Flag Flag

November 30th 2010

logo Confidence

Biological sequence alignment and IT security - presentation on Confidence 2010 2.0 conference

Besides their everyday work devoted to securing the infrastructure of PSNC and PIONIER & POZMAN networks, as well as participation to R&D projects, PSNC Security team conduct a lot of research, which is often not related with IT security at first glance.

Recently, Mateusz Drygas and Tomasz Nowak have been investigating the opportunity of applying tools for biological sequence alignment to optimize fuzzing techniques (namely - to support recognition the structures of file formats and network protocols. It appears that after having transformed particular concept from the world of networking towards the area of biological sequence alignment, it is possible to use free and well-proven bioinformatics tools in order to significantly accelerate the analysis of acquired network traffic.

We presented the results of the research during the international IT security conference - Confidence 2010 2.0 that took place in Prague (Czech Republic) on November 29-30. During the second day of the conference Tomasz Nowak gave a talk entitled "Discovery and visualization of network protocols with tools for biological sequence alignment" The talk on the mentioned subject triggered an interesting discussion that created an opportunity to exchange opinions with authors of other fuzzers. Tomasz Nowak during the talk

During the conference a number of lectures on different technical levels were given. The selected topics include: social attacks, using tools for extracting metadata from documents, IPv6 security or debugging application and network protocols with low-level programming. During the breaks and the evening events the lecturers could share their experience with the participants, and also many talks, addressing IT security in general, were held.

We encourage you to read the prepared presentation, available in English as a PDF file.

Mateusz Drygas, Tomasz Nowak .Discovery and visualization of network protocols with tools for biological sequence alignment. (PDF, 942 KB)

October 26th 2010

Browsers Logo

Security tests of Web browsers

Poznan Supercomputing and Networking Center Security Team conducted a set of comparative tests of Web browsers, addressing resilience to attacks on SSL/TLS encrypted tunnels. Particular emphasis was put on if the browsers are able to detect those attacks at all and how the user is informed (including the users without specialized knowledge on IT issues).

5 most popular browsers were tested, in alphabetical order: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera. Among others, the set of implemented encryption algorithms was verified, as well as efficiency of exchanging encrypted data under non-standard conditions in the network. However, the key part of the tests was the analysis of interaction between the browser and its user in cases of occurring different types of security errors embedded within browsed Web pages. For instance, an outdated certificate or unencrypted content within an HTTPS page cases were tested. It was verified whether the idiosyncrasy had been detected at all, and then . if the information about it was presented to the user in a visible, detailed and convenient way. The default settings of all browsers were assessed as well.

On the other hand, it must be clearly stated that the current stage of the tests did not concern potential vulnerabilities in the code of the browsers and any conclusions about quality in terms of software vulnerabilities must not be drawn.

It may be clearly seen that the vendors aim to create for their users conditions that would allow them to browse the Web in a secure way. However, the implementation of that goal varies between particular browsers (and sometimes is quite heterogenic within single applications). The amount of displayed information on errors that had occurred significantly varies among the browsers, which may be meaningful for particular groups of users in order to select their favorite application.

According to obtained results, no absolute leader or outsider among the tested browsers may be pointed out. In the subjective assessment of the report authors, the two most popular browsers (i.e. Firefox and Internet Explorers) fulfill the majority of basic requirements for secure handling of SSL/TLS encrypted tunnels, while Firefox appears to have better interaction with the user and slightly more secure default settings . and Internet Explorer appeared to be more efficient during sending data through encrypted tunnels.

Amongst the rest of the browsers, not so popular in the market, the report authors honored Opera for the most sophisticated error reporting facilities. It also seems that the developers of Safari still have the most work to do.

It also appears that using only one browser (not only in terms of SSL/TLS tunnels) is a solution that limits the opportunities to perceive various types of security problems . especially those users who are technically oriented.

We encourage you to download the detailed report (PDF, 3.3 MB). Currently it is available in Polish, but the authors will prepare an English, shortened version soon.

March 31th 2010

Software BUG

SQL Injection vulnerability in TikiWiki 4.1

During internal works carried out by our team, Mateusz Drygas discovered SQL Injection vulnerability in TikiWiki portal system. This problem affects all versions up to 4.2 and 3.5 LTS.
Please look at our full advisory.

June 18th 2009

StartUp

Bypassing firewalls in Windows systems

On 18th June 2009, PSNC Security Team members for the first time in the history of MIC training program organized a BYOL-style security workshop. Mateusz Drygas, Marcin Jerzak and Jakub Tomaszewski prepared especially for this occasion an actual real system attack scenario. This scenario was then carried out by the participants step by step. The details about Warsztaty the target system as well as the tips about its vulnerabilities were successively revealed - each one followed by a couple of minutes delay for the participants to enable them overcoming security measures in practice. This way the entrants were forced to actively participate in the workshop and, most importantly, to understand the significance of their individual initiative in the bughunting process. Each participant had his own remote target-system kept on the server in a separate virtual machine box as well as the attacker-system - an especially prepared bootable pendrive which everyone had been given at the beginning of the workshop. This way the participants didn't disturb each other during the session. This training was the second part of a Bypassing Windows Firewalls series (the first part took place six months earlier, on 18th December 2008 as a introduction to this one).

For further information - please download the prepared presentation (in Polish):

June 5th 2009

StartUp

Advertising on the Internet - workshop

On 5th June 2009 Poznan University of Technology held another meeting as a part of the Startup-IT program. This time entitled "Internet Advertising - how to promote your own portal". Security Team member Jakub Tomaszewski described easy-to-apply and effective ways to block addvertising on the web. We encourage everyone to download the presentation (in polish) we prepared especially for this occasion.

April 29th 2009

Presentation from the PSNC Supercomputing Department training

On 29 April 2009, PSNC Security Team for the first time in this year has performed a lecture in a Supercomputing Department training series. Tomasz Nowocien prepared a introduction to web applications security.

For more information - please download materials.

February 26th and 27th 2009

StartUp

Poznan .NET Group meeting and Startup IT - performances

Please take a look at latest performances done by PSNC Security Team at the end of February. This time we had the opportunity to participate in both Poznan .NET Group meeting (Gerard Frankowski, 26.02) and Startup IT initiative (Gerard Frankowski and Jakub Tomaszewski, 27.02). The presentations were deliberately prepared to help people thinking about starting their own microenterprises.

For further information - please download available materials:

October 24th and 29th 2008

StartUp

Schools and microenterprises security

After the SECURE 2008 conference speech, PSNC Security Team members once again had the opportunity to promote IT security in different environments. Presentations were conducted as a part of StartUp-IT program and "Secure Internet" conference.

October 15th 2008

Live show at PGCIC meeting in Poznan

AHK

Members of PSNC Security Team, Marcin Jerzak and Jakub Tomaszewski, participated in a Polish-German Chamber of Industry and Commerce meeting held on 15 October in Sheraton Hotel in Poznan. Polish-German Chamber of Industry and Commerce (PGCIC) is the largest organization of that kind in Poland, bringing together more than 950 companies. The main tasks of PGCIC is supporting German companies in Poland as well as Polish companies in Germany and also informing about the German market. PGCIC is one of 83 German Foreign Chambers of Commerce and Industry AHK, considered by the German Association of Chambers of Commerce and Industry (German Deutscher Industrie-und Handelskammertag, DIHK) and the National Chamber of Commerce.

During the meeting, Jakub and Marcin conducted presentations "Data loss in companies - Facts and Myths". Participates learned - among other things - on risks in different areas of IT in today's organizations. Particular interest, however, aroused a live attack show on the encrypted connection of several popular sites that offer free access to the mail by WWW (webmail). Speeches met with great approval of participants and a the live show met an especial interest.

Marcin Jerzak, Jakub Tomaszewski: Data loss prevention - Facts and Myths (PDF, 0.7 MB)

October 3th 2008

Presentation at Secure 2008 conference

Secure2008

Members of PSNC Security Team, Blazej Miga and Gerard Frankowski, performed at the SECURE 2008 conference (2-3 October 2008, Hotel Hyatt Regency Warsaw). SECURE is one of the oldest polish conferences about networks and ICT systems security. It has an opinion of one of the biggest events of this type in Europe. This year's twelfth edition was organized jointly by NASK, CERT Poland and the ENISA organization (polish National Security Agency was also the conference co-organizer). The conference was also under the patronage of Minister of Science and Higher Education, Professor Barbara Kudrycka and Vice-President of the Council of Ministers, Minister of Internal Affairs and Administration, Grzegorz Schetyna.

At the end of the second day of the conference Blazej and Gerard presented the results of studies on public-key infrastructure in the context of the bug (published in May 13, 2008) in a Pseudo-Random Number Generator in one of the open source operating systems. During the presentation Gerard and Blazej explained how public key infrastructure works, how one can break some a RSA key, and why we cannot totally trust all the certificates issued by a trusted certification centers (CA). Despite the unfortunate time of presentation (last spot on the agenda on Friday!), the performance has been received very well. We encourage you to download a slightly extended version of slides (a couple additional ones with examples) - in Polish.

More information about the conference http://www.secure.edu.pl

Blazej Miga, Gerard Frankowski: 13.05.2008 (PDF, 2.8 MB)

September 23th 2008

Performance at Microsoft Academic Conference

PSNC Security Team representative, Marcin Jerzak occurred at Microsoft's annual Academic Conference held on 22-24 September by Microsoft Education Team in Rosn├│wko near Poznan.

The main topics of the conference were the latest Microsoft Universities cooperation programs, which are to be introduced in the upcoming academic year, and the latest Microsoft technology. On the second day of the conference presentations conducted Marcin Jerzak. He explained how to secure now widely used platform Windwos 2003 Server.

Marcin Jerzak Securing Windows Server 2003 platform (PDF, 2.3 MB)

March 20th 2008

IDC Security Roadshow 2008 conference performance

IDC Security Roadshow 2008

Members of PSNC Security Team were invited to     participate in IDC Security Roadshow 2008 - Business Protection: People and Technology conference as independent experts to perform presentation regarding security services outsourcing.

During presentation of the topic, which took place in Warsaw Mariott hotel, Gerard Frankowski and Jakub Tomaszewski explained how external security audits work, what problems they stumbled across and solutions they suggest are the most accurate. Presentation has been very well perceived.

Presentation available for download (PDF, in polish)

Gerard Frankowski, Jakub Tomaszewski External Security Audits (1.8 MB)

November 9th 2007

Report about security of on-line shopping

PSNC Security Team evaluated a security level of on-line shopping services available on the Polish market. The revenue of the firms providing services in that sector (on the Polish market) oscillated around ... in the year 2007. Thus it is worth to make sure that the customers money are safe and secure.

We decided to check 50 randomly chosen Polish on-line shops. We directed our tests to evaluate only the sessions and cookieshandling mechanisms. If you are interested please do not hesitate to read our report.

Report in PDF file (154 KB, available only in Polish)

November 9th 2007

Conference talk on the IT Underground 2007

IT Underground

Blazej Miga and Gerard Frankowski were speakers on IT Underground 2007 Conference.The international conference that last three days and took place in Warsaw gathered together large number of security specialists. The topic of our representatives talk was about security of the Microsoft Information Services in version 7.0. The number of questions raised by the audience proof that the presentation was very interesting and worth attending.

Our presentation is available for download.

Presentation (PDF, 1.8 MB).

October 21st 2007

SecureCON 2007 Conference (Wroclaw)

SecureCON 2007

Congress Center of the Wroclaw University of Technology was a venue of SecureCON 2007 conference devoted to all aspects of computer security. The motto of the conference was the phrase: "In Secure World We Trust". More than 200 participants have an opportunity to watch the presentation prepared by members of Security Team of PSNC. Blazej Miga and Gerard Frankowski inaugurated the first day of conference. They spoke about research project connected with security of Microsoft IIS 7.0. The project is part of the work done as a result of Microsoft Innovation Center initiative.

We encourage you to download the presentation prepared exclusively for that conference.

Presentation (PDF, 3.5 MB).

May 29th 2007

Apache httpd vulnerabilities

Apache httpd vulnerabilities PSNC Security Team would like to communicate that as a result of the Apache httpd (ver 1.3.x, 2.x) source code audit, several security vulnerabilities have been found. These vulnerabilities make a successful DoS attack against services and local system possible. The basic information about vulnerabilities:

Vuln #1
Httpd Server DoS
Tested versions: ver 2.0.59, 2.2.4, prefork mpm module

Vuln #2
SIGUSR1 killer
Tested versions: ver 2.0.59, 2.2.4, prefork mpm module

Vuln #3
SIGUSR1 killer
Tested versions: ver 1.3.37

Vuln #4
System DoS
Tested versions: ver 2.0.59, 2.2.4, prefork mpm module

The full notice about bugs mention above has been sent to Apache Software Foundation on May 16th 2006 (sic!). After a year, official patch has not been released.

More information about vulnerabilities in the report (in Polish).

August 31st 2006

Internet Banking Security 2006

Internet Banking Security 2006 conference took place in Mikolajki and last from August 28th to August 30th. During the conference the PSNC Security Team represented by Jaroslaw Sajko and Michal Melewski presented a report about security of electronic banking extended by some additional, practical information.

The talk had been warmly welcomed and followed by long lasting discussion. The discussion concentrated around policies of disclosures of vulnerabilities notes and an influence of such vulnerabilities on the overall security level of e-banking services. Moreover the participants discussed also the procedures that could reduce the risk level caused by improperly patched or configured systems in the future.

May 14th 2006

Big Image

CONFidence 2006 in Cracow

It was a pleasure for the Team members to participate again (for the second time) in CONFidence conference. The conference is devoted to security systems and physical security. Blazej Miga and Jaroslaw Sajko presented talks about security of Apache web server and extensions of iptables, respectively. The speakers were supported by the presence of Michal Melewski. He was responsible for asking them thought questions. The content of the talks appeared to be the natural base for the conversations during informal part of the conference.

The presentations (in Polish) are available for download:
Blazej Miga - Hacking Apache Web Server
Jaroslaw Sajko - IPTables Hacking

All persons that would like to extend their knowledge about iptables are kindly invited to attend the course organized by Supercomputing Department of PSNC. The final date of the course will be available soon. For further information please see these web-site.

February 14th 2006

Big Image

"Secure" E-Banking

Nowadays, the fast growth of Electronic banking services made them as popular as automatic teller machines (ATMs). On the web pages of the most banks it is quite easy to find login panel. After successful log we get the access to the information about our account. We can check current balance, debits, credits, open an account or apply for a loan. Most of these data of course are confidential. Banks usually convince that they properly secure the clients data as well as their money. Should we trust banks' spokesmen before we check the truth?

The PSNC Security Team analyzed publicly available data about the configuration of secure connections (based on Secure Socket Layer) to e-banking systems. The analysis covered 41 e-banking portals providing services in Poland. Although the tests concern only narrow range of security analysis, the results allow to formulate valuable conclusions. If you are interested then read the report (in Polish).

Report - version 1.09 (in Polish)

Main topics:

Security tests of Web browsers
PSNC Security Team conducted a set of comparative tests of Web browsers, addressing resilience to attacks on SSL/TLS
We encourage you to take a look on our detailed report (currently in Polish only).

More

GN3 project: security training for the developers
PSNC Security Team took a key part in preparing a complex, two-day training on secure programming that was organized in Pozna˝ for the participants of one of the largest European research projects: GN3.

We encourage you to download the prepared presentations.

More information

Related topics:

Security services
New PSNC Security Team Security Services catalogue is available in Services section
Catalogue (in Polish)

On-line shopping security
PSNC Security Team decided to take a closer look at electronic shopping service. The result of our work is a report (in Polish).

Internet Banking
Report about internet banking security status in Poland is available here and the reaction in media here