Whitepapers and presentations produced by consultants and the team at Aura Information Security relating to topics on security, policy, and more.
The Three Billion Dollar App
Aura’s Vladimir Wolstencroft presents his research, “The 3 Billion Dollar App”, at the Troopers infosec conference in Germany. Mobile social applications are proliferating through our society and are starting to take the lime light away from traditional social networks such as Facebook. Younger people especially, are moving towards applications such as WhatsApp and SnapChat. Incumbent companies are eager to exploit this new user base and are willing to offer billions to purchase these apps. Clearly the value is driven by access to this user base and the ability to collect information about users or deliver ads direct to users.
But do we need to spend billions to gain access to this user base? What if we don’t need to spend anything - what if there was a way to deliver content to all the users just by using the app? This talk details what is possible after reverse engineering the SnapChat app and will show how you don’t have to spend billions of dollars to deliver content to SnapChat users.
Bluevox: Attacking One Time Passwords at 1100Hz
Graeme Neilson and Shingirayi Padya presented at Kiwicon 6 about cracking Audio One Time passwords.
Demonic Possession of Browsers. BeEF Issue #666
Mike Haworth presented Demonic Possession of Browsers BeEF Issue #666 at Kiwicon 6.
X-Excess: WebApps meet Native Apps
Mike Haworth and Aura associate Kirk Jackson talked at Kiwicon 5 about issues where the boundary between web apps and native apps gets blurry.
File Upload Considerations
Kirk Jackson presented at OWASP New Zealand Day 2011 on File Upload Considerations.
Welcome to Rootkit Country
Graeme Neilson presented at the CanSetWest Conference in Vancouver (March 11 2011) on developing rootkits for the top ten firewall / UTM manufacturers.
Tales from the Crypt0
Graeme Neilson presented with Kirk Jackson from Xero on cryptography at the OWASP Day New Zealand 15th July 2010.
Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.
Netscreen of the Dead
Graeme Neilson presented at RuxCon in Sydney Australia (2008) and BlackHat, Las Vegas USA (2009). The presentation covered Graeme’s research on how he’s developed a trojan ScreenOS operating system that when loaded onto any Juniper Firewall turns it into a ZOMBIE, giving Graeme full access to the underlying firewall, bypassing all rules and passwords
We must of cause mention Juniper at this point – “we express our appreciation for your pragmatic and careful handling of this case” (Juniper, 28 Nov 08). They also released a tech bulletin: PSN-2008-11-111, “ScreenOS Firmware Image Authenticity Notification” which states: “All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed.”