Blog
Context is at the leading edge of the industry thanks to the extensive research and development performed by our team, as well as the experience gleaned through our work with government and blue chip clients. Consequently we as an organisation would like to share our knowledge and have therefore opened this Blog section on our website, which will include contributions from across our organisation. The blog is intended to fit into Context’s company philosophy by being holistic in nature and hence will cover topics including issues affecting technologies in use within the financial, retail, legal, and defence sectors. This will include the following subjects:
- Malware
- Server Technologies
- Application Testing Techniques
- Secure Development Techniques
- Wireless and Hardware
- Trends, Fashions and Fads in Security
- Phones, Handheld Devices and Gadgets
Malware 2 - From Infection to Persistence
January 2011
In my previous posting, a malicious PDF was analysed that originated from a targeted email campaign that exposed a number of users to infection. The PDF file implemented standard exploitation techniques to exploit issues in Adobe PDF reader to download an executable from a known malicious URL. In this post I will look at how the malware sample persists on the infected host using stealth, anti-debugging and common userland hooking and rootkit techniques.
HTTPS BEAST Attack
16th November 2011
A number of our clients have asked for advice regarding the HTTPS BEAST attack. This blog is intended to give a more realistic overview of what the attack means to those who are concerned with the effect that it may have on their web applications, and answer some of the questions received.
BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of an HTTPS connection that can be carried out in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session.
Malware Analysis: Dark Comet RAT
1st November 2011
A Remote Administration Tool (otherwise known as a RAT) is a piece of software designed to provide full access to remote clients. Capabilities often include keystroke logging, file system access and remote control, including control of devices such as microphones and webcams. RATs are designed as legitimate administrative tools, yet due to their extensive capabilities they are often used with malicious intent.
When a RAT is found to be the source of an infection, typical analysis of the malicious binaries will reveal the capabilities provided to the attacker, which is often not enough information. In order to identify what malicious activity has occurred, we need to examine the network traffic and the commands sent by the attacker. However, most RAT traffic is hidden with encryption or obfuscation.
In this blog post we take a look at a RAT called Dark Comet. We will run through the capabilities provided by the tool, examine the associated network traffic, identify the encryption algorithm and show how the key can be identified with a little analysis of an infected host.
Reverse Proxy Bypass
5th October 2011
In this blog I will describe a new type of security vulnerability which can allow full internal system access from the internet from an unauthenticated perspective. This technique exploits insecurely configured reverse web proxies to gain access to internal/DMZ systems.
Apache web server is affected by this issue when running in reverse proxy mode; Context have worked with Apache to produce a patch which reduces the risk of exploitable misconfigurations.
SAP Exploitation – Part 2
30th August 2011
This is the second in a series of posts about SAP infrastructure security, specifically related to RFC vulnerabilities and common misconfigurations that can be exploited by an attacker to gain unauthorised access to a SAP environment. In this post I will be demonstrating how some of the RFC vulnerabilities previously described can be exploited by the freely available, Python-based ERP penetration testing platform, Bizploit.
SAP Exploitation – Part 1
6th July 2011
In this series of posts I aim to cover in depth some of the publicly known infrastructure vulnerabilities that affect SAP systems, how to use public domain tools to test your current deployments for these issues and how best to address them. While the industry is slowly taking note of SAP related security beyond segregation of duties, there is still a significant lack of awareness of vulnerabilities and attacks against SAP systems, which prompted this series of posts.
WebGL – More WebGL Security Flaws
16th June 2011
In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox’s implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox.
WebGL - A New Dimension for Browser Exploitation
11th May 2011
Update: Due to the high level of interest in Context’s blog posting on the Security issues within WebGL we are releasing the following FAQ.
9th May 2011
Context is currently conducting a research project into the new WebGL technology and has uncovered serious security flaws. WebGL provides web pages with the functionality to access the lower level graphics driver in a way that previously was only available to local applications. This new access allows web pages to create 3D graphics with the same level of speed and detail as PC games. However, from a security perspective, allowing potentially malicious web pages low level access to a graphics card carries a huge security risk. These risks stem from graphics cards and drivers not having been written with security in mind: the interface (API) they expose assumes that the applications are trusted, but this axiom no longer holds. Context has investigated this technology and has found fundamental design issues which currently expose users of the internet to having their PCs exploited. This includes breaking the cross-domain security principle and denial of service, potentially leading to full exploitation of a user’s machine.
Server Technologies - SSL2: Should it keep you awake at night?
28th March 2011
One of the issues Context encounters time and time again is web servers supporting version 2 of the SSL protocol. The weaknesses in SSL2 have been known for fifteen years, and could aid an attacker in decrypting traffic between his victim and the target website, so it’s a significant issue. However, despite the severe consequences, surveys have shown that 35% of web servers on the internet still support it. This blog post explains the biggest weakness in SSL2, the method used to exploit it, and asks the question: should SSL2 be keeping you awake at night?
SmartPhones - Can you Trust your USB Charger?
28th January 2011
Context is asked on a regular basis to evaluate the security of current mobile devices, especially smartphones, for use in the enterprise environment. Data security is of the utmost importance to our clients, and any technique which could compromise their information is taken very seriously. One of the most underestimated attack vectors on a smartphone is its USB connection. In the not so distant past this was purely used for data access, but it is now also the main charging connection on a device. This blog post discusses the risks inherent in this dual purpose on the two most popular enterprise smartphones, the RIM BlackBerry and the Apple iPhone: in which scenarios data is exposed, how much information an attacker could gather and potential ways this can be addressed at the enterprise level.
Server Technologies - JBoss RMI Twiddling
21st December 2010
Context encounters a wide range of server technologies during the course of penetration testing. Often there are known vulnerabilities that can be used to exploit them; other times Context creates new attacks. Context will be blogging about these techniques, starting with JBoss RMI Twiddling. JBoss is an open source Java-based application server which is widely used in corporate environments. In the past it has had its share of security vulnerabilities, most of which have been addressed by adequate patches; however, it is still distributed with several insecure options enabled by default. A large number of JBoss installations have not been extensively hardened and are therefore vulnerable to the attacks detailed in this post, which under certain circumstances lead to full system compromise.
Malware 1 - From Exploit to Infection
7th December 2010
Context encounters numerous malware samples on a daily basis, and this series of malware posts intends to provide a detailed analysis of the threats posed by malicious software that affects business today. The series aims to take the reader through the various stages of an attack against an organisation. This first posting presents an in-depth investigation into a PDF-based malware attack. This initial analysis covers an exploit-laden PDF document, the JavaScript payload and the malicious shellcode responsible for the second-stage delivery of malware. This infection vector is currently one of the most common methods of malware propagation and, through this series of postings, Context aims to deliver greater visibility into how such attacks occur in the real world.
