Cyber Security
Medical Devices: A Hardware Security Perspective
Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker…
Fuzzing the Easy Way Using Zulu
Andy Davis, NCC Group’s Research Director, presented Fuzzing the Easy Way Using Zulu at the 2014 Nullcon conference in Goa, India. The presentation describes how Zulu has been successfully used to discover high profile bugs and details the motivations for developing the tool. Download our slides
Building WiMap the Wi-Fi Mapping Drone
We’ve published a whitepaper about how we built WiMap, which is a Wi-Fi mapping drone. The paper includes details of the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. We’d love to hear your feedback via…
Exploiting CVE-2014-0282
This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Download whitepaper Authored by Katy Winterborn
Technical Advisory: Command Injection
Vendor: Kinetica
Vendor URL: https://www.kinetica.com/
Versions affected: 7.0.9.2.20191118151947
Systems Affected: All
Author: Gary Swales Gary.Swales@nccgroup.com
Advisory URL / CVE Identifier: CVE-2020-8429
Risk: High (Command Injection on the underlying operating system)
Summary
The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited…
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients
Vendor: Sumpple
Vendor URL: http://www.sumpple.com
Versions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601; Sumpple IP Cam Android V1.1.33 – V1.11; IOS 1.51.5986 (Previous versions are also likely to be affected)
Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera; Sumpple IP Cam Android and IOS mobile application.
Author: Sebastian Parker-Fitch (@scorpioitsec)
Advisory…
Security impact of IoT on the Enterprise
We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…
An Introduction to Ultrasound Security Research
Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…
An Introduction to Quantum Computing for Security Professionals
Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Vendor: Lansweeper
Vendor URL: https://www.lansweeper.com/
Versions affected: prior to 7.1.117.4
Systems Affected: Lansweeper application
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462
Risk: Critical when MSSQL database is in use (not default)
Summary
The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the…
Jenkins Plugins and Core Technical Summary Advisory
15 Security Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability
118 CVEs, 1 CVE pending, 10 issues with no CVE requested
About the Vulnerabilities
NCC Group Security Consultant Viktor Gazdag has identified 128 security vulnerabilities across Jenkins plugins and one within the Jenkins core with the following distribution: Credentials stored…
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The vulnerabilities listed below were found to affect some Ricoh printers:
Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)
Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)
Buffer Overflow Parsing LPD Packets (CVE-2019-14308)
No…
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The vulnerabilities listed below were found to affect several Brother printers:
Stack Buffer Overflow in Cookie Values (CVE-2019-13193)
Heap Overflow in IPP Attribute Name (CVE-2019-13192)
Information Disclosure Vulnerability (CVE-2019-13194)
Technical Advisories:
Stack Buffer Overflow…
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The vulnerabilities listed below were found to affect several Xerox printers:
Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171)
Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168)
Multiple Buffer Overflows in Web Server (CVE-2019-13169,…
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The vulnerabilities listed below were found to affect several Kyocera printers:
Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206)
Multiple Buffer Overflows in IPP Service (CVE-2019-13204)
Buffer Overflow in LPD Service…
Technical Advisory: Multiple Vulnerabilities in HP Printers
Multiple vulnerabilities, ranging from Cross-Site Scripting to buffer overflows, were found in several HP printers:
Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
Buffer Overflow in Web Server (CVE-2019-6326)
Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)
Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)
Technical Advisories:
Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
Vendor:…
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The vulnerabilities listed below were found to affect several Lexmark printers:
SNMP Denial of Service Vulnerability (CVE-2019-9931)
Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
Information Disclosure Vulnerability…
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Vendor: Intel
Vendor URL: http://www.intel.com/
Versions affected: Intel Driver Support Assistance prior to version 19.4.18
Systems Affected: Microsoft Windows
Author: Richard Warren <richard.warren[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11114.
Risk: Medium
Summary
This vulnerability allows a low privileged user to escalate their privileges to SYSTEM.
Location
Intel Driver Support Assistance – DSAService (DSACore.dll)
Impact
Upon successful…
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
Vendor: Citrix
Vendor URL: http://www.citrix.com/
Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001
Systems Affected: Microsoft Windows
Author: Ollie Whitehouse <ollie.whitehouse[at]nccgroup[dot]com>, Richard Warren <richard.warren[at]nccgroup[dot]com>, Martin Hill <martin.hill[at]nccgroup[dot]com>
Advisory URL / CVE Identifier: CVE-2019-11634.
Risk: Critical
Summary
The Citrix Workspace / Receiver client suffers…
Cyber Security in UK Agriculture
This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…
NCC Group Connected Health Whitepaper July 2019
Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Vendor: SmarterTools
Vendor URL: https://www.smartertools.com/
Versions affected: prior to Build 6985 (CVE-2019-7214), prior to Build 7040 (CVE-2019-7211, CVE-2019-7212, CVE-2019-7213)
Systems Affected: SmarterMail
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: CVE-2019-7214, CVE-2019-7213, CVE-2019-7212, CVE-2019-7211 https://www.smartertools.com/smartermail/release-notes/current
Risk: Critical and High
Summary
The SmarterMail application is a popular mail server with rich features for normal…
Technical Advisory: Multiple Vulnerabilities in MailEnable
Vendor: MailEnable
Vendor URL: https://www.mailenable.com/
Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019)
Systems Affected: tested on Enterprise Premium but all versions have been patched
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927 http://www.mailenable.com/Premium-ReleaseNotes.txt http://www.mailenable.com/Premium-ReleaseNotes9.txt http://www.mailenable.com/Premium-ReleaseNotes8.txt http://www.mailenable.com/Premium-ReleaseNotes7.txt http://www.mailenable.com/Premium-ReleaseNotes6.txt
Risk: Critical, High, Medium
Summary
The MailEnable…
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Vendor: Avaya
Vendor URL: https://www.avaya.com/
Versions affected: 10.0 through 10.1 SP3, 11.0
Systems Affected: Avaya IP Office
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com
Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317
Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614
Risk: Medium
Summary
The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as…
Use of Deserialisation in .NET Framework Methods and Classes
These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…
Nine years of bugs at NCC Group
As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…
Third party assurance
Third parties can provide an invaluable resource and service for your organisation. But how far should you go when validating a third party supplier? What does the third party need to be validated against? How can you be confident that the validation process is effective? Is the validating process detrimental…
Public cloud
Whenever an outage on one of these cloud providers occurs, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Systems Affected: Microsoft Outlook
Author: Soroush Dalili
CVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927
Risk: Medium – Possible SMB Hash Hijacking or User Tracking
Summary
Microsoft Outlook could be abused to send SMB handshakes externally after a victim opens or simply views an email. A WebDAV request was sent even when the SMB…
Technical Advisory: Authentication Bypass in libSSH
Vendor: libSSH
Vendor URL: https://www.libssh.org/
Versions affected: Versions of libSSH 0.6 and above, prior to 0.7.6 or 0.8.4.
Author: Peter Winter-Smith peter.winter-smith[at]nccgroup.com
Advisory URL / CVE Identifier: CVE-2018-10933 - https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Risk: Critical – Authentication Bypass
Summary
libSSH is a library written in C which implements the SSH protocol and can be used to implement both…
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: .NET Framework before July 2018 patch
Systems Affected: .NET Framework Workflow library
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8284
Risk: Critical
Summary
In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Vendor: Mitel
Vendor URL: https://www.mitel.com
Versions affected: 5330e IP Phone
Systems Affected: Mitel MiVoice
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust
Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009
CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497
Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution
Summary
The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: .NET Framework before September 2018 patch
Systems Affected: .NET Framework Workflow library
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8421
Risk: Critical
Summary
In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…
The disadvantages of a blacklist-based approach to input validation
It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Vendor: Virgin Media
Vendor URL: https://www.virginmedia.com/
Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885J
Systems Affected: Hub 3.0
Author: Balazs Bucsay (@xoreipeip)
Advisory URL / CVE Identifier: None
Risk: Critical
Summary
Multiple security vulnerabilities were found in the device’s firmware that could be chained and lead to unauthenticated remote command execution.
Location
Multiple…
Ethics in Security Testing
This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1]…
Open Banking: Security considerations & potential risks
The concept of Open Banking is an innovative one. However, as with any new developments surrounding sensitive financial information it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…
scenester
Scenester – a tool to visually snapshot a website by supplying multiple user-agents. Designed to aid in the discovery of different entry points into an application. For more information and to download the tool, visit our GitHub page here.
port-scan-automation
Automate NMAP scans and custom Nessus policies. Features include:
Discovers live devices
Auto-launches port scans on only the discovered live devices
Can run multiple instances on multiple adaptors at once
Creates a client Ref directory for each scan
Outputs all unique open ports in a Nessus-ready format.
Much faster…
Windows DACL Enum Project
A collection of tools to enumerate and analyse Windows DACLs:
Tool 1: Process Perms
Tool 2: Window Stations and Desktops
Tool 3: Services
Tool 4: File System
Tool 5: Registry
For more information and to download the tool visit our GitHub page here.
umap
umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed. For more information and to download the tool visit our GitHub page here.
Shocker
A tool to find and exploit servers vulnerable to Shellshock. To download the tool, please visit our Github page here.
Zulu
Zulu is an interactive GUI based fuzzer. The tool is input and output agnostic, therefore when you are happy with using the fuzzing engine that’s driven by the GUI you are only limited by the input and output modules that have been developed for it. To download the tool, please…
whitebox
This prototype was originally designed and developed during Christmas 2008 / 2009 to show how a non-signature-based AV could reliably detect malicious code. For more information and to download the tool, visit our GitHub page here.
vlan-hopping
vlan-hopping is a simple VLAN enumeration and hopping script, developed by Daniel Compton. For more information and to download the tool, visit our GitHub page here.
tybocer
Tybocer is a new view on code review. When presented with a new piece of code to review it is useful to search through for common terms, or to hunt down specific definitions of particular functions. For more information and to download the tool visit our GitHub page here.
xcavator
A network data locator using credentials obtained during penetration tests. Xcavator is a tool that scans a range of IP addresses for services that host files (FTP, FTPS and SMB at the moment) and for given credentials it will try to download everything it can and scan within the files…
WindowsJobLock
A Microsoft Windows Process Lockdown Tool using Job Objects, developed by Ollie Whitehouse. To download the tool visit our GitHub page here.
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Vendor: ManageEngine
Vendor URL: https://www.manageengine.com/products/desktop-central/
Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspected
Systems Affected: All
Author: Ben Lincoln <ben.lincoln[at]nccgroup[dot]trust>
Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342
Risk: Critical (unauthenticated remote code execution)
Summary
Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones,…
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: products before July 2018 patch
Systems Affected: Visual Studio, .NET Framework, SharePoint
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300
Risk: Medium to High
Summary
A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by…
Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector
Vendor: Redgate
Vendor URL: https://www.red-gate.com/
Versions affected: prior to 10.0.7.774 (24th July, 2018)
Systems Affected: .NET Reflector
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier: https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581)
Risk: Critical
Summary
It was possible to execute code by decompiling a compiled .Net object (such as DLL or EXE) with an embedded resource file. An attacker could…
Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin
Vendor: Jenkins Delivery Pipeline Plugin
Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin
Versions affected: 1.0.7 (up to and including)
Systems Affected: Jenkins
Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust
Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/
Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)
Summary
The Delivery Pipeline Plugin is a Jenkins plugin that helps visualize the delivery/build…
The economics of defensive security
While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…
Mobile & web browser credential management: Security implications, attack cases & mitigations
With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…
SOC maturity & capability
Security is a high priority for most organisations. A string of high priority breaches in big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how to best protect themselves and reduce the impact of a…
Adversarial Machine Learning: Approaches & defences
Most of us interact with Artificial Intelligence (AI) or Machine Learning (ML) on a daily basis without even knowing; from Google translate, to facial recognition software on our mobile phones and digital assistance in financial services or call centres. It is a growing market with ever increasing possibilities across all…
eBook: Breach notification under GDPR – How to communicate a personal data breach
Working closely with our clients both on site and at events, we are finding that several remain unclear on the topic of breach notification under GDPR. There seems to be little focused guidance on the topic despite the fact that the new regulation will be enforced from May 2018. This…
Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Vendor: Adobe
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11284
Risk: Critical (unauthenticated remote code/command execution)
Summary
Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…
Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Vendor: Adobe
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11283
Risk: Critical (unauthenticated remote code/command execution)
Summary
Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…
Managing PowerShell in a modern corporate environment
Following from our recent CISO research council, our research team have put together this whitepaper, which explores the use of PowerShell in a modern corporate environment and how to mitigate the associated threats. Since its incarnation in 2006, PowerShell has grown to be a powerful and extensible management tool, allowing for…
Technical advisory: Remote shell commands execution in ttyd
Vendor: tsl0922
Vendor URL: https://github.com/tsl0922/ttyd/ (https://tsl0922.github.io/ttyd/)
Versions affected: 1.3.0 (<=)
Author: Donato Ferrante <donato.ferrante[at]nccgroup[dot]trust>
Patch URL: https://github.com/tsl0922/ttyd/commit/4d31e534c0ec20582d91210990969c19b68ab3b0
Risk: Critical
Summary
ttyd is a cross platform (e.g. macOS, Linux, FreeBSD, OpenWrt/LEDE, Windows) tool for sharing a terminal over the web, inspired by GoTTY. ttyd may allow remote attackers to execute shell commands on a victim’s system,…
Securing the continuous integration process
Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software. However, the security implications of introducing CI are often…
Endpoint connectivity
The popularity of USB usage has grown and it has become a common vehicle for spreading malware. As such, the need to protect IT assets from a cyber attack is paramount and from a physical endpoint perspective, this presents a challenging dynamic when wanting to prevent a data breach via…
Database Security Brief: The Oracle Critical Patch Update for April 2007
On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June…
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Buffer Underruns and Stack Protection
Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered [1][2] and more XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2…
Data-mining with SQL Injection and Inference
When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ…
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Exploiting well-known flaws in DNS services and the way in which host names are resolved to IP addresses, phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain. A grouping of attack vectors now referred to as “Pharming” affects the fundamental…
Weak Randomness Part I – Linear Congruential Random Number Generators
The objective of this series of papers is to describe the mathematical properties of some of the more common pseudo-random sequence generators and to show how they can be attacked by illustrating the principles with real-world bugs. The series demonstrates how weak randomness can be identified, used to compromise real-world systems, and defended against.…
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own…
Blind Exploitation of Stack Overflow Vulnerabilities
This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well…
Slotting Security into Corporate Development
Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been too slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. In many of…
Creating Arbitrary Shellcode In Unicode Expanded Strings
The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non-exploitable and thereby improve the general state of network security. It…
Violating Database-Enforced Security Mechanisms
This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application-enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful…
Hacking the Extensible Firmware Interface
Agenda
The role of the BIOS
Attacking a legacy BIOS
Limitations of the legacy BIOS
Introduction to the EFI environment
Attacking the EFI environment
UEFI, summary and conclusions
Some Caveats…
This talk is about rootkit persistence
How to deploy a rootkit from the BIOS/EFI
Not concerned with what…
Advanced Exploitation of Oracle PL/SQL Flaws
Objectives: Discuss current “threat landscape”; Introduce a new class of vulnerability; Introduce a new method of attack; Show practical demonstrations; Look at some defences. Download presentation Author: David Litchfield
Firmware Rootkits: The Threat to the Enterprise
Agenda: Recap of ACPI BIOS rootkit and limitations; Brief overview of the PCI Bus; Abusing expansion ROMs; Abusing PXE; Detection, Prevention and the TPM; Summary and conclusions. Download presentation Author: John Heasman
Database Security: A Christmas Carol
The Past, Present and Future of Database Security In 2006 there were 335 publicized data breaches in the U.S. So far in 2007 there have been 276. With the 5th anniversary of the SQL Slammer worm drawing near, now is as good a time as any to look back on…
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. Microsoft is committed to security. I’ve been playing with Microsoft products, as…
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
Over the last two decades, both Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been growing in frequency, complexity and volume. Traditionally, these attacks are associated with botnets and large amounts of traffic aimed at disrupting Internet-facing services. However, while the goal of these attacks remains…
VoIP Security Methodology and Results
VoIP Security Issues The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues. There is a lot of public coverage of VoIP issues, however…
E-mail Spoofing and CDONTS.NEWMAIL
Many IIS web servers running ASP applications will use the CDONTS.NEWMAIL object to provide the functionality for feedback or contact forms. This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP…
Dangling Cursor Snarfing: A New Class of Attack in Oracle
In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low…
Database Servers on Windows XP and the unintended consequences of simple file sharing
This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files…
DNS Pinning and Web Proxies
DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within…
Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers
Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: IE 10, 11, and Edge prior to July 2017 patch Systems Affected: Windows with above versions affected Author: Soroush Dalili Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592 Risk: Low Summary Internet Explorer (or Edge) could be used to send arbitrary messages to a target…
Which database is more secure? Oracle vs. Microsoft
This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example,…
Variations in Exploit methods between Linux and Windows
This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. The Vulnerability: The vulnerability that will be discussed in this paper is a classic stack based overflow in Oracle’s RDBMS 9.2.0.1. As well as offering the standard SQL service,…
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
“Security within the Internet of Things (IoT) is currently below par.” The statement above derives from many observations across our work in IoT (and that of the wider security research community) in addition to a myriad of regular, publicly reported issues and security concerns with IoT devices and their infrastructures.…
Beyond data loss prevention
Data Loss Prevention (DLP) is a security control aimed at highlighting when sensitive data leaves the corporate network or is accessed without authorisation. A DLP solution can be a great asset to a business and support a range of security goals and compliance. It can be an invaluable safety net…
How to protect yourself & your organisation from phishing attacks
With one click, his entire business was in the hands of someone else. Sensitive company information, bank account details, social media profiles, various other usernames and passwords. All stolen by a cyber criminal in a convincing phishing attempt. The email he’d received looked legitimate. It was just a simple request…
Rise of the machines: Machine Learning & its cyber security applications
“By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.” Eliezer Yudkowsky At NCC Group, we are researching Machine Learning (ML) and Artificial Intelligence (AI) from a number of different angles in order to fully understand the pros and cons of ML…
Latest threats to the connected car & intelligent transport ecosystem
The modern vehicle has become increasingly computerised as the demand for cleaner emissions and better transport safety for drivers and pedestrians has grown. Numerous initiatives are currently underway to begin to address this threat and to bring the principles used within traditional enterprise environments (such as the Secure Development Lifecycle)…
Understanding the insider threat & how to mitigate it
It is a widely held belief that the vast majority of threats to businesses are from outside attackers, with the stereotypical view of hackers trying to make money through crime. The problem with this viewpoint is that it does not consider the threat from a malicious insider. There is a…
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Biometric facial recognition is becoming an increasingly popular mechanism for authenticating users in online and mobile environments. In addition, it is continually being adopted for physical access control, whether at border controls such as airports or within secure facilities to enforce strict access control (and/or time and attendance tracking) to…
Encryption at rest: Not the panacea to data protection
Following from our recent CISO research council, our research team have put together this whitepaper, which explores encryption at rest. Encryption at rest is not a panacea to data protection due to its complexity and the utility of data. Often, misconceptions can (and do) arise whereby it is believed that…
Applying normalised compression distance for architecture classification
An NCC Group whitepaper. When working with malware research and black box penetration testing, it is not always clear what data you are working on and in order to disassemble binaries properly, one needs to know the architecture that the binary has been…
D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Title: D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow Reference: VT-95 Discoverer: …
Unauthenticated XML eXternal Entity (XXE) vulnerability
Vendor: Oracle Vendor URL: http://www.oracle.com/ Versions affected: 11.1.2.4 (previous versions may also be affected) Systems Affected: Oracle Hyperion Financial Reporting Web Studio Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html CVE Identifier: CVE-2017-10310 Risk: High (Unauthenticated local file read, server-side request forgery or denial of service) Summary The…
Technical Advisory: Shell Injection in MacVim mvim URI Handler
Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical Summary MacVim is a Mac OS port of Vim. MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a…
Technical Advisory: Shell Injection in SourceTree
Vendor: Atlassian Vendor URL: http://atlassian.com Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481 Risk: Critical (reliable remote code execution) Summary SourceTree is a product for working with various types of…
Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
Vendor: Accellion, Inc. Vendor URL: http://www.accellion.com/ Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110, others likely Systems Affected: Accellion File Transfer Appliance Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: Critical Summary The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers.…
Mergers & Acquisitions (M&A) cyber security due diligence
An NCC Group whitepaper. Regardless of the size, scope, geography or sector of your organisation, there are common elements that should be considered when it comes to cyber security due diligence during the M&A process. This whitepaper aims to cover the risks, opportunities and responsibilities associated with cyber security…
Advisory-CraigSBlackie-CVE-2016-9795
Title: Privilege Escalation in CA Common Services casrvc due to Arbitrary Write Reference: VT-37 Discoverer: …
Best practices with BYOD
In today’s modern society the requirement for employees to be based within a corporate office is minimal, largely due to remote working gaining prominence. The cost to provide remote working or mobile technology to employees can, however, be expensive. An ideal solution to this cost issue is enabling the employee…
Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Vendor: Rapid7, Inc. Vendor URL: http://rapid7.com Versions affected: 6.4.9 2016-11-30 and potentially all prior releases. Systems Affected: Nexpose Vulnerability Scanner Author: Noah Beddome, Justin Lemay, and Ben Lincoln Advisory URL / CVE Identifier: 2017-5230 Risk: Medium - Requires specific access criteria Summary The Nexpose vulnerability scanner by Rapid7 is widely used to identify network and application…
Java RMI Registry.bind() Unvalidated Deserialization
Title: Java RMI Registry.bind() Unvalidated Deserialization Reference: VT-87 Discoverer: Nick Bloor (@NickstaDB) Vendor: …
Understanding cyber risk management vs uncertainty with confidence in 2017
Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events. Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting…
iOS MobileSlideShow USB Image Class arbitrary code execution.txt
Title: iOS MobileSlideShow USB Image Class arbitrary code execution Release Date: 15 December 2016 Reference: NCC00249 Discoverer: Andy Davis Vendor: …
Denial of Service in Parsing a URL by ierutil.dll
Title: Denial of Service in Parsing a URL by ierutil.dll Reference: VT-20 Discoverer: Soroush Dalili Vendor: …
U plug, we play
These slides are from David Middlehurst’s presentation at the BSides Manchester conference. The presentation includes information on a new open source tool called ‘UPnP Pentest Toolkit’. Download Presentation
SSL checklist for pentesters
These slides are from Jerome Smith’s presentation at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). Download presentation
Dissecting social engineering attacks
These slides are from Robert Ray’s presentation at the Trust Forum in Edinburgh. The presentation looks at the common social engineering tactics and provides hints and tips on how to detect, prevent and respond to a social engineering attack. Download presentation
External Enumeration and Exploitation of Email and Web Security Solutions
Ben Williams, security consultant at NCC Group, presented his talk, External Enumeration and Exploitation of Email and Web Security Solutions at Black Hat USA. He also produced two whitepapers which include statistical analysis of the filtering products, services and policies used by some of the world’s top companies. Download presentation…
Social Engineering
These slides are from Panagiotis Gkatziroulis’ presentation at the Trust Forum in London. It looks at the common social engineering methods, tools and mitigation involved in social engineering attacks. Download presentation
Phishing Stories
These slides are from Shaun Jones’ presentation at the Trust Forum in Manchester. He gave examples of real-life phishing attacks and provided tips on how you can protect yourself. Download presentation
Automating extraction from malware and recent campaign analysis
These slides are from David Cannings presentation at the 44CON Breakfast Briefing. The talk is titled Automating extraction from malware and recent campaign analysis, and includes an overview of some recent targeted campaigns. Download presentation
DDoS Common Approaches and Failings
This webinar looks at the reasons that DDoS mitigation may not be working and what you should be thinking about to protect your business from a DDoS attack, including examples of some testing we have done and common approaches. Download presentation
Absolute Security
These slides are from Rory McCune’s presentation at the Trust Forum in Edinburgh. In his presentation he looked at how everything from celebrity hacking to the Heartbleed bug can be explained by a lack of context, and what you can do to avoid the trap of absolute security. Download presentation
How much training should staff have on cyber security?
These slides are from Irene Michlin’s presentation at the Trust Forum in London. It looked at how much training staff should have on cyber security. Download presentation
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Andy Davis, research director at NCC Group, delivered this presentation at the escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…
Cyber Essentials Scheme
These slides are from Matt Storey’s presentation at the Trust Forum in Manchester. He discussed what Cyber Essentials is, who it is for and the benefits it has to your organisation. Download presentation
Webinar – PCI Version 3.0: Are you ready?
This webinar talked through the changes to the new PCI SSC version 3.0 standard in detail and how they will affect your business, the things you need to be thinking about now and the timescales in which you have to react to the changes. Download our presentation…
Webinar: 4 Secrets to a Robust Incident Response Plan
David Cannings, Principal Consultant at NCC Group, delivered a fantastic webinar on four key considerations when building a robust incident response plan. The webinar covered: An introduction – why a plan is needed What the risks are Four key considerations Case studies for each consideration More resources on incident response…
Cloud Security Presentation
These slides are from David FB.Page’s presentation at the Manchester Trust Forum. The presentation includes information on cloud security and how the different types of cloud implementations could affect your organisation’s security. Download presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
These slides were presented as part of the SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities webinar series. Our Technical Director, Ollie Whitehouse covered: High level overview of the threat; Impact of the threat; What is affected/impacted by it; Details on how the exploitation works; Details on Man in the Middle; How to…
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…
Memory Gap
A memory searching utility across multiple processes, which allows you to: open each process; work out the valid memory pages; search for the ASCII and Unicode incarnations of the string. To download the tool, visit our GitHub page here.
44Con2013Game
The NCC Group Game from 44CON 2013 – a knowledge based multiple choice game for conferences. For more information and to download the game, visit our GitHub page here.
creep-web-app-scanner
A primitive website scanner currently under development by an NCC Group employee and University graduate with 20% research time. creep currently crawls a site, and searches for potentially interesting information within each page. creep will crawl your (HTTP only) target and pull interesting info on the site, including: Source code…
ncccodenavi
NCC Code Navi is the Text Viewer and Searcher for Code Reviewers, which allows you to: easily search across code; have multiple instances of the same file / search queries open concurrently; use the inbuilt note keeper; send different aspects of filenames, path and code to the note keeper easily; select a word or…
Pip3line
Raw bytes manipulation utility, able to apply well known and less well-known transformations. For more information and to download the tool, visit our GitHub page here.
typofinder
A web service written in Python designed to identify registered yet mistyped DNS domains. This utility will check if web server, mobile and mail handling DNS records have also been registered. In addition, geo IP is used to locate the country in which the registered IPv4 and IPv6 addresses are present…
DIBF – Updated
This tool encompasses two distinct features. It guesses the IOCTL values that the driver accepts and also their valid size limitations, and stores the results in a file for future reuse. The second feature is comprised of 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and…
IODIDE
IODIDE – The IOS Debugger and Integrated Disassembler Environment Released as open source by NCC Group Plc Developed by Andy Davis, andy dot davis at nccgroup dot com To download visit: https://github.com/nccgroup/IODIDE Released under AGPL see LICENSE for more information Includes the PowerPC disassembler from cxmon by Christian Bauer, Marc…
CECSTeR
CECSTeR is the Consumer Electronics Control Security Testing Resource – a GUI-based tool to perform security testing against the HDMI CEC (Consumer Electronics Control) and HEC (HDMI Ethernet Channel) protocols. For more information and to download the tool visit our GitHub page here.
cisco-SNMP-enumeration
Cisco SNMP enumeration, brute force, config downloader and password cracking script. For more information and to download the tool, visit our GitHub page here.
dotnetpaddingoracle
Small script to check if a .NET web application is vulnerable to a padding oracle attack. This script actually verifies whether the oracle is present and exploitable, not just whether the patch has been installed. For more information and to download the tool, visit our GitHub page here.
dotnetpefuzzing
NCC Code Navi the Text Viewer and Searcher for Code Reviewers. For more information and to download the tool, visit our GitHub page here.
easyda
This tool is an Easy Windows Domain Access Script which finds common password hashes on Windows networks (pass the hash) and locates logged in Domain Administrator accounts. For more information and to download the tool, visit our GitHub page here.
EDIDFuzzer
A tool for fuzzing Enhanced Display Identification Data, developed by Andy Davis. For more information and to download the tool visit our GitHub page here.
Fat-Finger
Fat-Finger extends the original finger.nse and attempts to enumerate current logged on users through a full match of the username and a partial match of the GECOS field in /etc/passwd. For more information and to download the tool, visit our GitHub page here.
firstexecution
firstexecution is a collection of different ways to execute code outside of the expected entry points. For more information and to download the tool, visit our GitHub page here.
grepify
Grepify is the GUI Regex Text Scanner for Code Reviewers. For more information and to download the tool, visit our GitHub page here.
FrisbeeLite
FrisbeeLite is a GUI-based USB device fuzzer, developed by Andy Davis. For more information and to download the tool, visit our GitHub page here.
State-of-the-art email risk
Email was not designed to be used the way it is today. Organisations rely on email for daily business communication and while most are protecting against low-level threats, more sophisticated email-based attacks are on the rise. This NCC Group whitepaper highlights the overall risks that organisations face when using email…
Ransomware: what organisations can do to survive
We’ve published a short eBook based on our experience of dealing with numerous ransomware cases in the last few years. The eBook is designed to provide real-world advice as to what organisations should do to minimise the likelihood of initial infection as well as limit any impact should that fail.…
hostresolver
A Windows application to help out with external infrastructure scans that can be used for the following: Convert a file of IP addresses to hostnames (output a straight list of hostnames or comma separated list of IP Address, Hostname) Convert a file of hostnames to IP addresses (output a straight…
lapith
Lapith is a Python GUI tool that presents Nessus results in a format more useful for penetration testers. Results can be viewed by issue as opposed to by host. It is therefore easier to report all the hosts affected by an issue, rather than all of the issues affecting the…
metasploitavevasion
Metasploit payload generator that avoids most Anti-Virus products. For more information and to download the tool, visit our GitHub page here.
Maritime Cyber Security: Threats and Opportunities
This presentation about maritime cyber security, delivered at the CIRM Annual Meeting in Cyprus, looks at the cyber threats to the maritime industry, an overview of the attack surface, the impact of some of the risks they face and a look at what solutions are available in the short, medium…
IP-reputation-snort-rule-generator
A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data. For more information and to download the tool, visit our GitHub page here.
The L4m3ne55 of Passw0rds: Notes from the field
This presentation about the “lameness of passwords” was delivered by Ben Williams, senior security consultant at NCC Group, at the 44Con Café event at the IP Expo in Manchester. Williams talked about his experience of breaking into networks and applications with a variety of password attack tools and techniques. It…
Mature Security Testing Framework
These slides are from Matt Storey’s presentation at the Edinburgh Trust Forum. This presentation looks at security testing frameworks, the scheduling aspects of the various forms of testing and other options, such as using STAR or red team assessments to test gaps in IT security controls. Download presentation
Exporting non-exportable RSA keys
These slides are from Jason Geffner’s presentation “Exporting Non-Exportable RSA Keys” that he presented at Black Hat Europe in 2011. In this presentation Jason will cover security issues surrounding RSA keys and Digital Certificates. Download presentation To read the white paper that accompanies these slides click here.
Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
This presentation was presented at Black Hat USA 2015. Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that…
The role of security research in improving cyber security
These slides are from a presentation, “The Role of Security Research in Improving Cyber Security” by Andy Davis. The presentation discusses the role of security research in helping to improve cyber security. Download presentation
Self-Driving Cars- The future is now…
Matt Lewis, associate director at NCC Group, presented a talk at the Oredev conference in Sweden on how self-driving cars are no longer science fiction. Investment is already being made into this area and commercially available vehicles will be available in the next decade. Matt’s talk discusses the possibilities and…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
These slides are from Ben Williams’ presentation “They ought to know better: Exploiting Security Gateways via their Web Interfaces”, that he presented at Black Hat Europe in 2012. In this presentation Ben will discuss the 40+ exploits that have been discovered and ways that some of these can be used…
Mobile apps and security by design
In this presentation Ollie Whitehouse will be discussing How to develop or purchase COTS mobile apps for my enterprise while ensuring security. Download presentation
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
These slides come from Alex Stamos and Tom Ritter’s presentation, “The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet” from Black Hat USA in 2012. In this presentation they cover the new changes to the internet’s infrastructure and the concerns around this. Download presentation
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
These slides come from Justine Osborne and Alban Diquet’s presentation from Black Hat USA 2012. In this presentation they explain what certificate pinning is and how it works in the iOS and Android systems. Download Presentation
USB Undermining Security Barriers:further adventures with USB
These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USBs and the impact these vulnerabilities could have on your organisation. Download Presentation There is also a white paper on this subject, you can…
Software Security Austerity Security Debt in Modern Software Development
These slides come from Ollie Whitehouse’s presentation “Software Security Austerity Security Debt in Modern Software Development” that he gave at 44Con in 2012. In this presentation Ollie will explain software security debt and ways that this debt can be managed. Download presentation
RSA Conference – Mobile Threat War Room
These slides are from Ollie Whitehouse’s presentation from the 2012 RSA Conference, eFraud Global Forum in London. In this presentation Ollie will discuss some of the big trends in mobile security from 2012, providing some technical details and real world examples, and then he will give his predictions for threats…
Finding the weak link in binaries
These slides are from Ollie Whitehouse’s presentation from Hack in the Box in Kuala Lumpur. In the presentation Ollie will discuss the What, Why and How of discovering weak links in binaries. Download presentation
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks. Download Presentation You can also read the white paper…
Harnessing GPUs Building Better Browser Based Botnets
These slides come from Marc Blanchou’s presentation at Black Hat Europe, Harnessing GPUs: Building Better Browser Based Botnets. In the presentation Marc discusses harnessing GPUs with browser-based botnets for distributed and cheaper cracking, and will consider botnet impact, cost, stealth requirements and portability when building better browser based botnets.…
The Browser Hacker’s Handbook
Author: Wade Alcorn, Christian Frichot, Michele Orru. Michele Orru, from the Group’s Fort Consult Division, has co-authored The Browser Hacker’s Handbook with former NCC Group security consultant Wade Alcorn. The book gives a practical understanding of hacking the everyday web browser. It contains expert advice on topics such as ARP spoofing,…
SQL Server Security
Author: Bill Grindlay, David Litchfield. Bill Grindlay, principal software architect at NCC Group, has co-authored SQL Server Security. The book provides in-depth coverage of the installation, administration, and programming of secure Microsoft SQL Server environments and applications. It covers some of the latest techniques such as installing and configuring…
The Database Hacker’s Handbook
Author: David Litchfield, Chris Anley, John Heasman, Bill Grindlay. NCC Group’s Bill Grindlay, principal software architect, and Chris Anley, chief technical scientist, have co-authored The Database Hacker’s Handbook. The book helps readers to understand how to break into and defend the seven most popular database servers. It contains expert advice…
Social Engineering Penetration Testing
Author: Gavin Watson, Richard Ackroyd, Andrew Mason. Gavin Watson and Richard Ackroyd, security engineers at RandomStorm, part of NCC Group, have co-authored a book with former RandomStorm engineer Andrew Mason. The book includes information on practical methodology and everything you need to plan and execute a social engineering penetration test…
Peeling back the layers on defence in depth…knowing your onions
An NCC Group whitepaper. Is your organisation fully prepared for malicious attacks from both motivated external attackers and internal threat actors? As the threat landscape continues to evolve it is vital that organisations understand where the threats are and how…
End-of-life pragmatism
End-of-life pragmatism – an NCC Group whitepaper
Does your organisation have a robust IT Refresh Policy in place? One of the main concerns relating to the replacement of IT infrastructure is the cost. The risk of introducing compatibility issues and, ultimately, downtime also causes anxiety. However, exploitation of vulnerabilities in…
Microsoft Office Memory Corruption Vulnerability
Vulnerability Summary
Title: Microsoft Office Memory Corruption Vulnerability
Release Date: 10 March 2016
Reference: NCC00886
Discoverer: Richard Warren
Vendor: Microsoft
Vendor Reference: MS16-029
Systems Affected: Tested on Microsoft Office 2010 on Windows 7
CVE Reference: CVE-2016-0021
Risk: Medium
Status: Fixed
Download technical advisory
Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Vulnerability Summary
Title: Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Release Date: 10 March 2016
Reference: …
Elephant in the Boardroom Survey 2016
UK plc wants tougher cyber regulation and more punishment for failings 71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. In what appears to be a sea…
Flash local-with-filesystem Bypass in navigateToURL
Title: Flash local-with-filesystem Bypass in navigateToURL
Reference: VT-19
Discoverer: Soroush Dalili and Matthew Evans
Vendor: …
D-Link routers vulnerable to Remote Code Execution (RCE)
Title: D-Link routers vulnerable to Remote Code Execution (RCE)
Release Date: 11 Aug 2016
Reference: …
iOS Application Security: The Definitive Guide for Hackers and Developers
Author: David Thiel
This book is the definitive guide for hackers and developers, allowing readers to understand and eliminate security holes in iOS applications. Former NCC Group security consultant, David Thiel, authored this book, which includes information about common iOS coding mistakes that create serious security problems and how…
The Mobile Application Hacker’s Handbook
Author: Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse
Ollie Whitehouse, technical director at NCC Group, has co-authored The Mobile Application Hacker’s Handbook. The book helps readers to understand how to secure mobile phones by approaching the issue from a hacker’s point of view. It contains expert guidance on topics…
Research Insights Volume 9 – Modern Security Vulnerability Discovery
NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches. The identification of vulnerabilities and understanding what is involved in their exploitation has numerous applications on both the attack and defence side of cyber security. The way in which software vulnerabilities are discovered has evolved considerably over…
Post-quantum cryptography overview
Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This whitepaper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed and provide handles…
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
Author(s): Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte
The Shellcoder’s Handbook takes a detailed look at why security holes appear, how to discover them and how to close them so that they can’t be exploited. In this revised 2007 second edition, many new exploitation techniques are explored that were…
Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Vulnerability Summary
Title: Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Release Date: 8 March 2016
Reference: …
Multiple security vulnerabilities in SAP NetWeaver BSP Logon
Vulnerability Summary
Title: Multiple security vulnerabilities in SAP NetWeaver BSP Logon
Release Date: 8 March 2016
Reference: NCC00837
Discoverer: …
My name is Matt – My voice is my password
Voice biometrics are becoming an attractive mechanism for authenticating users in online and mobile environments. They may, however, not always be the best choice of authentication mechanism, depending on the performance and assurance requirements of the underlying application. A feasibility study should always be performed on the use of biometrics…
Local network compromise despite good patching
A common misconception by Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network which is fully patched and using the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in…
Secure Messaging for Normal People
In this paper, Justin Engler discusses the challenges of secure messaging for normal people based on his presentation entitled “Secure Messaging” from DEF CON 23. “Secure” messaging programs and protocols continue to proliferate, and crypto experts can debate their minutiae, but there is very little information available to help the rest of…
Private sector cyber resilience and the role of data diodes
Abstract: Governments and businesses recognise that absolute cyber security is neither possible nor practical. In the public sector the risks are in part addressed by the adoption of various compensating controls that align with various protective marking schemes. The nations which have adopted these controls have also developed resilience strategies, in…
General Data Protection Regulation – are you ready?
With the finalisation of the General Data Protection Regulation (GDPR) it is time for businesses to take stock and prepare for the requirements which will soon be imposed. The GDPR replaces the 1995 EU directive (Directive 95/46/EC) and begins a new chapter in European privacy. The regulation was published…
Business Insights: Cyber Security in the Financial Sector
Not only are cyber attacks becoming more frequent, they are also becoming more persistent, targeted and at times sophisticated, often causing widespread impact. While some boards and executives of financial services (FS) organisations are being urged to place cyber security at the top of their risk agenda, there still often…
Building Systems from Commercial Components
Author: Kurt Wallnau, Scott Hissam, Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has co-authored Building Systems from Commercial Components. The book describes a number of proven techniques, as well as much-needed guidance on how to build component-based systems in a real working environment. Click here for more…
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
Author: Robert Seacord, Daniel Plakosh, Grace Lewis
Robert Seacord, principal security consultant at NCC Group, has written a book about Modernizing Legacy Systems. The book uses an extensive real-world case study (based on the modernisation of a 30-year-old retail system) to show how modernising legacy systems can deliver significant…
Secure Coding in C and C++
Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about secure coding in C and C++. Readers will be able to learn the root causes of software vulnerabilities and how to avoid them. The book covers some technical details on how to improve the…
CERT Oracle Secure Coding Standard for Java
Author: Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
Robert Seacord, principal security consultant at NCC Group, has co-authored the CERT Oracle Secure Coding Standard for Java. The book provides a high-level introduction to Java application security and seventeen consistently organized chapters detailing specific rules for key areas of Java development.…
CERT C Secure Coding Standard
Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about the CERT C Secure Coding Standard. The book is the essential desktop reference documenting the first official release of The CERT® C Secure Coding Standard. It provides guidelines with examples of insecure code as well as secure,…
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Author: Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
Robert Seacord, principal security consultant at NCC Group, has co-authored Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs. The book provides realistic guidance to help Java developers implement desired functionality with security, reliability and maintainability goals in mind.…
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has created a video book showcasing LiveLessons on professional C programming. The video book provides an in-depth explanation of how to use common C language features to produce robust, secure, and reliable code. Click here for more information.
Secure Coding in C and C++, 2nd Edition
Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about secure coding in C and C++. Readers will be able to learn the root causes of software vulnerabilities and how to avoid them. As part of the second edition, the book features topics such…
The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems
Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has written a book about the CERT C Coding Standard. The book is the essential reference for any developer who wishes to write secure and resilient software in C and C++. Click here for more information.
Secure Coding Rules for Java LiveLessons, Part 1
Author: Robert Seacord
Robert Seacord, principal security consultant at NCC Group, has created a video book about secure coding rules for Java. It provides developers with practical guidance for developing Java programs that are robust and secure. Click here for more information.
Hacking Displays Made Interesting
Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
These slides come from Andy Davis’ presentation “What the HEC? Security implications of HDMI Ethernet Channel and other related protocols” that was given at 44Con in 2012. In this presentation Andy discusses the importance of, and security issues surrounding, HDMI, the CEC protocol and the HEC protocol. Download our slides…
44CON Workshop – How to assess and secure iOS apps
These slides are supporting documentation used as part of a 44CON workshop we held in September 2013, which was delivered by Bernardo Damele on assessing and securing iOS apps. Download Presentation
Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0
Over a series of webinars, Rob Chahin of NCC Group presented on the changes to PCI DSS from v2.0 to v3.0. The presentation explains the changes to requirements that will be implemented from version 2.0 to version 3.0. Download presentation
Mobile World Congress – Mobile Internet of Things
NCC Group Research Director Andy Davis presented on The Mobile Internet of Things and Cyber Security at this year’s Mobile World Congress in Barcelona. The presentation covered how everything from rubbish bins to refrigerators has been in the spotlight recently from a security point of view and the key things…
Practical SME security on a shoestring
These slides come from a presentation given by Matt Summers at the Cyber Security Breakfast Meetings for Industry in February. “Security is big business; with new threats emerging every day and companies offering software and services to mitigate these threats, securing your network can be expensive. No one has an…
BlackHat Asia USB Physical Access
NCC Group Research Director Andy Davis presented ‘USB Attacks Need Physical Access Right? Not Any More…’ at this year’s BlackHat Asia in Singapore. Due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network. The talk went into detail about how these…
How we breach network infrastructures and protect them
We showcased at a client’s corporate event how we technically assess and breach network infrastructures, before attackers do. Throughout the talk a number of questions were answered: what network design mistakes and defective assumptions lead to security breaches? What are the weakest entry points of your network perimeter? How do…
Hacking a web application
NCC Group’s Thomas MacKenzie delivered this live demo on how to hack websites during the NCC Group website performance and optimisation day. Download presentation