
Security Policy Gone Wrong

Another story from the trenches:

Client: “You will have to work on site for this job. The data you’re gonna work with is of course highly sensitive and confidential. We cannot risk any of it leaving the company premises.”

Ok, so at this point, you usually prepare yourself to disillusion the client about how secure large company networks usually are and through how many insecure systems their data travels daily (including the Internet). But this time, they had a solution to the problem:

Client: “Ok, how about this: We take an image of your hard drive when you enter the building. When you leave in the evening, we take another image and see what data changed. This way, we know if any sensitive data leaves the company.”

No further questions. On the bright side, it didn’t take long to convince them that this wouldn’t really solve the problem.

The moral of the story: If you hire pentesters to deliberately hack your network and search for security vulnerabilities, make sure that you trust them. Otherwise, look for another company. This is one of the reasons why we always have a personal meeting even before we send you a quote: we want you to know who we are and that you can entrust us with the highly sensitive task of pentesting your network. All our pentesters are listed on our homepage, something you usually do not see with other companies. You may also want to read this older blog post about pentesting as a me-too business, a topic that is also relevant when thinking about trust.


A Tale of Access Control and Config File Backups

Location: A security area with access control. Two pentesters need to get (legitimate) access to the area, which requires three things: An authorisation token, your signature, and your identity card. The token is ready, the paper sheet signed and… access is granted. Wait, what about the identity card? The friendly security guard is stumped.

“Well, the system says an ID card is not required. Let me check again. Nope, the option’s not checked. But now that you mention it… we had a software upgrade last week. I guess the config just got lost in the process.”

So remember: when doing a software update in a high-security area, back up your config files beforehand and compare them with the configuration after the update, so that a silently dropped setting does not go unnoticed. You may spare yourself the unpleasant surprise of having some pentesters notice the lowered security barrier. Or, much worse, a real incident.
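The comparison the story calls for, as an added example that is not part of the original post: snapshot a tree of simple “key=value” configuration files before the upgrade, snapshot it again afterwards, and list every setting that was lost or changed. The file format, the option names in the sample (require_id_card and friends) and the notion of a list of settings that must keep a given value are all assumptions made for this example.

```python
import os

# Added example (not from the original post): diff configuration snapshots
# taken before and after a software upgrade. Assumes plain "key=value" files
# with "#" comments; the option names used in the tests are invented.

def parse_config(text):
    """Parse "key=value" lines into a dict; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # split on the first "=" only
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def load_config_dir(path, suffix=".conf"):
    """Return {relative file name: {key: value}} for every *.conf below path."""
    snapshot = {}
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            if name.endswith(suffix):
                full = os.path.join(root, name)
                with open(full, encoding="utf-8") as fh:
                    snapshot[os.path.relpath(full, path)] = parse_config(fh.read())
    return snapshot

def compare_snapshots(before, after):
    """Diff two snapshots; returns a sorted list of (kind, file, key, old, new).

    kind is LOST (setting gone after the upgrade), CHANGED (value differs) or
    NEW (setting only exists afterwards; worth a look as well).
    """
    findings = []
    for fname, old_settings in before.items():
        new_settings = after.get(fname, {})
        for key, old in old_settings.items():
            if key not in new_settings:
                findings.append(("LOST", fname, key, old, None))
            elif new_settings[key] != old:
                findings.append(("CHANGED", fname, key, old, new_settings[key]))
    for fname, new_settings in after.items():
        for key, new in new_settings.items():
            if key not in before.get(fname, {}):
                findings.append(("NEW", fname, key, None, new))
    return sorted(findings)

def weakened_settings(findings, required):
    """Keep only findings about settings that must stay at a given value.

    required maps "file/key" to the value it has to keep, e.g. "yes".
    A LOST setting has new value None and therefore always counts as weakened.
    """
    return [f for f in findings
            if f"{f[1]}/{f[2]}" in required and f[4] != required[f"{f[1]}/{f[2]}"]]

if __name__ == "__main__":
    import sys
    before = load_config_dir(sys.argv[1])   # snapshot copied before the upgrade
    after = load_config_dir(sys.argv[2])    # live configuration afterwards
    for kind, fname, key, old, new in compare_snapshots(before, after):
        print(f"{kind:7} {fname}:{key}  {old!r} -> {new!r}")
```

The useful part is the second filter: a full diff of an upgraded product can be long, while the handful of settings that actually enforce the security policy is short and known in advance, so that list is what should gate the change back into production.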


17th DFN-CERT Workshop 09.-10. Feb.

Another year has passed and it’s time again for the annual DFN-CERT workshop. It’s taking place for the 17th time, and this year, Lutz will talk about emulation-based unpacking of runtime-packed malware in his (German) talk

“Emulationsbasiertes Entpacken von laufzeitgepackten Schadprogrammen und darüber hinaus”

He’ll show you his project “Pandora’s Bochs”, based on the popular Bochs IA-32 Emulator. The talk will be on February 9th, the first workshop day, at 4:15pm. Be aware that the location changed, it now takes place at the Grand Elysée Hamburg.

We are happy to have been accepted for a talk for the fourth time in a row; it’s always nice to be at the DFN-CERT workshop and present some of our research. Be sure to check out the program, there’ll be other interesting talks, too.


Scanning JBoss AS for open Invokers

Apparently, the guys at Acunetix were tired of examining their JBoss Application Servers manually for vulnerabilities. From version 6.5 build 20091215 on, their Web Vulnerability Scanner includes checks for the issues described in our JBoss paper.

To give you a little reminder: Always check for

  • http://www.example.com/jmx-console
  • http://www.example.com/web-console
  • http://www.example.com/web-console/Invoker
  • http://www.example.com/invoker/JMXInvokerServlet

and any open JBoss Remoting / RMI ports. See the paper for details.

So, if you own a copy of Acunetix WVS, there are no excuses anymore that you accidentally missed an open JMX Invoker ;)
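For those without a scanner licence, an added example (not from the original post or from the JBoss paper) that walks the four paths listed above and probes the TCP ports on which JBoss AS exposes its invokers. The port numbers (1099 JNDI naming, 4444 RMI invoker, 4445 pooled invoker) are the defaults of JBoss AS 4.x/5.x as assumed here, and the mapping of HTTP status codes to findings is a heuristic for this example: a 200 only means the resource answered without asking for credentials and still deserves a manual look.

```python
import http.client
import socket

# Added example (not the page's or the paper's code): check the JBoss
# management consoles and invokers for missing authentication.

INVOKER_PATHS = [
    "/jmx-console",
    "/web-console",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
]

# Assumed JBoss AS 4.x/5.x defaults: JNDI naming, RMI invoker, pooled invoker.
INVOKER_PORTS = {1099: "JNDI naming", 4444: "RMI invoker", 4445: "pooled invoker"}

def http_status(host, port, path, timeout=5.0):
    """GET path over plain HTTP; returns the status code, or None if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(status):
    """Heuristic: turn an HTTP status into a finding label."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "OPEN (no authentication asked)"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    return f"status {status}"

def scan_jboss(host, http_port=8080, get_status=http_status, port_open=tcp_open):
    """Check every invoker path and port. The two callables are injectable
    so the logic can be exercised without a live JBoss instance."""
    findings = {}
    for path in INVOKER_PATHS:
        findings[path] = classify(get_status(host, http_port, path))
    for port, name in INVOKER_PORTS.items():
        findings[f"tcp/{port} ({name})"] = "OPEN" if port_open(host, port) else "closed"
    return findings

def open_findings(findings):
    """Names of everything that is reachable without authentication."""
    return sorted(k for k, v in findings.items() if v.startswith("OPEN"))

if __name__ == "__main__":
    import sys
    for item, result in scan_jboss(sys.argv[1]).items():
        print(f"{item:40} {result}")
```

An open port alone is not a vulnerability; it is the combination of a reachable invoker and a missing authentication layer that lets an attacker drive the MBean server. The scan is meant as the quick first pass; the paper describes what to do once something turns up as OPEN.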


New Advisories: Multiple Vulnerabilities in Geo++(R) GNCASTER

RedTeam Pentesting published three new advisories today. During a pentest, we found security vulnerabilities in the Geo++(R) GNCASTER NTRIP Caster:

All vulnerabilities have been fixed by the vendor in version 1.4.0.8, so if you happen to run this software, please update as soon as possible.


Shady Work

“So, you hack companies and then tell them that you found security vulnerabilities? And afterwards they hire you to show them what is wrong?”

This is one of the questions you get asked surprisingly often when you explain to people what you do for a living (and the answer is no: we don’t proactively hack companies and then sell our service. That’s what the mafia does). Although pentesting is a term more and more established in IT, the art of finding security vulnerabilities and actively exploiting them to verify the practical impact is still regarded as rather shady work by many. There’s at least the presumption that all pentesters must’ve been blackhats in their past, as the skills required to do this job can only be acquired hanging out in the dark corners of the Internet, learning from 1337 h4X0rs who hack the gibson on a daily basis. Ok, frankly, you really don’t learn this stuff just by attending classes at university, but I think you get the point.

I guess this may be one of the reasons why from time to time, business offers of a, let’s say, rather questionable kind arrive at our doors. Security experts are in high demand it seems, on both sides of the law.

When you explain why you absolutely need to know what systems/networks are in scope (so we don’t accidentally attack an IP from a range close by, for example), many people drop a sentence about how interesting it would be to know what the competition is doing. Everyone says it with a wink and smile (and, one time, the promise of a small island in return), but sometimes, you’re not quite sure if it would really be out of the question. Competition’s tough these days.

At the other end of the spectrum, there are the phone calls asking if you also work outside of Germany (yes, we do) and what skillsets your “hackers” have (hmm, they’re like, good at what they do?). After some more inquiries, it turned out that this was not meant to be a pentest of a normal company network… suffice to say, we thankfully declined.

I’m being rather vague here to protect the innocent (i.e. me, so I don’t wake up next to this), but just to make this clear again: Either you’re a legit company who wants to know about potential security problems in your own stuff, or we can’t work for you. If you are a legit company in need of a pentest, the contact information’s on the website :).


TLS Renegotiation Vulnerability: Proof of Concept Code Released

As promised, the TLS Renegotiation vulnerability Python PoC is now publicly available on our website:

http://www.redteam-pentesting.de/publications/tls-renegotiation

RedTeam wishes you all a Merry Christmas. Be sure not to use the code for something naughty, Santa will know ;).


SSL Man-in-the-Middle PoC to come

You might have noticed the SSL/TLS authentication gap vulnerability that was announced publicly in November. If not, you can find the original whitepaper at phonefactor.com. Thierry Zoller also published a detailed analysis and description of the problem.

Like many others, we have spent some time on that vulnerability. Unfortunately, the original Proof-of-Concept code is written in C and cumbersome to use. So Lutz decided to write our own. This PoC is written in Python and is – hopefully – platform independent. It works great for doing Man-in-the-Middle attacks against HTTPS-secured websites. We already used the code in our pentests and demonstrated to our clients what may happen if SSL/TLS renegotiation is enabled.
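What the server ends up processing in such an attack, as an added illustration that is not the PoC announced here: the man in the middle negotiates its own TLS session with the server, sends the beginning of an HTTP request, and then forwards the victim’s handshake inside that session as a renegotiation. The server treats the victim’s request as a continuation of the same application-data stream, so the attacker’s prefix and the victim’s request are concatenated. The prefix, host name and cookie below are constructed for the example.

```python
# Added example (not the original PoC): simulate the request splicing that
# the TLS renegotiation gap makes possible. Hostnames, paths and the cookie
# value are invented; the trick of ending the prefix with an unterminated
# header is a well-known way to swallow the victim's request line.

ATTACKER_PREFIX = (
    b"GET /transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "   # no CRLF: the victim's request line becomes this header's value
)

VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-secret\r\n"
    b"\r\n"
)

def spliced_stream(prefix, victim_request):
    """What the server reads after the renegotiation: attacker bytes, then victim bytes."""
    return prefix + victim_request

def parse_http_request(data):
    """Minimal HTTP/1.x request parser: (method, target, [(name, value), ...])."""
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return method.decode(), target.decode(), headers

def header(headers, name):
    """All values of a header, case-insensitively."""
    return [v for n, v in headers if n == name.lower()]

def server_view(prefix=ATTACKER_PREFIX, victim_request=VICTIM_REQUEST):
    """Parse the spliced stream as the server would and return what it acts on."""
    method, target, headers = parse_http_request(spliced_stream(prefix, victim_request))
    return {
        "method": method,
        "target": target,                         # chosen by the attacker
        "cookie": header(headers, "Cookie"),      # supplied by the victim
        "x-ignore": header(headers, "X-Ignore"),  # the swallowed victim request line
    }

if __name__ == "__main__":
    for k, v in server_view().items():
        print(f"{k:9} {v}")
```

The attacker never sees the victim’s plaintext; the damage is that the server executes an attacker-chosen request with the victim’s credentials. This is why the fix (RFC 5746, secure renegotiation) cryptographically binds a renegotiation to the handshake that preceded it rather than trying to filter application data.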

We are going to release the code in a couple of days on our website, so stay tuned and check the news and this blog for updates.


JBoss Paper: English version released

We finally got around to translating and releasing the 27+ pages of our JBoss paper (see also this post). That was quite some work: the first versions of my translations always read like a one-to-one translation from German. Then I read them again and correct those horrible-sounding sentences into what I hope is reasonably passable English. Thanks go also to Lutz for proof-reading and riddling the LaTeX sources of the PDF with FIXMEs ;).

The paper should have been released a lot earlier, but as usual, other work took over. But better late than never.

The paper can be found in our “Publications” section as usual. To our knowledge, this is currently the only paper dealing with the JBoss AS and its Invokers from an attacker’s perspective.


English Paper about Man-in-the-Middle Attacks against chipTAN Online

The English version of the paper we released yesterday is now also online, title: “Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System”:

http://www.redteam-pentesting.de/en/publications/MitM-chipTAN-comfort

Have fun.
