|
|
Newsletter 04.08Topics:
|
|
|
Codenomicon JOLTs the IndustryAs long-time Dr. Dobb's Journal readers, we at Codenomicon are extremely proud to receive the Jolt Productivity Award. It clearly shows we have been building the right product, one that is needed by the industry. The award is especially fitting for us, as our products literally jolt the systems under test. For more than ten years our tests have helped software developers constantly raise the bar in security and implementation quality. Here's to another successful ten years of robustness testing!, said Ari Takanen, CTO, Codenomicon.
For details, see: |
|
|
|
Customer Perspective to FuzzingFuzzing is the new way of ensuring security of software by black-box test automation techniques, without any false positives. Although the very same techniques have been in use since early 90s by the security community, new commercial tools bring them to the hands of any test engineer. Jon Oltsik of Enterprise Strategy Group has interviewed the users of commercial fuzzers for a real insight in the selection of fuzzing tools. As the trend today is in all areas of Test and Measurement market, this paper also gives insight on why today software based solutions are preferred over appliance-based solutions.
For details, see: |
|
|
|
Defensics 3.0 LaunchCodenomicon launched and demonstrated the new product platform at RSA 2008 in San Francisco. The new platform is a major upgrade to all existing tools. It enables anyone to fuzz basically any communication device or network service. The "D3", as it is also called, is a software based platform that integrates into any testing environment.
For details, see: |
|
|
|
Upcoming EventsMeet us at upcoming events! April:
May:
June:
For details, see: |
|
|
|
Wireless FuzzingThe recent Codenomicon white paper draws from the past and current state of existing wireless technologies and reflects experiences with emerging technologies. It describes how robustness-testing techniques can be used to assess the security of the available implementations and give statistics about the current state of affairs of Bluetooth and Wi-Fi. Quality and reliability improvements in these implementations will lead directly to decreased development and deployment costs, as well as increased public acceptance and faster adoption.
For details, see: |
|
|
|
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
For details, see: |
|
|
|
Is the only way to secure a mobile device to power it off?While smartphones are becoming more and more like computers, hacking them is getting even more lucrative. The data carried within handsets is increasingly critical, and they can travel freely through the perimeter security of most organizations. Already we've seen examples of hacks where data has been emptied from a handset or the whole device has been taken over and turned into an eavesdropping device. Modern smartphones and PDAs offer an ever-expanding set of attack vectors for a hacker intending to break the security of the device. One stereotypical first step in an attack is to craft and send malformed data packets to the device in order to gain illegitimate access. Today's mobile devices provide a rich set of targets for this. There are VoIP capabilities, web browsers, audio and video players, business cards (vCard), underlying IP infrastructure and much more. These attack vectors are made easily accessible with the integration of wireless technologies such as Bluetooth and Wi-Fi. Indeed, the wireless technologies can be used for carrying the upper layer attack, or they can be attacked themselves. Wireless layer attacks pose a special challenge because of the lower layers of the wireless stacks, such as Bluetooth L2CAP and SDP, or the Wi-Fi MAC layer. These layers can be attacked without the user noticing anything amiss. As a result of an attack, the attacker can gain access to the device, or as we've seen in our laboratory tests, the device can be rendered totally unusable. The potential for problems does exist, but how vulnerable modern smartphones actually are? This is an interesting question, which we at the Codenomicon laboratories wanted to take a closer look at with Codenomicon DEFENSICS tests. The DEFENSICS product family is ideal for this task, as it is the only fuzzing product in the market that offers a full suite of solutions for client side testing, for testing wireless interfaces, and testing digital media formats. In our laboratory study made during early 2008, we put DEFENSICS suites to full throttle and tested 8 top-of-the-line smartphones from different vendors, covering most of the big players in the market. Depending on the services available on any given phone, our security team tested how well phones can handle broken audio, video, and image data as well as malicious IP, Bluetooth, and Wi-Fi protocol data, including also applications protocols running on top of the network layer. Quite alarmingly, none of the phones survived all of our tests, and some devices failed on all of the different test sets run against them. Overall, the failure rate varied between 40% to 100%, when counting how many different test sets made the device fail. During Q2, we'll be releasing a whitepaper detailing the setup used in the study, full results from the tests, and valuable insight on how preemptive security testing can help eliminate critical flaws before a device even hits the market. Stay tuned! |
At Spring VON, Ari Takanen and Peter Thermos gave a one hour session
on the contents of their book "Securing VoIP Networks: Threats,
Vulnerabilities, and Countermeasures". The book was published by
Addison-Wesley last summer. When writing the book, Ari and Peter
wanted to address the security issues from both engineering
perspective, and also from the academic perspective. Although the book
itself tells very little about fuzzing and robustness testing, VoIP
security as a whole has always been a special topic for
Codenomicon. We released our VoIP test tools in early 2002, and almost
all the vendors and service providers in the IMS industry is using our
tools today.
