Wednesday, November 18, 2015

Web-application vulnerabilities: no light at the end of the tunnel

There has been significant growth in web applications, from official sites and ERP systems, to e-commerce and e-banking platforms, and portals providing government services. These applications have increasingly become a target for hackers attempting to target enterprise information systems. Positive Technology conducted a study in 2014 to assess the state of web application security. The key findings are discussed below.

Friday, October 30, 2015

HackerSIM: Blamestorming

Recently, there have been a lot of articles about a SIM card that has some incredible features. This topic sparked a lively discussion full of skepticism and mind-blowing theories. Let's lift the veil on some technical aspects of this story. Of course, we wouldn't be able to carry out the tests without the SIM card provided by @MagisterLudi.

A short resume for those who don't want to read the whole review:
  • There is no forced encryption, protection from intercept complexes, connection to a base station with the second strongest signal, IMSI and location hiding.
  • There is phone number substitution, voice substitution, and billing.
Let's take a closer look at each of these features.

Thursday, October 22, 2015

Vulnerability Assessment According to CVSS 3.0

We have been using this assessment system since we created our vulnerability base and developed our first product, XSpider (I hope there are some who remember it). It is very important for us to maintain the knowledge base that we use in our products and services and keep it up-to-date. Since the guidelines to CVSS metrics do not cover all the possible vulnerabilities, the question arises: what is the best way to make the index reflect the real severity level of a vulnerability?

We are constantly monitoring the development of the standard, so we have been waiting for the final version of CVSS. When I opened the specification, I wanted answers to the following questions. What was improved? What exactly was changed? Can we apply the new standard to our products? And — considering the fact that the database is often managed by new specialists — how much time do you need to master the assessment procedure? And how clear are the criteria?

This article appeared in the course of studying the standard and will, hopefully, help you to understand the new vulnerability assessment procedure.

Monday, October 12, 2015

Industrial control system security in 2014: trends and vulnerabilities

In recent years, the industrial control systems (ICS) have become a popular target for malicious users and cyber criminals. The Stuxnet (2010) and Flame (2012) worms were replaced by more complicated malware and sophisticated attack schemes in 2014. For example, hackers spread the Havex Trojan horse by injecting malicious code into SCADA software on vendors' websites. This malicious software was then downloaded in factories, so that attackers could obtain administrative access to industrial control systems in several European countries.

In 2012, specialists from Positive Technologies published a research paper entitled "SCADA Safety in Numbers". The current report is an update on that paper through 2015. Key trends in ICS security are listed below:

Friday, October 2, 2015

Positive Technologies Experts Detect Critical Vulnerability in Huawei LTE Modems

Huawei thanked the Positive Technologies experts Timur Yunusov and Kirill Nesterov and the information security specialist Alexey Osipov, who detected a harmful vulnerability in Huawei 4G USB modems (E3272s) and helped to fix it.

Upon the research, the Chinese telecommunications equipment company issued a software update for the device.

According to the Huawei PSIRT bulletin, a potential intruder can block the device by sending a malicious packet. The Positive Technologies researchers claim that the vulnerability may lead to a DOS attack and remote arbitrary code execution via an XSS attack or stack overflow.

Wednesday, September 2, 2015

Key Vulnerabilities in Corporate Information Systems in 2014: Web Applications, Passwords and Employees

From 2013 to 2014, there was an increase in the vulnerability of the information systems of large enterprises. In about 60% of system attacks, the network perimeters were penetrated via web application vulnerabilities. Additionally in 2014, there was decreased awareness among employees regarding security issues, as they were more likely to follow unverified links and open files attached to e-mails from unknown sources.

These findings are outlined in detail in Positive Technologies’ 2014 penetration testing results publication and contrast significantly from the 2013 findings. The penetration testing simulates a hacker attack and provides a more realistic assessment than traditional auditing techniques alone.

Friday, August 21, 2015

Positive Technologies helps to eliminate critical vulnerabilities in Siemens and Schneider Electric SCADA systems

Ilya Karpov, a Positive Technologies expert, detected vulnerabilities in products intended for building automation systems in various industries — from petrochemical to power plants.

Ilya found a problem related to clear-text password storage in Schneider Electric systems — InTouch Machine Edition 2014 (version 7.1, Service Pack 3, Patch 4) and InduSoft Web Studio (, as well as in their previous builds. The vulnerability that got the CVE-2015-1009 identifier and 6.4 base mark though cannot be exploited remotely requires only a low-qualified internal attacker.