CONverse: Communicating the Findings of our Research

08 Apr 2016

Context invites you to our first CONverse event, an evening dedicated to sharing our recent work and findings with our technical contacts and the wider information security community. This will be a regular event throughout the year.

When:Wednesday, 11th May 2016, from 17:30 for a 18:00 start
Where: Context, Westferry House, 11 Westferry Circus, E14 4HD
What: Three 20 minute presentations, followed by a few nibbles and drinks until 20:00 withthe opportunity to catch up with some of our consultants and other peers in the industry.

This invitation is open to all in the information security community, however please be aware that the content of CONverse is purely aimed at individuals with a deep technical understanding and an interest in cyber security. 

Register your interest for the event here

Presentation Agenda

We will have three 20 minute presentations from our Research and Response departments, please find a synopsis of each presentation below:

Compromising 470,000+ Wordpress Sitesthe Lazy Way - Alex Chapman, Principal Researcher

One of Alex’s recentside projects has been to create a code analysis tool for PHP, specifically inorder to find vulnerabilities in the 1000 most popular Wordpress plugins. Alex will walk through his journey of implementing this project. The dizzying highs and the depressing lows, the wins and epic fails, that all went into discovering a suite of Wordpress plugin vulnerabilities which could have led tothe compromise of 470,000 (and counting) Wordpress sites. At the conclusion ofthis talk the audience will have the knowledge of how to go and do this themselves, and why they probably shouldn't bother.

Do you remember this packet? - AdamBridge, Senior Intrusion Analyst

When an attempt to recover the Windows DNS cache from memory didn’t seem to quite make sense, Context discovered that they’d made a mistake. In exploring that mistake, we realised we’d found something much more interesting: some kind of NDIS cache. In Windows, the NDIS (Network Driver Interface Specification) APIis implemented by ndis.sys. It’s an interface between layer 2 and layer 3 ofthe OSI model meaning that all network communication goes through this kernel-mode driver. Context discovered that by examining kernel space of the memory sample for Windows 7 and Server 2008R2 hosts, they could recover full packets sent by the host. This information could prove incredibly valuable,especially in identifying C2 domains with which the host was communicating. By understanding that the packets were kept in memory, Context were able to expand the tool to create a more generic carver which works on versions of Windows other than 7 and 2008R2.

Watching you watching me – Alex Farrant,Senior Researcher

Context has identified design flaws and software vulnerabilities in a next generation smart IP camera which allows an attacker to control the camera remotely behind a NAT router, steal passwords and keys, gain a foothold on your network and redirect the alerts and video to them, all from the click of a link. This particular cloud security device has been demonstrated to be a hidden security risk on a private network and Context believe the vulnerable code is present on other brands of smart IP cameras also.

Background information

CONverse was initiated as a result of the success from an internal event that we host annually for our technical team. We held an external version of this event last year which was a great success, to prevent confusion between the external and internal events we realised we would need a new name for this, with thanks to Adam Bridge in our Response team - CONverse was formed.

Register your interest for the event here.

Should you require any further information at all, please contact us at or call +44(0)207 537 7515.

We look forward to seeing you there!

CHECK IT Health Check Service
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider
ASSURE Cyber Supplier - CAA