Whitepapers

We’ve published a whitepaper about how we built WiMap, which is a Wi-Fi mapping drone.  The paper includes details of the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. We’d love to hear your feedback via…

This whitepaper details the vulnerability and examines some of the concepts needed for browser exploitation before describing how to construct a working exploit that exits gracefully. Download whitepaper Authored by Katy Winterborn

Six years ago, NCC Group researchers Tim Newsham and Jesse Hertz released TriforceAFL – an extension of the American Fuzzy Lop (AFL) fuzzer which supports full-system fuzzing using QEMU – but unfortunately the associated whitepaper for this work was never published. Today, we’re releasing it for the curious reader and…

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do…

This paper collects a set of notes and research projects conducted by NCC Group on the topic of the security of Machine Learning (ML) systems. The objective is to provide some industry perspective to the academic community, while collating helpful references for security practitioners, to enable more effective security auditing…

Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper draws the knowledge together into a single place, in order…

For the past few years, NCC Group has been an industry partner to the Centre for Doctoral Training in Data Intensive Science (CDT in DIS) at University College London (UCL). CDT is composed of a group of over 80 academics from across UCL in areas such as High Energy Physics,…

KaiOS is a mobile operating system, forked from the discontinued Firefox OS, in which all the mobile applications running on a KaiOS-based mobile device are built using web technologies, such as HTML, JavaScript, and CSS. In this independent research project, we demonstrate that six of the pre-installed mobile applications are…

NCC Group's Transport Security Practice has co-authored with the Surrey Center for Cyber Security and the Surrey Space Center a new paper titled 'Cyber security in New Space'. It provides analysis of the threats, challenges and key technologies related to the satellite industry.

Authors: Jeremy Boone, Ilya Zhuravlev Over the years, NCC Group has audited countless embedded devices for our customers. Through these security assessments, we have observed that IoT devices are typically built using a hodgepodge of chipset vendor board support packages (BSP), bootloaders, SDKs, and an established Real Time Operating System…

By Aleksandar Kircanski and Terence Tarvis A good amount of effort has been dedicated to surveying and systematizing Ethereum smart contract security bug classes. There is, however, a gap in literature when it comes to surveying implementation-level security bugs that commonly occur in basic PoW blockchain node implementations, discovered during…

By Sultan Qasim Khan Microcontrollers commonly include features to prevent the readout of sensitive information in internal storage. Such features are commonly referred to as readback protection or readout protection. This paper describes common readback protection implementation flaws, discusses techniques that can be used to defeat readback protection, and provides…

By Eric Schorn An introduction to elliptic curve cryptography theory alongside a practical implementation in Erlang. This whitepaper may be downloaded below.

We are moving to a time where many ‘things’ that we know and use have the capability to be connected to a network either wired or wirelessly. The way we use technology is becoming more integrated in all aspects of our daily lives and is steadily integrating within the enterprise…

The complexities of the heavy truck ecosystem poses challenges to the security of the ECU networks contained within the vehicles. This paper describes some of the major sources of complexity, and how each can be addressed to design and implement a secure robust ECU provisioning system. Such a system is…

Over the past few years there has been an increase in the use of sound as a communications channel for device-to-device communications. This practice has been termed Data-Over-Sound (DOS) and has been billed as a cheap and easy to use alternative to traditional communications protocols such as Wi-Fi and Bluetooth.…

Quantum computing is still in its infancy but is expected to cause major changes to the technology landscape in coming years. Its ability to massively reduce the time taken for processes normally requiring large amounts of processing power is already causing concerns about the future of cryptography and the resistance…

This whitepaper addresses the cyber security threat to agriculture and the wider food network. The perspective and primary focus is the United Kingdom but the majority of observations on the structure of markets, technologies and related issues are largely applicable to other countries. Furthermore, some of the recommended actions identified in…

Connected Health is a rapidly growing area with huge innovative possibilities and potential. This is mostly due to the uptake of digital technologies in the health and medical fields that support diagnosis, treatment and management of health conditions. It is however crucially important that security of Connected Health products, systems…

Editor’s note: This work was also presented at ACM CCS 2019. Written by Keegan Ryan Trusted Execution Environments (TEEs) such as ARM TrustZone are in widespread usein both mobile and embedded devices, and they are used to protect sensitive secretswhile often sharing the same computational hardware as untrusted code. Althoughthere…

Abstract Unikernels are small, specialized, single-address-space machine images constructed by treating component applications and drivers like libraries and compiling them, along with a kernael and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than…

These days it is quite common to see a deserialisation flaw in a product. Although awareness around finding and exploiting this type of vulnerability is out there for security researchers, developers can still struggle with securing their code especially when they are not fully aware of dangerous methods and functionalities…

  As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs. In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we…

In this whitepaper*, nine different implementations of TLS were tested against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS. The cat remains alive, with two lives left thanks to BearSSL (developed by NCC Group’s Thomas Pornin) and Google’s BoringSSL. The issues were disclosed back in August, and the teams…

Whenever an outage on one of these cloud providers occurs, or a data breach of information held by them, the immediate press coverage starts asking whether they really are as secure and reliable as traditionally managed servers. This whitepaper provides an overview of public cloud services and the steps to…

Embedded systems are regularly found to lack modern security-focused designs and implementations, despite decades of advancements in the field of computer security. Although the emergence and adoption of projects such as Yocto and OpenEmbedded have made it easier to develop and maintain firmware for embedded Linux systems, NCC Group has…

It’s not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort but it can prove to be extremely difficult to comprehensively…

This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. Sources of conflict and shared values of the two are discussed in order to find some reconciliation and come to an understanding of how a shared set of ethics…

Abstract Side channels have long been recognised as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these…

The concept of Open Banking is an innovative one. However, as with any new developments surrounding sensitive financial information it is imperative to assess the security implications of these actions. Matthew Pettitt discusses the pros and cons of the planned implementation and potential risks of Open Banking in NCC Group’s…

While there are many claims that cyber security is an indispensable necessary cost, there is also a body of opinion that cyber security does not always justify its costs and the financial impacts of a breach are frequently either exaggerated or unclear. As a response to these concerns, this whitepaper…

“We’re entering a new world in which data may be more important than software.” Tim O’Reilly Following from our recent CISO research council, our research team have put together this whitepaper, which explores the evolutionary steps in ransomware and malicious code and what NCC Group’s current perspective is. Ransomware as…

With the exponential increase of online services over the last decade, it is no surprise that the theft of credentials from poorly-secured applications is a growing concern and data breaches are becoming more of a regular occurrence. Even if we manage to secure and lock down these applications, do we…

Security is a high priority for most organisations. A string of high priority breaches in big multinational companies has brought home the threat that all organisations face in the modern world. Therefore, a growing number of companies are considering how to best protect themselves and reduce the impact of a…

Real-time, memory-level interoperability with a closed-source binary may be desired for a number of reasons. In order to read from and write to specific data structures within a target process’ memory, external software must have knowledge of how to access these structures at any given time. Since many objects are…

Nick Collisson, the author of Pointer Sequence Reverser (PSR), occasionally found himself with the need to write software that integrates deeply into an existing closed-source Windows binary and alters, or enhances, its behaviour. Such software must be able to access the data within the running process for reading and writing.…

Most of us interact with Artificial Intelligence (AI) or Machine Learning (ML) on a daily basis without even knowing; from Google translate, to facial recognition software on our mobile phones and digital assistance in financial services or call centres. It is a growing market with ever increasing possibilities across all…

Working closely with our clients both on site or at events, we are finding that several remain unclear on the topic of breach notification under GDPR. There seems to be little, focused guidance on the topic despite the fact that the new regulation will be enforced from May 2018. This…

Following from our recent CISO research council, our research team have put together this whitepaper, which explores the use of PowerShell in a modern corporate environment and how to mitigate the associated threats. Since its incarnation in 2006, PowerShell has grown to be a powerful and extensible management tool, allowing for…

Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software. However, the security implications of introducing CI are often…

The popularity of USB usage has grown and it has become a common vehicle for spreading malware. As such, the need to protect IT assets from a cyber attack is paramount and from a physical endpoint perspective, this presents a challenging dynamic when wanting to prevent a data breach via…

On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. Many of the flaws being patched are old issues. For example, DB01 relates to an issue first reported to Oracle in 2002 and another in June…

Buffer Underruns and Stack Protection Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered [1][2] and more XPMs were introduced. Today the XPMs have been added to Windows XP Service Pack 2…

When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ…

Exploiting well knows flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain. A grouping attack vectors now referred to as “Pharming”, affects the fundamental…

The objective of this series of papers is to describe the mathematical properties of some of the more common pseudo-random sequence generators and to show how they can be attacked by illustrating the principles with real-world bugs. The series demonstrates how weak randomness can be identified, used to compromise real-world systems, and defended against.…

When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own…

This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. The points raised in this paper discuss the key issues which would need to be overcome in order to do this, as well…

Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been too slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. In many of…

The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security. It…

This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application – enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful…

This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. Microsoft is committed to security. I’ve been playing with Microsoft products, as…

Over the last two decades, both Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been growing in frequency, complexity and volume. Traditionally, these attacks are associated with botnets and large amounts of traffic aimed at disrupting Internet-facing services. However, while the goal of these attacks remains…

Many IIS web servers running ASP applications will use the CDONTS.NEWMAIL object to provide the functionality for feedback or contact forms. This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP…

In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low…

This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files…

DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within…

This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example,…

This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. The VulnerabilityThe vulnerability that will be discussed in this paper is a classic stack based overflow in OracleÕs RDBMS 9.2.0.1. As well as offering the standard SQL service,…

“Security within the Internet of Things (IoT) is currently below par.” The statement above derives from many observations across our work in IoT (and that of the wider security research community) in addition to a myriad of regular, publicly reported issues and security concerns with IoT devices and their infrastructures.…

Data Loss Prevention (DLP) is a security control aimed at highlighting when sensitive data leaves the corporate network or is accessed without authorisation. A DLP solution can be a great asset to a business and support a range of security goals and compliance. It can be an invaluable safety net…

With one click, his entire business was in the hands of someone else. Sensitive company information, bank account details, social media profiles, various other usernames and passwords. All stolen by a cyber criminal in a convincing phishing attempt. The email he’d received looked legitimate. It was just a simple request…

“By far the greatest danger of Artificial Intelligence is that people conclude too early that they understand it.”  Eliezer Yudkowsky At NCC Group, we are researching Machine Learning (ML) and Artificial Intelligence (AI) from a number of different angles in order to fully understand the pros and cons of ML…

Abstract Java Serialisation is an important and useful feature of Core Java that allows developers to transform a graph of Java objects into a stream of bytes for storage or transmission and then back into a graph of Java objects. Unfortunately, the Java Serialisation architecture is highly insecure and has led…

The modern vehicle has become increasingly computerised as the demand for cleaner emissions and better transport safety for drivers and pedestrians has grown. Numerous initiatives are currently underway to begin to address this threat and to bring the principles used within traditional enterprise environments (such as the Secure Development Lifecycle)…

Abstract Network-Attached Storage (NAS) devices are a popular way for people to store and share their photos, videos and documents. Securing these devices is essential as they can contain sensitive information and are often exposed to the Internet. Because  Synology is one of the top manufacturers of NAS devices, we chose to…

NCC Group’s Robert Seacord explores the underbelly of the Java language in his whitepaper on “Accessing Private Fields Outside of Classes in Java.” According to Robert, “The use of nested classes in Java programs weakens the accessibility guarantees of the language and allows private fields to be accessed from outside…

It is a widely held belief that the vast majority of threats to businesses are from outside attackers, with the stereotypical view of hackers trying to make money through crime.  The problem with this viewpoint is that it does not consider the threat from a malicious insider. There is a…

Biometric facial recognition is becoming an increasingly popular mechanism for authenticating users in online and mobile environments. In addition, it is continually being adopted for physical access control, whether at border controls such as airports or within secure facilities to enforce strict access control (and/or time and attendance tracking) to…

Following from our recent CISO research council, our research team have put together this whitepaper, which explores encryption at rest. Encryption at rest is not a panacea to data protection due to its complexity and the utility of data. Often, misconceptions can (and do) arise whereby it is believed that…

An NCC Group whitepaper: Applying normalised compression distance for architecture classification When working with malware research and black box penetration testing, it is not always clear what data you are working on and in order to disassemble binaries properly, one needs to know the architecture that the binary has been…

“GDPR is about giving people back control of their personal data.” The EU General Data Protection Regulation (GDPR) will come into force across all member states, including the UK, on 25 May 2018. It will provide a common baseline for data protection across all of the member states and its consistent approach and requirements will benefit…

An NCC Group whitepaper Regardless of the size, scope, geography or sector of your organisation, there are common elements that should be considered when it comes to cyber security due diligence during the M A process. This whitepaper aims to cover the risks, opportunities and responsibilities associated with cyber security…

In today’s modern society the requirement for employees to be based within a corporate office is minimal, largely due to remote working gaining prominence. The cost to provide remote working or mobile technology to employees can, however, be expensive. An ideal solution to this cost issue is enabling the employee…

Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events. Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting…

Email was not designed to be used the way it is today. Organisations rely on email for daily business communication and while most are protecting against low-level threats, more sophisticated email-based attacks are on the rise. This NCC Group whitepaper highlights the overall risks that organisations face when using email…

We’ve published a short eBook based on our experience of dealing with numerous ransomware cases in the last few years. The eBook is designed to provide real-world advice as to what organisations should do to minimise the likelihood of initial infection as well as limit any impact should that fail.…

FPGA stands for field-programmable gate array. An FPGA is a logic device whose function can be changed while the device is in place within its working environment, allowing the hardware processing of a system to be altered by an external configuration loading process. Their very nature creates potential security risks, and…

Abstract ISPs have moved to managed routers due to increased customer service calls with the question “What is my Wi-Fi password?” Managed routers allow complete remote management of a user’s home network and have facilitated customer service centers across ISPs. In this paper, we discuss the process of finding vulnerabilities in remotely managed routers,…

Peeling back the layers on defence in depth…knowing your onions An NCC Group whitepaper Is your organisation fully prepared for malicious attacks from both motivated external attackers and internal threat actors? As the threat landscape continues to evolve it is vital that organisations understand where the threats are and how…

End-of-life pragmatism – an NCC Group whitepaper Does your organisation have a robust IT Refresh Policy in place? One of the main concerns relating to the replacement of IT infrastructure is the cost.  The risk of introducing compatibility issues and, ultimately, downtime  also causes anxiety. However, exploitation of vulnerabilities in…

UK plc wants tougher cyber regulation and more punishment for failings 71% of UK board directors want companies to be penalised for failing to meet basic cyber security requirements, according to new research from global cyber security and risk mitigation expert NCC Group. In what appears to be a sea…

NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches.The identification of vulnerabilities and understanding what is involved in their exploitation has numerous applications in both the attack and defence side of cyber security. The way in which software vulnerabilities are discovered has evolved considerably over…

Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This whitepaper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed and provide handles…

We’ve published a short eBook about the potential impact General Data Protection Regulation (GDPR) may have on your marketing activity. Regardless of when or how the various negotiations develop with the EU, the UK’s data protection standards will have to be equivalent to the EU’s GDPR. The eBook is designed…

Voice biometrics are becoming an attractive mechanism for authenticating users in online and mobile environments. They may, however, not always be the best choice of authentication mechanism, depending on the performance and assurance requirements of the underlying application. A feasibility study should always be performed on the use of biometrics…

Andrew Tanenbaum once said, “The great thing about standards is there are so many to choose from.” That’s especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways…

Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual EC in RSA’s B-Safe product, a modified Dual EC in Juniper Networks’s operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions…

A common misconception by Windows system administrators is that keeping operating systems fully updated is sufficient to keep them secure. However, even on a network which is fully patched and using the latest Windows operating systems, it is often trivial for an internal attacker to obtain user credentials, and in…

Authored by: Tom Ritter Download Whitepaper

Authored by: Paul Youn Download whitepaper

Authored by: Brad Hill Download whitepaper

Authored by: Scott Stender Download whitepaper

Authored by: Scott Stender Download whitepaper

Authored by: Kate McKinley Download whitepaper

Authored by: Brad Hill Download whitepaper

Authored by: Brad Hill Download whitepaper

Authored by: Jesse Burns Download whitepaper

Also published on the MicroSoft | TechNet Library. Authored by: Brad Hill | Geng Yang Download whitepaper

Authored by: Himanshu Dwivedi | Zane Lackey Download whitepaper

Authored by: Jonathan Wilkins Download whitepaper

Authored by: Justine Osborne Download whitepaper

Authored by: Chris Palmer Download whitepaper

Authored by: Brad Hill Download Whitepaper

Authored by: Riley Hassell Download Whitepaper

Authored by: Shawn Fitzgerald Download whitepaper

Authored by: Shawn Fitzgerald | Pratik Guha Sarkar Download whitepaper

Authored by: Jake Meredith Download whitepaper

Authored by: Andy Grant Download Whitepaper

Authored by: Paul Youn | Marc Blanchou Download whitepaper

Authored by Daniel A. MayerShmooCon 2014, January 17-19thWashington, D.C. Download whitepaper

Authored by: Rachel Engel Download whitepaper

Authored by: Javed Samuel Download whitepaper

Authored by: Tom Ritter Download whitepaper

Analysis of Boomerang Differential Trails via a SAT-Based Constraint Solver URSA Paper to be presented at ACNS 2015. Abstract Obtaining differential patterns over many rounds of a cryptographic primitive often requires working on local differential trail analysis. In the case of boomerang and rectangle attacks, merging two short differential trails into…

Authored by: Pratik Guha Sarkar Download whitepaper

Abstract The Internet of Things (IoT) is an emerging phenomenon where different kinds of devices that were previously not networked are being connected to networks. Examples include network connected thermostats, light bulbs, and door locks. These newly networked devices present additional attack surfaces, and due to the ad hoc nature of their implementations,…

In this paper, Justin Engler discusses the challenges of secure messaging for normal people based on his presentation entitled “Secure Messaging” from DEF CON 23. “Secure” messaging programs and protocols continue to proliferate, and crypto expertscan debate their minutiae, but there is very little information available to help therest of…

Operating System virtualisation is an attractive feature for efficiency, speed and modern application deployment, amid questionable security. Recent advancements of the Linux kernel have coalesced for simple yet powerful OS virtualisation via Linux Containers, as implemented by LXC, Docker, and CoreOS Rkt among others. Recent container focused start-ups such as…

Abstract: Governments and businesses recognise that absolute cyber security is neither possible nor practical. In the public sector the risks are in part addressed by the adoption of various compensating controls that align with various protective marking schemes. The nations which have adopted these controls have also developed resiliencestrategies, in…

With the finalisation of the General Data Protection Regulation (GDPR) it is time for businesses to take stock and prepare for the requirements which will soon be imposed. The GDPR replaces the 1995 EU directive (Directive 95/46/EC ) and begins a new chapter in European privacy. The regulation was published…

Not only are cyber attacks becoming more frequent, they are also becoming more persistent, targeted and at times sophisticated, often causing widespread impact. While some boards and executives of financial services (FS) organisations are being urged to place cyber security at the top of their risk agenda, there still often…

Cryptography is an underpinning of every organisation’s data security. It is as simple as the correct deployment of TLS and as complicated as bespoke protocols for software updates. This technology is an integral part of an organisation’s security infrastructure. With the field constantly evolving, having a dedicated review is becoming increasingly important. Download…

In an audit commissioned by Facebook, NCC Group consultants Raphael Salas, Andrew Rahimi and Robert Seacord provided an audit of the  osquery framework for operating system instrumentation. osquery represents operating system details and events as SQL tables that can be queried real-time in complex ways. The audit covered the osquery core and…

In this paper, we’ll discuss several security pitfalls with Linux containers. Many of them are intrinsic to the design of the container systems, or may be the result of insecure defaults. We’ll analyse historical container attacks, and how they are currently mitigated. We will then examine several novel or poorly…

At NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this…

Do you know how your organisation would react in a real-world attack scenario? Find out where your weaknesses lie with a Red Team Assessment and take action now to improve your security posture. In today’s threat landscape, how to mitigate risk and prevent an organisation from becoming victim to a…

This whitepaper is about Erlang Security. NCC Group’s Security Technical Assurance team performs code reviews for clients on numerous different programming languages. Some are well understood from a security perspective (e.g. C, C++, C#, PHP and Python etc.) and some less so. We’ve been doing Erlang security focused code reviews…

Today we have released a new whitepaper titled: ‘Threat Intelligence: Benefits for the Enterprise’. This paper builds on a number of supporting blog posts we’ve published over the last seven months, namely: Understanding commercial sector threat intelligence and cyber security Threat intelligence: what we can learn from malware analysis Threat…

Static application security testing (SAST) is the analysis of computer software that is performed without the need to actually execute the program. The term is usually applied to analysis performed by an automated tool, whereas human analysis is typically called security-focused code review. The primary objective of SAST is to…

Today the production of hardware devices involves multiple suppliers at various stages of the production and support lifecycle. There is no electronics manufacturer who manufactures every single component of a device in their own factory. As such, and has been demonstrated, these hardware and manufacturing supply chains introduce risk that…

Author: David Cannings This eBook is a simple workbook that walks you through some of the key takeaways to building your own incident response process in your organisation. It provides you with some insight into why a robust incident response plan is needed, the kinds of things that are at…

HDMI is more than just a toll for displaying video and with increasing numbers of new laptops and PCs using the function it is important for organisations to understand the potential security issues that are likely to arise as the protocols start to become more widely used. This paper will…

In this paper the author will explain, in detail, the common SQL injection technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. The paper will also cover the various ways in which SQL can be injected into the application and addresses some of the…

Until November 2013 (CVE-2013-3906), exploit primitives for Object Linking and Embedding (OLE) objects were not discussed publicly. This changed at BlackHat USA 2015, when Haifei Bing presented “Attacking Interoperability: An OLE Edition”. This talk examined the internals of OLE embedding. Over the past few months, several malware campaigns targeting high-profile…

By using just a few commonly available tools and a bit of time, it is possible to port the Misfortune Cookie exploit to exploit a TD-8817 V8 router running the latest firmware and gain reliable control over its web interface without crashing the router, even after repeated exploitation attempts. In…

Research Insights Volume 6: Common Issues with Environment Breakouts Due to the rising trend in organisations implementing bring your own device (BYOD) and remote access working, IT departments are facing the ongoing risks of securing devices they neither own or control. This has led to a rise in the number…

A guideline for penetration testers to assess ecommerce and financial services applications. This document summarises NCC Group’s experience of assessing ecommerce and financial services applications, providing a checklist of common security issues seen in financial services web applications. In NCC Group’s experience, one of the best ways to identify the…

The proliferation of the personal and business use of mobile devices has created a strong demand for mobile security assurance. Mobile apps and devices can suffer from many of the same vulnerabilities as traditional systems but also require new approaches to security testing and risk assessment. This white paper looks to highlight some of…

tl;dr In June 2015, Microsoft released the MS15-61 advisory, to address a number of vulnerabilities. Today we’ve released a detailed analysis of one of these vulnerabilities, in the win32k.sys driver, and documented the necessary details for exploiting this class of vulnerability on Microsoft Windows 7 Service Pack 1. This is…

The @NCCGroupInfosec team performs security assessments across many different sectors and technologies. Regardless of the system being assessed, one of the most common issues we identify pertains to the use of weak passwords – permitted by an inadequate password policy. Systems that do not enforce a strong password policy can…

This whitepaper, produced by our Cyber Defence Operations team, is about the understanding of ransomware. It examines the impact, evolution and defensive strategies that can be employed by organisations. It is primarily focused on Microsoft Windows due to the historic prevalence and devastating impact on ransomware on this platform, but…

When exploiting vulnerabilities in compiled software we are often constrained by the amount of data that can be used, therefore it is important that shellcode is as small as possible. In this paper the author will describe his attempt to write Win32 shellcode that is as small as possible, in…

This paper will address some of the common classes of coding error that can be encountered when auditing web applications running on the Active Server Pages (ASP) platform. Firstly the paper will provide a list of common coding problems to be discussed, followed by a discussion of the three main…

This paper, by David Litchfield, will discuss String Vulnerabilities on the Windows 2000 Operating System.  Download Whitepaper

This paper summarises the findings of NCC Group’s research into Akamai and provides companies who wish to gain maximum security through their solutions advice on how to achieve this. Akamai allows organisations to improve performance and decrease the load on a web-based service through distributed networks of servers to perform…

Modelling Threat Actor Phishing Behaviour – “you’re only as strong as your weakest link!” This whitepaper focuses on the reconnaisance phase of a simulated attack. It will discuss how likely targets are identified within an organisation and why certain individuals are chosen. The reconnaisance phase will typically involve open source intelligence…

Research Insights Volume 7: Exploitation Advancements In the next of the Research Insights series we have looked at the exploitation techniques used by cyber criminals in their attempt to gain access to your critical business information. As exploits become more sophisticated, attacks of the previous era are now no longer…

tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both…

There has been some debate on the importance of antivirus software over the past few years. Some see antivirus as a way to satisfy risk controls and form part of an organisation’s information security strategy and insist on antivirus being installed on all an organisations machines. However this demand for antivirus has…

There are a huge number of automated attack tools available that can spider and mirror application content, extract confidential material, discover code injection flaws, fuzz application variables for exploitable overflows, scan for common files or vulnerable CGIs and generally attack or exploit web-based application flaws. These tools are very useful…

This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and, testing Internet of things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle. While IoT products by their…

This paper will demonstrate how through the implementation of a well thought-out hosting name and URL referencing convention can provide a sizable contribution to an organisations defence-in-depth posture. Host and URL naming conventions are an issue that is often overlooked by organisations when they are developing web applications, but poorly…

Over the past few years Oracle has fixed a large number of PL/SQL injection vulnerabilities in their database server product. To help combat this class of attack Oracle has introduced the DBMS_ASSERT PL/SQL package. As a security researcher, it is excellent to see Oracle finally making the right positive moves…

A second-order code injection attack is the process where malicious code is injected into a web-based application and not immediately executed but is stored by the application to be retrieved, rendered and executed by the victim later. In this paper we will further explain second-order code injection attacks, providing examples…

Embedded systems have become a part of our day to day lives and examples of these can be seen everywhere from TVs to aircraft, printers to weapon control systems,  but as a security researcher it is often difficult to know how to begin when testing one of these black boxes.…

The fourth edition of our ‘Research Insights’ series delves into the risks faced in the Maritime Industry as a result of the increasingly connected world that we live in. Cyber security weaknesses in the maritime industry include insufficiently maintained and protected software, problems with legacy communication systems and the widespread…

This paper is the second in a series of Research Insights from our world class research team. It looks at some of the most recent trends in information security defence, such as, cloud computing, mobile apps, mobile devices and security information management systems. Download whitepaper The next in the series…

This whitepaper forms the first in a series of research insights from NCC Group. It delves into the financial services sector to provide an overview of some of the threats the sector is currently facing. This is a series of papers from NCC Group, the next two papers in the…

The first quantum cryptographic exchange occurred in October 1989 at IBM’s Thomas J. Watson Research Centre near New York. Two computers called Alice and Bob successfully negotiated a completely secure channel of communication over a distance of 32 centimetres, making quantum cryptography a reality rather than just a theory. In…

This whitepaper is about PCI DSS v3.0 Requirement 3.4 – the requirement to protect cardholder data on disk/at rest. There are a number of compliant options available, with varying levels of security in different scenarios. This document is intended as an analysis of the various compliant options such that the…

In an increasingly connected world, cyber security is more important than ever. NCC Group, one of the world’s leading cyber security research companies, regularly investigates the susceptibility of non-traditional systems to attack in order to help raise awareness of the risks to these systems. In this paper, we discuss the…

Most organisations are aware of and are protecting themselves against the threat posed by an attacker gaining access to systems through the exploitation of security vulnerabilities within the organisation’s systems. However the potential threat that information unintentionally leaked and freely available over the internet can pose to an organisation. This…

This paper will discuss the weakness of Oracle passwords and how they are implemented with reference to a number of current security issues. Lastly this paper will introduce a tool to exploit this weakness in Oracle’s most priviliged account. Download whitepaper

This paper is the final in a series of papers exploring Oracle forensics by David Litchfield. In this paper David will be examining the internals of the Oracle System Change Number (SCN) in 10g and show how it  can be useful in forensic investigations. The paper will also show how orablock and…

This paper is the 6th in a series of papers by David Litchfield exploring the topic of Oracle Forensics. This paper will look at the ways a forensics examiner can search for evidence of an attack in the places and technologies designed by Oracle for disaster recovery processes. Download whitepaper

This paper is the 5th in a series of papers by David Litchfield exploring the topic of Oracle Forensics, in this installment David will be discussing forensic analysis of a compromised database server. When investigating other areas of computer forensics it is often obvious that a crime has been committed however…

This papers is the 4th in a series of papers covering Oracle forensics, in this paper David Litchfield will cover reactions to a security incident occurring. For many organisations without a plan of action in the event of a security incident the instinctive response is to disconnect the system from the network…

This paper is the 3rd in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this installment David will be looking at ways to understand if a breach has been successful. The paper will start by exploring attacks against the authentication mechanism and evidence from the…

This second paper in the Oracle Forensics series will show, even when an object has been dropped and purged from the system there will be, in the vast majority of cases, fragments left “lying around” which can be sewn together to build an accurate picture of what the actions the…

This paper is the 1st in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this 1st paper David will explain how the redo logs can be a rich source of evidence for a forensic examiner when they are investigating a compromised Oracle database server. Whenever a…

As the number of products providing protection against buffer overflow exploits on the stack, non-stack based over flow exploit will become more and more common. In this paper we will start by explaining the differences between a stack-based overflow and a non-stack based overflow, then explain how to write a…

On the 17th of March 2003 Microsoft announced a patch to fix a security vulnerability at the centre of the Windows 2000 operating system. In this paper we will discuss a number of new attack vectors that we have discovered on the same operating system, including java based web servers…

This paper covers topics from the author’s previous paper “Advanced SQL Injection”, expanding upon and clarifying ideas from the previous paper. It will describe a method for privilege escalation using the openrowset function to scan a network, a method for extracting information in the absence of an error message and…

This paper will be exploring the security postures of Microsoft’s SQL Server and Oracles RDBMS and examining the differences between the two systems based upon flaws reported by external security researchers. Download whitepaper

It is widely know that an SQL Server uses an undocumented function, pwdencrypt() to produce a hash of the user’s password, which is stored in the sysxlogins table of the master database. However what has not been discussed are the details of the pwdencrypt() Function. This paper will cover the pwdencrypt function…

Due to their relatively low cost, small size and easy of distribution smart cards have become a popular choice for security when designing a system. They are often regarded as tamper proof devices where data can be physically protected, but this is not the case and it should be remembered…

Over the past few years NCC Group has identified over 50 USB driver bugs, using this research along with information from his 2011 paper “USB – Undermining Security Barriers” Andy Davis will, in this paper, outline common USB vulnerabilities and how to identify them. The paper will firstly discuss the…

Inter-Protocol exploration is an attack vector which encapsulates malicious data within a particular protocol in such a way that the resultant data stream is capable of exploiting a different application which uses a different protocol entirely. This paper will expand upon previous research into Inter-Protocol Exploitation and will show the…

Research into web browser security has acted as a catalyst for more depth research into Inter-Protocol Communication, an attack vector that potentially allows arbitrary protocols to meaningful interact with each other. In the past, it has been assumed that communication between different protocols is invalid and of no consequence, this paper will…

Over the past few years there has been a shift in the pattern of security vulnerabilities and increase in the volume of zero-day (0day) exploits which is making traditional security strategies less effective. Although traditional techniques such as penetration testing and vulnerability scanning are still an essential part of a company’s security…

This paper will build upon the author’s previous research presented in February 2006 that explored a way of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). This paper will discuss means of persisting a rootkit on a PCI device containing a flashable expansion…

Penetration test reports commonly contain mention of vulnerabilities in SSL/TLS (hereafter referred to as just SSL). In many cases, this is due to system administrators not understanding the details of these services’ configuration and assuming that simply using SSL provides security. The issues identified during penetration tests are usually low…

Although Oracle 9 was proven not to be Unbreakable as their marketing campaign claimed, the product had passed fourteen independent security evaluations, demonstrating Oracles commitment to producing a secure product. In this paper we aim to bring Oracle customers to the secure environment they were promised by examining the ways…

MySQL is one of the most popular open source databases, and compared to some database management systems it is relatively easy to configure. However there are still a wide variety of configuration issues that need to be addressed to ensure the system is secure. This paper will provide an outline…

This paper will show Lotus Domino administrators ways in which an attacker would attempt to subvert the security of a Domino web server and provide insight into the mind of a Domino hacker. Throughout the paper the attacks will be explained in detail and will include information on how to…

The paper will review research in 2012 conducted into the overall security posture of popular appliance-based security products, building on research carried out in 2011 by NCC Group. The research focused on the most recent versions of widely used appliances from popular vendors in the IT Security industry covering: Firewalls…

This paper will discuss the format of device requests that are sent to USB devices in order to hopefully provide an insight into areas where software flaws may exist. It will also discuss a number of public vulnerabilities in USB devices and finally, the installation and usage of Frisbee Lite.…

Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…

The security of security software is often taken for granted, and people assume that as it has been developed by a company that knows security it is likely to be secure. However with regards to Security Gateway UIs this is an incorrect assumption, the developers who design code and test the UI…

The modern vehicle has become increasingly computerised, and with that have come increased risk of cyber threats. While it has been known for some time in the vehicle modification and security industries that electronic vehicle systems contain exploitable vulnerabilities, it is only recently that academics, government, vehicle manufacturers, and the cyber security research community…

The why behind web application penetration test prerequisites Before a web application penetration test is scheduled to start, the company performing the test will contact the client with a set of prerequisites; that is, a list of considerations and configurations that are required before the test can begin. However, the…

Blackbox iOS App Assessments Using idb Daniel Mayer Presented at Black Hat Mobile Security Summit, 2015 Abstract More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this paper, we review common iOS mobile app flaws involving data storage, inter-process communication,…

Cyber red-teaming business-critical systems while managing operational risk Cyber red-teaming allows mature organisations to gauge their true resilience to sophisticated, planned, and somewhat sustained cyber-attack. These organisations use red team engagements to assess multiple facets of their cyber security strategy, maturity and implementation. With the introduction of programmes such as…

In this paper, Daniel Mayer and Drew Suarez discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges, we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for many attack scenarios. We then systematically introduce the more…

Historically USB bugs have required physical access so that a rogue device can be inserted into the target system to trigger a vulnerability by supplying malicious data, often within a USB protocol descriptor. This paper provides step-by-step instructions, showing how to remotely trigger a Windows-based USB bug by using a…

In this paper we will write from the perspective of an attacker targeting the Microsoft SQL Server. The paper will cover: Setting up for an attack Attacks that do not require authentication Attacks that require authentication

The advent of thin client, diskless PCs appear to offer IT Managers a cheap and effective solution to the problem of managing a large estate of desktop PCs and the associated security risks, making thin clients an attractive solution. However research for this paper has revealed that these devices can…

Phishing started off being part of popular hacking culture, but quickly professional criminals began using phishing techniques to steal personal finances and conduct identity theft at a global level. As phishing attacks become more widespread and more sophisticated it is important that we understand the tools and techniques used. This…

Oracle Security Specialist, Alex Kornbrust, demonstrated that there are certain cases where the use of the DBMS_ASSERT.QUALIFIED_SQL_NAME function can be unintentionally misused by developers so that SQL injection is still possible and showing a way to break out of a quoted string to inject arbitrary SQL. This paper will explore another…

Distributed Denial of Service (DDoS) attacks first appeared on the internet in 2000, since then they have increased in frequency and size and become a serious threat to an organisation’s security. During a DDoS attack thousands of botnets will flood an organisation’s servers with more requests than they can handle,…

This paper will explore the issue of laptop docking stations being used as attack platforms as well as explaining a few simple techniques that can be used to mitigate the risks.  Laptop docking stations are attractive to organisations with semi-mobile workers as they enable users to connect their laptops to…

This paper is the second in a series discussing the security of the Blackberry PlayBook, and will focus on the security of the Blackberry Bridge. The Blackberry Bridge allows its users to connect their Playbook to the Blackberry phone and use applications on the tablet through the phone and for…

This paper forms the first in a series of papers on the security of the first tablet devices from Research in Motion (RIM), the Blackberry PlayBook. This paper aims to give an overview of the security of the Blackberry PlayBook, a breadth first approach was taken to uncover as many…

This whitepaper summarises research undertaken in 2013/14 to develop offensive reconnaissance techniques for automated and external enumeration of the email filtering solutions of target organisations. It show how methodology, automated scripts, and test message sets can be used to enumerate a target email filtering solution, quickly and to a high…

This paper is focused on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised. Download whitepaper

A good application security assessment should probe all levels of the environment as well as the custom application itself. In this paper we will examine the relatively unknown skills of assessing the in-depth configuration of a Microsoft IIS web server remotely, and we hope that we will also show the…

Input validation is the process of ensuring the input into software conforms to what the internal logic of the software expects, though it is a relatively simple problem to solve it accounts for a high proportion of security vulnerabilities discovered. Not only is more education needed on the security risks…

DDoS attacks have been on the up for a number of years which has resulted in significant increases in the variety and availability of mitigation services designed to deal with such threats. With advancements in attack techniques comes the requirement for mitigation providers to adapt detection and scrubbing methodologies. We…

Web-based applications’ authentication processes are commonly vulnerable to automated brute force guessing attacks. Techniques such as escalating time delays and minimum lockout strategies are commonly implemented to solve the problem however in reality these techniques are not effective. This paper will explore an alternative solution, the enforcement of resource metering…

This paper, by David Litchfield, will be exploring the introduction to heap overflows on AIX 5.3L.  Download whitepaper