News


Context Releases Whitepaper - Web Application Vulnerability Statistics Report 2010-2011

February 2011

Two thirds of web applications tested by security consultants at Context Information Security in 2011 were found to be at risk from cross-site scripting and nearly one in five applications risked attacks by experienced SQL injections, according to the new Context Web Application Vulnerability report published today. The research also found that web applications developed for government, financial services and law and insurance sectors had the greatest increase in vulnerabilities. The findings come from penetration tests carried out on almost 600 custom-built web applications. In total, Context discovered some 8,000 vulnerabilities, reflecting an increase in the average number of different security issues affecting each application from 12.5 to 13.5 between 2010 and 2011.

“While the number of vulnerabilities identified in applications from 2010 and 2011 has not increased greatly, it does indicate that developers are continuing to make the same mistakes and are still not addressing web app security sufficiently,” says Michael Jordon, research and development manager at Context.

Web applications built for the Government sector were found to contain the highest number of vulnerabilities in 2011 and while the financial services sector had one of the lowest counts in 2010, this changed in 2011 with an average increase of roughly 1.5 vulnerabilities per web application tested. The law and insurance sector also saw similar results, seeing an average increase of roughly 2.5 vulnerabilities per web application penetration test in the same period.

“While some of the vulnerability categories such as server configuration and information leakage saw bigger rises, more serious cross-scripting and SQL injections present the biggest and potentially most damaging threats to web applications,” says Context’s Jordon. “Hopefully this document will provide help as a source of guidance, allowing developers and security professionals to prioritise and focus their web application security efforts in 2012. It is certainly clear that penetration testing before allowing a web application to go live is more relevant and essential than ever.”

Read the Application Vulnerabilities whitepaper here

Mark Raeburn and Alex Church present at BlueHat - Redmond, USA

December 2011

Last month Context’s C.E.O, Mark Raeburn and Technical Director, Alex Church were invited to present at the BlueHat conference in Redmond as trusted experts in the area of ‘Targeted Attacks on Enterprise Networks’.

The conference brings together Microsoft developers and executives with key security programme partners and members of the security research community. Its principal aim is to help protect Microsoft’s customers by sharing information on current and emerging security threats, addressing security issues and concerns in Microsoft products and services.

Mark Raeburn’s presentation provided an insight into the current wave of targeted attacks on enterprise networks, according to Context’s experiences within this field. Alex Church followed with a presentation on the threat of targeted attacks from both an attacker’s and a responder’s perspective. Alex used two real world anonymised case studies of recent Context engagements, to help the audience understand what it feels like to break into a large multinational organisation using client side exploitation techniques, and what is involved in responding to similar attacks from the other side of the fence.

These presentations were well received and both Mark and Alex very much enjoyed sharing their knowledge and experience with other professionals in this field.

BlueHat Redmond Security Briefings: Fall 2011 Sessions

Oasis Network – Putting Security Research into Context

November 2011

Context invite you to our next Oasis Network; a series of presentations showcasing our recent research efforts in areas ranging from economic espionage to cloud security.

Save the date: Thursday 1st March 2012 from 3:30pm until 8pm at Shoreditch House, East London.

Please see the following link for further details: Oasis Network

Apache releases security advisory following discovery of back door threat by Context researchers

October 2011

Apache released an advisory on Wednesday 5th October 2011 to all of its customers following the identification by Context’s researchers of a new class of security vulnerability that could allow hackers to gain full internet access to internal or DMZ systems using insecurely configured reverse web proxies. Context alerted Apache to the weakness last month and have published a blog detailing this new class of attack that it believes is likely to affect other web servers and proxies. The blog also provides advice to mitigate the risks: http://www.contextis.com/research/blog/reverseproxybypass/

Reverse proxies are used to route external HTTP and HTTPS web requests to one of several internal web servers to access data and resources. Typical applications include load balancing, separating static from dynamic content, or to present a single interface to a number of different web servers at different paths.

While other proxies may suffer from the same vulnerability, the specific attack identified by Context researchers was based on an Apache web server using the mod_rewrite proxy function, which uses a rule-based rewriting engine to modify and rewrite web requests dynamically. When the web proxies had not been configured securely, Context was able to use an easy-to-obtain hacking tool in order to force a change in the request to access internal or DMZ systems, including administration interfaces on firewalls, routers, web servers and databases. And if credentials on internal systems were weak, a full network compromise was possible including uploading Trojan WAR files to a server.

The vulnerability can easily be mitigated by checking reverse proxy configurations to ensure that the rewrite rules cannot be abused to allow for the URLs to be rewritten in such a way that they can access internal systems. Context has also released the latest version of its free to download Context Application Tool (CAT) designed to deliver manual web application penetration testing that can be used to identify the vulnerability.

The difference between the two rules can be as simple as adding an extra slash, which ensures that Apache does not interpret the domain and port parts of the request as a username and password.

For example, if the Apache configuration file is configured like this:

RewriteRule ^(.*) http://internalserver:80$1 [P]

and not like this:

RewriteRule ^(.*) http://internalserver:80/$1 [P]

then access from the internet to any internal system is possible.

“This latest vulnerability presents a potential back door to sensitive internal or DMZ systems but is totally avoidable if the reverse proxies are properly configured,” said Michael Jordon, Research and Development Manager at Context. “We have not investigated other web servers and proxies but it is reasonable to assume that the problem is more widespread.” Full details of the reverse proxy bypass vulnerability are also documented in the Context blog published today at: http://www.contextis.com/research/blog/reverseproxybypass/.
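The configuration check recommended above can be automated. The following is an added example, not code from Context or Apache: a small Python audit that flags proxying RewriteRule lines (and, as a generalisation beyond the rule quoted here, ProxyPassMatch lines) whose target URL places a backreference or variable directly in the host:port part instead of after a slash. The sample configuration, host names and function names are constructed for illustration, and the check looks only at the target URL, not at the match pattern.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int        # first physical line of the directive
    directive: str
    target: str


# Constructed sample configuration. Lines 3 and 4 are the two rules quoted in
# the text above; every other line and host name is an assumption.
SAMPLE_CONF = r"""# Constructed sample virtual host
RewriteEngine On
RewriteRule ^(.*) http://internalserver:80$1 [P]
RewriteRule ^(.*) http://internalserver:80/$1 [P]
RewriteRule ^/old/(.*) /new/$1 [R=301,L]
RewriteRule "^/app(.*)" \
    "http://appserver:8080$1" [proxy,L]
ProxyPassMatch ^/img(.*) http://static.internal/img$1
ProxyPassMatch ^(.*) http://imgserver:8000$1
"""

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')                # bare or quoted argument
_ABS_URL = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/]*)')  # group 1 = authority
_DYNAMIC = re.compile(r'[$%](?:\d|\{)')                       # $1, ${map:..}, %1, %{VAR}


def logical_lines(text):
    """Yield (line_number, directive), joining trailing-backslash
    continuations and skipping blank lines and comments."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield start, line


def unquote(token):
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    return token


def is_proxy_flag(flags):
    """True if a RewriteRule flag list such as [P,L] or [proxy] proxies."""
    if not (flags.startswith("[") and flags.endswith("]")):
        return False
    names = (f.split("=", 1)[0].strip().lower() for f in flags[1:-1].split(","))
    return any(name in ("p", "proxy") for name in names)


def audit(text):
    """Return a Finding for each proxy target whose authority (host:port)
    part contains a backreference or variable."""
    findings = []
    for lineno, line in logical_lines(text):
        tokens = [unquote(t) for t in _TOKEN.findall(line)]
        name, args = tokens[0].lower(), tokens[1:]
        if name == "rewriterule":
            # Only rules that hand the request to mod_proxy are relevant.
            if len(args) < 3 or not is_proxy_flag(args[2]):
                continue
            target = args[1]
        elif name == "proxypassmatch":
            if len(args) < 2:
                continue
            target = args[1]
        else:
            continue
        match = _ABS_URL.match(target)
        # A slash must end the authority before any request-derived data.
        if match and _DYNAMIC.search(match.group(1)):
            findings.append(Finding(lineno, tokens[0], target))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f.line}: {f.directive} target {f.target!r} "
              "needs a '/' between host:port and the backreference")
```

Running it over a real configuration means passing the file contents to audit(); a flagged line is fixed as in the second rule above, by placing a slash after the host and port.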

Context Application Tool (CAT) Version 1.0 Released

August 2011

Context Information Security is pleased to announce the release of its latest version of the globally esteemed CAT. Context is proud to be leading the way by developing the world’s leading Application Testing tool available to everyone for FREE. Security is a key component of any organisation, and Context is delighted to facilitate the movement towards a more secure business world.

CAT is designed to deliver manual web application penetration testing for more complex, demanding application testing tasks. CAT version 1.0 has been developed in-house by Context’s leading Security Development Consultants, and boasts significant upgrades, including:

  • Silverlight WCF Support
  • Scriptable Fuzzing
  • Mono Support for Linux and OSX
  • Freely Available SDK Addon Interface

Context would like to thank everyone who continues to provide feedback on CAT.

The new version can be downloaded from here.

More security problems for WebGL

June 2011

Researchers at Context Information Security who exposed security flaws in WebGL last month have identified further concerns about early implementations of the new technology that allows web pages to draw fast 3D graphics to deliver a much richer experience to web users. In one example, a vulnerability in the Mozilla Firefox browser made it possible for malicious web pages to capture any screenshot from a target PC – including the user’s desktop, other web pages or applications. By revealing that none of the current implementations comply with WebGL conformance standards, Context also raises serious questions for Khronos, the consortium which has drawn up the WebGL specification and conformance tests.

The findings are published today along with videos in a Context blog.

Context’s original investigations discovered design level security issues that provide a ‘back-door’ to low-level parts of the operating system via some graphics cards, which were never designed to defend against this type of threat. Following further investigations, Context researchers have discovered that neither Chrome nor Firefox passed the 144 Khronos conformance tests for WebGL, including a number that are directly related to security.

“While Mozilla has already taken steps to mitigate the original vulnerabilities and will fix this latest threat in the new version of its browser due out on 21 June, we believe this is the tip of the iceberg for the difficult adoption of this immature technology, leaving users vulnerable,” says Michael Jordon, Research and Development Manager at Context.

“The fact that security-related Khronos conformance tests are not clearly identified has been a contributory factor in security issues being missed by developers of the current browser implementations of WebGL,” adds Jordon. “It would be unreasonable to expect full conformance to the complete specification of any new standard but some areas of WebGL need to be carefully implemented to prevent security issues arising. Browser developers should now start banning non-conformant configurations as they are identified until the security issues that have been highlighted are resolved.”

Context’s research also found that Khronos’ recommended defence against the Denial of Service issue, WebGL_ARB_robustness, is not fit for purpose. It is only supported by certain chipsets and operating systems such as NVidia on Windows and Linux, and the extension only offers mitigation and not a comprehensive solution to WebGL DoS issues.

The risks from WebGL depend on the web browser, operating system and graphics card being used. WebGL is currently supported only on Firefox and Chrome and currently users of Internet Explorer, Safari or Opera are not vulnerable to WebGL issues. “We would advise anyone at risk to disable WebGL until the security vulnerabilities have been addressed,” added Jordon. “We have been working with developers of the Firefox plug-in NoScript (http://noscript.net/) to include support to selectively disable WebGL and would recommend this plug-in to protect users from malicious Internet content.” The full blog including two videos can be seen here.

Context uncovers security flaws in new WebGL technology that put PCs and data at risk

May 2011

Context researchers have uncovered serious security flaws in the new WebGL technology that creates 3D graphics in a browser with the same speed and detail as hardware-accelerated PC games and applications. Context says that design level security issues give potentially malicious web pages low level access to graphics cards that could provide a ‘back door’ for hackers and compromise data stored on internet-connected machines.

WebGL is currently supported on Linux, OSX and Windows operating systems, using Firefox 4, Safari and Google Chrome browsers. In addition to desktops and notebooks, WebGL is also being adopted for use in other devices including smart phones and is rapidly increasing in popularity.

“The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted,” says Michael Jordon, Research and Development Manager at Context. “While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user’s machine.”

“We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure,” adds Jordon. “In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers; but the only long term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks.”

WebGL 1.0 was officially released in March this year by The Khronos Group, a non-profit consortium of companies including Google, Apple, Intel and Mozilla working to create open standard APIs to display digital interactive media across all platforms and devices. It is essentially a graphics library that extends the functionality of JavaScript to allow it to create interactive 3D graphics within a browser without using plug-ins.

For more information on the security implications of the emerging WebGL technology, Context has today published a blog detailing the design level security issues within WebGL along with some examples of proof of concepts.

Read our blog here

Context introduces new Cloud Security Assessment Service

March 2011

In parallel with the release of our whitepaper “Cloud Computing – Assessing Cloud Node Security”, Context is pleased to announce the introduction of our new Cloud Security Assessment Service. As a result of the increasing popularity of Cloud computing, more and more Context clients have requested our support in helping to determine and improve the security posture of their Cloud-based systems.

Our new Cloud Security Assessment Service analyses the security of the client’s Cloud system from three different perspectives. Initially, we perform a security assessment of the Cloud system from an external, Internet-facing perspective. This involves the use of classic network infrastructure and application penetration testing methodologies. Due to the shared nature of the Cloud environment, we also assess system security from the perspective of a neighbouring, malicious node. This assessment includes network-based attacks and exploitation of shared resources in an attempt to gain access to the target system. Finally, Context conducts an audit of the security protection enforced on the node in order to prevent it from being compromised. This includes a node hardening assessment, a review of virtualisation security, an analysis of how the node is remotely administered and a review of the external and internal network infrastructure security related to the node.

As with all of Context’s technical security assurance services we provide a formal report at the conclusion of the assessment containing a high-level summary, detailed technical findings, technical impact and exploit difficulty ratings, along with detailed remedial recommendations and supporting materials.

Clients should note that Context’s ability to perform the Cloud Security Assessment Service in full depends upon the terms of the contract between your organisation and the Cloud provider.

Find out more about the Cloud Security Assessment Service.

Context Releases Whitepaper - Assessing Cloud Node Security

March 2011

Cloud computing has become one of the buzzwords of the moment. The potential benefits offered by the Cloud make it an attractive business proposal to many organisations. But how secure is the Cloud and to what extent are its benefits tainted by the potential security risks?

In order to provide our client base with a better understanding of the technical security issues associated with Cloud computing, Context has undertaken a study of four major Cloud providers.

In the course of our research, Context reviewed the security aspects of hard disk separation, memory, network, hypervisor and remote management as these relate to the nodes provided to Cloud clients. Our aim was to discover how effectively the Cloud providers address security concerns associated with these areas. Our findings were that serious flaws in the implementation of Cloud technologies mean that some major providers are exposing their clients’ data to risk of compromise.

We are pleased to present the output of our research in the form of a whitepaper entitled “Cloud Computing – Assessing Cloud Node Security”. In this whitepaper we highlight the technical security risks associated with Cloud computing, provide recommended best practices for securing Cloud nodes, and arm prospective Cloud clients with a series of questions they can ask the would-be provider, to help ascertain the provider’s suitability from a security perspective.

Read the Cloud whitepaper here.

Context Information Security opens Australian Office

February 2011

Context is delighted to announce the opening of our new office in Melbourne, Victoria on 1st February 2011.

Due to the continued expansion of our Australian client base, now is the ideal time for Context to establish a physical presence in Australia. We are all very excited by this new venture and by the increased demand in Australia for the high quality, professional security assurance services that Context provides. Our new Melbourne office will enable us to better meet the requirements of our clients in the APAC region and build upon the sustained growth we have achieved over the past few years. We are all looking forward to the challenge.

The office address and contact details can be found here.

Context Launches Blog - Insights from the Experts

December 2010

Context is launching a blog designed to put readers in direct touch with expert opinion on important topics in the world of information security.

Context is at the leading edge of the industry, thanks to extensive research and development and its work with government and blue chip clients. A range of contributors will aim to share some of the knowledge they have gathered in the line of duty and through R&D. Topics to be covered will include security issues affecting technologies in use within the financial, retail, legal, and defence sectors.

Read our blog here.

Simon Clow premieres “Smartphones in the Enterprise” White Paper at CrestCon

December 2010

We are pleased to announce that Simon Clow, a principal consultant often involved in the development of cutting edge consultancy services at Context, is presenting at CrestCon 2010. He will be sharing the findings of his recent research, conducted in conjunction with Graham Murphy (one of our senior security consultants and general mobile communications guru) into the use of Smartphones in the Enterprise.

In this talk, Simon will be covering the implications of extending the enterprise security boundary to include smartphones. As well as discussing the general security considerations and best practice guidelines to Smartphone integration, he will be covering device specific vulnerabilities from the market leading products selected for assessment.

For more information regarding the Smartphone research you can read the white paper here.

In addition, Paul Stone will also be speaking at CrestCon about his research into Next Generation Clickjacking. Read the Clickjacking white paper.

Context confirms membership of RMDG

November 2010

Context Information Security is pleased to announce its membership of the Risk Management Delivery Group (RMDG), a partnership programme established by the UK’s Centre for the Protection of National Infrastructure (CPNI) aimed at creating strong and dynamic links with leading UK consultancies.

The programme provides RMDG members with the benefit of direct access to CPNI protective security advice, briefings and support. This enables member consultancies to provide their customers with informed and comprehensive services relating to protective security, and to address customer vulnerabilities in an integrated way.

Context has permission to use a special logo to indicate when our support to customers has been informed by advice from CPNI.

Membership of the RMDG is an acknowledgement by CPNI of the key and trusted support that Context can provide to the UK’s critical national infrastructure community on protective security.

Mark Raeburn CEO of Context said: “We’re delighted that Context has become a full member of the RMDG. We have benefitted from an excellent working relationship with CPNI for some years, but this will enhance yet further both that relationship and our ability to provide our clients with the best possible advice and support on security issues.”

More Context consultants join security industry elite

November 2010

Another four Context consultants have now completed one or more of the certification programmes run by the Council of Registered Ethical Security Testers (CREST), so join a long list of CREST-certified experts working at the company.

Context is one of only four UK companies employing individuals to have completed each of the three CREST certification processes: CREST Application Certification, CREST Infrastructure Certification and the examination to become CREST Registered Testers.

CREST is a standards-based organisation representing the information security testing industry. It seeks to provide members with a guidance framework including standards, methodologies and recommendations alongside its technical certification programme, to help them deliver the very highest standards of security testing to their clients.

www.crest-approved.org

Context adds four Lead Auditors to our resource pool

October 2010

Context is delighted to announce four newly certified ISO 27001 Lead Auditors, bringing a wealth of experience in this field to Context and our clients. Following Context’s successful ISO/IEC 27001 accreditation for the whole business, Jason Dewar, David Kierznowski, Simon Clow and Rob Marr have all completed BSI’s comprehensive training to explore the in-depth business implications of the International Standard for Information Security Management. This is a positive step towards being able to offer our clients a greater level of expertise and security service.

Our newly qualified consultants are able to advise and guide our clients through the ISO/IEC 27001 accreditation process, as well as offering high level scoping exercises, and threat and risk assessments as more esoteric services. Whether a client aims to complete the ISO/IEC 27001 accreditation or not, it is extremely useful in highlighting the areas of weakness in security within the client’s organisation, and enabling the client to take the necessary steps towards improving levels of security within business practice.

For details of other services that Context can offer please click here.

Context Information Security Ltd achieves certification to ISO/IEC 27001:2005

September 2010

Context has now successfully completed the ISO/IEC 27001:2005 certification process, having been assessed by BSI and found to be compliant with the internationally recognized standard for Information Technology and Information Security Management. We selected BSI as they are a UKAS (United Kingdom Accreditation Service) accredited certification body. We felt that achieving certification through such a body provided the best way to benchmark ourselves for position and progress amongst our peers in the industry. Context is currently one of the very few companies operating in the Information Security arena to have adopted, and been successfully certified in, ISO/IEC 27001:2005.

For a while Context has been seeking a way to measure ourselves against industry best practice. As a provider of information security consultancy, we felt it was important to find a demonstrable way to assure ourselves and our clients that a) we do all we can to safeguard our sensitive data and, in doing so, our clients’ confidentiality, and b) we practice what we preach.

The ISO/IEC 27001:2005 standard was a perfect fit into our own holistic approach to security as an organization, both in the services we offer and the way we operate internally. As a standard it is all encompassing, covering the documentation and implementation of not only technical, but physical and personnel security domains too. Additionally, proper application of the standard (and therefore achievement of certification) is reliant on buy-in at all levels of the organization including a total commitment from senior management to continual improvement in all the areas the standard covers.

Although the appearance of ‘Information Technology’ in the standard’s title gives the impression that it may be little more than a checklist of technical security controls a company is stipulated to abide by, this is actually a bit of a misnomer - the standard prescribes an Information Security Management System (ISMS), which is far from being rigid and inflexible. Instead, Context has found that the standard provides us with a highly pragmatic framework within which we can manage the existing security controls that, as a security-minded company, we have in place already.

As a security consultancy ourselves we have always considered the security of our data as paramount, but through adopting the ISO/IEC 27001:2005 standard we now have the mechanism to continually monitor, review and improve what we do across the entire business. Context chose to certify the entire organization, from top to bottom, for the provision of all services and across all geographical locations, as an indication of our continuing commitment to standardizing best practice.

Context also appreciates the way that the standard adapts to fit your organization, providing a management framework foundation that will continue to evolve with the business. This framework puts in place the mechanism to allow the review and selection of only those security controls that are relevant and beneficial to your operational processes. In fact, there’s no let up as the process doesn’t stop at certification. We are continually assessed by both BSI and several of our larger client organizations to ensure that we continue to efficiently implement our own ISMS framework and improve our security posture where possible. To further enable this continuous improvement we have established an internal team of qualified ISMS Lead Auditors, dedicated to monitoring what we do and keeping the whole business focused on security.

In certifying Context to ISO/IEC 27001:2005 we have achieved a greater understanding of our business risks and an increased assurance that we are doing everything that we can to protect ourselves against them. We hope that in going through this due diligence, we have demonstrated to our clients through our compliance with the international standard, our commitment to a holistic information security approach and thus to protecting their interests.

We found the whole experience a thoroughly positive one and can offer the benefit of our experience and our qualified team of consultants to help in any way to guide your organization or business unit through to certification too.

Click here for more information regarding our Information Assurance consultancy service offerings.

Letting the CAT out of the bag

September 2010

Context’s Principal Security Consultant Michael Jordon is hitting the road in September to demonstrate the qualities of the Context Application Tool (CAT).

Michael will be presenting to delegates at both the Open Web Application Security Project (OWASP) event at Deloitte’s offices in London on September 9 and at the OWASP Leeds UK Local Chapter event at the Novotel Leeds on September 15. He will be showcasing CAT’s main features, demonstrating its ability to perform tests that cannot be conducted using other testing tools, in all aspects of manual web application testing. The aim is to give delegates at the events a high level understanding of CAT’s capabilities. There will also be a sneak preview of some new features still under development.

Context discovers Citrix vulnerability

August 2010

Context has identified a previously unknown vulnerability in the widely used Citrix ICA Client. Our consultant Michael Jordon has discovered that the Citrix Presentation Server Client (as tested on v10.150) does not perform bounds checking on the type field in an ICA "graphics" packet. This creates a theoretical opportunity for an attacker to carry out remote exploitation of any client device upon which the client has been installed.

An attacker would be in a position to execute arbitrary code on the client device if a user can be lured into connecting to a server controlled by the attacker. This could happen if the user visited a malicious website or opened an untrusted email attachment. This issue has affected Windows, Windows Mobile, Linux and Solaris clients. The ICA client for Java, and the Citrix Receivers for iPhone/iPad and Android are not affected.

Citrix has updated the ICA client to resolve these issues. More details are available from the Citrix website.

Gain a new understanding of secure development with Michael Jordon

May 2010

Security guru and Context consultant Michael Jordon will be among speakers presenting to delegates at the International Secure Systems Development (ISSD) Conference.

Michael will be sharing his expertise on the development of testing tools for secure development, examining the importance of such tools and outlining best practice in development processes. He will also be demonstrating some of the tools Context uses (including the Context App Tool). Elsewhere at the conference other members of Context’s team will be available to discuss individual secure development requirements with attendees.

Context is a sponsor of the ISSD Conference. For more information about the conference please visit the ISSD website.

Paul Stone is speaking at Black Hat Europe 2010

April 2010

We are pleased to announce that one of our consultants, Paul Stone, is a speaker at Black Hat Europe 2010. He will be sharing the findings of his research into Next Generation Clickjacking, covering everything from the basics to newly-developed techniques, as well as demonstrating a new tool that enables easy creation of multi-step Clickjacking attacks.

For more information about the conference please visit the Black Hat website here.

Read the white paper

Get the clickjacking tool

Context releases CAT Beta 4

April 2010

Context Information Security is pleased to announce the release of Context App Tool (CAT) Beta 4. The latest version of CAT includes a new Clickjacking tester which displays framed and unframed versions of websites next to each other, enabling testing for frame busting code such as ‘X-Frame-Options’ headers or JavaScript that disables web pages. New columns for page caching and auto-completion tests are also included.

The company would like to thank everyone who continues to provide feedback on CAT.

The new version can be downloaded from here.

Context expands offices in Cheltenham

June 2009

Context Information Security is continuing to expand its operations, and the company is delighted to announce the opening of a new office in Cheltenham. The new facility will help Context cater for a growing demand for its services from clients based in the surrounding area.

Context expands offices in Dusseldorf, Germany

March 2009

Context Information Security has announced further expansion and the opening of a new office in Dusseldorf, Germany to help serve our growing client base in mainland Europe.
