Building

Agile Development & Security

I’m a big fan of Chris Gates’ publications on DevOops and From Low to Pwned. The content reflects a lot of issues that we also experience in many assessments in general and assessments in agile environments in particular. In addition, we were supporting several projects recently that were organized in an agile way. In this post, I want to summarize some thoughts on how security work can/should be integrated into agile projects. The post was also a result from the preparation of our upcoming Troopers workshop on Docker Security & Devops, which of course also covers organizational aspects, but not to the degree this post describes them.

Continue reading “Agile Development & Security”

Continue reading
Events

TR17 Training Teaser: Suricata: World-class and Open Source

This is a guest blog by Andreas Herz and Peter Manev for their training,  Suricata: World-class and Open Source

Suricata is an advanced open source network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata is owned and supported by the Open Information Security Foundation (OISF), a US based non-profit organization dedicated to open source security technologies. Suricata’s use around the world and ongoing development is the result of the open source community with focus on security, performance and advanced features. Continue reading “TR17 Training Teaser: Suricata: World-class and Open Source”

Continue reading
Misc

Cloudflare Incident #Cloudbleed

Exactly one week ago I noticed an “urgent” tweet from Tavis Ormandy to get in contact with the Cloudflare team.
Normally when a tweet like this appears from Tavis, something is horribly broken. Well, today we know the background of this tweet as the bug tracker issue went public and it exposed quite a bug from Cloudflare.

While there is some background story how Tavis found the bug, because he wasn´t actively looking into the Cloudflare infrastructure and it was rather discovered by accident when odd data appeared in his fuzzing corpus. When he looked closely he found data that was not in any mean related to the expected data from various websites.

Continue reading “Cloudflare Incident #Cloudbleed”

Continue reading
Events

TR17 Training Teaser: Developing Burp Suite Extensions – From manual testing to security automation

This is a guest post from TR17 trainer Luca Carettoni: Developing Burp Suite Extensions

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. Traditional application security practices slow development and, in many cases, don’t address security at all. Instead, a new approach based on security automation and tactical security testing is needed to ensure important components are being tested before going live. Security professionals must master their tools to improve the efficiency of manual security testing as well as to deploy custom security automation solutions. Continue reading “TR17 Training Teaser: Developing Burp Suite Extensions – From manual testing to security automation”

Continue reading
Misc

Exploitation of IMS in absence of confidentiality and integrity protection

IP Multimedia Subsystem (IMS) offers many multimedia services to any IP-based access network, such as LTE or DSL. In addition to VoLTE, IMS adds service provider flexibility, better QoS and charging control to the 4th generation of mobile networks. IMS exchanges SIP messages with its users or other IMS and usually these communications are secured by TLS or IPSec. But if an attacker manages to break the confidentiality and the integrity with IMS, he would find it vulnerable to several attacks.

An attacker does not have to overcome transport security to breach confidentiality and integrity with IMS. For example, owning A victim’s User Equipment (UE) could grant an attacker the confidential data he needs to develop many attacks on him. Moreover, motivated attackers, who target IMS itself, can manage to obtain their IPSec ESP Integrity Key (IKESP) from their UE and then manipulate their requests as they like. An example of the latter case is well explained here. This blog post discusses the exploitation of IMS in such cases of integrity and confidentiality loss.

My Master’s thesis “Evaluation of IMS security and developing penetration tests of IMS” discusses the exploitation of IMS vulnerabilities in case its confidentiality and integrity measures are breached. 3GPP specifications and IETF RFCs define how IMS works and therefore can lead us to its vulnerabilities. The attacks to exploit these vulnerabilities are tested and demonstrated on OpenIMS core. Availability attacks on IMS were previously discussed in a previous blog post.

Continue reading “Exploitation of IMS in absence of confidentiality and integrity protection”

Continue reading
Events

TelcoSecDay 2017 – Next Talks and Agenda

As Troopers17 and TSD are getting closer, I’d like to publish the next talk’s abstract and a preliminary agenda. Still, the agenda is not final yet but you already can see some more confirmed talks. I hope to be able to confirm and publish more information about these slots soon. Also, please note that the TelcoSecDinner will start at 7pm – see more below.

Continue reading “TelcoSecDay 2017 – Next Talks and Agenda”

Continue reading
Events

33c3 Talks – What could possibly go wrong with “insert x86 instruction here” ?

This was one of the few technical talks at 33c3 I managed to see, by that I mean live-stream during an access control shift, by Clémentine Maurice and Moritz Lipp.

The talk gave an overview of some already known possible information leaks by abusing certain x86 instructions(the same concept applies to ARM too though) and demonstrating the various ways an attacker could use them. Continue reading “33c3 Talks – What could possibly go wrong with “insert x86 instruction here” ?”

Continue reading
Misc

Whitepaper on Incident Handling First Steps, Preparation Plans, and Process Models

We just published my Whitepaper about First Steps, Preparation Plans, and Process Models for Incident Handling, that I wrote to pass the time between Christmas and New Year. The whitepaper sums up information that I consider to be useful to prepare for IT security incidents as a conclusion from the incidents in which we supported over the past year.

Whitepaper Teaser

Have you for example thought about classes of incidents that are most likely to affect you and formulated Incident Handling Preparation Plans for those incidents?
Continue reading “Whitepaper on Incident Handling First Steps, Preparation Plans, and Process Models”

Continue reading