Pages

Thursday, September 8, 2016

Online Banking Vulnerabilities: Authorization Flaws Lead the Way



Online banking (OLB) systems are publicly available web and mobile applications, so they suffer from vulnerabilities typical of both applications and banking systems. Bank-specific threats include theft of funds, unauthorized access to payment card data,  personal data and bank secrets, denial of service and many other attacks that can trigger significant financial and reputation losses.

This report synthesizes statistics that were gathered during OLB security audits performed by Positive Technologies in 2015. Comparison with the results obtained in 2013 and 2014 vividly illustrates the dynamics of information security development in modern OLB systems.

Wednesday, August 31, 2016

Attacking SS7: Mobile Operators Security Analysis



The interception of calls is quite a challenging task, but not only intelligence services can pull it off. A subscriber may become a victim of an average hacker who is familiar with the architecture of signaling networks. Commonly known SS7 vulnerabilities allow for the interception of phone calls and texts, can reveal a subscriber’s location, and can disconnect a mobile device from a network.

In 2015, Positive Technologies experts conducted 16 sets of testing involving SS7 security analysis for leading mobile EMEA and APAC operators. The results of the top three projects are included in the statistics below. In this article, we will review the security level experienced by mobile network subscribers, as well as all industrial and IoT devices — from ATMs to GSM gas pressure control systems, which are also considered mobile network subscribers. This article describes detected issues and suggests ways to counter threats.

Thursday, August 25, 2016

Pattern language for a universal signature-based code analyzer

The process of signature-based code analysis in PT Application Inspector is divided into the following stages:
  1. Parsing into a language dependent representation (abstract syntax tree, AST).
  2. Converting an AST to a language (agnostic) unified format.
  3. A direct comparison with patterns described in the DSL.

The present article focuses on the third stage, namely: ways of describing patterns, development of a custom DSL language, which allows to describe patterns, and patterns written in this language.

Tuesday, August 23, 2016

Web Application Vulnerabilities-2016: Users Unprotected



Modern web technologies allow businesses to solve organizational issues cost-effectively and efficiently and demonstrate their services and products to a wide range of audiences through the Internet. However, attackers may exploit websites as an easy access point to company infrastructure. This can cause financial and reputational damage, and despite well documented incidents involving compromised security, developers and administrators still pay little attention to the security of web applications.

Positive Technologies experts examine around 300 web applications each year using various techniques from instrument to source-code analysis. This report provides a summary of statistics and findings gathered during penetration testing of web applications in 2015. It also compares 2015 results to those in 2013 and 2014 and tracks the dynamics of web application development in the context of delivering information security.

Wednesday, July 27, 2016

Tree structures processing and unified AST

The previous article in this series discussed the theory of source code parsing in ANTLR and Roslyn. The article pointed out that a signature-based code analysis in PT Application Inspector is divided into the following stages:
1.        Parsing into a language dependent representation (abstract syntax tree, AST).
2.        Converting AST to a language independent unified format (unified AST, UAST).
3.        A direct comparison with patterns described in the DSL.
The current article focuses on the second stage that includes AST processing using Visitor and Listener strategies, converting AST to a unified format, simplifying an AST, and the algorithm for matching tree structures.

Contents

          AST Traversing
         Visitor and Listener
         Grammar and Visitor in ANTLR
          Types of nodes in a unified AST
          Testing of converters
          Simplifying an UAST
          Conclusion

Tuesday, July 19, 2016

A Positive Technologies Expert Helped to Protect ABB Digital Substations from Cyberattacks


Image credit: ABB    

 ABB, a Switzerland-based company that produces software for control systems in the energy industry, has acknowledged that its PCM600 suffers from four vulnerabilities related to insecure password storage. The one who detected and reported them to the vendor was Ilya Karpov, an ICS security expert from Positive Technologies.

As noted in the ICS-CERT advisory, the ABB engineer software for industrial automation management (protective relay, IED) is deployed in electric power substations around the world. PCM600s up to and including version 2.6 suffer from the vulnerabilities found by Ilya Karpov. Exploiting these flaws allows a low-skilled attacker or malicious software access a local machine that has ABB's PCM600 installed, reconfigure a project or obtain critical information to leverage read and write access via OPC.

Friday, June 24, 2016

Antivirus As a Threat


Many people do not consider antivirus tools to be a threat. Antivirus software is frequently considered a trusted application; it may cause the reduction of information system efficiency, but provides protection against different types of attacks. As a result, antivirus can be the sole protection tool for the end-user while a set of antivirus software becomes the principal security method for enterprises.

However, as with any complicated programs, antiviruses are inherently vulnerable. Antivirus processes are trusted and run in privileged mode with extensive access rights and that makes antiviruses appealing for attackers, as their exploitation can lead to system compromise.
Currently, more attention is paid to vulnerabilities of protection software and antiviruses in particular. The swelling numbers of exploits found and published in exploit-db and other resources indicate that this is a growing problem.

The chart above demonstrates the number of vulnerabilities found yearly in well-known antivirus software for the last 15 years. In the 2000s, information about antivirus vulnerabilities was published rarely, but in 2015, more than 50 exploits based on such critical vulnerabilities in antiviruses as authentication bypass, privilege escalation, and remote code execution were published.