Events

Latest SAP threats, SAP Forensics & BIZEC @Troopers!

This is a guest post from Mariano Nunez and Juan Perez-Etchegoyen

Juan Perez-Etchegoyen (@jp_pereze) and Mariano Nunez (@marianonunezdc) from Onapsis here, thrilled to be troopers for the third time! In this post we want to share with you a glimpse of what you will see regarding SAP security at this amazing conference.

Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full-compromise of the entire SAP implementation – even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer make sure you have properly implemented them!

Continue reading “Latest SAP threats, SAP Forensics & BIZEC @Troopers!”

Continue reading
Breaking

VMDK Has Left the Building — Newsletter

We are pleased to announce that we summarized the results from our VMDK research in our latest newsletter.

We hope you enjoy the reading and will get some “food for thought”!

The newsletter can be found at:
ERNW_Newsletter_41_ExploitingVirtualFileFormats.pd

A digitally signed version can be found at:
ERNW_Newsletter_41_ExploitingVirtualFileFormats_signed.pdf

Enjoy your weekend,
Matthias

Continue reading
Events

Bluevoxing

This is a guest post from Graeme Neilson

Reverse engineering is generally thought of as using debuggers, disassemblers and hex editors. Much as I love hex editors, IDA and staring at opcodes for the last few years I have been focused on applying my reverse engineering methodology to larger, composed systems. At Troopers TelcoSec day this year I will be presenting Bluevoxing which demonstrates how this approach works. Bluevoxing is about reverse engineering how web based “audio one time password” systems work. Simply put audio one time password systems use a short audio file as an authentication token. When I discovered these systems I was intrigued as reversing them would involve a range of techniques and tools from web testing, audio tools, signal analysis, phreaking and cryptanalysis. The disassembler would be of no use instead I would have to employ audio tools such as audacity and ruby-processing.

My methodology was:

  1. collect a large sample set of audio one time passwords
  2. extract the raw audio file from the samples
  3. somehow convert the audio file into a number…
  4. analyse the numbers…

Continue reading “Bluevoxing”

Continue reading
Events

APT

Many of you have probably seen the public media coverage (e.g. [1], [2]) of  Mandiant’s latest report on APT.

Just to let you know: Trooper‘s traditional panel discussion on the first day will be on APT this year. So if you want to discuss the topic with other practitioners from the field, join us there.

have a great day

Enno

Continue reading
Breaking

Corporate Espionage via Mobile Compromise: A technical deep dive

This is a guest post from David Weinstein

Mobile devices play an important role in the business world. Yet with increased emphasis on the Bring Your Own Device (BYOD) model, defenses are not where they need to be to slow the loss of valuable intellectual property.

Corporate defenses have traditionally focused on the network, the endpoints, and not necessarily on the ecosystem of how these devices interact outside of network sockets. Smartphones bring unique network connectivity, an array of sensors, and can be overlooked by resources invested on IDS/IPS not being effectively leveraged.

Getting to the core of an exemplar attack, a Mobile Remote Administration Tool (RAT) is devastating. With access to the microphone, GPS/network location, camera, and an accelerometer, having control of a mobile device in a corporate setting is a dream for an attacker. We’ve improved an open source RAT and introduced a new feature, the ability to turn the mobile device into a virtual person sitting at the computer, able to type commands into the console.

Using a USB device to gain access to a computer is not new and the dangers of an unprotected port are extraordinary (see upcoming troopers talk, You wouldn’t share a syringe. Would you share a USB port? Bratus & Goodspeed). The takeaway from this particular talk is that the attack need not be performed from a specialized device (Teensy, Facedancer), like a thumb drive. The attack can be mounted from a common device that is routinely plugged into computers for charging or data transfer purposes… the Android mobile phone in your employee’s pocket!

Continue reading “Corporate Espionage via Mobile Compromise: A technical deep dive”

Continue reading
Building

IPv6 Extension Headers: New Features, and New Attack Vectors

This is a guest post from Antonios Atlasis

IPv6 introduces a lot of new features and consequently, a lot of new capabilities. Obviously, the most significant of them is the huge address space that it offers. However, this is not the only one. IPv6 also introduces the use of the IPv6 Extension Headers. The IPv6 header has been considerably simplified in comparison with IPv4 one. On the other hand, the IPv6 Extension Headers, not only do the “job” of most of the fields which were removed from the main header, but, additionally, they add many more. However, any new “technology” creates new attack opportunities and a “new” protocol, such as IPv6 could not be an exception, especially since its design and implementation is more complicated than it’s predecessor.

Continue reading “IPv6 Extension Headers: New Features, and New Attack Vectors”

Continue reading
Breaking

Apple iOS and the history of a workin’ lockscreen… NOT

Once again a vulnerability in Apples mobile operating system iOS was found by some guys of the Jailbreak Nation. The newest version of this operating system suffers from a weakness that makes it possible to unlock the lockscreen of all iPhones that use iOS version 6.1. In this case it does not matter whether a PIN or a password is used to unlock the phone. After successful exploitation an attacker is able to see and edit contact-information, to add new contacts to the phonebook, to view all pictures, to call the inbox or any of the contacts and to see and delete the list of recent calls or parts of it.
Continue reading “Apple iOS and the history of a workin’ lockscreen… NOT”

Continue reading
Breaking, Events

Paparazzi over IP

Almost every higher class DSLR on the market today features multiple and complex access technologies. To name a few, canons new flagship features IP connectivity wired via 802.3 as well as wireless via 802.11. All the big vendors are pushing these features to the market and advertise them with real time image transfer to the cloud. We have taken a look at the layer 2 and 3 implementations in the CamOS and the services running upon those, so here is what we found while examine the EOS 1D X:

Continue reading “Paparazzi over IP”

Continue reading
Breaking

Mobile Application Testing

Our new workshop about mobile application testing, held for the 1st time at the Troopers conference 2013, is coming closer. So I would like to take the opportunity and post an appetizer for those who are still undetermined if they should attend the workshop ;-).

While the topic of mobile application testing is a wide field that may contain reverse engineering, secure storage analysis, vulnerability research, network traffic analysis and so forth, in the end of the day you have to answer one question: Can I trust this application and run it on my enterprise devices? So first you have to define some criteria, which kind of behavior and characteristics of an application you regard as trustworthy (or not). Let us peek at malware … besides harming your devices and data, malware is typically:

  • obfuscated and/or encrypted
  • contains anti-debugging features
  • contains anti-reverse engineering features

This makes the analysis process a difficult task and comparing these characteristics especially to ordinary iOS applications from the AppStore, at least one is also true for these apps: Those are encrypted and are only decrypted at runtime on your Apple gadget ;-).

Continue reading “Mobile Application Testing”

Continue reading