Outstanding Communications Solutions. Root Canal. A new class of SS7 vulnerabilities
- Bryan Adams
- 5 years ago
Transcription
1 Outstanding Communications Solutions Root Canal A new class of SS7 vulnerabilities
2 Agenda
SS7 Vulnerable by design
- Acknowledged signalling vulnerabilities
- The root problem
- Mitigation - The signaling band-aid
A new class of SS7 vulnerabilities
- Malformed Packets
- Prerequisites
- Attacking and Tunneling
- Multi stage exploit
- Proposed mitigation and limits

3 Introduction
Presenter: Fredrik Söderlund, Symsoft, Software and Systems Security Advisor
Background in
- Reverse engineering
- Debug tools development
- Telecom security
Security researcher and contributor to the GSMA CVD program
Worked on multiple SS7 firewall designs, both for SMS and full spectrum SS7

4 Introduction
Symsoft CLX Communications
Communications Solutions for Operators
- 75+ Mobile Operator Customers
- Enterprise Customers
- IoT and MVNO Platforms
- Fraud & Security
- Real-Time BSS
- Value Added Services

5 SS7 Vulnerable by design: Signaling Vulnerabilities

6 Acknowledged vulnerabilities
Signaling based attacks
- Location tracking (ATI, PSI): Spying on subscribers or VIPs
- Profile manipulation (ISD, registerSS): Fraud, call redirection or denial of service
- Subscriber hijacking, DoS (UL, DSD): Eavesdropping, fraud or denial of service

7 Acknowledged vulnerabilities
Yes, they are dangerous and costly, and they indicate the network is vulnerable
But they are also perfectly normal and the expected functionality of an SS7 network
The network is doing exactly what is intended
Attacks or misuse?
These attacks have been known for a long time and were easy to predict.

8 Acknowledged vulnerabilities
The root problem is always the same
- Subscriber tracking: Lack of authentication (who is reading?)
- Profile manipulation: Lack of authentication (who is writing?)
- Location update: Lack of authentication (who is moving?)

9 The root problem
Everyone trusts everyone
- If you're on the network you're a friend
Anyone can impersonate anyone
- If you're on the network we assume you are who you say you are

10 Mitigation - The signaling band-aid
The obvious answer to signaling problems: Introduce authentication!
Let's not do that
Instead we will:
- Cat 1 - Filter network edge for unexpected or unwanted operations
- Cat 2 - Verify fields across stack layers without 1:1 match of components (CC+NNGT : MCC+MNC)
- Cat 3 - Verify subscriber location by last known location or plausibility of movement

11 Mitigation - The signaling band-aid
In addition to filtering we can also configure our networks better
- Whitelist roaming partners, known nodes/peers
- Introduce home routing
- Whitelist exceptions based on origin and opcode
The result is a reasonably secure network
The signaling band-aid works pretty well

12 Mitigation - The signaling band-aid
So what is the problem?
13 A new class of SS7 vulnerabilities: Malformed Packets

14 Well formed Packet

15 Malformed Packet

16 Malformed Packets
Non signaling based attacks in malformed packets
- Routable attacks using malformed ASN.1 or SCCP layer data
- Crafted payloads targeting known firmware vulnerable to encoding based attacks
- Sophisticated attacks most likely using hijacked infrastructure
- Potential attackers include APTs such as nation states or criminal networks

17 Malformed Packets
Denial of Service
- Aim is to crash the targeted network element, either to influence network performance or to steer traffic to alternative links where the attacker may have better visibility
- Methods include, for example: buffer overflows, null pointers, stack depletion, memory corruption, infinite nesting
Remote Code Execution
- Aims to take control of the targeted network element in order to exfiltrate data, scan network, generate traffic, commit fraud or eavesdrop on network traffic or subscribers
- Methods include the same as Denial of Service attacks but with the goal of executing code via controllable crash. Once code execution has been achieved the attacker is likely to proceed with privilege escalation and full compromise of the network element

18 Malformed Packets
Compare a normal packet to a letter
- A letter flows by country, city, street and finally reaches a person
- In a malformed packet the attacker attempts to interrupt this flow or even trap it in an infinite loop and ultimately crash the application

19 Malformed Packets
- Malformed data can also point to sections of code or data outside the actual packet
- Such pointers can redirect the flow and introduce a predictable and reproducible crash of the application

20 Malformed Packets
Most dangerous is Remote Code Execution
- The predictable crash is exploited to run code
- The code installs a Command & Control server
- Attacker can scan and control the network
Worst case - The attack is totally transparent
21 A new class of SS7 vulnerabilities: Prerequisites

22 Prerequisites
What we need to launch this attack
- A vulnerable ASN.1 parser in the target node
- Some type of UE registered in the target network, to act as a known recipient in the target network
- The ability to send a routable SCCP packet carrying a 500 byte payload

23 Prerequisites
A vulnerable ASN.1 parser, does it exist?

24 Prerequisites
Getting a handset into the target network should be doable

25 Prerequisites
Sending a 500 byte payload over SS7
- Over M3UA it seems that most nodes accept payloads above 500 bytes in size without question
- Over MTP3 there is a physical limit of 272 bytes
- This limitation may carry over to M2PA
This could be a bottleneck...

26 Prerequisites
- Full length or concatenated SMS are larger than 272 bytes
- They usually consist of an empty TCAP Begin followed by the payload in a TCAP Continue
- Payloads larger than 272 bytes can be sent divided into multiple parts
This means that SS7 also has ways of passing larger packets to the application layer

27 Prerequisites
- SCCP UDT (Unitdata) has a size limitation (still, however, well above what an attacker needs)
- If a packet exceeds the size limit of 272 bytes it may be transported over XUDT to accommodate the legacy size limit
- SCCP XUDT (Extended Unitdata) offers fragmentation and can therefore encapsulate larger packets also over MTP3 and M2PA
- Fragmented packets are reassembled on arrival and passed in original form to the application

28 Prerequisites
We have a method of delivery
- Regular SCCP UDT over M3UA appears to be widely accepted with larger packet sizes
- XUDT over MTP3/M2PA offers a fragmented alternative to overcome the physical barrier of legacy technology
29 A new class of SS7 vulnerabilities: Attacking and Tunneling

30 Attacking and Tunneling
Crafting the attack
- We are still subject to some limits with regard to the size of the attacks.
- No hard cap, but an attacker needs to limit the size of the initial infection for a better chance of success
- This means crafting a multi stage attack
Characteristics of the ideal MAP operation for initial infection:
- Spoofable (we don't need the returnResult)
- Variable size
- Optional parameters

31 Attacking and Tunneling
MAP reset
- Fits the description
- Spoofable and contains a variable size hlr-list of IMSIs as optional parameter

32 Multi stage exploit
Primary infection: 500 bytes carried in the optional list parameter of MAP reset
- Trigger vulnerability, start execution
- Allocate space for hook procedures
- Adjust memory protection of 1 page of code
- Patch recv function and install hook 1
Hook 1 filters all incoming SMS traffic towards the attacker UE registered in the target network
- Chunks of executable code are delivered and assembled into second stage of infection
- When all chunks have been delivered, hook 1 is replaced by hook 2

33 Multi stage exploit
Secondary infection: 2000 bytes of PoC code
- Does not need to connect back to original attacker GT - The primary infection may be spoofed
- Offers the ability to execute commands on target
- Has the ability to report back to attacker
- Data is tunneled to target using MT SMS
- Data is tunneled from target using MO SMS
Infection is transparent to target node and leaves no stains on the file system.

34 Call Flow
Multiple stage attack using MAP reset and MT SMS
- Delivers exploit, installs Command & Control (C2)
- Attacker can proceed to control network remotely
- Scan, cross infect, commit fraud, deny service

35 Call Flow
First stage attacks encoding at ASN.1 or SCCP
- Crashes the MSC in a predictable way
- Installs hook procedure to filter incoming MT SMS
- Returns control to application and starts filtering

36 Call Flow
Second stage is built using MT SMS
- MT SMS contain code for C2 in TPDU User-Data
- Hook detects incoming MT SMS by known UE IMSI
- Reassembles MT SMS chunks to build C2 server

37 Call Flow
C2 server acts as attacker inside network
- Attacker sends commands using MT SMS
- C2 executes attacker commands
- C2 functionality can be extended if required

38 Multi stage exploit
Alternative methods
- Using SMS leaves CDR records
- Is it possible to build a stealth version to avoid or limit CDR records?
- And what about evading SS7 Firewalls?

39 Multi stage exploit (stealth ver)
- extensionContainers
- privateExtensionList
- Encoding can be vendor specific

40 Multi stage exploit (stealth ver)
A sophisticated attacker could use extensionContainers both for primary attack and tunneling
- Could use fake UL from hook to trigger stream of ISD from attacker
- ISD can carry extensionContainers
- This could be very difficult to detect
Vendor specific encoding must either be ignored by the SS7 Firewall or blocked by default. So extensions may actually pass through firewalls unfiltered

41 Multi stage exploit (stealth ver)
An attacker could also create virtual subscribers on the hijacked MSC to obfuscate and hide tunneled data further
- Generate UL to simulate an inbound roamer registering with the network
- This could also leave limited or no information in CDRs, especially if virtual subscribers are created at random by the attacker

42 Multi stage exploit (SMS vs PE)
MT SMS
+ Easy tunneling, simple encoding and exchange
+ Control network node without SS7 connectivity (after initial hook all other things can be done from a phone)
- All communications logged in CDRs, unless attacker wipes them, if possible
Private Extensions
+ Possibly better stealth capability
+ May pass through SS7 Firewalls as it relies on proprietary data structures
- More complex encoding and exchange
- Less bandwidth than SMS tunneling
43 A new class of SS7 vulnerabilities: Proposed Mitigation and Limits

44 Proposed mitigation and limits
Denial of Service - Protection Mechanisms
Validation of encoding and packet structure
- ASN.1 validation for TCAP, MAP, CAP layers: validation of packet size, pointers, nesting levels, adherence to specification
- Parameter validation for SCCP: parameter size/position; flags, bitmasks and format of data, such as invalid structure of parameters or pointers reaching outside the SCCP packet
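
The structural checks listed on slide 44 (size, lengths that reach outside the enclosing element, nesting levels) can run as a pre-parse gate before any ASN.1 decoder sees the data. The following C sketch is an added example, not code from the presentation or from any vendor: the policy limits, the decision to reject indefinite lengths, and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,   /* a header or value reaches outside its enclosing element */
    BER_BAD_TAG,     /* tag number spread over more octets than accepted here */
    BER_BAD_LENGTH,  /* reserved or oversized length-of-length */
    BER_INDEFINITE,  /* indefinite length, rejected by this example's policy */
    BER_TOO_DEEP,    /* constructed nesting deeper than policy allows */
    BER_TOO_LARGE    /* whole message larger than policy allows */
};

struct ber_policy {
    size_t   max_total;  /* assumption: operator-chosen size ceiling */
    unsigned max_depth;  /* assumption: operator-chosen nesting ceiling */
};

/* Walk every TLV in buf[0..len). Recursion is bounded by max_depth, so a
 * hostile message cannot exhaust the validator's own stack. */
static enum ber_status ber_walk(const uint8_t *buf, size_t len, unsigned depth,
                                const struct ber_policy *p)
{
    size_t pos = 0;

    while (pos < len) {
        uint8_t id = buf[pos++];
        uint8_t l0;
        size_t vlen = 0;

        if ((id & 0x1f) == 0x1f) {              /* high-tag-number form */
            unsigned n = 0;
            do {
                if (pos >= len) return BER_TRUNCATED;
                if (++n > 4) return BER_BAD_TAG;
            } while (buf[pos++] & 0x80);
        }

        if (pos >= len) return BER_TRUNCATED;
        l0 = buf[pos++];
        if (l0 == 0x80) return BER_INDEFINITE;
        if (l0 < 0x80) {
            vlen = l0;                          /* short form */
        } else {
            unsigned n = l0 & 0x7f;             /* long form: n length octets */
            if (n > 4) return BER_BAD_LENGTH;   /* also rejects reserved 0xff */
            if (len - pos < n) return BER_TRUNCATED;
            while (n--) vlen = (vlen << 8) | buf[pos++];
        }

        /* The declared value must fit inside what is left of the parent. */
        if (vlen > len - pos) return BER_TRUNCATED;

        if (id & 0x20) {                        /* constructed: check children */
            enum ber_status s;
            if (depth + 1 > p->max_depth) return BER_TOO_DEEP;
            s = ber_walk(buf + pos, vlen, depth + 1, p);
            if (s != BER_OK) return s;
        }
        pos += vlen;
    }
    return BER_OK;
}

enum ber_status ber_validate(const uint8_t *buf, size_t len,
                             const struct ber_policy *p)
{
    if (len == 0) return BER_TRUNCATED;
    if (len > p->max_total) return BER_TOO_LARGE;
    return ber_walk(buf, len, 0, p);
}

/* Constructed sample inputs (generic BER, not captured traffic). */
static const uint8_t MSG_OK[]      = {0x30,0x08, 0x30,0x03, 0x04,0x01,0xaa, 0x02,0x01,0x05};
static const uint8_t MSG_OVERRUN[] = {0x30,0x03, 0x04,0x7f, 0xaa};  /* inner length 127, 1 octet left */
static const uint8_t MSG_DEEP[]    = {0x30,0x08, 0x30,0x06, 0x30,0x04, 0x30,0x02, 0x30,0x00};
static const uint8_t MSG_INDEF[]   = {0x30,0x80, 0x04,0x01,0xaa, 0x00,0x00};
static const uint8_t MSG_LONGLEN[] = {0x04,0x85, 0x00,0x00,0x00,0x00,0x01, 0xaa};
/* Depth limit kept small so the samples stay short; real limits are site policy. */
static const struct ber_policy POLICY = { 1024, 4 };

int main(void)
{
    printf("ok=%d overrun=%d deep=%d indef=%d longlen=%d\n",
           ber_validate(MSG_OK, sizeof MSG_OK, &POLICY),
           ber_validate(MSG_OVERRUN, sizeof MSG_OVERRUN, &POLICY),
           ber_validate(MSG_DEEP, sizeof MSG_DEEP, &POLICY),
           ber_validate(MSG_INDEF, sizeof MSG_INDEF, &POLICY),
           ber_validate(MSG_LONGLEN, sizeof MSG_LONGLEN, &POLICY));
    return 0;
}
```

A deployment that must accept indefinite-length encodings would replace the outright rejection with a bounded search for the end-of-contents octets.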
45 Proposed mitigation and limits
Remote Code Execution - Protection Mechanisms
Payload size monitoring
- For an attacker to successfully perform an encoding based attack the initial attack must contain both an exploit part and actual code.
- Some specific SS7 operations, such as MAP reset, can be monitored specifically for abnormal size
Fragmentation checks XUDT/XUDTS
- Generally fragmented traffic is very rare and occurs if traffic has passed through E1/TDM type networks or potentially M2PA links
- Monitor fragmented traffic; if there are spikes it could be an indication that attack testing is being conducted towards the receiving network
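
Both monitors from slide 45 can be expressed over a stream of per-message records from a signaling probe. The following C sketch is an added example, not code from the presentation: the record layout, the size ceiling, the spike rule (floor and factor) and the sample events are assumptions constructed for illustration, and real thresholds should come from a baseline of the operator's own traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCCP_UDT    0x09   /* SCCP message type codes */
#define SCCP_XUDT   0x11
#define SCCP_XUDTS  0x12
#define MAP_RESET   37     /* MAP operation code for reset */
#define MAX_WINDOWS 16

/* Hypothetical probe record, one per observed message. */
struct sig_event {
    unsigned window;       /* index of the counting interval, e.g. one hour */
    uint8_t  sccp_type;
    int      map_opcode;   /* -1 when the operation was not decoded */
    size_t   payload_len;  /* SCCP user data length in bytes */
};

/* Payload size monitoring: count messages of one operation above a ceiling. */
size_t count_oversized(const struct sig_event *ev, size_t n,
                       int opcode, size_t ceiling)
{
    size_t hits = 0, i;
    for (i = 0; i < n; i++)
        if (ev[i].map_opcode == opcode && ev[i].payload_len > ceiling)
            hits++;
    return hits;
}

/* Fragmentation check: count XUDT/XUDTS per window and flag a window when
 * its count is above `floor` and more than `factor` times the mean of all
 * earlier windows. Returns a bitmask with bit w set for each flagged window. */
unsigned fragment_spikes(const struct sig_event *ev, size_t n, unsigned windows,
                         unsigned floor, unsigned factor)
{
    unsigned counts[MAX_WINDOWS] = {0};
    unsigned w, sum_prev = 0, flagged = 0;
    size_t i;

    if (windows > MAX_WINDOWS) windows = MAX_WINDOWS;
    for (i = 0; i < n; i++) {
        int frag = ev[i].sccp_type == SCCP_XUDT || ev[i].sccp_type == SCCP_XUDTS;
        if (frag && ev[i].window < windows)
            counts[ev[i].window]++;
    }
    for (w = 1; w < windows; w++) {
        sum_prev += counts[w - 1];
        /* counts[w] > factor * (sum_prev / w), kept in integer arithmetic */
        if (counts[w] > floor && counts[w] * w > factor * sum_prev)
            flagged |= 1u << w;
    }
    return flagged;
}

/* Constructed sample events: XUDT counts per window are 1, 0, 1, 6, 0. */
static const struct sig_event SAMPLE[] = {
    {0, SCCP_UDT,  MAP_RESET, 40},
    {0, SCCP_XUDT, 44, 300},
    {1, SCCP_UDT,  44, 150},
    {2, SCCP_XUDT, 44, 310},
    {2, SCCP_UDT,  MAP_RESET, 520},   /* reset far above the ceiling */
    {3, SCCP_XUDT, -1, 255}, {3, SCCP_XUDT, -1, 255}, {3, SCCP_XUDT, -1, 255},
    {3, SCCP_XUDT, -1, 255}, {3, SCCP_XUDT, -1, 255}, {3, SCCP_XUDT, -1, 255},
    {4, SCCP_UDT,  2, 90},
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    printf("oversized reset: %zu\n",
           count_oversized(SAMPLE, SAMPLE_N, MAP_RESET, 100));
    printf("spike windows mask: 0x%x\n",
           fragment_spikes(SAMPLE, SAMPLE_N, 5, 2, 3));
    return 0;
}
```

A flagged window still feeds the running mean afterwards, so a sustained burst raises its own baseline; excluding flagged windows from the baseline is a reasonable refinement.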
46 Proposed mitigation and limits
There are limits to what can be protected
- The initial attack could be delivered over any interface that accepts packets above 500 bytes in size
- That could be almost any interface
- Initial attack could arrive over OAM, SIP, HTTP, Charging or any proprietary interface on the target SS7 node.
- As long as the vulnerability is known it can switch to SS7 tunneling after hook 1 is installed.

47 Proposed mitigation and limits
Reasonable protection can be achieved
- Main responsibility sits with vendors
- Encourage development of secure parsers
- Ask the right questions
Don't assume another node will deal with the problem. The edge/firewall/security GW needs to handle it.

48 General Recommendations
Enforcing ASLR
- While not a perfectly reliable protection, Address Space Layout Randomization does make certain attacks more difficult
Process privilege levels
- Ensure only required privileges are granted
Vendors should be required to perform fuzz tests of critical code
- Fuzz any code that manages data generated either directly or indirectly from processing signaling traffic
- Fuzz network stack and parsers at any routable layer (SCCP and above).
Monitoring of outbound traffic can help detect if a network element has been compromised
Consider blocking private extension containers since they can contain vendor specific proprietary data structures that an SS7 Firewall may be unable to inspect

49 Proof of Concept
Demo attack
Vulnerable MSC attack simulation

50 Real World Bonus Content: Please memset

51 SS7 vs ASLR
The following capture is from a production environment
- Network specific details have been blacked out
- Illustrates how poorly written encoders can leak information

52 SS7 vs ASLR
THREE SLIDES FROM THE ORIGINAL PRESENTATION HAVE INTENTIONALLY BEEN REMOVED. THEY ILLUSTRATE BROKEN ENCODER LEAKING STACK INFORMATION VIA BADLY IMPLEMENTED PADDING OF SCCP LAYER

53 SS7 vs ASLR
Poorly written encoder
- Leaves scraps from local variables in the padding
- Can give hints about where modules are loaded
- Can expose base address of stack
Attacker can simply ask for ASLR details
- Send an invoke to get returnResult or trigger ISD
- Answer contains fragments of local variables
Suddenly ASLR isn't R at all
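
The padding leak described on slides 50 to 53, and the fix the "Please memset" slide asks for, fit in a few lines of C. This is an added example, not code from the presentation or from any vendor encoder: the 16-octet field layout is a constructed stand-in rather than a real SCCP structure, and the residue bytes are constructed values standing in for leftover local data. The `dirty_padding` check is the kind of test an outbound monitor or an encoder unit test could apply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* constructed format: 1 length octet, value, padding */

typedef size_t (*encode_fn)(uint8_t *out, const uint8_t *val, size_t n);

/* Leaky encoder: writes length and value but leaves the rest of the
 * fixed-size field as it was, so whatever the buffer held before is sent. */
size_t encode_field_leaky(uint8_t *out, const uint8_t *val, size_t n)
{
    if (n > FIELD_LEN - 1) return 0;
    out[0] = (uint8_t)n;
    memcpy(out + 1, val, n);
    return FIELD_LEN;              /* whole field goes on the wire */
}

/* Corrected encoder: clear the whole field first, then fill it. */
size_t encode_field_cleared(uint8_t *out, const uint8_t *val, size_t n)
{
    if (n > FIELD_LEN - 1) return 0;
    memset(out, 0, FIELD_LEN);
    out[0] = (uint8_t)n;
    memcpy(out + 1, val, n);
    return FIELD_LEN;
}

/* Outbound check: number of padding octets that are not zero. A malformed
 * length octet is reported as a fully dirty field. */
size_t dirty_padding(const uint8_t *field)
{
    size_t n = field[0], dirty = 0, i;
    if (n > FIELD_LEN - 1) return FIELD_LEN;
    for (i = 1 + n; i < FIELD_LEN; i++)
        if (field[i] != 0) dirty++;
    return dirty;
}

/* Encode a 3-octet value into a buffer that already holds residue and
 * report how many residue octets would leave the node in the padding. */
size_t demo_dirty(encode_fn enc)
{
    /* Constructed residue, all non-zero, standing in for earlier local data. */
    uint8_t scratch[FIELD_LEN] = {
        0x7f, 0xfe, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc,
        0x7f, 0xfe, 0x12, 0x34, 0x56, 0x70, 0x10, 0x20
    };
    static const uint8_t value[3] = { 0x21, 0x43, 0x65 };

    if (enc(scratch, value, sizeof value) != FIELD_LEN) return FIELD_LEN;
    return dirty_padding(scratch);
}

int main(void)
{
    printf("leaky encoder:   %zu dirty padding octets\n",
           demo_dirty(encode_field_leaky));
    printf("cleared encoder: %zu dirty padding octets\n",
           demo_dirty(encode_field_cleared));
    return 0;
}
```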
54 Questions
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationGSM security country report: Estonia
GSM security country report: Estonia GSM Map Project gsmmap@srlabs.de Security Research Labs, Berlin September 2014 Abstract. GSM networks differ widely in their protection capabilities against common
More information9. Security. Safeguard Engine. Safeguard Engine Settings
9. Security Safeguard Engine Traffic Segmentation Settings Storm Control DoS Attack Prevention Settings Zone Defense Settings SSL Safeguard Engine D-Link s Safeguard Engine is a robust and innovative technology
More informationIndustrial Control System Security white paper
Industrial Control System Security white paper The top 10 threats to automation and process control systems and their countermeasures with INSYS routers Introduction With the advent of M2M (machine to
More informationIP Named Access Control Lists
Access control lists (ACLs) perform packet filtering to control the movement of packets through a network. Packet filtering provides security by limiting the access of traffic into a network, restricting
More informationRussian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall
Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall 1 U.S. and U.K. authorities last week alerted the public to an on-going effort to exploit network infrastructure devices including
More informationHistory Page. Barracuda NextGen Firewall F
The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationApplication Inspection and Control for SMTP
Application Inspection and Control for SMTP First Published: July 11, 2008 Last Updated: July 11, 2008 The Application Inspection for SMTP feature provides an intense provisioning mechanism that can be
More informationSmart Attacks require Smart Defence Moving Target Defence
Smart Attacks require Smart Defence Moving Target Defence Prof. Dr. Gabi Dreo Rodosek Executive Director of the Research Institute CODE 1 Virtual, Connected, Smart World Real World Billions of connected
More informationCIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec
CIS 6930/4930 Computer and Network Security Topic 8.1 IPsec 1 IPsec Objectives Why do we need IPsec? IP V4 has no authentication IP spoofing Payload could be changed without detection. IP V4 has no confidentiality
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter
More informationCisco IP Fragmentation and PMTUD
Table of Contents IP Fragmentation and PMTUD...1 Introduction...1 IP Fragmentation and Reassembly...1 Issues with IP Fragmentation...3 Avoiding IP Fragmentation: What TCP MSS Does and How It Works...4
More informationTransport of (Legacy) Signaling over IP. Summary of course scope
Transport of (Legacy) Signaling over SIGTRAN architecture (http://www.ietf.org/html.charters/sigtran-charter.html) Raimo Kantola S- 2004 Signaling Protocols 15-1 Summary of course scope PABX H.323 or S
More informationAttacks on WLAN Alessandro Redondi
Attacks on WLAN Alessandro Redondi Disclaimer Under the Criminal Italian Code, articles 340, 617, 617 bis: Up to 1 year of jail for interrupting public service 6 months to 4 years of jail for installing
More informationConfiguring Access Rules
Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule
More informationRemotely crashing HLR Why it took telecom industry 20 years to recognize the problems with SS7. Philippe Langlois, P1 Security
Remotely crashing HLR Why it took telecom industry 20 years to recognize the problems with SS7 Philippe Langlois, P1 Security Philippe Langlois Intro Founder of Qualys, Worldnet, TSTF, WaveSecurity, Non-
More informationAre You Fully Prepared to Withstand DNS Attacks?
WHITE PAPER Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure
More informationW is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation
W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationNetwork Control, Con t
Network Control, Con t CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationSimple and Powerful Security for PCI DSS
Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them
More informationCISNTWK-440. Chapter 5 Network Defenses
CISNTWK-440 Intro to Network Security Chapter 5 Network Defenses 1 Objectives Explain how to enhance security through network design Define network address translation and network access control List the
More informationNetwork Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018
Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method
More informationWHITE PAPER. Session Border Controllers: Helping keep enterprise networks safe TABLE OF CONTENTS. Starting Points
WHITE PAPER Session Border Controllers: Helping keep enterprise networks safe TABLE OF CONTENTS Starting Points...1 The Four Essentials...2 The Business Case for SIP Trunks...3 To benefit from the latest
More informationNext Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line
Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM Introduction With the exponential
More informationScribe Notes -- October 31st, 2017
Scribe Notes -- October 31st, 2017 TCP/IP Protocol Suite Most popular protocol but was designed with fault tolerance in mind, not security. Consequences of this: People realized that errors in transmission
More informationInfecting the Embedded Supply Chain
SESSION ID: PDAC-F01 Infecting the Embedded Supply Chain Zach Miller Security Researcher in8 Solutions (Formerly Somerset Recon) @bit_twidd1er Inspiration Inspiration Countless embedded devices exist Each
More information