<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
	<title>Context Blog</title>
	<description>Context is at the leading edge of the industry thanks to the extensive research and development performed by our team, as well as the experience gleaned through our work with government and blue chip clients. Consequently, we as an organisation would like to share our knowledge and have therefore opened this Blog section on our website, which will include contributions from across our organisation. The blog is intended to fit into Context's company philosophy by being holistic in nature and hence will cover topics including issues affecting technologies in use within the financial, retail, legal, and defence sectors.</description>
	<link>http://www.contextis.co.uk/research/blog</link>
	<lastBuildDate>Tue, 01 Nov 2011 00:00:00 +0000</lastBuildDate>
	<pubDate>Mon, 06 Jan 2011 00:00:00 +0000</pubDate>
	
	<item>
		<title>Malware 1 - From Exploit to Infection</title>
		<description>Context encounters numerous malware samples on a daily basis, and this series of malware posts intends to provide a detailed analysis of the threats posed by malicious software that affect businesses today. The series aims to take the reader through the various stages of an attack against an organisation. This first posting presents an in-depth investigation into a PDF-based malware attack. This initial analysis covers an exploit-laden PDF document, the JavaScript payload and the malicious shellcode responsible for the second-stage delivery of malware. This infection vector is currently one of the most common methods of malware propagation, and through this series of postings Context aim to deliver greater visibility into how such attacks occur in the real world.</description>
		<link>http://www.contextis.co.uk/research/blog/malware1/</link>
		<guid>http://www.contextis.co.uk/research/blog/malware1/</guid>
		<pubDate>Mon, 07 Dec 2010 00:00:00 +0000 </pubDate>
	</item>
	<item>
		<title>Server Technologies - JBoss RMI Twiddling</title>
		<description>Context encounters a wide range of server technologies during the course of penetration testing. Often there are known vulnerabilities that can be used to exploit them; other times Context create new attacks. Context will be blogging about these techniques, starting with JBoss RMI Twiddling. JBoss is an open source Java-based application server which is widely used in corporate environments. In the past it has had its share of security vulnerabilities, most of which have been addressed by adequate patches; however, it is still distributed with several insecure options enabled by default. A large number of JBoss installations have not been extensively hardened and are therefore vulnerable to the attacks detailed in this post, which under certain circumstances lead to full system compromise.</description>
		<link>http://www.contextis.co.uk/research/blog/inf1/</link>
		<guid>http://www.contextis.co.uk/research/blog/inf1/</guid>
		<pubDate>Mon, 21 Dec 2010 00:00:00 +0000 </pubDate>
	</item>
	<item>
		<title>SmartPhones - Can you Trust your USB Charger?</title>
		<description>Context is asked on a regular basis to evaluate the security of current mobile devices, especially smartphones, for use in the enterprise environment. Data security is of the utmost importance to our clients, and any technique which could compromise their information is taken very seriously. One of the most underestimated attack vectors on a smartphone is its USB connection. In the not so distant past this was purely used for data access, but it is now also the main charging connection on a device. This blog post discusses the risks inherent in this dual purpose on the two most popular enterprise smartphones, the RIM BlackBerry and the Apple iPhone: in what scenarios data is exposed, how much information an attacker could gather, and potential ways this can be solved at the enterprise level.</description>
		<link>http://www.contextis.co.uk/research/blog/Phones1/</link>
		<guid>http://www.contextis.co.uk/research/blog/Phones1/</guid>
		<pubDate>Mon, 27 Jan 2011 00:00:00 +0000 </pubDate>
	</item>
	<item>
		<title>Server Technologies - SSL2: Should it keep you awake at night?</title>
		<description>One of the issues Context encounters time and time again is web servers supporting version 2 of the SSL protocol. The weaknesses in SSL2 have been known for fifteen years, and could aid an attacker in decrypting traffic between his victim and the target website, so it’s a significant issue. However, despite the severe consequences, surveys have shown that 35% of web servers on the internet still support it. This blog post explains the biggest weakness in SSL2, the method used to exploit it, and asks the question: should SSL2 be keeping you awake at night?</description>
		<link>http://www.contextis.co.uk/research/blog/ssl1/</link>
		<guid>http://www.contextis.co.uk/research/blog/ssl1/</guid>
		<pubDate>Mon, 28 Mar 2011 00:00:00 +0000</pubDate>
	</item>
	<item>
		<title>WebGL - A New Dimension for Browser Exploitation</title>
		<description>Context is currently undertaking a research project into the new WebGL technology and has uncovered serious security flaws. WebGL provides web pages with the functionality to access the lower level graphics driver in a way that previously was only available to local applications. This new access allows web pages to create 3D graphics with the same level of speed and detail as PC games. However, from a security perspective, allowing potentially malicious web pages low level access to a graphics card carries a huge security risk. These risks stem from graphics cards and drivers not having been written with security in mind: the interface (API) they expose assumes that applications are trusted, but this axiom is no longer true. Context have investigated this technology and have found fundamental design issues which currently expose users of the internet to having their PCs exploited. This includes breaking of the cross-domain security principle and denial of service, potentially leading to full exploitation of a user’s machine.</description>
		<link>http://www.contextis.co.uk/research/blog/webgl/</link>
		<guid>http://www.contextis.co.uk/research/blog/webgl/</guid>
		<pubDate>Mon, 9 May 2011 00:00:00 +0000 </pubDate>
	</item>
	<item>
		<title>WebGL - A New Dimension for Browser Exploitation - FAQ</title>
		<description>Due to the high level of interest in Context’s blog posting on the security issues within WebGL, we are releasing the following further information to aid in the understanding of the issues.</description>
		<link>http://www.contextis.co.uk/research/blog/webgl/faq/</link>
		<guid>http://www.contextis.co.uk/research/blog/webgl/faq/</guid>
		<pubDate>Wed, 11 May 2011 00:00:00 +0000 </pubDate>
	</item>
	<item>
		<title>WebGL – More WebGL Security Flaws</title>
		<description>In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox’s implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox.</description>
		<link>http://www.contextis.co.uk/research/blog/webgl2/</link>
		<guid>http://www.contextis.co.uk/research/blog/webgl2/</guid>
		<pubDate>Thu, 16 Jun 2011 00:00:00 +0000</pubDate>
	</item>
	<item>
		<title>SAP Exploitation – Part 1</title>
		<description>In this series of posts I aim to cover in depth some of the publicly known infrastructure vulnerabilities that affect SAP systems, how to use public domain tools to test your current deployments for these issues and how best to address them. While the industry is slowly taking note of SAP-related security beyond segregation of duties, there is still a significant lack of awareness of vulnerabilities and attacks against SAP systems, which prompted this series of posts.</description>
		<link>http://www.contextis.co.uk/research/blog/sap1/</link>
		<guid>http://www.contextis.co.uk/research/blog/sap1/</guid>
		<pubDate>Wed, 06 Jul 2011 00:00:00 +0000 </pubDate>
	</item>
	<item>
		<title>SAP Exploitation – Part 2</title>
		<description>This is the second in a series of posts about SAP infrastructure security, specifically related to RFC vulnerabilities and common misconfigurations that can be exploited by an attacker to gain unauthorised access to a SAP environment. In this post I will be demonstrating how some of the RFC vulnerabilities previously described can be exploited by the freely available, Python-based ERP penetration testing platform – Bizploit.</description>
		<link>http://www.contextis.co.uk/research/blog/sap2/</link>
		<guid>http://www.contextis.co.uk/research/blog/sap2/</guid>
		<pubDate>Tue, 30 Aug 2011 00:00:00 +0000 </pubDate>
	</item>	
	<item>
		<title>Server Technologies - Reverse Proxy Bypass</title>
		<description>In this blog I will describe a new type of security vulnerability which can allow full internal system access from the internet from an unauthenticated perspective. This technique exploits insecurely configured reverse web proxies to gain access to internal/DMZ systems. Apache web server is affected by this issue when running in reverse proxy mode; Context have worked with Apache to produce a patch which reduces the risk of exploitable misconfigurations.</description>
		<link>http://www.contextis.co.uk/research/blog/reverseproxybypass/</link>
		<guid>http://www.contextis.co.uk/research/blog/reverseproxybypass/</guid>
		<pubDate>Wed, 05 Oct 2011 00:00:00 +0000</pubDate>
	</item>
	<item>
		<title>Malware Analysis: Dark Comet RAT</title>
		<description>In this blog post I take a look at a RAT called Dark Comet. I will run through the capabilities provided by the tool, examine the associated network traffic, identify the encryption algorithm and show how the key can be identified with a little analysis of an infected host.</description>
		<link>http://www.contextis.co.uk/research/blog/darkcometrat/</link>
		<guid>http://www.contextis.co.uk/research/blog/darkcometrat/</guid>
		<pubDate>Tue, 01 Nov 2011 00:00:00 +0000</pubDate>
	</item>
	<item>
		<title>HTTPS BEAST Attack</title>
		<description>A number of our clients have asked for advice regarding the HTTPS BEAST attack. This blog is intended to give a more realistic overview of what the attack means to those who are concerned with the effect that it may have on their web applications, and to answer some of the questions received. BEAST is short for Browser Exploit Against SSL/TLS. It is an attack against the confidentiality of an HTTPS connection that works in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session.</description>
		<link>http://www.contextis.co.uk/research/blog/beast/</link>
		<guid>http://www.contextis.co.uk/research/blog/beast/</guid>
		<pubDate>Mon, 16 Nov 2011 00:00:00 +0000 </pubDate>
	</item>

	<item>
		<title>Malware 2 - From Infection to Persistence</title>
		<description>In my previous posting, a malicious PDF was analysed that originated from a targeted email campaign that exposed a number of users to infection. The PDF file implemented standard exploitation techniques to exploit issues in Adobe PDF reader to download an executable from a known malicious URL. In this post I will look at how the malware sample persists on the infected host using stealth, anti-debugging and common userland hooking and rootkit techniques.</description>
		<link>http://www.contextis.co.uk/research/blog/malware2/</link>
		<guid>http://www.contextis.co.uk/research/blog/malware2/</guid>
		<pubDate>Fri, 6 Jan 2012 00:00:00 +0000 </pubDate>
	</item>	

		<item>
		<title>Web Application Vulnerability Statistics 2010-2011</title>
		<description>Over the past two years Context have been amassing statistics on a range of IT security activities based on the output of real-world IT security consultation engagements. One of the most common activities performed during this period has been web application penetration tests. This whitepaper will provide a unique insight into the state of web application security, presenting penetration test analysis from a dataset containing nearly eight thousand confirmed vulnerabilities found in over five hundred and ninety six web applications during the period January 2010 to December 2011.</description>
		<link>http://www.contextis.co.uk/research/blog/malware2/</link>
		<guid>http://www.contextis.co.uk/research/blog/malware2/</guid>
		<pubDate>Thu, 02 Feb 2012 00:00:00 +0000</pubDate>
	</item>	

		<item>
		<title>Framesniffing Against SharePoint and LinkedIn</title>
		<description>In this blog post, I'll describe the Frame Leak Attack technique and show how it can be used by a remote attacker to steal sensitive information from users through their web browser. I'll demonstrate how this attack can be used to mine information from documents stored in a corporate SharePoint installation. This blog post also contains a demo that shows how information can be extracted from a user’s LinkedIn account using the same technique. Finally, I’ll explain how to protect your site against this kind of attack.</description>
		<link>http://www.contextis.co.uk/research/blog/framesniffing/</link>
		<guid>http://www.contextis.co.uk/research/blog/framesniffing/</guid>
		<pubDate>Mon, 12 Mar 2012 00:00:00 +0000 </pubDate>
	</item>	

		<item>
		<title>Canape Version 1 Released</title>
		<description>Canape is a network testing tool for arbitrary protocols, but specifically designed for binary ones. It contains built-in functionality to implement standard network proxies and give the user the ability to capture and modify traffic to and from a server. The core can be extended through multiple programming languages, including C# and Python, to parse any protocol as required, thereby creating custom proxies tailored to the testing. It works at the network application layer, supporting both TCP and UDP connections through port forwarding or by implementing a SOCKS or HTTP proxy. It does not capture data at the Ethernet, IP or TCP layers directly. Its main strength is reducing the amount of development effort usually associated with effectively testing a new protocol. By providing a common mechanism to capture and manipulate traffic, it aims to allow the security researcher to develop only the minimal amount of code for the truly bespoke aspects of a protocol.</description>
		<link>http://www.contextis.co.uk/research/tools/canape/</link>
		<guid>http://www.contextis.co.uk/research/tools/canape</guid>
		<pubDate>Wed, 14 Mar 2012 00:00:00 +0000 </pubDate>
	</item>	

	<item>
		<title>Dirty Disks Raise New Questions About Cloud Security</title>
		<description>During our research last year into Cloud Node security we identified a security vulnerability affecting some customers at Rackspace and at VPS.NET, which were two out of the four providers we tested. Subsequent research found that VPS.NET’s service is based on OnApp technology, which is used by over 250 other providers, some of whom may share the same vulnerability. While Rackspace know of no instance of customer data being compromised through this vulnerability, they asked us to delay publication of our findings until Rackspace engineers could fully remediate the vulnerability and secure their customers. Rackspace recently completed those remediation efforts, and worked with us to publish our full findings, in hopes that they are helpful to other cloud hosting providers and their customers.</description>
		<link>http://www.contextis.co.uk/research/blog/dirtydisks</link>
		<guid>http://www.contextis.co.uk/research/blog/dirtydisks</guid>
		<pubDate>Tue, 24 Apr 2012 09:00:00 +0100</pubDate>
	</item>	
		
  
</channel>
</rss>

