2011
Runtime analysis of Windows Phone 7 Applications
Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform execution/data flow analysis and code debugging for desktop and server operating systems. Although a few dynamic analysis tools such as DroidBox are available for Android, I currently know of no similar public tools for the Windows Phone 7 platform. The main challenge for Windows Phone 7 is the lack of…
Hacking Online Auctions – UnCon && ITWeb talk
I gave an updated version of my ‘Hacking Online Auctions’ talk at UnCon in London last week. The talk gave a brief intro to general auction theory, and how the models can be applied online, but the main focus was on ‘penny auction’ websites. What are those all about then? Well, during my Masters last year I took a course on Internet Economics, and one of the modules involved auction…
Systems Applications Proxy Pwnage
[2011/9/6 Edited to add Slideshare embed] I am currently in London at the first ever 44con conference. It’s been a fantastic experience so far – excellent talks & friendly people. Yesterday, I presented a paper titled “Systems Applications Proxy Pwnage” . The talk precis sums it up nicely: It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default,…
SensePost @ 44Con – Join us!
Until recently, there was a distinct lack of decent, high-quality technical security conferences held in the United Kingdom. Home to the Global Financial Centre, London, there isn’t a shortage of industries who require secure applications and rely on secure infrastructure and applications to operate. With this in mind, 44Con is the first combined information security conference and training event held in Central London. The con will provide business and technical tracks, aimed at…
Metricon6 Presentation
Dominic is currently in the air somewhere over the Atlantic, returning from a long trip that included BlackHat, DefCon and lastly Metricon6, where he spoke on a threat model approach that he has picked up and fleshed out. He has promised a full(er) write-up on his glorious return, however in the meantime his slides are below. An updated copy of the CTM tool is on the CTM page, as is…
BlackHat 2011 Presentation
On this past Thursday we spoke at BlackHat USA on Python Pickle. In the presentation, we covered approaches for implementing missing functionality in Pickle, automating the conversion of Python calls into Pickle opcodes, scenarios in which attacks are possible and guidelines for writing shellcode. Two tools were released: Converttopickle.py – automates conversion from Python-like statements into shellcode. Anapickle – helps with the creation of malicious pickles. Contains the shellcode library.…
Security Policies – Go Away
Security policies are necessary, but their focus is to the detriment of more important security tasks. If auditors had looked for trivial SQL injection on a companies front-page as hard as they have checked for security polices, then maybe our industry would be in a better place. I want to make this go away, I want to help you tick the box so you can focus on the real work.…
SensePost Black Hat Course Summary & chosing the right courses
As we draw nearer to Black Hat Vegas we get a lot of requests from people who need help choosing between one of our courses or the other. In order to provide people with a single, consolidated summary of all the courses we’ll be offering this year I’ve put together a rough summary doc that outlines all the courses and attempts to illustrate how they fit together. Get it here:…
House of Cards
In light of recent mass hacks (HBGary, Sony, Nintendo, etc) one would have thought that collectively, companies would take notice and at least be slightly more aware of the potential implications vulnerabilities in public-facing services could have. The problem appears to be that these hacks, and indeed hackers, aren’t that technically superior and more often than not, take advantage of simple flaws. Some flaws, like SQL injection, provide so much access…
Threat Modeling vs Information Classification
Over the last few years there has been a popular meme talking about information centric security as a new paradigm over vulnerability centric security. I’ve long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down. In pre-summary, I’m still sceptical of information-classification approaches (or information-led control implementations) as I feel they target a theoretically sensible idea,…