Exactly one week ago I noticed an “urgent” tweet from Tavis Ormandy to get in contact with the Cloudflare team.
Normally when a tweet like this appears from Tavis, something is horribly broken. Well, today we know the background of this tweet as the bug tracker issue went public and it exposed quite a bug from Cloudflare.
While there is some background story how Tavis found the bug, because he wasn´t actively looking into the Cloudflare infrastructure and it was rather discovered by accident when odd data appeared in his fuzzing corpus. When he looked closely he found data that was not in any mean related to the expected data from various websites.
Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. Traditional application security practices slow development and, in many cases, don’t address security at all. Instead, a new approach based on security automation and tactical security testing is needed to ensure important components are being tested before going live. Security professionals must master their tools to improve the efficiency of manual security testing as well as to deploy custom security automation solutions. Continue reading “TR17 Training Teaser: Developing Burp Suite Extensions – From manual testing to security automation”
IP Multimedia Subsystem (IMS) offers many multimedia services to any IP-based access network, such as LTE or DSL. In addition to VoLTE, IMS adds service provider flexibility, better QoS and charging control to the 4th generation of mobile networks. IMS exchanges SIP messages with its users or other IMS and usually these communications are secured by TLS or IPSec. But if an attacker manages to break the confidentiality and the integrity with IMS, he would find it vulnerable to several attacks.
An attacker does not have to overcome transport security to breach confidentiality and integrity with IMS. For example, owning A victim’s User Equipment (UE) could grant an attacker the confidential data he needs to develop many attacks on him. Moreover, motivated attackers, who target IMS itself, can manage to obtain their IPSec ESP Integrity Key (IKESP) from their UE and then manipulate their requests as they like. An example of the latter case is well explained here. This blog post discusses the exploitation of IMS in such cases of integrity and confidentiality loss.
My Master’s thesis “Evaluation of IMS security and developing penetration tests of IMS” discusses the exploitation of IMS vulnerabilities in case its confidentiality and integrity measures are breached. 3GPP specifications and IETF RFCs define how IMS works and therefore can lead us to its vulnerabilities. The attacks to exploit these vulnerabilities are tested and demonstrated on OpenIMS core. Availability attacks on IMS were previously discussed in a previous blog post.
As Troopers17 and TSD are getting closer, I’d like to publish the next talk’s abstract and a preliminary agenda. Still, the agenda is not final yet but you already can see some more confirmed talks. I hope to be able to confirm and publish more information about these slots soon. Also, please note that the TelcoSecDinner will start at 7pm – see more below.
This is part 1 of our report series on interesting talks of the 33rd Congress of the Chaos Computer Club. Every year the congress attracts hundreds (up to twelve thousand this year) of technical interested people with the opportunity to socialize and exchange knowledge with each other. The congress is organized by the European largest hacker association and speakers give talks about technical and societal issues like surveillance, privacy, freedom of information, data security and various more.
Talks in this part deal with CCC at schools, Wi-Fi security and the security of the N26 banking app.
Like in recent years the popular Hacking 101 workshop will take place on TROOPERS17, too! The workshop will give attendees an insight into the hacking techniques required for penetration testing. These techniques will cover various topics: