Context publishes white papers as part of the company’s commitment to share knowledge with a wider audience, thereby helping to raise awareness of security issues and promote best practice.
We seek to communicate ideas and key information in a straightforward way, to help organisations take swift action where necessary, but a white paper also provides enough space to analyse technical issues in more detail, or to consider the full implications of a specific vulnerability, or the likely origins and purpose of a particular type of threat.
Previous publications, including our studies of cloud technologies and our examination of the challenges faced by organisations seeking to secure mobile technologies, have been well received. They have sparked debate and ongoing dialogue with readers, including, in some cases, technology providers keen to work with us to mitigate vulnerabilities or risks of which they had not previously been aware.
Exploiting XML Digital Signature Implementations
James Forshaw - October
There are a number of XML uses which would benefit from a mechanism of cryptographically signing content. For example, Simple Object Access Protocol (SOAP), which is a specification for building Web Services that makes extensive use of XML, could apply signatures to authenticate the identity of the caller. This is where the XML Digital Signature specification comes in, as it defines a process to sign arbitrary XML content such as SOAP requests.
MDM. The solution to BYOD?
Alex Chapman - October
Managing Bring Your Own Device (BYOD) within an enterprise environment poses a serious, continuous challenge for IT security professionals. As the line between the organisation and outside systems is blurred, the overall security of the enterprise can be affected. Organisations seeking to take full advantage of the numerous business benefits that widespread use of mobile devices by the workforce can offer must strike a delicate balance between security requirements and the need to create a BYOD environment that users will be happy to utilise – in part because if users come to regard security measures as unacceptably onerous they may seek to bypass them, thereby creating additional security vulnerabilities.
Pixel Perfect Timing Attacks with HTML5
Research - Paul Stone - August 2013
HTML 5 and related technologies bring a whole slew of new features to web browsers, some of which can be a threat to security and privacy. This paper describes a number of new timing attack techniques that can be used by a malicious web page to steal sensitive data from modern web browsers, breaking cross-origin restrictions.
Web Application Vulnerability Statistics 2013
Assurance - Jan Tudor - May 2013
Over the past three years Context has gathered statistics from a range of IT security activities and consultancy engagements. One of the most common activities performed during this period has been web application penetration testing. This whitepaper will provide a unique insight into the state of web application security, presenting penetration test analysis drawn from a dataset containing nearly 12,000 confirmed vulnerabilities, found in almost 900 pre-release and production web applications during the period between January 2010 and December 2012.
Kevin O'Reilly - 22nd March 2013
Network monitoring need not be an impossible dream; you just have to be realistic about what you want to achieve. This paper seeks to educate the reader on the benefits of internal network monitoring, and on the point at which you should call in professional help. It will also guide the reader on how best to prepare for dealing with what a detection programme finds, and how to start thinking about raising network security in general. This is not a hands-on technical guide, but rather an article to stimulate thought and provoke discussion within an organisation.
PlugX - Payload Extraction
Kevin O'Reilly - 22nd March 2013
The remote access Trojan malware strain known as PlugX has attracted a certain amount of attention in the security world during the last few months. PlugX is a relatively new backdoor implant, implicated in security problems experienced by a number of different organisations. It provides backdoor or remote access functionality, allowing an attacker to obtain information about infected systems and to egress data from the target. This white paper outlines analysis conducted by Context of PlugX in action within a client network. Below you will find details of the intelligence gathered during this process, including a description of how PlugX hides itself on disk using custom encryption. We also release source code for the command line tool that accompanies this paper, designed to recognise if a given file is in fact a PlugX payload file, and extract the executable and data contents ready for further analysis.
The information and the accompanying source code will be useful to those of you who are dealing with a suspected PlugX infection, or require a command line tool to decrypt and decompress payload files automatically. Please download a copy of the source code for this tool from the main PlugX page or to request a pre-compiled version, email email@example.com.
Tablets In The Enterprise
It is difficult to ignore the growing presence of tablet computers in schools and workplaces around the world. Tablets are conveniently small, light and powerful, are less expensive than many laptops, yet have excellent storage facilities and connectivity. They are often sold with built-in apps or accompanying desktop software, which provides access to rich multimedia content for entertainment on-the-go and allows the tablet’s data to be backed up to a local computer or to a cloud-based service. The device format is perfect for social networking, but also for creating documents, presentations and other content on-the-fly, then, with a few taps and swipes, sharing it with the management team, or the wider world. It is easy to see why growing numbers of people prefer tablets to desktops and laptops: they allow a blend of productivity, connectivity and physical freedom which has never quite been achieved before.
Are You My Type?
The process of serialization is a fundamental function of a number of common application frameworks, due to the power it provides a developer. Serializing object states is commonly used for persistent storage of information as well as ephemeral data transport such as remote object services.
The .NET framework provides many such techniques to serialize the state of objects, but by far the most powerful is the Binary Formatter, a set of functionality built into the framework since v1.0. The power provided by this serialization mechanism, the length of time it has been present and the fact that it is tied so closely into the .NET runtime make it an interesting target for vulnerability analysis.
This whitepaper describes some of the findings of an analysis of the properties of the .NET Binary serialization process, which led to the discovery of fundamental vulnerabilities allowing remote code execution, privilege escalation and information disclosure attacks against not just sandboxed .NET code (such as in the browser) but also remote network services using common framework libraries. It should be of interest both to security researchers, as it demonstrates attack techniques that could apply to other serialization technologies, and to .NET developers, to help them avoid common mistakes with binary serialization.
Crouching Tiger, Hidden Dragon, Stolen Data
Media reports show that targeted cyber attacks against government and commerce have been ongoing since at least 2003 and possibly some time before that. By far the largest sponsor of these attacks is the Chinese state. This is not a new problem; it is espionage with a
These attacks are far from random or indiscriminate. They are designed to steal information that will fulfil a clear set of requirements set by the Chinese state and furnish them with political, commercial and security/intelligence information. These requirements are carefully and clearly identified, shared with a number of government departments and constantly updated. There is evidence of worldwide targeting but only a minority of attacks are identified and fewer still made public.
Web Application Vulnerability Statistics 2010-2011
Over the past two years Context has been amassing statistics on a range of IT security activities based on the output of real-world IT security consultancy engagements. One of the most common activities performed during this period has been web application penetration testing. This whitepaper will provide a unique insight into the state of web application security, presenting penetration test analysis from a dataset containing nearly eight thousand confirmed vulnerabilities found in almost six hundred pre-release web applications during the period between January 2010 and December 2011.
Assessing Cloud Node Security
Some major Cloud providers currently expose their clients’ data to the risk of compromise as a result of serious flaws in the implementation of their technologies. This is the key finding of a major new survey of the security of Cloud nodes completed by Context Information Security.
Smartphones in the Enterprise
Following a recent surge of customers coming to us with concerns about the security considerations of enterprise-wide Smartphone deployments, and with the millions of Smartphone devices shipped worldwide in 2010 cementing their ubiquity as a global business tool, Context decided to build upon its experience in the field by dedicating independent research effort to investigating the leading technologies in the Smartphone marketplace, specifically from an enterprise security perspective.
Clickjacking - Black Hat 2010
Paul Stone, a consultant at Context, has conducted research into Clickjacking and produced a white paper which was premiered at Black Hat 2010, in a talk of the same title – Next Generation Clickjacking.
Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.