovery of different entry points into an application. For more information and to download the tool, visit our GitHub page here.

Automate NMAP scans and custom Nessus polices. Features include:  Discovers live devices Auto launches port scans on only the discoverd live devices Can run mulitple instances on multiple adaptors at once Creates client Ref directory for each scan Outputs all unique open ports in a Nessus ready format. Much faster…

A collection of tools to enumerate and analyse Windows DACLs: Tool 1: Process Perms Tool 2: Windows Stations and Desktops  Tool 3: Services  Tool 4: File Sytem  Tool 5 Registry   For more information and to download the tool visit our GitHub page here. 

umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed.  For more information and to download the tool visit our GitHub page here.

A tool to find and exploit servers vulnerable to Shellshock. To download the tool, please visit our Github page here.

Zulu is an interactive GUI based fuzzer. The tool is input and output agnostic, therefore when you are happy with using the fuzzing engine that’s driven by the GUI you are only limited by the input and output modules that have been developed for it. To download the tool, please…

This proto-type was originally designed a developed during Christmas 2008 / 2009 to show how a non signature based AV could reliably detect malicious code. For more information and to download the tool, visit our GitHub page here. 

vlan-hopping is a simple VLAN enumeration and hopping script, developed by Daniel Compton.  For more information and to download the tool, visit our GitHub page here. 

Tybocer is a new view on code review. When presented with a new piece of code to review it is useful to search through for common terms, or to hunt down specific definitions of particular functions. For more information and to download the tool visit our GitHub page here.

A network data locator using credentials obtained during penetration tests. Xcavator is a tool that scans a range of IP addresses for services that host files (FTP, FTPS and SMB at the moment) and for given credentials it will try to download everything it can and scan within the files…

A Microsoft Windows Process Lockdown Tool using Job Objects, developed by Ollie Whitehouse.  To download the tool visit our GitHub page here.

Vendor: ManageEngineVendor URL: https://www.manageengine.com/products/desktop-central/Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspectedSystems Affected: AllAuthor: Ben Lincoln <ben.lincoln[at]nccgroup[dot]trust>Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342Risk: Critical (unauthenticated remote code execution) Summary Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones,…

Vendor: MicrosoftVendor URL: https://www.microsoft.com/Versions affected: products before July 2018 patchSystems Affected: Visual Studio, .NET Framework, SharePointAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300Risk: Medium to High Summary A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by…

Vendor: RedgateVendor URL: https://www.red-gate.com/Versions affected: prior to 10.0.7.774 (24th July, 2018)Systems Affected: .NET ReflectorAuthor: Soroush Dalili (@irsdl)Advisory URL / CVE Identifier: https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581)Risk: Critical Summary It was possible to execute code by decompiling a compiled .Net object (such as DLL or EXE) with an embedded resource file. An attacker could…

Vendor: Jenkins Delivery Pipeline Plugin Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin Versions affected: 1.0.7 (up to and including) Systems Affected: Jenkins Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/ Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting) Summary The Delivery Pipeline Plugin is a Jenkins plugin that helps visualizing the delivery/build…

While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…

“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…

With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…

Security is a high priority for most organisations. A string of high priority breaches in big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how to best protect themselves and reduce the impact of a…

Most of us interact with Artificial Intelligence (AI) or Machine Learning (ML) on a daily basis without even knowing; from Google translate, to facial recognition software on our mobile phones and digital assistance in financial services or call centres. It is a growing market with ever increasing possibilities across all…

Working closely with our clients both on site or at events, we are finding that several remain unclear on the topic of breach notification under GDPR. There seems to be little, focused guidance on the topic despite the fact that the new regulation will be enforced from May 2018. This…

Vendor: AdobeVendor URL: https://www.adobe.com/uk/products/coldfusion-family.htmlSystems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and belowAuthor: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.comAdvisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.htmlCVE Identifier: CVE-2017-11284Risk: Critical (unauthenticated remote code/command execution) Summary Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…

Vendor: AdobeVendor URL: https://www.adobe.com/uk/products/coldfusion-family.htmlSystems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and belowAuthor: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.comAdvisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.htmlCVE Identifier: CVE-2017-11283Risk: Critical (unauthenticated remote code/command execution) Summary Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…

Following from our recent CISO research council, our research team have put together this whitepaper, which explores the use of PowerShell in a modern corporate environment and how to mitigate the associated threats. Since its incarnation in 2006, PowerShell has grown to be a powerful and extensible management tool, allowing for…

Vendor: tsl0922Vendor URL: https://github.com/tsl0922/ttyd/ (https://tsl0922.github.io/ttyd/)Versions affected: 1.3.0 (<=)Author: Donato Ferrante <donato.ferrante[at]nccgroup[dot]trust>Patch URL: https://github.com/tsl0922/ttyd/commit/4d31e534c0ec20582d91210990969c19b68ab3b0Risk: Critical Summary ttyd is a cross platform (e.g. macOS, Linux, FreeBSD, OpenWrt/LEDE, Windows) tool for sharing a terminal over the web, inspired by GoTTY. ttyd may allow remote attackers to execute shell commands on a victim’s system,…

Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software. However, the security implications of introducing CI are often…

The popularity of USB usage has grown and it has become a common vehicle for spreading malware. As such, the need to protect IT assets from a cyber attack is paramount and from a physical endpoint perspective, this presents a challenging dynamic when wanting to prevent a data breach via…

On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June…

Buffer Underruns and Stack Protection Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered [1][2] and more XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2…

When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ…

Exploiting well knows flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain. A grouping attack vectors now referred to as “Pharming”, affects the fundamental…

The objective of this series of papers is to describe the mathematical properties of some of the more common pseudo-random sequence generators and to show how they can be attacked by illustrating the principles with real-world bugs. The series demonstrates how weak randomness can be identified, used to compromise real-world systems, and defended against.…

When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own…

This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well…

Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been too slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. In many of…

The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security. It…

This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application – enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful…

Agenda The role of the BIOS Attacking a legacy BIOS Limitations of the legacy BIOS Introduction to the EFI environment Attacking the EFI environment UEFI, summary and conclusions Some Caveats… This talk is about rootkit persistenceThis persistence How to deploy a rootkit from the BIOS/EFIHow EFI Not concerned with what…

Objectives Discuss current “threat landscape” Introduce a new class of vulnerability Introduce a new method of attack Show practical demonstrations Look at some defences Download presentation Author: David Litchfield

Agenda Recap of ACPI BIOS rootkit and limitations Brief overview of the PCI Bus Abusing expansion ROMs Abusing PXE Detection, Prevention and the TPM Summary and conclusions Download presentation Author: John Heasman

The Past, Present and Future of Database Security In 2006 there were 335 publicized data breaches in the U.S. So far in 2007 there have been 276. With the 5th anniversary of the SQL Slammer worm drawing near, now is a good a time as any to look back on…

This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. Microsoft is committed to security. I’ve been playing with Microsoft products, as…

Over the last two decades, both Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been growing in frequency, complexity and volume. Traditionally, these attacks are associated with botnets and large amounts of traffic aimed at disrupting Internet-facing services. However, while the goal of these attacks remains…

VoIP Security Issues The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues. There is a lot of public coverage of VoIP issues, however…

Many IIS web servers running ASP applications will use the CDONTS.NEWMAIL object to provide the functionality for feedback or contact forms. This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP…

In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low…

This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files…

DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within…

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: IE 10, 11, and Edge prior to July 2017 patch Systems Affected: Windows with above versions affected Author: Soroush Dalili Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592 Risk: Low Summary Internet Explorer (or Edge) could be used to send arbitrary messages to a target…

This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example,…

This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. The VulnerabilityThe vulnerability that will be discussed in this paper is a classic stack based overflow in OracleÕs RDBMS 9.2.0.1. As well as offering the standard SQL service,…

“Security within the Internet of Things (IoT) is currently below par.” The statement above derives from many observations across our work in IoT (and that of the wider security research community) in addition to a myriad of regular, publicly reported issues and security concerns with IoT devices and their infrastructures.…

Data Loss Prevention (DLP) is a security control aimed at highlighting when sensitive data leaves the corporate network or is accessed without authorisation. A DLP solution can be a great asset to a business and support a range of security goals and compliance. It can be an invaluable safety net…

With one click, his entire business was in the hands of someone else. Sensitive company information, bank account details, social media profiles, various other usernames and passwords. All stolen by a cyber criminal in a convincing phishing attempt. The email he’d received looked legitimate. It was just a simple request…

“By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.”  Eliezer Yudkowsky At NCC Group, we are researching Machine Learning (ML) and Artificial Intelligence (AI) from a number of different angles in order to fully understand the pros and cons of ML…

The modern vehicle has become increasingly computerised as the demand for cleaner emissions and better transport safety for drivers and pedestrians has grown. Numerous initiatives are currently underway to begin to address this threat and to bring the principles used within traditional enterprise environments (such as the Secure Development Lifecycle)…

It is a widely held belief that the vast majority of threats to businesses are from outside attackers, with the stereotypical view of hackers trying to make money through crime.  The problem with this viewpoint is that it does not consider the threat from a malicious insider. There is a…

Biometric facial recognition is becoming an increasingly popular mechanism for authenticating users in online and mobile environments. In addition, it is continually being adopted for physical access control, whether at border controls such as airports or within secure facilities to enforce strict access control (and/or time and attendance tracking) to…

Following from our recent CISO research council, our research team have put together this whitepaper, which explores encryption at rest. Encryption at rest is not a panacea to data protection due to its complexity and the utility of data. Often, misconceptions can (and do) arise whereby it is believed that…

An NCC Group whitepaper: Applying normalised compression distance for architecture classification When working with malware research and black box penetration testing, it is not always clear what data you are working on and in order to disassemble binaries properly, one needs to know the architecture that the binary has been…

Title                                  D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow Reference                         VT-95 Discoverer                …

Vendor: Oracle Vendor URL: http://www.oracle.com/  Versions affected: 11.1.2.4 (previous versions may also be affected) Systems Affected: Oracle Hyperion Financial Reporting Web Studio Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html  CVE Identifier: CVE-2017-10310 Risk: High (Unauthenticated local file read, server-side request forgery or denial of service) Summary The…

Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical Summary MacVim is a Mac OS port of Vim. MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a…

Vendor: Atlassian Vendor URL: http://atlassian.com Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481 Risk: Critical (reliable remote code execution) Summary SourceTree is a product for working with various types of…

Vendor: Accellion, Inc. Vendor URL: http://www.accellion.com/ Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110, others likely Systems Affected: Accellion File Transfer Appliance Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: Critical Summary The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers.…

An NCC Group whitepaper Regardless of the size, scope, geography or sector of your organisation, there are common elements that should be considered when it comes to cyber security due diligence during the M A process. This whitepaper aims to cover the risks, opportunities and responsibilities associated with cyber security…

Title                                  Privilege Escalation in CA Common Services casrvc due to Arbitrary WriteReference                        VT-37Discoverer                      …

In today’s modern society the requirement for employees to be based within a corporate office is minimal, largely due to remote working gaining prominence. The cost to provide remote working or mobile technology to employees can, however, be expensive. An ideal solution to this cost issue is enabling the employee…

Vendor: Rapid7, Inc.Vendor URL: http://rapid7.comVersions affected: 6.4.9 2016-11-30 and potentially all prior releases.Systems Affected: Nexpose Vulnerability ScannerAuthor: Noah Beddome, Justin Lemay, and Ben LincolnAdvisory URL / CVE Identifier: 2017-5230Risk: Medium - Requires specific access criteria Summary The Nexpose vulnerability scanner by Rapid7 is widely used to identify network and application…

Title                             Java RMI Registry.bind() Unvalidated DeserializationReference                   VT-87Discoverer                  Nick Bloor (@NickstaDB)Vendor                  …

Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events. Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting…

Title                           iOS MobileSlideShow USB Image Class arbitrary code executionRelease Date           15 December 2016Reference                 NCC00249Discoverer                Andy DavisVendor  …

Title                             Denial of Service in Parsing a URL by ierutil.dllReference                   VT-20Discoverer                  Soroush DaliliVendor            …

These slides are from David Middlehurst’s presentation at the BSides Manchester conference. The presentation includes information on a new open source tool called ‘UPnP Pentest Tookit’. Download Presentation

These slides are from Jerome Smith’s presentation at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). Download presentation

These slides are from Robert Ray’s presentation at the Trust Forum in Edinburgh. The presentation looks at the common social engineering tactics and provides hints and tips on how to detect, prevent and respond to a social engineering attack. Download presentation

Ben Williams, security consultant at NCC Group, presented his talk, External Enumeration and Exploitation of Email and Web Security Solutions at Black Hat USA. He also produced two whitepapers which include statistical analysis of the filtering products, services and policies used by some of the world’s top companies. Download presentation…

These slides are from Panagiotis Gkatziroulis’ presentation at the Trust Forum in London. It looks at the common social engineering methods, tools and mitigation involved in social engineering attacks. Download presentation

These slides are from Shaun Jones’ presentation at the Trust Forum in Manchester. He gave examples of real-life phishing attacks and provided tips on how you can protect yourself. Download presentation

These slides are from David Cannings presentation at the 44CON Breakfast Briefing. The talk is titled Automating extraction from malware and recent campaign analysis, and includes an overview of some recent targeted campaigns. Download presentation

DDoS Common Approaches and Failings This webinar looks at the reasons that DDoS mitigation may not be working and what you should be thinking about to protect your business from a DDoS attack, including examples of some testing we have done and common approaches. Download presentation

These slides are from Rory McCunes’ presentation at the Trust Forum in Edinburgh. In his presentation he looked at everything from celebrity hacking to the Heartbleed bug can be explained by a lack of context, and what you can do to avoid the trap of absolute security. Download presentation

These slides are from Irene Michlin’s presentation at the Trust Forum in London. It looked at how much training staff should have on cyber security. Download presentation

Andy Davis, research director at NCC Group, delivered this presentation at the  escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…

Cyber Essentials Scheme These slides are from Matt Storey’ presentation at the Trust Forum in Manchester. He discussed what Cyber Essentials is, who it is for and the benefits it has to your organisation. Download presentation

This webinar talked through the changes to the new PCI SSC version 3.0 standard in detail and how they will affect your business, the things you need to be thinking about now and the timescales in which you have to react to the changes. Download our presentation Download the presentation…

David Cannings, Principal Consultant at NCC Group, delivered a fantastic webinar on four key considerations when building a robust incident response plan.  The webinar covered: An introduction – why a plan is needed What the risks are Four key considerations Case studies for each consideration More resources on incident response…

These slides are from David FB.Page presentation at the Manchester Trust Forum. The presentation includes information on cloud security and how the different types of cloud implementations could affect your organisation’s security. Download presentation

These slides were presented as part of the SMACK, SKIP-TLS FREAK SSL/TLS vulnerabilities webinar series Our Technical Director, Ollie Whitehouse covered: High level overview of the threat Impact of the threat What is affected/impacted by it Details on how the exploitation works Details on Man in the Middle How to…

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…

A memory searching utility across multiple processes, that allows you to: Opens each process. Works out the valid memory pages. Search for ascii and unicode incarnation of the string. To download the tool, visit our GitHub page here.

The NCC Group Game from 44CON 2013 – a knowledge based multiple choice game for conferences.  For more information and to download the game, visit our GitHub page here. 

A primitive website scanner currently under development by an NCC Group employee and University graduate with 20% research time. creep currently crawls a site, and searches for potentially interesting information within each page. creep will crawl your (HTTP only) target and pull interesting info on the site, including: Source code…

NCC Code Navi the Text Viewer and Searcher for Code Reviewers, which allows: Easily search across code Ability to have multiple instances of the same file / search queries open concurrently Inbuilt note keeper Send different aspects of filenames, path, code to the note keep easily Select a word or…

Raw bytes manipulation utility, able to apply well known and less well-known transformations. For more information and to download the tool, visit our GitHub page here. 

A web service written in Python designed to identify registered yet mistyped DNS domains. This utility will check if web server, mobile and mail handling DNS records have also been registered. In addition geo IP is used to locate the country that the registered IPv4 and IPv4 addresses are present…

This tool encompasses two distinct features. It guesses the IOCTL values that the driver accepts and also their valid size limitations and store the results are in a file for future reuse. The second feature is comprised of 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and…

IODIDE – The IOS Debugger and Integrated Disassembler Environment Released as open source by NCC Group Plc Developed by Andy Davis, andy dot davis at nccgroup dot com To download visit: https://github.com/nccgroup/IODIDE Released under AGPL see LICENSE for more information Includes the PowerPC disassembler from cxmon by Christian Bauer, Marc…

CECSTeR is the Consumer Electronics Control Security Testing Resource – a GUI-based tool to perform security testing against the HDMI CEC (Consumer Electronics Control) and HEC (HDMI Ethernet Channel) protocols.  For more information and to download the tool visit our GitHub page here.

Cisco SNMP enumeration, brute force, config downloader and password cracking script. For more information and to download the tool, visit our GitHub page here.

Small script to check if the .NET web application is vulnerable to padding Oracle. This script actually verify if the oracle is present and exploitable, not just if the patch has been installed. For more information and to download the tool, visi out GitHub page here.

NCC Code Navi the Text Viewer and Searcher for Code Reviewers. For more information and to download the tool, visit our GitHub page here. 

This tool is an Easy Windows Domain Access Script which finds common password hashes on Windows networks (pass the hash), and Locates logged in Domain Administrator accounts.  For more information and to download the tool, vist our GitHub page here. 

A tool for fuzzing Enhanced Display Identification Data, developed by Andy Davis. For more information and to download the tool visit our GitHub page here.

Fat-Finger extends the original finger.nse and attempts to enumerate current logged on users through a full match of the username and a partial match of the GECOS field in /etc/passwd.  For more information and to download the tool, visit our GitHub page here. 

firstexecution is a collection of different ways to execute code outside of the expected entry points.  For more information and to download the tool, visit our GitHub page here. 

Grepify the GUI Regex Text Scanner for Code Reviewers.  For more information and to download the tool, visit our GitHub page here.

FrisbeeLite is a GUI-based USB device fuzzer, developed by Andy Davis.  For more information and to download the tool, visit our GitHub page here.

Email was not designed to be used the way it is today. Organisations rely on email for daily business communication and while most are protecting against low-level threats, more sophisticated email-based attacks are on the rise. This NCC Group whitepaper highlights the overall risks that organisations face when using email…

We’ve published a short eBook based on our experience of dealing with numerous ransomware cases in the last few years. The eBook is designed to provide real-world advice as to what organisations should do to minimise the likelihood of initial infection as well as limit any impact should that fail.…

A Windows application to help out with external infrastructure scans that can be used for the following: Convert a file of IP addresses to hostnames (output a straight list of hostnames or comma separated list of IP Address, Hostname) Convert a file of hostnames to IP addresses (output a straight…

Lapith is a Python GUI tool that presents Nessus results in a format more useful for penetration testers. Results can be viewed by issue as opposed to by host. It is therefore easier to report all the hosts affected by an issue, rather than all of the issues affecting the…

Metasploit payload generator that avoids most Anti-Virus products. For more information and to download the tool, visit our GitHub page here.

This presentation about maritime cyber security, delivered at the CIRM Annual Meeting in Cyprus, looks at the cyber threats to the maritime industry, an overview of the attack surface, the impact of some of the risks they face and a look at what solutions are available in the short, medium…

A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.  For more information and to download the tool, visit our GitHub page here.

This presentation about the “lameness of passwords” was delivered by Ben Williams, senior security consultant at NCC Group, at the 44Con Café event at the IP Expo in Manchester. Williams talked about his experience of breaking into networks and applications with a variety of password attack tools and techniques. It…

These slides are from Matt Storey’s presentation at the Edinburgh Trust Forum. This presentation looks at security testing frameworks, the scheduling aspects of the various forms of testing and other options, such as using STAR or red team assessments to test gaps in IT security controls. Download presentation

These slides are from Jason Geffner’s presentation “Exporting Non-Exportable RSA Keys” that he presented at Black Hat Europe in 2011. In this presentation Jason will cover security issues surrounding RSA keys and Digital Certificates. Download presentation To read the white paper that accompanies these slides click here.

Broadcasting your attack – DAB security This presentation was presented at Black Hat USA 2015  Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that…

These slides are from a presentation, “The Role of Security Research in Improving Cyber Security” by Andy Davis. The presentation discusses the role of security research in helping to improve cyber security.  Download presentation

Matt Lewis, associate director at NCC Group presented a talk at the Oredev conference in Sweden on how self-driving cars is no longer science fiction. Investment is already being made into this area and commercially available vehicles will be available in the next decade. Matt’s talk discusses the possibilities and…

These slides are from Ben Williams’ presentation “They ought to know better: Exploiting Security Gateways via their Web Interfaces”, that he presented at Black Hat Europe in 2012. In this presentation Ben will discuss the 40+ exploits that have been discovered and ways that some of these can be used…

In this presentation Ollie Whitehouse will be discussing How to develop or purchase COTS mobile apps for my enterprise while ensuring security.  Download presentation

These slides come from Alex Stamos Tom Ritter’s presentation, “The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet” from Black Hat USA in 2012. In this presentation will cover the new changes to the internet’s infrastructure and the concerns around this. Download presentation

These slides come from Justine Osborne Alban Diquet’s presentation from Black Hat USA 2012. In this presentation they will explain what certificate pinning is and how it works in the IOS and Android systems. Download Presentation

These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USBs and the impact these vulnerabilities could have on your organisation.  Dowload Presentation There is also a white paper on this subject, you can…

These slides come from Ollie Whitehouse’s presentation “Software Security Austerity Security Debt in Modern Software Development” that he gave at 44Con in 2012. In this presentation Ollie will explain software security debt and ways that this debt can be managed. Download presentation

These slides are from Ollie Whitehouse’s presentation from the 2012 RSA Conference, eFraud Global Forum in London. In this presentation Ollie will discuss some of the big trends in mobile security form 2012, providing some technical details and real world examples, and then he will give his predictions for threats…

These slides are from Ollie Whitehouse’s presentation from Hack in the Box in Kuala Lumpur. In the presentation Ollie will discuss the What, Why and How of discovering weak link in binaries.  Download presentation

These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks.  Download Presentation You can also read the white paper…

These slides come from Marc Blanchou’s presentation at Black Hat Europe, Harnessing GP Us: Building Better Browser Based Botnets. In the presentation Marc discusses Harnessing GPUs with browser-based botnets for distributed and cheaper cracking, and will consider botnet impact, cost, stealth requirements and portability when building better browser based botnets.…

Author: Wade Alcorn, Christian Frichot, Michele Orru Michele Orru, from the Group’s  Fort Consult Division, has co-authored The Browser Hacker’s Handbook, with former NCC Group security consultant Wade Alcorn. The book gives practical understanding of hacking the everyday web browser. It contains expert advice on topics such as ARP spoofing,…

Author: Bill Grindlay , David Litchfield Bill Grindlay, principal software architect at NCC Group, has co-authored SQL Server Security. The book provides in-depth coverage of the installation, administration, and programming of secure Microsoft SQL Server environments and applications. It covers some of the latest techniques such as Installing and configuring…

Author: David Litchfield, Chris Anley, John Heasman, Bill Grindlay  NCC Group’s Bill Grindlay, principal software architect and Chris Anley, chief technical scientist, has co-authored The Database Hacker’s Handbook. The book helps readers to understand how to break into and defend the seven most popular database servers. It contains expert advice…

Author: Gavin Watson, Richard Ackroyd, Andrew Mason Gavin Watson and Richard Ackroyd, security engineers at RandomStorm, part of NCC Group, have co-authored a book with former RandomStorm engineer Andrew Mason. The book includes information on practical methodology and everything you need to plan and execute a social engineering penetration test…

Peeling back the layers on defence in depth…knowing your onions An NCC Group whitepaper Is your organisation fully prepared for malicious attacks from both motivated external attackers and internal threat actors? As the threat landscape continues to evolve it is vital that organisations understand where the threats are and how…

End-of-life pragmatism – an NCC Group whitepaper Does your organisation have a robust IT Refresh Policy in place? One of the main concerns relating to the replacement of IT infrastructure is the cost.  The risk of introducing compatibility issues and, ultimately, downtime  also causes anxiety. However, exploitation of vulnerabilities in…

Vulnerability Summary Title: Microsoft Office Memory Corruption VulnerabilityRelease Date: 10 March 2016Reference: NCC00886Discoverer: Richard WarrenVendor: MicrosoftVendor: Reference MS16-029Systems Affected: Tested on Microsoft Office 2010 on Windows 7CVE Reference: CVE-2016-0021Risk: MediumStatus: Fixed Download technical advisory

Vulnerability Summary Title                                     Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode Release Date                     10 March 2016 Reference  …

UK plc wants tougher cyber regulation and more punishment for failings 71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. In what appears to be a sea…

Title                           Flash local-with-filesystem Bypass in navigateToURLReference                 VT-19Discoverer                Soroush Dalili and Matthew EvansVendor                    …

Title                                  D-Link routers vulnerable to Remote Code Execution (RCE) Release Date                   11 Aug 2016 Reference                    …

Author: David Thiel This book is the definitive guide for hackers and developers allowing readers to understand and eliminate security holes in iOS Application Security. Former NCC Group security consultant, David Thiel, authored this book, which includes information about common iOS coding mistakes that create serious security problems and how…

Author: Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse.  Ollie Whitehouse, technical director at NCC Group, has co-authored The Mobile Application Hacker’s Handbook.  The book helps readers to understand how to secure mobile phones by approaching the issue from a hacker’s point of view. It contains expert guidance on topics…

NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches.The identification of vulnerabilities and understanding what is involved in their exploitation has numerous applications in both the attack and defence side of cyber security. The way in which software vulnerabilities are discovered has evolved considerably over…

Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This whitepaper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed and provide handles…

Author(s): Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte. The Shellcoder’s Handbook takes a detailed look at why security holes appear, how to discover them and how to close them so that they can’t be exploited. In this revised 2007 second edition, many new exploitation techniques are explored that were…

Vulnerability Summary Title                               Potential false redirection of web site content in Internet in SAP NetWeaver web applications Release Date               8 March 2016 Reference              …

Vulnerability Summary Title                               Multiple security vulnerabilities in SAP NetWeaver BSP Logon Release Date               8 March 2016 Reference                    NCC00837 Discoverer      …

Voice biometrics are becoming an attractive mechanism for authenticating users in online and mobile environments. They may, however, not always be the best choice of authentication mechanism, depending on the performance and assurance requirements of the underlying application. A feasibility study should always be performed on the use of biometrics…

A common misconception by Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network which is fully patched and using the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in…

In this paper, Justin Engler discusses the challenges of secure messaging for normal people based on his presentation entitled “Secure Messaging” from DEF CON 23. “Secure” messaging programs and protocols continue to proliferate, and crypto expertscan debate their minutiae, but there is very little information available to help therest of…