Latest Publications
All presentations are Copyright Aura Software Security Ltd 2010, All Rights Reserved. You may download these presentations for research purposes only. Any re-use or reproduction of these presentations may only be performed with express permission from Aura Software Security Ltd.
Tales from the Crypt0
Graeme Neilson presented with Kirk Jackson from Xero on cryptography at OWASP Day New Zealand on 15th July 2010.
Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting
data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand
how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the
livelihoods of their users.
Download "Tales of the Crypt0"
Netscreen of the Dead
Graeme Neilson presented at RuxCon in Sydney Australia (2008) and BlackHat, Las Vegas USA (2009).
The presentation covered Graeme's research into developing a trojaned ScreenOS operating system that, when loaded onto any Juniper firewall, turns it into a ZOMBIE,
giving Graeme full access to the underlying firewall and bypassing all rules and passwords.
We must of course mention Juniper at this point - "we express our appreciation for your pragmatic and careful handling of this case" (Juniper, 28 Nov 08).
They also released a tech bulletin: PSN-2008-11-111, "ScreenOS Firmware Image Authenticity Notification" which states:
"All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed."
Listen to Graeme's interview on IT Radio: download (18MB mp3 file)
Download "Netscreen of the Dead"
Proactive Software Assurance
Andy Prow presented at the ISACA Computer Security Day on the 2nd Dec 2008 in Wellington.
Andy's presentation focussed on the "SANS Defensive Wall 1 - Proactive Software Assurance", covering the steps you should take as an organisation to proactively protect your systems against attack.
Download "Proactive Software Assurance"
Better than the regular script kiddie: w3af
The w3af framework project is the up-and-coming
Metasploit of Web application security. Its flexible design allows new
attack vectors to be easily written and includes many features which are
only available in the grossly expensive commercial tools. Mark's
presentation will discuss why we need webapp scanners and demo the w3af
framework and how to automate the Discovery, Audit and Attack of web
applications.
The presentation can be downloaded here
Scanberry: Advanced Attacks via a trojaned Blackberry
Building on the Blackjacking tools presented at
DefCon, Graeme will present some advanced tools for attacking internal
networks via Blackberrys. For example, how to use TicTactrojan on a
Blackberry to port scan an internal network from the comfort of your
external host.
The presentation can be downloaded here
Quality Software - Designed to be Hacked
Andy will focus on how software quality MUST
include security considerations during the requirements, design,
implementation, testing, roll-out and maintenance phases. He will also
include some examples of real-world security issues that "make you think..."
The presentation can be downloaded here
It only takes a Pin Prick to burst your Enterprise Security bubble
The presentation highlights the need for an
organisation to have their own "trusted in-house hacker" who thinks like a
hacker would.
Some of the other topics covered are:
Some of the latest tools hackers use.
A sample of common vulnerabilities and how they can be exploited.
How to protect your network against these exploits.
Please feel free to contact Aura Software for more detailed information and
to request a security assessment.
The presentation can be downloaded here
In the news

More IT Security TRAINING
Sept - Dec 2010
We have a new round of our Teaching the Good-Guys Bad-Tricks IT Security training courses coming up, in Wellington, Auckland and Christchurch throughout Sept to Dec.
We are running both in-house corporate sessions, and are booking several group venues that are open for public bookings. Places fill up fast so CONTACT US now for arrangements.

$250,000 TechNZ Grant for Aura RedEye
Jul - Dec 2010
Aura's RedEye vulnerability scanning product and threat analysis service has been awarded a $250,000 TechNZ Research and Development grant from the Foundation for Research, Science and Technology.

Microsoft TechEd 2010
30 Aug - 1 Sep 2010
Microsoft's TechEd NZ will be another huge event.
Aura's Andy Prow will be presenting again with Kirk Jackson - Hack-Ed, Teaching the Good-Guys MORE Bad-Tricks

NZ Computer Society National Programme
12 - 19 Aug 2010
As part of the NZCS National Programme Andy Prow has been travelling NZ with an IT Security Awareness programme. The programme included Christchurch, Wellington, Hamilton and Auckland.

NZ CIO Summit 2010
20 - 21 Jul 2010
The CIO Summit was another excellent event this year with Aura again being platinum sponsors.

Tales of the Crypt0
15 July 2010
Graeme Neilson presented with Kirk Jackson from Xero on cryptography at the OWASP Day New Zealand
More information and publication available here