PRESENTED TO: GREG ROAKE, CEO, TURNER TECHNOLOGIES LTD - VEILMAIL
STEVE BYRNE, DIRECTOR, CYBER RESEARCH
Turner Technologies engaged Cyber Research Limited to conduct a Penetration Test of the VeilMail B2B messaging system. The assessment was conducted on a dedicated test system to which we had unfettered access over an 8 week period from November 2014 to January 2015. The focus of this engagement was to ascertain the security posture of VeilMail and to determine whether the implemented controls were adequate in protecting the confidentiality and integrity of VeilMail data.

VeilMail makes extensive use of Java and multiple layers of encryption. Throughout the extensive security assessment, Cyber Research Limited identified that VeilMail enforces sound security practices around authentication and protection of confidential data from transmission through to storage. VeilMail provides valuable authentication controls and was effective in preventing external attacks. Cyber Research Limited was unable to bypass the authentication control to gain access to the application without valid credentials. It is clear that VeilMail has been built from the ground up to be the most secure messaging platform on the market today.

Penetration Test Technical Summary

Cyber Research conducted a penetration test that included expert infrastructure, cryptography and web application (Java) ethical hackers. In summary, our testing covered the following four components of VeilMail:

- Black-box Penetration Testing of the VeilMail Server.
- JAR file reverse engineering.
- Penetration Testing of the Crypto Modules.
- Memory heap dump analysis.

Based on the knowledge we have about the VeilMail System from our research and penetration testing, we believe that its developers have attained an unprecedented level of security. Cyber Research did not perform full source code analysis.
Product Comparison

Similar competing OTR (off the record) commercial products use encrypted communications across the Internet, but often store customer data in an unencrypted state on their own servers. Customers also share the vendor's private networks and the vendor's own shared servers. It may not be obvious if your data is harvested by the NSA's PRISM, other government agencies, private groups or individuals.

Cyber Research Limited prefers the VeilMail architecture over other commercial products because it includes a bespoke secure server that runs on a proprietary developed virtual machine. The server is unique to the customers that need to communicate with each other, and is provided on premise within the customers' own enterprise IT, allowing the customer to have complete control over who accesses the system and how.

Summary

It is clear that VeilMail has been purpose built from the ground up to be the most secure possible executive messaging platform on the market today. Cyber Research believes that VeilMail can withstand an attack from most sources, but this is entirely dependent on the amount of resources and time an organization is prepared to invest in an attack. During the test, Cyber Research's efforts and resources applied were considerable.

Hackers/Cyber Criminals may be motivated to attack the VeilMail system for notoriety or for the challenge that is presented by the way it is marketed. Because VeilMail is bespoke and by its nature typically deployed inside corporate networks, it is less likely to become a target. VeilMail has significantly reduced the likelihood of a cyber-incident through its inherent ground-up secure design coupled with 3rd party penetration security testing. By reducing the opportunity for a malicious individual or group to breach the system, the likelihood of attack is much lower, as most will look for easier targets.
The VeilMail system will not be easily recognizable (if at all) through the advanced network connectivity assessments and enumeration that most hackers might perform. By obscuring the target in the first place from the outside world using Firewalls and IDS, and through the use of non-standard or random TCP/UDP Ports, the VeilMail system is unlikely to be attacked in the first place. Cyber Research would be happy to discuss and advise any interested parties on the most secure deployment approach (such as compatible firewall implementation) dependent on their specific needs for VeilMail.

Anyone requiring independent verification of this report may contact Cyber Research directly through Steve Byrne on (+64) 021 852 933 or steve.byrne@cyberresearch.co.nz
About Cyber Research

Cyber Research is a specialist Managed Security Service Provider (MSSP). Unlike many large IT companies whose business is integration, implementation, hardware & product sales, where security is a sideline capability, Cyber Research focuses exclusively on penetration testing and security issues every day. Our team of certified ethical hackers are meticulous and relentless when it comes to finding a way into corporate networks, web and mobile apps. Our testing is bespoke, manual and innovative. Success is measured purely on our results and customer satisfaction.

Founded: 2007
Status: Privately Held (Cyber Research NZ Ltd and Cyber Research Pty (Australia) Ltd)
Office Locations: Auckland, Wellington, Brisbane.

Products & Services:
- Enterprise Penetration Testing (Ethical Hacking)
  - Dedicated Team of highly experienced hackers.
  - We attend and contribute to global industry events, research, security tool development, and open source projects.
  - Recognised for our very strong skills in Cryptography, Web Application and Mobile apps.
  - Responsible for penetration testing very large e-commerce sites and brands globally.
  - PCI compliance for certification.
- Cyber Security Incident Response
- Active Threat Protection (MSSP Operations)
- Security Consulting and Audit
- Cyber Investigation, Fraud Investigation (Criminal & Civil)
- Cyber Surveillance, Open Source Intelligence Gathering

Business Partners:
- Lexel Systems Ltd (NZ) http://www.lexel.co.nz
- SMS Management & Technologies (Hong Kong) http://www.smsmt.com
- NSPIRE (NZ) http://www.nspire.co.nz

Selection of our Customers:
- NZ Police
- London Buses
- McKesson Corporation (Fortune Ranking 15/500)
- TradeMe
- TradeVine
- 2Degrees
- imoved.me
- Western Mailing
- Salmat
- Aurion Corporation Pty Ltd
- NZI
- FreeNet
- uforlife