In December 2019, we launched a new technical security research blog site. As part of its launch, we had cause to revisit our old blog website and found a myriad of forgotten whitepapers and conference presentations spanning NCC Group’s history (formation in 1999).
Deeply nested on our old blog site, we found over 200 whitepapers and conference presentations dating as far back as 2001, and which included key outputs from previous cyber security acquisitions including NGS Software (2008), iSEC Partners Inc. (2010), Matasano Security (2012), Intrepidus Group (2012), FortConsult A/S (2014), Fox-IT (2015), Payment Software Company Inc (2016), and VSR Inc. (2016).
While much of the research may not be so relevant anymore due to changes in technology landscapes and a maturation of the cyber security industry, the whitepapers and presentations chronicle much of the foundation of our industry. In fact, many times they show the genesis of ideas and techniques, classes of vulnerability, methods of attack and defence, open source tooling, public reports on key internet components, and much more. This research has helped our clients with their cyber security assurance needs, and has positively contributed to the security of the internet as we all know and use it.
There is also sometimes much value in revisiting historical research – this can aid in general learning and development, stimulation of new research ideas, and/or re-invigoration of older research ideas that perhaps at the time were theoretical or unfeasible but are now realisable due to improvements in technology and computational power.
What a journey it's been! The earliest whitepaper topics cover finding and exploiting format string vulnerabilities in Windows 2000; the most recent cover the security of unikernels, with practically every type of technology in between and the security aspects of each.
The research is in no way exhaustive either – many of the public presentations that we have delivered at all manner of Tier-1 conferences around the world over the past 20 years didn’t find their way to our old web site for whatever reason. We have, however, taken whatever was available and present it here: greppable by title, author, synopsis and year of publication in the table below.
We welcome feedback on additional and relevant things to include in this list and we will happily update the table accordingly.
Just reading the author names in the table is fascinating – many of those individuals are now CISOs, CEOs, or senior and influential cyber security professionals in the industry and at some of the largest companies in the world. We are proud of them and their research legacy.
Our current research team continues to build on this legacy as can be seen from their great outputs that we are always excited and proud to showcase on this blog platform. Thank you to everyone who does, and has, contributed to NCC Group’s research and here’s to the next 20 years and the immense research challenges it will bring…
Title | Author(s) | Synopsis | Date |
--- | --- | --- | --- |
Hackproofing Lotus Domino Web Server | David Litchfield | This document describes how to secure the web service that comes with Lotus Domino. It is written to show Lotus Domino administrators how an attacker would attempt to subvert the security of a Domino Web server and provide insight into the mind and modus operandi of a Domino hacker. | 2001 |
Windows 2000 Format String Vulnerabilities | David Litchfield | A deep-dive on format string vulnerabilities in Windows 2000. | 2001 |
Advanced SQL Injection In SQL Server Applications | Chris Anley | This document discusses in detail the common ‘SQL injection’ technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. | 2002 |
More Advanced SQL Injection | Chris Anley | This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. It should be viewed as a “follow up”, or perhaps an appendix, to the previous paper, “Advanced SQL Injection”. | 2002 |
E-mail Spoofing and CDONTS.NEWMAIL – Protecting Microsoft Active Server Pages Applications | David Litchfield | This paper will examine how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server and what must be done to prevent an online ASP application being abused in this way. | 2002 |
Assessing IIS Configuration Remotely – Low Level IIS Application Assessment | David Litchfield | This document will look at the relatively unsung skill of assessing the in-depth configuration of a Microsoft IIS web server remotely, showing how to “read” server responses to do this. | 2002 |
Hackproofing Oracle Application Server – A Guide to Securing Oracle 9 | David Litchfield | This paper will show how an attacker can break into an Oracle-based site, gaining control of the web front end and from there the database server. With each attack explained, the defense against it will be covered. | 2002 |
Microsoft SQL Server Passwords – Cracking the password hashes | David Litchfield | This paper will discuss the function in detail and show some weaknesses in the way SQL Server stores the password hash. In fact, as we shall see, later on I should be saying, ‘password hashes’. | 2002 |
Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP | David Litchfield | This document will describe what they are and how to write one. As will be seen they are easy to write, more so than traditional stack based overflows, as they require only an understanding of how functions are called at a low level. The non-stack based buffer overflow exploit writer doesn’t even need to know assembly language. | 2002 |
Creating Arbitrary Shellcode In Unicode Expanded Strings – The “Venetian” exploit | Chris Anley | The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against “shellcode” type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security. | 2002 |
Violating Database-Enforced Security Mechanisms – Runtime Patching Exploits in SQL Server 2000: a case study | Chris Anley | This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application-enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful example. | 2002 |
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server | David Litchfield | This paper presents several methods of bypassing the protection mechanism built into Microsoft’s Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate. | 2003 |
Variations in Exploit methods between Linux and Windows | David Litchfield | This paper will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system. | 2003 |
New Attack Vectors and a Vulnerability Dissection of MS03-007 | David Litchfield | The patch announced by Microsoft on the 17th March 2003 fixed a security vulnerability in the core of the Windows 2000 operating system. The problem, however, is much wider in scope than just simply machines running IIS. Researchers at NGSSoftware have isolated many more attack vectors including java based web servers and other non-WebDAV related issues in IIS. Due to this, NGSSoftware urge Windows 2000 users to apply the patch. | 2003 |
Quantum Cryptography – A study into the present technologies and future applications | Bill Grindlay | In this report I intend to demonstrate why many scientists now view quantum cryptography as the first ever completely unbreakable cipher, which will allow people all over the world to communicate securely and privately. I shall also consider the implications which this will have on society as a whole, including potential problems for law enforcement organisations and the possible impact on civil liberties. | 2003 |
Writing Secure ASP Scripts | Chris Anley | This paper briefly describes several common classes of coding error generally encountered when auditing web applications running on the Active Server Pages (ASP) platform. | 2003 |
Hackproofing MySQL | Chris Anley | This document is a brief outline of common attacks on MySQL and the steps that a MySQL administrator can take to defend against them. | 2004 |
Slotting Security into Corporate Development | Gunter Ollmann, Sherief Hammad, John Heasman, Chris Anley | Technology trail-blazing organisations such as large financial institutions have been working to secure their custom applications for several years, but the second-tier “technology following” organisations have been slow to follow. This is now rapidly changing due to recent bad press following many highly publicised security compromises. | 2004 |
Blind Exploitation of Stack Overflow Vulnerabilities – Notes on the possibilities within Microsoft Windows NT based operating systems | Peter Winter-Smith, Chris Anley | This paper presents a number of technical discussion points relating to the potential for exploiting stack overflow vulnerabilities without having direct access to the application which is to be exploited. | 2004 |
Passive Information Gathering – The Analysis of Leaked Network Security Information | Gunter Ollmann | Like it or not, every Internet-connected system unintentionally leaks internal information about its organisation which could be used to formulate a targeted attack. Depending upon the source of this leakage, the information may relate to the components used within the organisation’s physical asset infrastructure, the ma | 2004 |
Second-order Code Injection Attacks – Advanced Code Injection Techniques and Testing Procedures | Gunter Ollmann | A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application and then later retrieved, rendered and executed by the victim. | 2004 |
Database Security: A Christmas Carol | David Litchfield | Presentation | 2004 |
An Introduction to Heap overflows on AIX 5.3L | David Litchfield | In terms of exploitation, one way to exploit heap overflows is with the “arbitrary 4 byte overwrite”. When the pointers that keep track of heap blocks are updated, an attacker can influence this if they manage to overwrite the inline heap management data. | 2005 |
Anti Brute Force Resource Metering – Helping to Restrict Web-Based Application Brute Force Guessing Attacks through Resource Metering | Gunter Ollmann | Whilst commonly proposed solutions make use of escalating time delays and minimum lockout threshold strategies, these tend to prove ineffectual in real attacks and may actually promote additional attack vectors. | 2005 |
Database Servers on Windows XP and the Unintended Consequences of Simple File Sharing | David Litchfield | This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. | 2005 |
Securing PL/SQL Applications with DBMS_ASSERT | David Litchfield | Oracle has introduced the DBMS_ASSERT PL/SQL package. Whilst integrated into Oracle 10g Version 2 from day one, DBMS_ASSERT was introduced into 10g Version 1 as part of the October 2005 Critical Patch Update. As a security researcher, it is excellent to see Oracle finally making the right positive moves in the direction of greater security. | 2005 |
Security Best Practice: Host Naming and URL Conventions – Security considerations for web-based applications | Gunter Ollmann | There are a number of simple steps that can be taken to strengthen the security of an environment or application making it more resilient to several popular attack vectors. By understanding how an attacker can abuse poorly thought out naming conventions, and by instigating a few minor changes, it is possible to positively increase the defence-in-depth stature of an environment. | 2005 |
Data-mining with SQL Injection and Inference | David Litchfield | SQL Inference is the subject of this paper; this is the paper I promised I’d write after talking about this at the Blackhat Security Briefings in Europe in March 2005. Better late than never! | 2005 |
Stopping Automated Attack Tools – An analysis of web-based application techniques capable of defending against current and future automated attack tools | Gunter Ollmann | This whitepaper examines techniques which are capable of defending an application against these tools; providing advice on their particular strengths and weaknesses and proposing solutions capable of stopping the next generation of automated attack tools. | 2005 |
The Pharming Guide – Understanding and Preventing DNS-related Attacks by Phishers | Gunter Ollmann | This paper, extending the original material of “The Phishing Guide”, examines in depth the workings of the name services on which Internet-based customers are dependent, and how they can be exploited by Pharmers to conduct identity theft and financial fraud on a massive scale. | 2005 |
Writing Small Shellcode | Dafydd Stuttard | This paper describes an attempt to write Win32 shellcode that is as small as possible, to perform a common task subject to reasonable constraints. The solution presented implements a bindshell in 191 bytes of null-free code, and outlines some general ideas for writing small shellcode. | 2005 |
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms on the Windows platform | David Litchfield | Starting with Windows 2003 Server, Microsoft introduced a number of Exploitation Prevention Mechanisms (XPMs) into their software. Over time these XPMs were refined as weaknesses were discovered and more XPMs were introduced. | 2005 |
Software Penetration Testing | Brad Arkin (Symantec), Scott Stender (iSEC Partners), Gary McGraw (Cigital) | Quality assurance and testing organizations are tasked with the broad objective of assuring that a software application fulfills its functional business requirements. Such testing most often involves running a series of dynamic functional tests to ensure proper implementation of the application’s features. | 2005 |
Dangling Cursor Snarfing: A New Class of Attack in Oracle | David Litchfield | What is detailed in this document should provide a security reason as to why developers should ensure that cursors are closed properly, especially in the event of an exception. | 2006 |
Implementing and Detecting a PCI Rootkit | John Heasman | This paper discusses means of persisting a rootkit on a PCI device containing a flashable expansion ROM. | 2006 |
Inter-Protocol Communication | Wade Alcorn | This paper explores the Inter-Protocol Communication attack vector. That is, the potential of two different protocols meaningfully communicating commands and data. This has been investigated through encapsulating the target protocol within a carrier protocol. The findings demonstrate that under certain conditions distinct protocols are interoperable. | 2006 |
Low Cost Attacks on Smart Cards – The Electromagnetic Side-Channel | Adam Matthews | This paper documents a successful Electromagnetic Analysis attack implemented using limited technical knowledge and low cost equipment. EM traces were acquired from a sample card and analysis software successfully identified the correct key guesses in proprietary traces. | 2006 |
Which database is more secure? Oracle vs. Microsoft | David Litchfield | This paper will examine the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. | 2006 |
Oracle Passwords and OraBrute | Paul Wright | | 2007 |
A Simple and Practical Approach to Input Validation | David Soldera | Input validation, in theory, is not a difficult problem to solve; it is however a difficult problem to get developers to prioritise security (with regards to other development pressures) and put the time and effort into following good security practice when validating input. | 2007 |
Attacking the Windows Kernel | Jonathan Lindsay | This paper is focused on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised, as well as an outline of what possible architectures could be used to mitigate such attacks, such as the research operating system Singularity. | 2007 |
DNS Pinning and Web Proxies | Dafydd Stuttard | There are various ways in which DNS-based attacks against web proxies could potentially be prevented through changes to proxy and browser software. Each of the fixes considered suffers from important shortcomings. In the meantime, there are other defences that organisations and individuals can employ to prevent attacks against them. | 2007 |
Inter-Protocol Exploitation | Wade Alcorn | In October 2006, this author presented a paper exploring the threat of Inter-Protocol Communication. That is, the possibility of two different applications using two different protocols to meaningfully exchange commands and data. This paper extends that and other research to explore Inter-Protocol Exploitation. These findings demonstrate the practicality of encapsulating exploit code in one protocol to compromise a program which uses a different protocol. | 2007 |
Database Security Brief: The Oracle Critical Patch Update for April 2007 | David Litchfield | On the 17th April 2007 Oracle released their 10th Critical Patch Update. This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. | 2007 |
Oracle Forensics Part 1: Dissecting the Redo Logs | David Litchfield | This paper represents the first in a series of papers on performing a forensic analysis of a compromised Oracle database server. | 2007 |
Oracle Forensics Part 2: Locating dropped objects | David Litchfield | As this second paper in the Oracle Forensics series will show, even when an object has been dropped and purged from the system there will be, in the vast majority of cases, fragments left “lying around” which can be sewn together to build an accurate picture of the actions the attacker took – or at least some of their actions. | 2007 |
Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism | David Litchfield | In this section we’ll look at attacks against the authentication mechanism and evidence from the TNS Listener log file and audit trail, assuming CREATE SESSION is audited of course, and to check whether a logon attempt was successful or not. We’ll also look at other attacks levelled at the authentication process including SID guessing, user enumeration and brute forcing of passwords over the network. | 2007 |
Oracle Forensics Part 4: Live Response | David Litchfield | An organization should have a clear understanding of what actions should be taken in the event of an incident occurring. For those that don’t have a plan often the knee-jerk response is to pull the plug or disconnect the system from the network. | 2007 |
Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing | David Litchfield | This paper details information about Oracle 10g Release 2 only and should be used as a guideline for investigating other versions of Oracle as no guarantees or assertions can be made about other versions. | 2007 |
Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin | David Litchfield | This paper examines the ways in which a forensic examiner or incident responder may look for evidence in those places and technologies designed by Oracle for disaster recovery purposes – namely Undo segments, Flashback and the Recycle Bin – of a compromise and the actions an attacker may have taken. | 2007 |
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges | David Litchfield | When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code | 2007 |
Weak Randomness Part I – Linear Congruential Random Number Generators | Chris Anley | This, the first paper in the series, describes the extremely common linear congruential generator and describes a bug in Jetty, a popular Java-based web server, which illustrates some of the dangers described in the paper. | 2007 |
Cross Site Request Forgery – An introduction to a common web application weakness | Jesse Burns | Cross‐site request forgery (CSRF; also known as XSRF or hostile linking) is a class of attack that affects web based applications with a predictable structure for invocation. | 2007 |
Exploiting Rich Content | Riley Hassell | As rich Internet application (RIA) technologies flourish in the marketplace, security professionals have begun to wonder what impact RIA will have on the security landscape. I decided to perform an assessment of one of the most widely deployed technologies, Adobe Flash, and in the process discovered several issues that could be used to compromise systems with Adobe Flash installed. | 2007 |
IAX Voice Over-IP Security | Zane Lackey, Himanshu Dwivedi | Inter‐Asterisk eXchange (IAX) is a protocol used for Voice‐Over‐IP (VoIP) communication with Asterisk servers (http://www.asterisk.org/), an open source PBX system. | 2007 |
A Taxonomy of Attacks against XML Digital Signatures and Encryption | Brad Hill | This document is an enumeration and taxonomy of currently known attacks and evasions against the W3C Recommendation for XML-Signature Syntax and Processing. | 2007 |
Blind Security Testing – An Evolutionary Approach | Scott Stender | Security testing requires that functional testing be covered, for example by ensuring that an authorization mechanism grants or denies access where appropriate, in addition to testing for nonfunctional aspects of the system, a much less tractable test. | 2007 |
ProxMon – Automating Web Application Penetration Testing | Jonathan Wilkins | Performing a web application penetration test is full of repetitive but essential tasks. ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios. | 2007 |
Command Injection in XML Signatures and Encryption | Brad Hill | This paper describes the vulnerabilities in detail and offers advice for remediation. The most damaging attack is also likely to apply in other contexts where XSLT is accepted as input, and should be considered by all implementers of complex XML processing systems. | 2007 |
Firmware Rootkits: The Threat to the Enterprise | John Heasman | Blackhat / DEFCON USA 2007 Presentation | 2007 |
Advanced Exploitation of Oracle PL/SQL Flaws | David Litchfield | Blackhat USA 2007 Presentation | 2007 |
Hacking the Extensible Firmware Interface | John Heasman | Blackhat USA 2007 Presentation | 2007 |
VoIP Security | Barry Dempster | Blackhat USA 2007 Presentation | 2007 |
Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations | David Litchfield | This paper will examine the internals of the Oracle System Change Number (SCN) in 10g and demonstrate how it can be used in the forensic examination of a compromised database server. It will also demonstrate how to use orablock and oratime, part of cadfile, a forensic toolkit for database servers, to discover when an Oracle data block was changed. | 2008 |
Cleaning Up After Cookies Version 1.0 | Katherine McKinley | This paper presents the findings from running our tool using several major browsers with two plug-ins across three common operating systems. We find current browsers are unable to extend tracking protection to third party plug-ins such as Google Gears and Adobe Flash | 2008 |
Developing Secure Mobile Applications for Android – An introduction to making secure Android applications | Jesse Burns | This guide was written for developers of Android applications. It takes the reader through the security model of Android, including many of the key security mechanisms and how you can use them safely. While it is targeted towards applications developers, I hope it is useful background for those intending to change or extend the platform. | 2008 |
Exposing Vulnerabilities in Media Software | David Thiel | Deep media stream fuzzing presents a rich opportunity for turning up hard to find bugs in media players, codecs and other unexpected software, and can be a useful tool for developers to ensure the robustness of code. It also requires techniques a bit different than those used in traditional, bit-flipping file fuzzers. This paper explores possibilities, techniques and results of media codec fuzzing and exploitation, using several modern (and some antiquated) audio codecs as examples. | 2008 |
Secure Session Management With Cookies for Web Applications | Chris Palmer | Strong session management is a key part of a secure web application. Since HTTP does not directly provide a session abstraction, application and framework developers must bake their own using cookies. In this article I aim to help developers avoid the common pitfalls that result in unsafe applications. | 2008 |
A Quick Introduction to SQL Injection | Brad Hill, Geng Yang | This article will give you some tips and tricks to hunt down and eliminate SQL injection in your applications. | 2009 |
Microsoft SDL: Return-on-Investment | iSEC Partners, Microsoft | This paper will help managers: understand and communicate the benefits of a structured approach to software security; develop and use metrics for ROI to guide process improvement; get meaningful results from a new program or optimize existing efforts on a limited budget. | 2009 |
“Aurora” Response Recommendations | Alex Stamos | iSEC Partners has been investigating this attack with several victims, and has found a number of common oversights and vulnerabilities that enabled these attackers to be successful | 2010 |
Secure Application Development on Facebook | Justine Osborne | This document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with the social network experience. | 2010 |
Security Compliance as an Engineering Discipline | Brad Hill | In this article, I’ll focus on some of the strategies and best practices for deploying SDL and integrating it with security compliance regimes. | 2010 |
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards | Brad Hill | This whitepaper will: give a brief introduction to Kerberos and smart cards; dispel some common myths about smart cards; explore the certificate validation practices of common PKINIT implementations; discuss a practical elevation of privilege exploit possible in common configurations of Windows KDCs; provide step by step advice to network architects and administrators for securing their smart card deployments. | 2010 |
BlackBerry PlayBook Security: Part one | Daniel Martin Gomez, Andy Davis | This is the first in a series of white papers about the security of the BlackBerry PlayBook, the first tablet device released by Research in Motion (RIM) who has had significant success with their BlackBerry smartphones that are used extensively by businesses and consumers around the world. | 2011 |
BlackBerry PlayBook Security: Part two – BlackBerry Bridge | Gavin Jones | This is the second in a series of white papers regarding the security of the BlackBerry PlayBook, the first tablet device released by Research in Motion (RIM). | 2011 |
Exporting Non-Exportable RSA Keys | Jason Geffner | This paper discusses the details of said obfuscation and provides code to export non-exportable keys from client versions of Windows, server versions of Windows, and Windows Mobile devices. Unlike prior work done in this space, the solution offered in this paper does not rely on function hooking or code injection. | 2011 |
Fuzzing USB devices using FrisbeeLite | Andy Davis | This paper will discuss the format of device requests that are sent to USB devices in order to hopefully provide an insight into areas where software flaws may exist. It will also discuss a number of public vulnerabilities in USB devices and finally, the installation and usage of Frisbee Lite. | 2011 |
Common Flaws of Distributed Identity and Authentication Systems | Brad Hill | This paper presents an informal list and plain-language discussion, in the spirit of the “OWASP Top 10”, of some common flaws in distributed authentication, authorization and identity systems of the last fifteen years. | 2011 |
Creating a Safer OAuth User-Experience | Paul Youn | An increasing number of web services are implementing OAuth servers in order to allow users to securely share their resources with third-party “consumer” applications. OAuth allows end-users to grant a consumer access to these private resources without surrendering their actual server credentials. Security risks can be introduced into an OAuth implementation and this paper suggests making a more secure user-experience by creating a simple and understandable workflow, implementing a least-privileges model, and auditing consumers. | 2011 |
Exporting Non-Exportable RSA Keys | Jason Geffner | Blackhat EU 2011 Presentation | 2011 |
The Role of Security Research in Improving Cyber Security | Andy Davis | Presentation | 2011 |
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols | Andy Davis | This paper discusses the various communications protocols that exist within HDMI to provide a whole host of plug-and-play functionality and the security impact of exposing these technologies to a corporate environment. | 2012 |
They ought to know better: Exploiting Security Gateways via their Web Interfaces – “All your Gateway are Belong to Us” | Ben Williams | This paper summarises research undertaken to identify various ways to exploit Security Gateway products via their Web UIs, and also provides some practical examples of how these systems could be exploited. | 2012 |
HDMI – Hacking Displays Made Interesting | Andy Davis | In this paper I will explain the circumstances in which display devices send data to their connected host and show that this data could potentially contain threats (which could compromise a laptop for example). I will describe video protocol data-structures, data-sequences and practical challenges. I will also explain how to build a hardware-based fuzzer, provide some example firmware fuzzing code, and describe some interesting findings from the fuzzing which has been undertaken so far. | 2012 |
Abusing Privileged and Unprivileged Linux Containers | Jesse Hertz | This paper will examine some of the security mechanisms behind containers and show how they can be exploited. Although the focus of this paper will primarily be LXC, and it will discuss Docker, this paper will demonstrate many techniques that are applicable across any Linux container system built on the same foundations. | 2016 |
HTML5 SECURITY THE MODERN WEB BROWSER PERSPECTIVE | Doug DePerry | The purpose of this paper is to serve as a current analysis of HTML5 on modern web browsers and mobile platforms and as a reference for related testing methodologies. | 2012 |
AUDITING ENTERPRISE CLASS APPLICATIONS AND SECURE CONTAINERS ON ANDROID – The Limitations of Mobile Security in the Enterprise | Marc Blanchou | There is an increasing need to assess the security claims of such enterprise class software vendors, but there is very little information on how their claims hold up to real world threats. This paper covers research into those threats, with a focus on mobile devices running Android. By understanding the different attack. | 2012 |
AN ADAPTIVE-CIPHERTEXT ATTACK AGAINST “I XOR C” BLOCK CIPHER MODES WITH AN ORACLE | Tom Ritter Jon Passki (Aspect Security) | Certain block cipher confidentiality modes are susceptible to an adaptive chosen-ciphertext attack against the underlying format of the plaintext. When the application decrypts altered ciphertext and attempts to process the manipulated plaintext, it may disclose information about intermediate values resulting in an oracle. In this paper we describe how to recognize and exploit such an oracle to decrypt ciphertext and control the decryption to result in arbitrary plaintext. We also discuss ways to mitigate and remedy the issue. | 2012 |
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols | Andy Davis | 44Con Presentation | 2012 |
When Security Gets in the Way – PenTesting Mobile Apps That Use Certificate Pinning | Justine Osborne Alban Diquet | Blackhat USA 2012 Presentation | 2012 |
The Myth of Twelve More Bytes – Security on the Post-Scarcity Internet | Alex Stamos Tom Ritter | Blackhat USA 2012 Presentation | 2012 |
Mobile Threat War Room | Ollie Whitehouse | RSA Conference eFraud Global Forum | 2012 |
Finding the Weak Link in Binaries | Ollie Whitehouse | Hack in the Box Presentation | 2012 |
Hacking Displays Made Easy | Andy Davis | CanSecWest Vancouver 2012 | 2012 |
Mobile apps and security by design | Ollie Whitehouse | Presentation | 2012 |
Software Security Austerity – Security Debt in Modern Software Development | Ollie Whitehouse | 44Con | 2012 |
They ought to know better: Exploiting Security Gateways via their Web Interfaces | Ben Williams | Blackhat EU 2012 Presentation | 2012 |
Further adventures with USB | Andy Davis | Presentation | 2012 |
The Demise in Effectiveness of Signature and Heuristic Based Antivirus: “Or has the death of AV been wildly exaggerated?” | NCC Group’s Technical Directors Forum | Overall our view is that signature based antivirus is tackling a problem we had 20 years ago and is not relevant to many of today’s threats for businesses, although we feel it still has a role in protecting the consumer. As a result, NCC Group’s opinion is that security budgets might be more effectively directed into other areas of mitigation that offer a higher return on investment in terms of risk reduction. | 2013 |
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms | Andy Davis | This paper details how attackers can exploit the privileged position that laptop docking stations have within an environment. It will also describe the construction of a remotely controllable, covert hardware implant, but most importantly it will discuss some of the techniques that can be employed to detect such devices and mitigate the risks that they pose. | 2013 |
Hacking Appliances: Ironic exploits in security products | Ben Williams | This paper summarises research undertaken during 2012 to assess the overall security posture of popular appliance-based security products. A selection of the products and vulnerabilities discovered during the course of this research are demonstrated here, with redacted proof-of-concept exploits and scenarios in which these vulnerabilities could be exploited. | 2013 |
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions | Andy Davis | In this paper we will show how USB stack interaction analysis can be used to provide information such as the OS running on the embedded device, the USB drivers installed, and the devices supported. | 2013 |
The Pentester’s Guide to Akamai | Darren McDonald | This paper summarizes the findings from NCC’s research into Akamai while providing advice to companies wishing to gain the maximum security when leveraging their solutions. | 2013 |
Lessons learned from 50 bugs: Common USB driver vulnerabilities | Andy Davis | Over the past few years NCC Group has identified over fifty USB driver bugs in all the major operating systems and many of these have affected more than one OS. Based on these discoveries, this paper presents common USB vulnerabilities and how to identify them from a black box testing perspective. | 2013 |
CONTENT SECURITY POLICY BEST PRACTICES | Jake Meredith | Content Security Policy is an HTTP header that provides client side defense in depth against content injection attacks. This document describes the nuances of Content Security Policy, provides guidance on testing and deploying, and proposes a list of best practices for its secure use. | 2013 |
AN INTRODUCTION TO AUTHENTICATED ENCRYPTION | Shawn Fitzgerald | Over the last decade, authenticated encryption has become popularized and a number of modes have been proposed. This paper presents a technical introduction and analysis of the most well-known and standardized modes. | 2013 |
LOGIN SERVICE SECURITY | Rachel Engel | Login and password reset services exist in just about every web application. They’re easy pieces of functionality to think about, but include a few common bugs used by attackers to compromise account credentials. This paper discusses security vulnerabilities related to web login services, highlighting possible implementation pitfalls along the way. | 2013 |
PASSWORD MANAGERS – EXPOSING PASSWORDS EVERYWHERE | Marc Blanchou Paul Youn | Advancements in password cracking and frequent theft of password databases endanger single-factor password authentication systems. Password managers are one of the only tools available that can help users remember unique high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on security promises, or do they introduce their own security vulnerabilities? This paper examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user’s password. | 2013 |
ATTACKS ON SSL – A COMPREHENSIVE STUDY OF BEAST, CRIME, TIME, BREACH, LUCKY13 RC4 BIASES | Pratik Guha Sarkar Shawn Fitzgerald | Over the last few years, a number of vulnerabilities have been discovered in the Transport Layer Security protocol. The purpose of this paper is to serve as an analysis of recent attacks on SSL/TLS and as a reference for related mitigation techniques; particularly as they relate to HTTPS. | 2013 |
WINDOWS PHONE 7 APPLICATION SECURITY SURVEY: a look at popular apps and their data storage practices | Andy Grant | As more people use mobile devices for sensitive tasks, such as online banking and password storage, the data stored on the device increases in value. With each new mobile platform there are more opportunities for a mobile application developer to store data in an insecure manner. This paper looks at how popular Windows Phone 7 apps address data storage with a focus on the platform’s initial lack of data protection APIs and how that influenced the type of and manner in which data was kept on a user’s device. | 2013 |
How to assess and secure iOS apps | NCC Group | 44Con Workshop | 2013 |
Harnessing GP²Us Building Better Browser Based Botnets | Marc Blanchou | Blackhat EU 2013 Presentation | 2013 |
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms | Andy Davis | Presentation | 2013 |
Bypassing Windows AppLocker using a Time of Check Time of Use vulnerability | Ollie Whitehouse | This paper presents the findings from research conducted by NCC Group into a way to bypass Windows AppLocker to allow unauthorized code to execute on a system. | 2013 |
Fuzzing the easy way, using Zulu | Andy Davis | This paper serves as an introduction to using Zulu and includes a number of tutorials explaining how to use the different features within the tool. | 2014 |
XML Schema, DTD, and Entity Attacks A Compendium of Known Techniques | Timothy D. Morgan and Omar Al Ibrahim | The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. A core feature of XML is the ability to define and validate document structure using schemas and document type definitions (DTDs). When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well. | 2014 |
Understanding Ransomware: Impact, Evolution and Defensive Strategies | Emily Mitchell Will Alexander Nikos Laleas Jacqueline Gough David Cannings | In this whitepaper we discuss the potential impact of ransomware trojans, the technology behind a number of recent threats and most importantly how enterprises can begin to protect themselves from losing business critical data. | 2014 |
Erlang Security 101 | Ed Williams | We’ve been doing Erlang security focused code reviews for over four years and built up a body of knowledge on the subject. | 2014 |
Preparing for Cyber Battleships – Electronic Chart Display and Information System Security | Yevgen Dyryavyy | In this paper, we discuss the results of a research project looking at the security risks and weaknesses within Electronic Chart Display and Information Systems (ECDIS), an information technology product used by the maritime industry. | 2014 |
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond | Ollie Whitehouse | This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and, testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle. | 2014 |
An Analysis of Mobile Geofencing App Security | Ashley Cox | NCC Group conducted a security analysis of consumer-focused geofencing mobile applications available for the Android operating system from the Google Play store. The purpose of this security analysis was to identify issues associated with privacy, integrity, and overall security of the solutions. | 2014 |
RESEARCH INSIGHTS – Sector Focus: Financial Services | Matt Lewis | An overview of the current and emerging cyber threats facing financial services. | 2014 |
“SS-Hell: the Devil is in the details” Or “How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit” | Will Alexander Jerome Smith | In this whitepaper we discuss how organisations can avoid SSL issues commonly found during penetration tests, ensure that data in transit is properly secured and ultimately instil in users a sense of confidence that their information is adequately protected. | 2014 |
Application Layer Attacks – The New DDoS Battleground | Akhilesh Mathur Paul Vlissidis | Distributed denial of service (DDoS) attacks, which are designed to flood organisations’ servers preventing sites from functioning efficiently or at all, have become increasingly more sophisticated and targeted in the approach employed to bypass current defences. | 2014 |
Automated enumeration of email filtering solutions | Ben Williams | This paper summarises research undertaken in 2013-2014 to develop offensive reconnaissance techniques for automated and external enumeration of the email filtering solutions of target organisations. | 2014 |
THE FACTORING DEAD: PREPARING FOR THE CRYPTOPOCALYPSE | Javed Samuel | This paper will explain the latest breakthroughs in the academic cryptography community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the recent major developments in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA. | 2014 |
Early CCS Attack Analysis | NCC Group | The OpenSSL project released a security advisory on June 5th 2014, for several newly patched vulnerabilities. Among these is CVE-2014-0224, an attack affecting two susceptible OpenSSL endpoints in the presence of a network attacker. | 2014 |
idb – iOS Blackbox Pentesting | Daniel A. Mayer | Presentation of toolset to assist in iOS blackbox pentesting | 2014 |
PERFECT FORWARD SECURITY – AN EXTRA LAYER OF SECURITY AND PRIVACY | Pratik Guha Sarkar | Disclosure of state sponsored monitoring of electronic communications and the threat of retroactive decryption of traffic of millions of people have created an urge for an extra layer of security and privacy for all electronic communications. The purpose of this paper is to survey Perfect Forward Security — invented more than twenty years ago — as the solution to this problem. | 2014 |
Automating extraction from malware recent campaign analysis | David Cannings | 44Con Presentation Breakfast Briefing | 2014 |
Are we secure yet? | Rory McCune | Trust Forum Presentation | 2014 |
Batten down the hatches: Cyber threats facing DP operations | Andy Davis | Presentation on Cyber threats facing DP operations | 2014 |
External Enumeration and Exploitation of Email and Web Security Solutions | Ben Williams | Presentation on External Enumeration and Exploitation of Email and Web Security Solutions | 2014 |
Distributed Denial of Service | Thomas McDonald Akhilesh Mathur | Presentation | 2014 |
Fuzzing the easy way: Using Zulu | Andy Davis | Nullcon 2014 Presentation | 2014 |
Dissecting Social Engineering Attacks | Robert Ray | Trust Forum Presentation | 2014 |
How we breach network infrastructures and how to protect them | Bernardo Damele | Presentation | 2014 |
Practical SME Security on a Shoestring | Matt Summers | Presentation | 2014 |
Phishing Stories | Shaun Jones | Presentation | 2014 |
Social Engineering – Techniques, Methods, Tools Mitigation | Panagiotis Gkatziroulis | Trust Forum Presentation | 2014 |
SSL Checklist for Pentesters | Jerome Smith | B-Sides Manchester 2014 | 2014 |
The Mobile Internet of Things and Cyber Security | Andy Davis | Presentation | 2014 |
U Plug, We Play | David Middlehurst | B-Sides Manchester 2014 | 2014 |
USB attacks need physical access right? Not any more… | Andy Davis | Presentation | 2014 |
USB under the bonnet | Andy Davis | Presentation | 2014 |
Cyber Red-Teaming Business-Critical Systems while Managing Operational Risk | Ollie Whitehouse | In this short paper, we outline how we support our clients in ensuring they can conduct red team engagements while managing their operational risk levels to within acceptable levels when working with business-critical functions and their underlying systems. | 2015 |
RESEARCH INSIGHTS – Sector Focus: Automotive | David Clare | Driven by demands for cleaner emissions and increased vehicle safety for both drivers and pedestrians, the modern vehicle has become increasingly computerised, and now has more in common with an industrial control system than with a simple mechanically controlled car from 30 years ago. | 2015 |
The Why Behind Web Application Penetration Test Prerequisites | Jerome Smith | The paper is aimed at anyone who is charged with preparing for a web application penetration test, from project managers to developers, and as such it is written for both technical and non-technical readers. | 2015 |
Modelling Threat Actor Phishing Behaviour – “you’re only as strong as your weakest link!” | Ed Williams | This whitepaper will discuss how likely targets are identified and why certain individuals become targets. It will also cover why the timing of attacks affects the likelihood of success. | 2015 |
Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong) | Dominic Wang | In June 2015, Microsoft released the MS15-061 advisory, to address a number of vulnerabilities. This paper aims to provide detailed analysis of one of these vulnerabilities, in the win32k.sys driver, and document the necessary details for exploiting this class of vulnerability on Microsoft Windows 7 Service Pack 1. | 2015 |
“If your password is ‘password’, then it doesn’t matter how good your security is” or “Why password and brute-force mitigation policies matter” | Will Alexander | In this whitepaper we discuss the need for good password and brute-force mitigation (or account lockout) policies, for both operating systems and web applications, to help minimise the likelihood of user accounts being compromised. | 2015 |
RESEARCH INSIGHTS – Common Issues with Environment Breakouts | Dave Spencer | Environment breakout assessments attempt to bypass restrictions and move the user into a less restricted context. | 2015 |
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit | Cedric Halbronn | This paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue before it got patched by Microsoft. | 2015 |
Secure Device Manufacturing: Supply Chain Security Resilience | Rob Wood | This whitepaper is primarily concerned with the following questions: How can I build a secure product that my customers can trust when I do not trust my factory? How do I limit the number of counterfeit devices in the marketplace? Can the grey market be of any benefit to my company? | 2015 |
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817 | Grant Wilcox | In this whitepaper, I will discuss how I went about disassembling and debugging a TD-8817 v8 router to develop a compatible Misfortune Cookie exploit, which would allow me to gain reliable access to the admin control panel on the web interface without the need for a username or password. | 2015 |
RESEARCH INSIGHTS – Exploitation Advancements | Aaron Adams | In the last decade and a half, we have seen a significant shift in the defensive realm, with the introduction of many mitigations into mainstream compilers and operating systems, and into their services and applications. This increase in defences has led exploit writers to start leveraging new techniques, along with many that were previously known but considered advanced and unnecessary, in order to achieve a successful compromise. | 2015 |
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability | Dominic Wang | This paper is a written form of a presentation I gave at ToorCon San Diego in October 2015. It details the exploitation tactics used for exploiting the CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free vulnerability discovered by Yong Chuan, Koh of MWRLabs. | 2015 |
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle | Jeremy Boone | In this paper we describe a methodology for evaluating and selecting the most appropriate static code analysis solution for your software organisation, as well as best practice guidance for effectively integrating that solution with your development procedures as part of a mature secure development lifecycle. | 2015 |
Exploiting CVE-2014-0282 | Katy Winterborn | This paper details the vulnerability and how to produce a working exploit that exits gracefully. | 2015 |
RESEARCH INSIGHTS – Defensive Trends | James Eaton-Lee | Defensive measures in information security have always demanded that information security practitioners attempt to make decisive assessments as to where to deploy resources based on limited information. | 2015 |
RESEARCH INSIGHTS – How we are breaking in: Mobile Security | Thomas Cannon | The proliferation of the personal and business use of mobile devices has created a strong demand for mobile security assurance. Mobile apps and devices can suffer from many of the same vulnerabilities as traditional systems but also require new approaches to security testing and risk assessment. | 2015 |
RESEARCH INSIGHTS – Sector Focus: Maritime Industry | Yevgen Dyryavyy | Computerised systems that are present on board a vessel suffer from many of the same vulnerabilities as traditional systems, but these shipboard systems also require a non-traditional approach to security testing and risk assessment. | 2015 |
PROTECTING STORED CARDHOLDER DATA – AN UNOFFICIAL SUPPLEMENT TO PCI DSS V3.0 | Rob Chahin | This document is intended as an analysis of the various compliant options such that the reader can choose an option that makes sense – and in doing so, meet their compliance obligations while also improving security and keeping costs proportionate. | 2015 |
Blackbox iOS App Assessments Using idb | Daniel A. Mayer | To assist the community in assessing security risks of mobile apps, we introduce our recent tool called idb and show how it can be used to efficiently test for a range of iOS app flaws. | 2015 |
Going AUTH the Rails on a Crazy Train – A Dive into Rails Authentication and Authorization | Tomek Rabczak Jeff Jarmoc | In this paper, we explore Ruby on Rails Authentication and Authorization patterns and pitfalls. | 2015 |
Matasano And ISEC Interns Summer 2014 Internet of Things Security | Brian Belleville Patrick Biernat Adam Cotenoff Kevin Hock Tanner Prynn Sivaranjani Sankaralingam Terry Sun Daniel Mayer | We assessed the security of several currently available IoT devices targeted at consumers. We considered all user-facing interfaces and all networking components to be in scope of our investigation, and evaluated the devices for common security vulnerabilities. All of the devices we investigated had numerous exploitable security flaws. We discuss in detail the vulnerabilities and the processes used to discover them. | 2015 |
Analysis of Boomerang Differential Trails via a SAT-Based Constraint Solver URSA | Aleksandar Kircanski | In this paper, we propose the use of a SAT-based constraint solver URSA as aid in analysis of differential trails and find that previous rectangle/boomerang attacks on XTEA, SHACAL-1 and SM3 primitives are based on incompatible trails. Given the C specification of the cryptographic primitive, verifying differential trail portions requires minimal work on the side of the cryptanalyst. | 2015 |
Secure Messaging for Normal People | Justin Engler Cara Marie | This paper discusses the types of attacks used against a variety of messaging models and discusses how secure messaging features can defend against them. The goal of this paper is to help inform those who are tech-savvy but not crypto-experts to make smart decisions on which crypto applications to use. | 2015 |
Faux Disk Encryption: Realities of Secure Storage On Mobile Devices | Daniel A. Mayer Drew Suarez | In this paper, we discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges, we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for many attack scenarios. | 2015 |
SSL/TLS SMACK: State Machine AttaCKs SKIP-TLS FREAK | NCC Group | Presentation of two attacks: SKIP-TLS: spoofing and encryption removal; FREAK: downgrading of encryption | 2015 |
4 secrets to a robust incident response plan | David Cannings | Webinar Presentation | 2015 |
Broadcasting your attack: Security testing DAB radio in cars | Andy Davis | Presentation | 2015 |
Mature Security Testing Framework | NCC Group | Presentation | 2015 |
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions | Andy Davis | Blackhat USA 2015 Presentation | 2015 |
OSQuery Application Security Assessment – Facebook | Raphael Salas Andrew Rahimi Robert Seacord | Public Report | 2015 |
The L@m3ne55 of Passw0rds:Notes from the field | Ben Williams | Presentation | 2015 |
An Introduction to Ultrasound Security Research | Alex Smye | This paper examines the use of Ultrasound and Near Ultrasound as a communications channel and evaluates potential security issues within them. | 2016 |
A few notes on usefully exploiting libstagefright on Android 5.x | Aaron Adams | At NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this white paper, I will discuss a few tricks we came up with to make the exploit a bit more robust with regards to address space spraying, dealing with SELinux sandbox restrictions, automating device identification, and staging a kernel exploit. | 2016 |
RESEARCH INSIGHTS – Hardware Design: FPGA Security Risks | Duncan Hurwood | The paper examines the process of developing configuration binaries for FPGA devices and the potential security problems that could be encountered. It assumes no prior knowledge of FPGA technology. | 2016 |
Creation of WiMap, the Wi-Fi Mapping Drone | Michael Johnson | The objective of this project is to detail the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. | 2016 |
Private sector cyber resilience and the role of data diodes | NCC Group | It has long been received wisdom that the way to ensure that a network can’t be compromised remotely is to isolate it using an air gap. However, in today’s world, an isolated network is rarely practical given the need for flows between producers and consumers. While these islands might be secure, they are simply not practical given modern demands. | 2016 |
General Data Protection Regulation – Are you ready? | Lydia Lavender | This whitepaper will review the new controls against existing controls for the Data Protection Act 1998 (DPA) and provide key next steps for businesses to undertake ahead of GDPR enforcement. | 2016 |
How to Backdoor Diffie-Hellman | David Wong | We present two ways of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor: a composite modulus with a hidden subgroup (CMHS) and a composite modulus with a smooth order (CMSO). We then explain how we were able to subtly implement and exploit it in a local copy of an open source library using the TLS protocol. | 2016 |
Local network compromise despite good patching: The dangers of NBNS/LLMNR spoofing attacks and how to prevent them | Jon Macfarlane | This paper aims to raise awareness of the dangers of these attacks, and particularly the steps required to prevent them. | 2016 |
Post-quantum cryptography overview | Steffan Karger | Organisations that need to keep long-term secrets, or which are designing systems that will be in use for ten or more years, need to plan for a post-quantum-computing world. This paper gives a short introduction and overview of post-quantum cryptography. We discuss why post-quantum crypto is needed, and provide handles to determine how to plan for migration. Furthermore, we provide an overview of promising post-quantum crypto directions, and provide references for further reading. | 2016 |
My name is Matt – My voice is my password | Matt Lewis | This paper is aimed at IT practitioners tasked with implementing, or looking to use, voice biometrics as an authentication mechanism in systems or applications. The paper should also be useful to anyone interested in learning more about voice biometrics in general, with specific focus on the relative merits and limitations of voice recognition systems. | 2016 |
RESEARCH INSIGHTS – Modern Security Vulnerability Discovery | Aaron Adams Pete Beck Jeremy Boone Zsolt Imre Greg Jenkins Edward Torkington Ollie Whitehouse Peter Winter-Smith David Wood | This paper is intended for individuals with a technical background who are responsible for identifying, understanding, mitigating or responding to security vulnerabilities in software. The paper is technical in nature, although high level, and is intended to provide a view on modern vulnerability discovery approaches in 2016. | 2016 |
End-of-life pragmatism | Blake Markham William Burlend Robbie Joseph | This paper aims to identify and address these concerns and help with planning and replacing technology that is nearing or has reached its end-of-life (EoL) or end-of-support. | 2016 |
State-of-the-art email risk | Julian Storr Dean Hardcastle Matt Lewis | This paper is aimed at senior managers and above with a view to presenting the overall risks that organisations face when using email services, with focus on the techniques used by advanced threat actors and defensive solutions to a number of the vulnerabilities exploited. | 2016 |
Peeling back the layers on defence in depth…knowing your onions | Ed Williams Grant Dale | This whitepaper will discuss five key principles of network design and implementation that, when combined, create the foundations of a defence-in-depth strategy that will provide an organisation with increased assurance, reduce the impact of breaches and ultimately frustrate any malicious threat actors that do breach the perimeter. | 2016 |
Understanding and Hardening Linux Containers | Aaron Grattafiori | This paper discusses these container features, as well as exploring various security mechanisms. Also included is an examination of attack surfaces, threats, and related hardening features in order to properly evaluate container security. Finally, this paper contrasts different container defaults and enumerates strong security recommendations to counter deployment weaknesses, helping support and explain methods for building high-security Linux containers. | 2016 |
My Hash Is My Passport: Understanding Web and Mobile Authentication | David Schuetz | This paper explains, with simple examples, how some of the most frequently seen authentication systems work. It identifies the characteristics of an “ideal” authentication system, compares the common methods against that ideal, and demonstrates how to verify that they’ve been implemented correctly. | 2016 |
Optimum Routers: Researching Managed Routers | Amy Burnett Read Sprabery | In this paper, we discuss the process of finding vulnerabilities in remotely managed routers, in particular those running on the Optimum network. We delve into the setup process for these routers, examine modifications that Optimum has made to an off-the-shelf router firmware, and highlight vulnerabilities in the routers examined. | 2016 |
The Importance of a Cryptographic Review | NCC Group Cryptography Services | Cryptography is an underpinning of every organization’s data security. It is as simple as the correct deployment of TLS and as complicated as bespoke protocols for software updates. This technology is an integral part of an organization’s security infrastructure. With the field constantly evolving, having a dedicated review is becoming increasingly important. | 2016 |
Maritime Cyber Security Threats and Opportunities | Brendan Saunders | Presentation | 2016 |
Zcash Cryptography and Code Review | Alex Balducci Robert Seacord | Public Report | 2016 |
Ricochet Security Assessment | Jesse Hertz Patricio Jara-Ettinger Mark Manning | Public Report | 2016 |
Applying normalised compression distance for architecture classification | Thomas Marcks von Würtemberg | In this whitepaper, we present a technique to classify binaries and shellcode with statistical analysis using normalised compression distance. | 2017 |
Beyond Data Loss Prevention | William Burlend | This whitepaper aims to discuss the various benefits and pitfalls of DLP solutions currently available. It will also address how DLP can be integrated with cloud providers given the ever-increasing demand to place data in the cloud. | 2017 |
GDPR: Knowing your data | Paul Barks | This whitepaper discusses the importance of knowing your data and how to carry out data mapping. | 2017 |
Understanding the insider threat and how to mitigate it | Katy Winterborn | This paper is intended to give a high-level view on the insider threat for those looking to implement a defensive programme. It considers the types of attack that may take place and some of the common weaknesses that aid insider attack. | 2017 |
Latest threats to the connected car intelligent transport ecosystem | David Clare | Modern vehicles consist of a multitude of different inter-connected process control systems which each govern a specific mechanical process. These take input from a complex array of real-time sensors and connected data sources. | 2017 |
Matty McMattface: Security implications, mitigations and testing strategies for biometric facial recognition systems | Matt Lewis | This paper is aimed at IT practitioners tasked with implementing, testing, or looking to use facial recognition biometrics as an authentication mechanism in physical and/or logical systems or applications. | 2017 |
Mobile web browser credential management: Security implications, attack cases and mitigations | Mathew Nash | This paper is aimed at users of internet services and website developers tasked with securely managing user data. | 2017 |
Adversarial Machine Learning: Approaches and defences | Matt Lewis, Thomas Marcks von Würtemberg | In this paper we discuss ‘Adversarial Machine Learning’ and the potential impact of advances in this area of study. | 2017 |
Best practices with BYOD | Paul Dalton | This paper is intended for senior managers and above, with a view to present the overall risks that organisations can encounter with BYOD deployments, as well as touching on privacy concerns that often arise. | 2017 |
Managing PowerShell in a modern corporate environment | Dean Hardcastle | This paper explores how PowerShell is abused by adversaries but, more importantly, how it can be securely managed in a modern corporate environment. | 2017 |
Understanding cyber risk management vs uncertainty with confidence in 2017 | Stephen Bailey, Jeff Bennison, Shanne Edwards, Matt Field, Lee Hazell, Chris Hilder, Ted Ipsen, Patrick McCloskey, Tim Rawlins, Reuben Sinclair, Ollie Whitehouse | There is no universally accepted risk management method or universal acceptance of risk nomenclature. | 2017 |
Encryption at rest: Not the panacea to data protection | Matthew Pettitt | An overview of what encryption at rest does and doesn’t provide in the context of data protection. | 2017 |
Endpoint connectivity | Blake Markham | This whitepaper aims to identify the security risks posed by USB and address the associated concerns by looking at the available strategies and solutions that can be used to deliver effective USB endpoint access control. | 2017 |
Securing the continuous integration process | Irene Michlin | This paper intentionally avoids recommending a specific solution or vendor. Instead, it focuses on the technology and process change involved in setting up a CI environment and aims to provide best practice guidance for introducing CI into your SDLC. | 2017 |
SOC Maturity Capability | Katy Winterborn | This paper aims to give an overview of a SOC and its capabilities, describing the roles and responsibilities of a SOC along with some of the considerations and benchmarks that a mature and capable SOC might utilise. | 2017 |
Non-flood/non-volumetric Distributed Denial of Service | Gabriel Garrido | This whitepaper aims to provide an overview of non-volumetric DDoS attacks, addressing the techniques used to carry out such attacks and the defences or mitigations needed to improve system resilience when under attack. | 2017 |
Rise of the machines: Machine Learning and its cyber security applications | Matt Lewis | This initial whitepaper is by no means intended to be exhaustive; we acknowledge that, as an industry, cyber security is still catching up on ML and AI topics that have been researched for decades within academia. | 2017 |
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things | Matt Lewis | In this paper we set out an approach using graph databases to understand IoT network complexity and the impact different devices and their profiles have on the overall security of an underlying network and its data. | 2017 |
Accessing Private Fields Outside of Classes in Java | Robert C. Seacord | Java developers are frequently unaware that the use of nested classes in Java programs weakens the accessibility guarantees of the language and allows private fields to be accessed from outside the class, potentially violating developers’ assumptions and affecting overall security. This whitepaper describes the Java language mechanisms used in these exploits, specifies the extent to which the compiler weakens the accessibility of private fields, and identifies possible attack vectors. | 2017 |
Network Attached Security: Attacking a Synology NAS | Jason Noll, Prahlad Suresh | Because Synology is one of the top manufacturers of NAS devices, we chose to analyze a Synology DS215j. In doing so we were able to identify a number of exploitable security flaws. In this paper, we discuss in detail the analysis performed, methodologies used, and vulnerabilities found during the summer of 2015. | 2017 |
Combating Java Deserialization Vulnerabilities with Look-Ahead Object Input Streams (LAOIS) | Robert C. Seacord | This whitepaper examines Java deserialization vulnerabilities and evaluates various LAOIS solutions including JDK Enhancement Proposal (JEP) 290. | 2017 |
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries | Nick Collisson | This paper discusses a general approach for finding kinds of pointer sequences and introduces a new tool implementing this approach. | 2017 |
Use of Deserialisation in .NET Framework Methods and Classes | Soroush Dalili | This document lists .NET Framework classes and methods using deserialisation techniques that can potentially be exploited when handling untrusted data. | 2018 |
Third party assurance | David Rowan, Agwu Nwoke | This paper explores the concept behind third party assurance and the extent to which such assurance is deemed satisfactory or detrimental. | 2018 |
Ethics in Security Testing | Nick Dunn | This paper discusses the similarities and differences between professional ethics in the information security industry and ethics in the hacker community. | 2018 |
Public cloud: What, why, where, how, who? | Matthew Pettitt | Are public cloud services safe, cost effective and reliable? | 2018 |
The disadvantages of a blacklist-based approach to input validation | Nick Dunn | In this paper, we look at the relative merits of whitelisting and blacklisting for input validation purposes, and examine the difficulties of carrying out a fully effective blacklisting approach. | 2018 |
Open Banking – Security Considerations and Potential Risks | Matthew Pettitt | NCC Group has been working with a number of providers to ensure that appropriate security is both built into the specifications, and actively applied within specific implementations, both in the bank-specific and in the third-party facing sections. | 2018 |
The Economics of Defensive Security | Nick Dunn | This paper examines the costs of cyber defence in comparison to the costs and likelihood of a data breach. | 2018 |
Nine years of bugs and coordinated vulnerability disclosure: Trends, observations and recommendations for the future | Matt Lewis | This paper provides some analysis of the data that we’ve captured over the past nine years in terms of types of bug found, their risk ratings, whether there are any trends in specific vulnerability classes and whether there are any observations around the overall responsible disclosure process. | 2018 |
Return of the Hidden Number Problem | Keegan Ryan | We implement a full proof of concept against OpenSSL and demonstrate that it is possible to extract a 256-bit ECDSA private key using a simple cache attack after observing only a few thousand signatures. | 2018 |
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations | Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), Yuval Yarom (University of Adelaide, Data61) | Over the last twenty years researchers and implementors have spent a huge amount of effort in developing and deploying numerous mitigation techniques which were supposed to plug all the possible sources of Bleichenbacher-like leakages. However, as we show in this paper, most implementations are still vulnerable to several novel types of attack based on leakage from various microarchitectural side channels. | 2018 |
Android Cloud Backup/Restore | Mason Hemmel, Jason Meltzer, Thomas Pornin, Keegan Ryan, Javed Samuel, David Wong, Rob Wood, Greg Worona | Public Report | 2018 |
NCC Group Kolide- The Update Framework Security Assessment | NCC Group | Public Report | 2018 |
Proxy Re-Encryption Protocol – IronCore Labs | NCC Group | Public Report | 2018 |
Cyber Security in UK Agriculture | Lawrence Baker (NCC Group), Richard Green (Harper Adams University) | This whitepaper addresses the cyber security threat to agriculture and the wider food network. | 2019 |
Common Security Issues in Financially-Oriented Web Applications – A guideline for penetration testers | Soroush Dalili | This document summarises NCC Group’s experience of assessing e-commerce and financial services applications, providing a checklist of common security issues seen in financial services web applications. | 2019 |
Connected Health: Security Landscape Review | Katharina Sommer, Katy Winterborn, Matt Lewis, Stuart Kurutac | Security concerns in connected health can differ from those in environments traditionally tested by the security community, although many of the issues are still applicable. Traditionally, penetration tests in standard environments focus heavily on remote code execution and privilege elevation in order to fully compromise a network. | 2019 |
Assessing Unikernel Security | Spencer Michaels, Jeff Dileo | Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case. | 2019 |
Zcash Overwinter Consensus and Sapling Cryptography Review | Thomas Pornin, Aleks Kircanski, Mason Hemmel, David Wong, Janet Ghazizadeh, Mathias Hall-Andersen, Javed Samuel | Public Report | 2019 |