Publications

Recent publications produced by MWR InfoSecurity are listed below in date order. On this page you can also find recent presentations and White Papers from MWR InfoSecurity consultants.


Banking Sector Security - Annual Research Review

Aug 13, 2010

MWR Labs welcomes you to its 2010 review of research undertaken into technologies in use in the banking sector.


Brave New 64-Bit World

Jun 02, 2010

Memory requirements on server and desktop systems have risen considerably over the past few years, to the point where 32-bit architectures are not capable of addressing the required amount of memory. A variety of 64-bit CPUs and operating systems have been introduced to resolve this architecture-imposed limitation, and these are now being widely adopted. However, any porting of software to 64-bit compatibility can have unexpected security implications. This paper discusses some of these implications and how to resolve them.


Journey to the Centre of the Breach

Jun 02, 2010

Computer forensics is no longer exclusively the domain of law enforcement investigators. The same techniques applied to gathering evidence for use in court can also be applied to investigating a security incident in order to provide the victim with information and assurance. In this report, a case study is presented that details the tools and techniques used in the investigation of a breach of an FTP server, from the initial log file analysis through to reverse engineering the discovered malware.

This document was produced as an academic report and as such does not follow the typical MWR InfoSecurity formatting.


Presentation: ShmooCon 2010 - How To Be An RSol: Effective Bug Hunting in Solaris

Mar 05, 2010

Matt Hillman presented at ShmooCon 2010 in Washington DC about his research in Solaris bug hunting. The presentation included demos of his software, which provides a Ruby-based debugging interface to Solaris, allowing implementation of tools to perform fault monitoring for fuzzers, code coverage, run tracing, code profiling and fault injection.


Weapons of Mass Pwnage: Attacking Deployment Solutions - DeepSec 2009

Dec 03, 2009

Luke Jennings presented at DeepSec '09 in Vienna, Austria regarding the security of deployment solutions and some of the recent vulnerabilities he discovered in Symantec's Altiris Deployment Solution. The slides for this presentation are available from the download link above.


USB Attacks: Fun with Plug and 0wn - T2'09

Oct 29, 2009

On Thursday 29th October 2009 Rafa gave an updated version of his "USB Attacks: Fun with Plug and 0wn" presentation at T2'09 in Helsinki, Finland. The slides from the presentation can be downloaded from the link above.

Additionally, the advisory detailing the vulnerability which was the focus of the presentation has now been released and can be downloaded here.


Fun with Plug & 0wn

Aug 04, 2009

On Sunday 2nd August 2009 Rafa presented his USB research at Defcon 17 in Las Vegas. The presentation can be downloaded using the link provided here.


HashCookies - A Simple Recipe

May 07, 2009

Since HTTP is stateless, it utilises sessions in order to track a user’s state when using web-based applications. Several vectors exist which could permit an attacker to gain access to a user’s session and so could result in compromise of the user’s account or other sensitive information. The use of a changing and expiring session ID can enable a user’s session to be protected from a number of attacks. By transmitting a random salt to a web browser, the web browser is able to use this salt in order to generate a new cookie by hashing information which only the web browser and web server know; this cookie is a HashCookie. Provided the salt is protected during the initial exchange, or an attacker is not in a position to intercept this communication, then in all instances, even if an attacker is able to obtain a valid session ID for a user of a web-based application, the use of HashCookies would provide them no leverage over the user’s session. Implementation requires HashCookie support from both the web browser and web server.


Presentation: DeepSec 2008 - Behind Enemy Lines: Administrative Web Application Attacks

Nov 15, 2008

Rafael Dominguez Vega presented at DeepSec 2008 about his research into attacking administrative web interfaces. His talk included demonstrations of these kinds of attacks through SSID and DHCP script injection vulnerabilities discovered in the course of his research. The slides for this presentation are available from the download link above.


Presentation: DefCon16 - Virtually Hacking

Aug 12, 2008

On Friday 8th August 2008 MWR InfoSecurity's John Fitzpatrick presented the talk 'Virtually Hacking' at DefCon 16 in Las Vegas. The presentation looked at VMware security and can be downloaded using the link provided above.


White Paper: Behind Enemy Lines: Administrative Application Attacks

Jul 31, 2008

A white paper was released by MWR InfoSecurity discussing the security implications of administrative web applications.

This explains how alternative protocols (such as DHCP and 802.11) can be used to perform web-based attacks. The white paper also explains the different methods available for exploiting these issues in practice, and details how tools can be built to test and exploit them.

The paper is based upon original research by Rafael Dominguez Vega and can be downloaded using the link provided above.


White Paper: IBM WebSphere MQ Security Part 1

May 06, 2008

The first in a series of white papers discussing IBM WebSphere MQ security has been released by Martyn Ruks of MWR InfoSecurity.

IBM’s WebSphere MQ is a widely used and respected middleware application for handling messaging within an enterprise network. Its popularity and level of adoption arise from its robustness, scalability, functionality and compatibility with a wide range of platforms and applications. Whilst the software has a large number of security features, the complexity of the environments within which it operates often results in it being poorly configured. This environmental complexity and the richness of the product’s feature set can make it an attractive target to attackers. In an era when “front-end” web applications and “back-end” databases are subject to increasingly intensive security testing, the weakest link in an application can now often be found in the middleware.

Applications that are not well documented within penetration testing manuals and for which there is no well defined testing toolkit available can often be brushed over during a penetration test. However, a skilled attacker will not concern themselves with such limitations and could exploit any vulnerabilities that are present in the system with devastating effect. This paper documents the results of research and investigation into WebSphere MQ systems and introduces a methodology for assessing the security of the software product from the perspective of a penetration tester.

It has been discovered that WebSphere MQ environments can be secured but this is not a trivial process and a detailed understanding of the technology is required. The information included within this document can be used to understand the requirements of those people who are responsible for the security of such environments.


White Paper: Security Implications of Windows Access Tokens

Apr 16, 2008

A white paper has been published by Luke Jennings of MWR InfoSecurity which discusses the security exposures that can occur due to the manner in which access tokens are implemented in the Microsoft® Windows Operating System.

A brief overview of the intended function, design and implementation of Windows access tokens is given, followed by a discussion of the relevant security consequences of their design. More specific technical details are then given on how the features of Windows access tokens can be used to perform powerful post-exploitation functions during penetration testing, along with a basic methodology for including an assessment of the vulnerabilities exposed through tokens in a standard penetration test.

Discussion is also included about why many corporate environments (assessed during penetration tests conducted by MWR InfoSecurity) have been found to not be operating in a manner which limits the risk of such issues. Finally, best practice advice is given on how to defend against these attacks.

It must be noted that the security issues discussed in this white paper do not represent a flaw in the Microsoft® Windows Operating System but are an expected consequence based on the design and implementation of Windows access tokens. The important point is that many corporate environments do not account for these issues within their security strategy and, consequently, the controls in many of these environments are not sufficient to withstand the techniques discussed here.

Additionally, it is acknowledged that the security implications of Windows access tokens have been discussed before both in general terms and to different degrees of technical detail. This document is not intended to present such discussions as being fundamentally new; instead it is intended to collate some of the existing knowledge, introduce some new findings and to demonstrate why many years after the general principles discussed were highlighted, many corporate environments are still vulnerable to these issues.

The paper is based upon research originally presented by the author at Defcon 15 and Chaos Computer Congress (CCC) 2007.


Presentation: FIST 2007 - Inspect a Gadget

Oct 26, 2007

Rafael Dominguez Vega presents his research into attack vectors and best practice recommendations for Vista Sidebar Gadgets.


White Paper: Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista

Sep 27, 2007

This white paper discusses the potential impact of the new Sidebar Gadgets feature of the Microsoft® Windows Vista™ Operating System. It also examines the requirements for its secure rollout and describes in detail different types of attacks and their consequences. Remedial actions and best practice recommendations are also included in this document.


Presentation: DefCon 15 - WebSphere MQ

Aug 03, 2007

On Friday 3rd August 2007 MWR InfoSecurity presented a talk about the security of the IBM WebSphere MQ software at DefCon 15 in Las Vegas. The presentation from the WebSphere MQ talk can be downloaded using the link provided here.


Presentation: DefCon 14 - IBM Networking

Aug 05, 2006

Presentation given by Martyn Ruks at DefCon 14 (2006) on testing IBM Network Security.


