2011
Runtime analysis of Windows Phone 7 Applications
Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform execution/data flow analysis and code debugging for desktop and server operating systems. Although a few dynamic analysis tools such as DroidBox are available for Android, I currently know of no similar public tools for the Windows Phone 7 platform. The main challenge for Windows Phone 7 is the lack of a programable debugging interface in both the Emulator and phone devices. The Visual Studio 2010 debugger for Phone applications does not have an “Attach to process” feature and can only be used to debug applications for which the source code is available. Although the Kernel Independent Transport Layer (KITL) can be enabled on some Windows Phone devices at boot time which could be very useful for Kernel and unmanged code debugging, it can’t be used directly for code tracing of phone applications which are executed by the .NET compact framework.
Hacking Online Auctions – UnCon && ITWeb talk
I gave an updated version of my ‘Hacking Online Auctions’ talk at UnCon in London last week. The talk gave a brief intro to general auction theory, and how the models can be applied online, but the main focus was on ‘penny auction’ websites. What are those all about then? Well, during my Masters last year I took a course on Internet Economics, and one of the modules involved auction theory. It was a really interesting module, and I did a bit of my own research on the side, whereby I stumbled across various penny auction sites. The sites (who pretend to be akin to eBay or the likes) go a little something like this:
Systems Applications Proxy Pwnage
[2011/9/6 Edited to add Slideshare embed]
I am currently in London at the first ever 44con conference. It’s been a fantastic experience so far – excellent talks & friendly people.
Yesterday, I presented a paper titled “Systems Applications Proxy Pwnage” . The talk precis sums it up nicely:
It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.
SensePost @ 44Con – Join us!
Until recently, there was a distinct lack of decent, high-quality technical security conferences held in the United Kingdom. Home to the Global Financial Centre, London, there isn’t a shortage of industries who require secure applications and rely on secure infrastructure and applications to operate.
With this in mind, 44Con is the first combined information security conference and training event held in Central London. The con will provide business and technical tracks, aimed at government, public sector, financial, security professionals and Chief Security Officers.
Metricon6 Presentation
Dominic is currently in the air somewhere over the Atlantic, returning from a long trip that included BlackHat, DefCon and lastly Metricon6, where he spoke on a threat model approach that he has picked up and fleshed out. He has promised a full(er) write-up on his glorious return, however in the meantime his slides are below. An updated copy of the CTM tool is on the CTM page, as is the demonstration dashboard (a nifty spreadsheet-from-the-deep that interactively provides various views on your threat model).
BlackHat 2011 Presentation
On this past Thursday we spoke at BlackHat USA on Python Pickle. In the presentation, we covered approaches for implementing missing functionality in Pickle, automating the conversion of Python calls into Pickle opcodes, scenarios in which attacks are possible and guidelines for writing shellcode. Two tools were released:
Converttopickle.py – automates conversion from Python-like statements into shellcode. Anapickle – helps with the creation of malicious pickles. Contains the shellcode library. Lastly, we demonstrated bugs in a library, a piece of security software, typical web apps, peer-to-peer software and a privesc bug on RHEL6.
Security Policies – Go Away
Security policies are necessary, but their focus is to the detriment of more important security tasks. If auditors had looked for trivial SQL injection on a companies front-page as hard as they have checked for security polices, then maybe our industry would be in a better place. I want to make this go away, I want to help you tick the box so you can focus on the real work. If you just want the “tool” skip to the end.
SensePost Black Hat Course Summary & chosing the right courses
As we draw nearer to Black Hat Vegas we get a lot of requests from people who need help choosing between one of our courses or the other. In order to provide people with a single, consolidated summary of all the courses we’ll be offering this year I’ve put together a rough summary doc that outlines all the courses and attempts to illustrate how they fit together. Get it here:
House of Cards
In light of recent mass hacks (HBGary, Sony, Nintendo, etc) one would have thought that collectively, companies would take notice and at least be slightly more aware of the potential implications vulnerabilities in public-facing services could have.
The problem appears to be that these hacks, and indeed hackers, aren’t that technically superior and more often than not, take advantage of simple flaws. Some flaws, like SQL injection, provide so much access on their own that a fairly grim attack scenario can be painted. However, often attackers don’t require such extravagant flaws to gain access. Chained attacks utilising “low risk” attacks can be far more deadly than a single flaw.
Threat Modeling vs Information Classification
Over the last few years there has been a popular meme talking about information centric security as a new paradigm over vulnerability centric security. I’ve long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down.
In pre-summary, I’m still sceptical of information-classification approaches (or information-led control implementations) as I feel they target a theoretically sensible idea, but not a practically sensible one.