Tuesday, December 2, 2014

DDoS attack over Load Balancer: secure your cookies!

In security assessments we deal with many kinds of network devices, both common and rare. Load balancers belong to the latter group. Today we would like to talk about the session persistence methods of the F5 BIG-IP load balancer. As we found out, an attacker can bypass the configured load balancing algorithm simply by manipulating the value of the persistence cookie.

What is a load balancer? It is a network device that distributes application traffic among servers and lets an administrator control and modify traffic characteristics according to configured parameters. Many applications require that all requests of one client session be served by the same server. For this purpose BIG-IP tracks and stores session information, including the address of the particular web server that is serving the client, and uses it to send that client's requests to the same web server for the lifetime of the session.
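As an added illustration (not code from the original post), the script below decodes and encodes the plaintext form of the BIG-IP cookie persistence value. The encoding is F5's documented format for an IPv4 pool member, "<ip>.<port>.0000", where the address is its four octets read as a little-endian integer and the port has its two bytes swapped. The pool membership and cookie values are constructed for the demo, and the `audit_cookie` helper is our own check, not a BIG-IP feature. Because the plaintext cookie is trivially reversible, a client can compute the value for any pool member and force all of its requests onto that server regardless of the balancing method, which is the manipulation the post describes; BIG-IP's encrypted persistence cookies remove that ability.

```python
"""Decode and encode the plaintext BIG-IP cookie persistence value.

Added example for this post, not the article's code. Format (documented by F5):
"<ip>.<port>.0000", <ip> = the four IPv4 octets read as a little-endian 32-bit
integer, <port> = the TCP port with its two bytes swapped. Only the plaintext
IPv4 form is handled; IPv6 and encrypted cookies are out of scope here.
"""
from __future__ import annotations

import re
import struct
from collections import Counter

COOKIE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value: str) -> tuple[str, int]:
    """Return (ip, port) of the pool member a plaintext BIGipServer* cookie points to."""
    m = COOKIE_RE.match(value)
    if not m:
        raise ValueError(f"not a plaintext BIG-IP persistence cookie: {value!r}")
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError("field out of range")
    # First octet of the address is the low byte of the integer.
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    # Port bytes are stored swapped: 80 (0x0050) appears as 0x5000 = 20480.
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]
    return ip, port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie: the value a client would forge to pin itself to ip:port."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets) or not 0 <= port <= 0xFFFF:
        raise ValueError(f"bad ip/port: {ip}:{port}")
    ip_int = struct.unpack("<I", bytes(octets))[0]
    port_int = struct.unpack(">H", struct.pack("<H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def audit_cookie(value: str, pool: set[tuple[str, int]]) -> str:
    """Our own sanity check (not a BIG-IP feature) for cookies seen in requests or logs:
    'ok' if the cookie names a configured pool member, 'not_in_pool' if it points
    elsewhere, 'malformed' if it does not parse."""
    try:
        member = decode_bigip_cookie(value)
    except ValueError:
        return "malformed"
    return "ok" if member in pool else "not_in_pool"


def persisted_distribution(cookies: list[str]) -> Counter:
    """Count how many requests each pool member receives if persistence is honoured."""
    return Counter(decode_bigip_cookie(c) for c in cookies)


if __name__ == "__main__":
    # Constructed pool of three members behind one virtual server.
    pool = {("10.1.1.100", 80), ("10.1.1.101", 80), ("10.1.1.102", 80)}
    for member in sorted(pool):
        print(member, "->", encode_bigip_cookie(*member))
    # A client that sends one member's cookie in every request pins itself to that
    # member; the configured balancing method never gets a say.
    forged = [encode_bigip_cookie("10.1.1.100", 80)] * 1000
    print(persisted_distribution(forged))
    print(audit_cookie("1677787402.20480.0000", pool))   # ok
    print(audit_cookie("3232235778.20480.0000", pool))   # not_in_pool
```

With a large `forged` list the distribution shows the whole load landing on a single member, which is what makes the cookie a denial-of-service lever against one server behind the balancer.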

Wednesday, September 17, 2014

Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors

Authors: Mark Ermolov, Artem Shishkin // Positive Research

PDF version: link

Kernel Patch Protection (also known as "PatchGuard") is a Windows mechanism designed to protect the integrity of vital kernel code and data structures used by the operating system. It was introduced in Windows Server 2003 x64 and has been continuously improved in later Windows versions. In this article we present a descriptive analysis of PatchGuard for the latest Windows 8.1 x64 OS, focusing primarily on PatchGuard initialization and the attack vectors related to it.

Kernel patch protection is developed incrementally, so the initialization process is essentially the same across all versions of Windows that have PatchGuard. Many papers describing its initialization have already been published; see the references at the end of this article for details.

Sunday, August 3, 2014

Cell Phone Tapping: How It Is Done and Will Anybody Protect Subscribers

You have probably read on various news websites about surveillance programs run by security services in different countries that cover the phone and Internet communications of ordinary citizens. We have already written about possible threats to mobile telecommunication networks, and today we want to focus on one particular attack vector against mobile subscribers.

In short, the outline is as follows. The attacker gains access to the SS7 (Signaling System No. 7) network and sends a Send Routing Info For SM (SRI4SM) request into the signaling network, specifying the phone number (MSISDN) of the targeted subscriber A as a parameter. Subscriber A's home network (its HLR) responds with the following technical information: the IMSI (International Mobile Subscriber Identity) and the address of the MSC currently serving the subscriber.
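To make the information flow concrete, here is an added model of the SRI4SM exchange (not code from the article, and not a real MAP/TCAP encoder: messages are plain dicts). The subscriber record, IMSI, MSC address and global titles are constructed. The `HomeRoutingHLR` variant shows the mitigation usually deployed against this lookup, SMS Home Routing (3GPP TS 23.840): for requests that do not come from the home network, the HLR answers with the address of an SMS router and an IMSI-shaped correlation ID instead of the real IMSI and MSC, so the requester learns nothing about where the subscriber is. How "from the home network" is decided (SCCP calling-party screening, for instance) is outside the model and passed as a boolean.

```python
"""Model of the MAP SendRoutingInfoForSM (SRI4SM) exchange described above.

Added example, not the article's code and not a real MAP/TCAP encoder: messages
are plain dicts so that the information flow is visible. Subscriber record,
IMSI, MSC address and SMS router global title are all constructed values.
"""
from __future__ import annotations

import secrets

# Constructed HLR record: MSISDN -> (IMSI, address of the MSC currently serving the subscriber)
HLR_DB = {"79150000001": ("250010123456789", "79150000100")}
SMS_ROUTER_GT = "79150000999"          # constructed global title of the home SMS router
HOME_MCC_MNC = "25001"                 # constructed PLMN prefix used for correlation IDs


def sri_sm_request(msisdn: str, sc_addr: str) -> dict:
    """Request an attacker (posing as an SMSC) sends into the SS7 network for subscriber A."""
    return {"op": "SRI-SM", "msisdn": msisdn, "serviceCentreAddress": sc_addr}


def hlr_without_home_routing(req: dict) -> dict:
    """HLR behaviour the post describes: IMSI and serving MSC go back to any requester."""
    imsi, msc = HLR_DB[req["msisdn"]]
    return {"op": "SRI-SM-ack", "imsi": imsi, "networkNodeNumber": msc}


class HomeRoutingHLR:
    """HLR with SMS Home Routing (3GPP TS 23.840).

    Requests from outside the home network get the SMS router's address and an
    IMSI-shaped correlation ID; the router resolves the real MSC only when the
    actual MT-ForwardSM arrives. Deciding whether a request is "from home" (e.g.
    by SCCP calling-party screening) is outside this model and passed as a flag.
    """

    def __init__(self) -> None:
        self.correlations: dict[str, str] = {}   # correlation ID -> MSISDN

    def handle(self, req: dict, from_home_network: bool) -> dict:
        imsi, msc = HLR_DB[req["msisdn"]]
        if from_home_network:
            return {"op": "SRI-SM-ack", "imsi": imsi, "networkNodeNumber": msc}
        # 15-digit value in IMSI format so a foreign SMSC uses it unchanged in MT-ForwardSM.
        corr = HOME_MCC_MNC + "".join(secrets.choice("0123456789") for _ in range(10))
        self.correlations[corr] = req["msisdn"]
        return {"op": "SRI-SM-ack", "imsi": corr, "networkNodeNumber": SMS_ROUTER_GT}

    def resolve(self, correlation_id: str) -> tuple[str, str]:
        """What the SMS router does on MT-ForwardSM: map the correlation ID back to (IMSI, MSC)."""
        msisdn = self.correlations.pop(correlation_id)
        return HLR_DB[msisdn]


def leaks_subscriber_data(resp: dict) -> bool:
    """True if an SRI-SM answer reveals a real IMSI or a real serving-MSC address."""
    real = {imsi for imsi, _ in HLR_DB.values()} | {msc for _, msc in HLR_DB.values()}
    return resp["imsi"] in real or resp["networkNodeNumber"] in real


if __name__ == "__main__":
    req = sri_sm_request("79150000001", sc_addr="441234567890")   # constructed foreign SMSC address
    plain = hlr_without_home_routing(req)
    print("plain HLR  :", plain, "leaks:", leaks_subscriber_data(plain))
    hlr = HomeRoutingHLR()
    ack = hlr.handle(req, from_home_network=False)
    print("home routed:", ack, "leaks:", leaks_subscriber_data(ack))
    print("router resolves:", hlr.resolve(ack["imsi"]))
```

The point of the comparison is that home routing does not block SRI4SM; it changes what the answer contains, so an outside requester gets a usable delivery address for SMS but no IMSI and no MSC to build on.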

Monday, July 28, 2014

What Is So Dangerous in Smart Grids?

Electricity is getting more expensive, and the world economy is looking for new ways to improve energy efficiency. Besides solar and wind power stations, Smart Grids that allow energy to be used more effectively are being actively built around the world. Because they are usually connected to the Internet, there is natural interest in their level of security.

Sunday, July 20, 2014

Review of Hash Runner Tasks

This year, Hash Runner took place over the three days before Positive Hack Days: from 19:00 on May 16 to 19:00 on May 19 (UTC+4, Moscow). Among other things, we tried to accommodate all geographically dispersed teams by covering the 48 hours of a full weekend in every time zone. We received a lot of positive feedback about including the whole weekend, so we will try to keep it this way.

Congratulations to the winners!

  1. InsidePro with 22.81% (write-up) won two R290x video cards plus souvenirs.
  2. hashcat with 21.23% (write-up) won an R290x video card plus souvenirs.
  3. john-users with 12.78% (write-up) won souvenirs.

In the three years of the contest we have had three different winners: hashcat in 2012, john-users in 2013, and InsidePro in 2014. Every year most submissions arrived in the last 15 minutes, so the winner was decided at the very last moment. In 2012 and 2013 InsidePro was pushed into second place by hashcat and john-users respectively; this year InsidePro finally came first.

Wednesday, July 16, 2014

Review of Competitive Intelligence Tasks

Today we would like to discuss some practical aspects of gathering confidential data, using the tasks of the online contest Competitive Intelligence, which was held on May 15, 16 and 17.

Monday, July 14, 2014

Review of WAF Bypass Tasks

This year, visitors to the Positive Hack Days forum were invited to try bypassing the PT Application Firewall in a contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathered the best information security experts. We had prepared a set of tasks for the contest, each one a script containing a typical vulnerability.

The participants were invited to exploit these vulnerabilities to obtain flags. All tasks were solvable, though some solutions were far from obvious. The contestants were also given the report produced by scanning the tasks' source code with another Positive Technologies product, Application Inspector. In this article we will go through the contest tasks, the bypass methods, and the experience we gained.