This site was originally created back in 2001 to act as the home of whitepapers and articles written by Gunter Ollmann. Right from the beginning, Gunter strove to dissect the techno-babble of Internet security and to carefully explain what it was actually all about in as simple a manner as possible - while still keeping the content educational.

In this section of the site you will find copies of all the major whitepapers produced by Gunter. Given the different security roles and companies he has worked for since 2000, the papers tend to reflect the emphasis of his work at that period in history - so the topics tend to be a little varied.

Botnet Communication Topologies
Understanding the intricacies of botnet Command-and-control
A clear distinction between a bot agent and a common piece of malware lies within a bot’s ability to communicate with a Command-and-Control (CnC) infrastructure. CnC allows a bot agent to receive new instructions and malicious capabilities, as dictated by a remote criminal entity. This compromised host then can be used as an unwilling participant in Internet crime as soon as it is linked into a botnet via that same CnC.
The criminals actively controlling botnets must ensure that their CnC infrastructure is sufficiently robust to manage tens-of-thousands of globally scattered bot agents, as well as resist attempts to hijack or shutdown the botnet. Botnet operators have consequently developed a range of technologies and tactics to protect their CnC investment. This paper reviews the tactics commonly employed by botnet operators to maintain control of their botnets and the impact of these tactics on standard network-blocking protection stratagems.
The Botnet vs. Malware Relationship
The one-to-one botnet myth

A common misperception of cyber-crime botnets is that a one-to-one relationship exists between a malware bot agent and an individual botnet. Even if this had been a true statement back when botnets first began to appear, it is not true today. The key is the development of commercial build-it-yourself malware kits. These professional-grade tools lower the entry-level requirements for creating a malware bot agent, constructing a Command-and-Control (CnC) structure, and controlling the resultant botnet.
As a result, sophisticated botnets are well within the grasp of any technically-savvy user who knows how to use an Internet search engine and build a Web site. Enterprise organizations must change their focus from identifying malware by name to identifying the criminals behind individual botnets in order to keep up with this evolving threat.

Anti-Fraud Image Solutions
The Use of Distribution Tracing Within Web Content to Identify Counterfeiting Sources

Many of today’s more successful Internet-based fraud tactics require the counterfeiting of popular transactional Web sites such as financial portals, stock-trading platforms and online retail sites. For the fraud to be successful, the cyber-criminal must typically clone most, if not all, of the targeted site’s content and host the counterfeit site on a Web server under their control. With some minor modifications to the underlying HTML code and changes to the application logic, the cyber-criminal will seek to steal the personal authentication or authorization credentials of unlucky victims who fall to the counterfeit site. Armed with these credentials, the cyber-criminal will subsequently attempt to defraud the accounts of their victim.

This whitepaper provides an overview of the techniques available to organizations that wish to identify the sources of such counterfeit sites – evaluating the pros and cons of the various mechanisms and providing advice on how to employ this class of investigative technology.
Continuing Business with Malware Infected Customers
Best Practices and the Security Ergonomics of Web Application Design for Compromised Customer Hosts
Today’s media is full of statistics and stories detailing how the Internet has become an increasingly dangerous place for all concerned. Figures of tens of millions and hundreds of millions of bot-infected computers are regularly discussed, along with approximations that between one-quarter and one-third of all home computer systems are already infected with some form of malware. With a conservative estimate of 1.4 billion computers browsing the Internet on a daily basis (mid-2008 figures), that could equate to upwards of 420 million computers that can’t be trusted – and the numbers could be higher as criminals increasingly target Web browser technologies with malicious Web content – infecting hundreds of millions more along the way.

Despite these kinds of warnings and their backing statistics, online businesses have yet to fully grasp the significance of the threat. Most of the advice about dealing with the problem has focused on attempting to correct the client-side infection and yet, despite the education campaigns and ubiquity of desktop anti-virus solutions, the number of infected computers has continued to rise. The problem facing online businesses going forward is, if upwards of one-third of their customers are likely to be using computers infected with malware to conduct business transactions with them, how should they continue to do business with an infected customer base?

This paper discusses many of the best practices businesses can adopt for their Web application design and back-office support processes in order to minimize this growing threat, along with helping to reduce several of the risks posed by continuing to do business with customers likely to be operating infected computers.
SEO Code Injection
Search Engine Optimization Poisoning
Search Engine Optimization (SEO) is a critical component in an organization's ability to be discovered by prospective customers and clients as they conduct online searches for information and products. It is a technique commonly employed by the largest and most sophisticated Internet businesses, and a key component of their online business strategy.

Unfortunately, the nature of the SEO algorithms, and the subsequent modification of dynamic site content that they promote, means that they can often be manipulated by an attacker. Vulnerable Web applications can be used to propagate infectious code capable of compromising the organization's prospective customers and clients. This brief paper explains the technique referred to as SEO Code Injection or Poisoning, and the steps that may be taken to detect and mitigate the vulnerability.
Understanding the Web browser threat
Examination of vulnerable online Web browser populations and the "insecurity iceberg"
In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site.

Attacks against Web browsers depend upon malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java, etc.). Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers.

Profit motivated cyber-criminals have rapidly adopted Web browser exploitation as a key vector for malware installation. Due to the methodology of exploiting Web browser vulnerabilities and the unpredictable browsing patterns of typical users, for widespread infection of vulnerable hosts the criminals must seed a mix of popular and high-traffic websites, or incentivize users through email spam, with URLs directing potential victims to Web servers hosting their malicious content. The former method is commonly known as drive-by download, where drive-by refers to the fact that Web browsers must initially navigate to a malicious page and download refers to the covertly downloaded and executed malware - typically Trojans.
Old Threats Never Die
Why Protection for Old Vulnerabilities can never be Retired
With year-on-year increases in vulnerabilities, malware and new threat vectors, businesses must deal with an expanding barrage of attacks.  As threats mount, businesses place greater pressure on alerting and protection technologies designed to identify and block threats before they cause damage. Under pressure, protection performance and defense robustness can visibly weaken. In the physical world, when pressures mount, civil engineers consider their options.
Unfortunately, many organizations have mistakenly opened spillways in their IT security defenses, allowing entire classes of attack to penetrate the network. The misguided decision to allow certain malicious traffic stems from underestimating the duration of a particular threat, or investing in protection technologies unable to cope with mounting pressure: technologies now rendered obsolete in the face of advanced threats.
Businesses must understand basic aspects of the lifecycle of Internet threats in order to apply the proper security strategy. In particular, organizations need to be aware that old threats never actually retire from the digital landscape. Rather, they tend to become background noise on the Internet, ready to burst into life with each new software update, host recovery, device deployment or embedded system release.
X-morphic Exploitation
One-of-a-kind Exploit Delivery Systems and Services
Traditionally, Web browser attacks have relied on fairly simple exploit code, typically written as scripts within HTML documents. Consequently, Web browser exploits are easy to block. Using standard regular-expression and heuristic-based signature engines, exploit patterns are easily identified, and the attack can be thwarted over the network or at the host.
Unlike self-replicating malware, which must carry with it the means of altering itself, Web exploit developers can host their morphing algorithms and code on the Web server itself and do not need to make that code visible to the victim. Consequently, unlike morphing malware, morphed Web browser exploits do not contain superfluous morphing code, which makes these attacks considerably more difficult to detect.
Welcome to the world of personalized, one-of-a-kind Web browser exploits and the dawn of x-morphic exploitation.
The Vishing Guide
A close look at voice phishing
Many of today’s widespread threats rely heavily on social engineering—techniques used to manipulate people into performing actions or divulging confidential information—to leverage and exploit technology weaknesses. For example, “phishing” is perhaps the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake Web site designed to steal authentication details.
Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used—each with its own nuances and target audiences.
The Pharming Guide
Exploiting well known flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain.
A grouping of attack vectors now referred to as “Pharming” affects the fundamental way in which a customer’s computer locates and connects to an organisation's online offering. Enabling the Pharmer to reach wider audiences with less probability of detection than their Phishing counterparts, pharming attacks are capable of defeating many of the latest defensive strategies used by customer and online retailer alike.
This paper, extending the original material of “The Phishing Guide”, examines in depth the workings of the name services upon which Internet-based customers depend, and how they can be exploited by Pharmers to conduct identity theft and financial fraud on a massive scale.
Part (1) - How DNS works and what is "Pharming"
Part (2) - The attacks and the protection
The Phishing Guide
Understanding and Preventing Phishing Attacks
Phishing is the new 21st century crime. The global media runs stories on an almost daily basis covering the latest organisation to have its customers targeted and how many victims succumbed to the attack. While the Phishers develop ever more sophisticated attack vectors, businesses flounder to protect their customers’ personal data and look to external experts for improving email security. Customers too have become wary of “official” email, and organisations struggle to instill confidence in their communications.
While various governments and industry groups battle their way in preventing Spam, organisations can in the meantime take a proactive approach in combating the phishing threat. By understanding the tools and techniques used by professional criminals, and analysing flaws in their own perimeter security or applications, organisations can prevent many of the most popular and successful phishing attack vectors.
This paper covers the technologies and security flaws Phishers exploit to conduct their attacks, and provides detailed vendor-neutral advice on what organisations can do to prevent future attacks. Security professionals and customers can use this comprehensive analysis to arm themselves against the next phishing scam to reach their in-tray. [Part 1] & [Part 2]
Stopping Automated Attack Tools
An analysis of web-based application techniques capable of defending against current and future automated attack tools
For an increasing number of organisations, their web-based applications and content delivery platforms represent some of their most prized and publicly visible business assets. Whether they are used to provide interactive customer services, vital client-server operations, or just to act as informational references, these assets are vulnerable to an increasing number of automated attack vectors – largely due to limitations within the core protocols and insecure application development techniques.
As these web-based applications become larger and more sophisticated, the probability of security flaws or vulnerabilities being incorporated into new developments has increased substantially. In fact, most security conscious organisations now realise that their web-based applications are the largest single source of exploitable vulnerabilities.
Anti Brute Force Resource Metering
Helping to Restrict Web-based Application Brute Force Guessing Attacks through Resource Metering
For most web-based applications that require customers to uniquely identify themselves prior to granting access to key functional aspects of the online system, a solid and reliable authentication process is the primary security barrier. When these applications are providing online services to a large and/or diverse customer base, the authentication process must be able to withstand an increasing number of malicious attack vectors. Poorly designed or implemented authentication processes are easily exposed and, as a consequence, are likely to be exploited, resulting in increased adverse public scrutiny and a concomitant decrease in customer confidence.
Security Best Practice - Host Naming and URL Conventions
Security Considerations for Web-based Applications
From an attacker’s perspective, the method by which an organisation names its Internet-visible hosts or references web-application URLs can often be abused to make for a more successful attack. Due to a lack of insight or understanding of current attack vectors, many organisations are failing to follow best security practices in their host naming and linking conventions – thereby unwittingly aiding their attackers.
In the last 5 years, organisations have seen a phenomenal year-on-year increase in the number and sophistication of the vectors used by malicious attackers to target their customers or clients. Ranging from social engineering through to URL obfuscation and domain hijacking, attackers are abusing poorly thought out and implemented host naming and URL referencing conventions. For example, attacks such as Phishing often make use of confusing host names to dupe customers by directing them to web applications designed to impersonate a legitimate site – once the customer hits the fake site their authentication credentials are recorded for later use in financial fraud or identity theft.
By following a few simple best practices, organisations can easily strengthen the security of their environments against many of these attacks and make it much more difficult for an attacker to confuse customers or clients.
Second-order Code Injection
Advanced Code Injection Techniques and Testing Procedures
Many forms of code injection (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user’s current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack. A second-order code injection attack can be classified as the process in which malicious code is injected into an application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim.
Mail Non-delivery Notice Attacks
Analysis of e-mail non-delivery receipt handling by live Internet bound e-mail servers has revealed a common implementation fault that could form the basis of a new range of DoS attacks. Our research in the field of email delivery revealed that mail servers may respond to mail delivery failure with as many non-delivery reports as there are undeliverable Cc: and Bcc: addresses contained in the original e-mail. Non-delivery notification e-mails generated by these systems often include a full copy of the original e-mail sent in addition to any original file attachments. This behaviour allows malicious users to leverage these mail server implementations as force multipliers and flood any target e-mail system or account.
Instant Messenger Security
Securing against the "threat" of instant messengers
Digital communications within business are currently undergoing a change similar to those of the early 1990’s as organisations moved en-masse to relying upon email services as the primary communications medium. Just a decade later, organisations are now facing the necessity of implementing and managing real-time digital communication between both their staff and their customers. Business now demands the ability to communicate through brief messages to people who are online at the same time. Instant Messenger (IM) services fill the niche between a phone call and an email. While email is ideal for non-synchronised communications, IM offers the ability to identify people who are online at the same time and exchange information in near real-time.
Passive Information Gathering
The Analysis of Leaked Network Security Information
Most organisations are familiar with Penetration Testing (often abbreviated to, “pentesting”) and other ethical hacking techniques as a means to understanding the current security status of their information system assets. Consequently, much of the focus of research, discussion, and practice, has traditionally been placed upon active probing and exploitation of security vulnerabilities. Since this type of active probing involves interacting with the target, it is often easily identifiable with the analysis of firewall and intrusion detection/prevention device (IDS or IPS) log files.
Very little information has been publicly discussed about arguably one of the least understood, and most significant stages of penetration testing – the process of Passive Information Gathering. This technical paper reviews the processes and techniques related to the discovery of leaked information. It also includes details on both the significance of the leaked information, and steps organisations should take to halt or limit their exposure to this threat.
Application Assessment Questioning
What should a consultant be looking for when conducting an application assessment?
Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure-based assessments, the methodology utilised by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed. Although several high-level methodologies do exist (and some guides can indeed be quite comprehensive), they are often not generic or versatile enough to cope with the wide variety of custom applications commonly encountered. Many methodologies used by professional security assessment organisations are in fact highly guarded.
Web Based Session Management
Best practices in managing HTTP-based client sessions
The stateless nature of HTTP requires organisations and solution developers to find other methods of uniquely tracking a visitor through a web-based application. Various methods of managing a visitor’s session have been proposed and used, but the most popular method is through the use of unique session IDs. Unfortunately, in too many cases organisations have incorrectly applied session ID management techniques that have left their “secure” application open to abuse and possible hijacking. This document reviews the common assumptions and flaws organisations have made and proposes methods to make their session management more secure and robust.
HTML Code Injection and Cross-site Scripting
Understanding the cause and effect of CSS (XSS) Vulnerabilities
As web-based applications have become more sophisticated, the types of vulnerabilities attackers are capable of exploiting have rapidly increased. A particular class of attacks commonly referred to as “code insertion” and often “Cross-Site Scripting” has become increasingly popular. Unfortunately, the number of applications vulnerable to these attacks is staggering, and the variety of ways attackers are finding to successfully exploit them is on the increase. Analysis of many sites has indicated that not only are the majority of sites vulnerable, but they are vulnerable to many different methods and much of their content is affected.
Securing WLAN Technologies
Secure Configuration Advice on Wireless Network Setup
In recent years, there have been a number of substantial developments in the acceptance and functionality of wireless networks. Contemporary organisations are finding their workforce increasingly mobile, often equipped with notebook computers and spending more of their productive time working away from the standard office-desk or personal-computer environment. Wireless networks support mobile workers by providing the required freedom in their network access. Workers can thus access networked resources from any point within range of a wireless access point. For IT managers, the combination of lowering wireless hardware costs and the ease of implementation into diverse office environments means that wireless deployment is actively promoted, for it provides the combination of wired network throughput with mobile access and configuration flexibility.
Custom HTML Authentication
Best Practices on Securing Custom HTML Authentication Procedures
Interactive web-based applications now form an important part of the e-business world. There is great pressure on organisations to make available many of their services through the Internet to their end clients, business partners, and own employees. Many of these new online services require end users to positively identify themselves to the application and actively work to ensure the information and level of access is appropriate for the authenticated user. While many methods are available to an organisation seeking to implement an authentication method for their Internet service, the majority have chosen to do so through HTML form submission over HTTP. Although they tend to understand the threats to their hosting environment from attackers, and actively test and patch the hosts against publicly disclosed vulnerabilities, very often the security fails at the implementation of their custom authentication procedure. Organisations must now ensure that adequate secure procedures are implemented within the custom application, particularly the authentication process and the associated management of session state.
Assessing Your Security
Advice on Assessing your IT Security Posture
Most people will agree that Information Technology (IT) is changing or altering business processes and work environments at a dizzying pace. Unfortunately for those responsible for maintaining the security posture of these processes and environments, security changes faster. Organisations often fail to realise that even if the technologies, operating systems and environments were to remain static, the mechanisms required to secure those systems against the latest threats would continue to adapt and force change. It doesn’t take too much effort to find news articles on the latest computer virus to circulate the world, the number of new vulnerabilities discovered last month, or the critical fixes for your operating systems that need applying today. However, it does take a substantial amount of time for an organisation to develop the security mechanisms to help protect against both last month’s and next month’s threat.
Application Security Assessments
Advice on Assessing your Custom Application
For many organisations, their internal security professionals are adept at finding and responding to information about the latest vulnerabilities and threats to the software employed within business critical systems under their supervision. There are a great many security resources available, online and printed, ready to help explain and address potential vulnerabilities with the most common commercial software products. However, there exist two problems for those responsible for the security and integrity of your systems. Firstly, the “hit or miss” disclosure of vulnerabilities in commercial software, and secondly, how do you identify or address potential vulnerabilities in the custom (in-house developed) application that connects and runs atop the commercial software?
URL Embedded Attacks
Attacks Using the common web browser
A popular misconception is that web hacking and defacement is difficult, often requiring detailed technical knowledge and specialist tools. Unfortunately, one of the best tools in a hacker’s arsenal is the common web browser. Using Microsoft’s Internet Explorer or Netscape’s Communicator, it is possible to identify and exploit many common vulnerabilities in both the remote web server’s hosting software and the site content, through simple URL editing. Over the last few years, the number of vulnerabilities and security flaws directly exploitable through this type of attack has increased phenomenally, primarily due to application developers failing to adequately check and decode the received client data.
Copyright 2001-2009 © Gunter Ollmann