Publications

MWR InfoSecurity work with the CPNI (Centre for the Protection of National Infrastructure) to publish security advisories (formerly known as UNIRAS Alerts) covering vulnerabilities which we discover via client assignments or research projects. These advisories disclose and discuss vulnerabilities in systems which are in widespread use, and CPNI then liaise with the vendors to secure the application in question. The disclosure of these vulnerabilities gives CPNI the ability to provide timely information concerning potential IT security problems that could affect the Critical National Infrastructure community.

The work of CPNI is underpinned by the principle of responsible disclosure. Information is released to stakeholders at the appropriate time, with the aim of minimising any possible disruption from the threat.

Further information on the work of the CPNI can be found at www.cpni.gov.uk

Recent advisories produced by MWR InfoSecurity are listed below in date order. On this page you can also find recent presentations and White Papers from MWR InfoSecurity consultants.

May 06, 2008

White Paper: IBM WebSphere MQ Security
The first in a series of white papers discussing IBM WebSphere MQ security has been released by Martyn Ruks of MWR InfoSecurity.

IBM’s WebSphere MQ is a widely used and respected middleware application for handling messaging within an enterprise network. Its popularity and level of adoption arise from its robustness, scalability, functionality and compatibility with a wide range of platforms and applications. Whilst the software has a large number of security features, the complexity of the environments within which it operates often results in it being poorly configured. This environmental complexity and the richness of the product’s feature set can make it an attractive target to attackers. In an era when “front-end” web applications and “back-end” databases are subject to increasingly intensive security testing, the weakest link in an application can now often be found in the middleware.

Applications that are not well documented within penetration testing manuals, and for which there is no well-defined testing toolkit available, can often be brushed over during a penetration test. However, a skilled attacker will not concern themselves with such limitations and could exploit any vulnerabilities that are present in the system with devastating effect. This paper documents the results of research and investigation into WebSphere MQ systems and introduces a methodology for assessing the security of the software product from the perspective of a penetration tester.

It has been discovered that WebSphere MQ environments can be secured but this is not a trivial process and a detailed understanding of the technology is required. The information included within this document can be used to understand the requirements of those people who are responsible for the security of such environments.

April 16, 2008

White Paper: Security Implications of Windows Access Tokens
A white paper has been published by Luke Jennings of MWR InfoSecurity which discusses the security exposures that can occur due to the manner in which access tokens are implemented in the Microsoft® Windows Operating System.

A brief overview of the intended function, design and implementation of Windows access tokens is given, followed by a discussion of the relevant security consequences of their design. More specific technical details are then given on how the features of Windows access tokens can be used to perform powerful post-exploitation functions during penetration testing, along with a basic methodology for including an assessment of the vulnerabilities exposed through tokens in a standard penetration test.

Discussion is also included about why many corporate environments (assessed during penetration tests conducted by MWR InfoSecurity) have been found to not be operating in a manner which limits the risk of such issues. Finally, best practice advice is given on how to defend against these attacks.

It must be noted that the security issues discussed in this white paper do not represent a flaw in the Microsoft® Windows Operating System but are an expected consequence based on the design and implementation of Windows access tokens. The important point is that many corporate environments do not account for these issues within their security strategy and, consequently, the controls in many of these environments are not sufficient to withstand the techniques discussed here.

Additionally, it is acknowledged that the security implications of Windows access tokens have been discussed before, both in general terms and to different degrees of technical detail. This document is not intended to present such discussions as being fundamentally new; instead it is intended to collate some of the existing knowledge, introduce some new findings and demonstrate why, many years after the general principles discussed were highlighted, many corporate environments are still vulnerable to these issues.

The paper is based upon research originally presented by the author at Defcon 15 and Chaos Computer Congress (CCC) 2007.

September 27, 2007

White Paper: Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista
This white paper discusses the potential impact of the new Sidebar Gadgets feature of the Microsoft® Windows Vista™ Operating System. It also examines the requirements for its secure rollout and describes in detail different types of attacks and their consequences. Remedial actions and best practice recommendations are also included in this document.

August 03, 2007

Presentation: DefCon WebSphere MQ
On Friday 3rd August 2007 MWR InfoSecurity presented a talk about the security of the IBM WebSphere MQ software at DefCon 15 in Las Vegas. The presentation from the WebSphere MQ talk can be downloaded using the link provided here.

August 05, 2006

Presentation: DefCon 14 IBM Networking
Presentation given by Martyn Ruks at DefCon 14 (2006) on testing IBM Network Security.