Attacking SS7: Mobile Operators Security Analysis

The interception of calls is quite a challenging task, but not only intelligence services can pull it off. A subscriber may become a victim of an average hacker who is familiar with the architecture of signaling networks. Commonly known SS7 vulnerabilities allow for the interception of phone calls and texts, can reveal a subscriber’s location, and can disconnect a mobile device from a network.

In 2015, Positive Technologies experts conducted 16 sets of testing involving SS7 security analysis for leading mobile EMEA and APAC operators. The results of the top three projects are included in the statistics below. In this article, we will review the security level experienced by mobile network subscribers, as well as all industrial and IoT devices — from ATMs to GSM gas pressure control systems, which are also considered mobile network subscribers. This article describes detected issues and suggests ways to counter threats.

Pattern language for a universal signature-based code analyzer

The process of signature-based code analysis in PT Application Inspector is divided into the following stages:

1. Parsing into a language dependent representation (abstract syntax tree, AST).
2. Converting an AST to a language (agnostic) unified format.
3. A direct comparison with patterns described in the DSL.

The first two stages were discussed earlier in Theory and Practice of Source Code Parsing with ANTLR and Roslyn and Tree Structures Processing and Unified AST articles. 

The present article focuses on the third stage, namely: ways of describing patterns, development of a custom DSL language, which allows to describe patterns, and patterns written in this language.

Web Application Vulnerabilities-2016: Users Unprotected

Modern web technologies allow businesses to solve organizational issues cost-effectively and efficiently and demonstrate their services and products to a wide range of audiences through the Internet. However, attackers may exploit websites as an easy access point to company infrastructure. This can cause financial and reputational damage, and despite well documented incidents involving compromised security, developers and administrators still pay little attention to the security of web applications.

Positive Technologies experts examine around 300 web applications each year using various techniques from instrument to source-code analysis. This report provides a summary of statistics and findings gathered during penetration testing of web applications in 2015. It also compares 2015 results to those in 2013 and 2014 and tracks the dynamics of web application development in the context of delivering information security.