Forensic Investigation Kurs in Bern

Die Teilnehmer lernen die Grundlagen der forensichen Untersuchungen anhand eines fiktiven Hacker-Angriffs. Dazu startet das Seminar mit einem Szenario, welches Schritt für Schritt aufgeklärt werden soll. Dabei werden verschiedene Übungen mit unterschiedlichen Technologien und Systemen gemacht. Diesen November führt Compass Security das erste Mal in Bern den Forensic Investigation Kurs durch.

Sind Sie an Computer Forensik interessiert? Dann ist dieser Kurs genau richtig für Sie!

Die Compass Kurse vermitteln Ihnen Theorie mit vielen praktischen Fallbeispielen, welche Sie in der geschützten Labor-Umgebung (Hacking-Lab) üben können. Anmeldungen sind bis Anfang November 2014 möglich.

Weitere Security Trainings bei Compass

Security Advisories for SAP BusinessObjects Explorer and neuroML

Compass Security employees identify and report on a regular basis security vulnerabilities as part of their daily assessments (or just out curiosity).

Stefan Horlacher identified and reported back in June 2013 several flaws in SAP BusinessObjects Explorer. We’re happy to publish today the details as the flaws have been patched and a reasonable grace period given for their deployment:

Note that both the port scan as well as the XML External Entity (XXE) attack can be conducted anonymously without prior insider knowledge.

Philipp Promeuschel on his part identified multiple vulnerabilities in neuroML version 1.8.1 in May this year. The related advisory covers a wide range of vulnerabilities allowing a full compromise of the application:

Disabling Viewstate’s MAC: why you deserve having now a broken ASP.NET web application

Lots of things happened since my first (and unique) blog post about ASP.NET Viewstate and its related weakness. This blog post will not yet disclose all the details or contain tools to exploit applications, but give some ideas why it’s really mandatory to both correct your web applications and install the ASP.NET patch.

Back in September 2012 I reported an issue in the ASP.NET framework which could be used to potentially execute remote code in a typical SharePoint installation. Microsoft patched its flagship products SharePoint and Outlook Web Access. They also released guidance in security advisory 2905247 which contained an optional patch to download, removing the ASP.NET framework’s ability to alter setting “EnableViewStateMac”. It was also made clear that Microsoft will forbid this setting in upcoming ASP.NET versions. ASP.NET version 4.5.2, released in May 2014, was the first version of ASP.NET to have this setting disabled. Microsoft released as part of this month’s Patch Tuesday a patch to remove support for setting EnableViewStateMac for all ASP.NET versions.

While this patch may break ASP.NET applications, remember that without this patch you’re vulnerable to a much bigger threat. Fixing the web application is in the very vast majority of the cases easy from a technical perspective (e.g. set up dedicated machine keys within a given web farm). But as pointed out in the ASP.NET article, the management and distribution of these machine keys must follow a strict process to avoid being disclosed to unwanted parties. Think of machine keys being an essential element of your application. If these keys have ever been disclosed, you have to change them immediately. Ensure software purchased or downloaded from the Internet does not contain pre-defined keys in the application’s web.config.

If you want to know more but missed my Area41 talk about this flaw, come over to the AppSec Forum Western Switzerland on November 4th to 6th in Yverdon-les-Bains . I will be presenting an updated version of my “Why .NET needs MACs and other serial(-ization) tales” talk about the underlying flaws, their history and how to exploit them.

APT Detection Engine based on Splunk

Compass Security is working on an APT Detection Engine based on Splunk within the Hacking-Lab environment. Hacking-Lab is a remote training lab for cyber specialists, used by more then 22’000 users world-wide, run by Security Competence GmbH.

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data. APT attacks target high-profile individuals, organizations in sectors with incredibly valuable information assets, such as manufacturing, financial industry, national defense and members of critical infrastructures.

Although APT attacks are difficult to identify, the theft of data can never be completely invisible. Detecting anomalies in outbound data is what our prototype of an APT Detection Engine does. Helping your company discovering that your network has been the target of an APT attack.

We will present our efforts and findings at the upcoming Beer-Talk (September 25, 2014) in Rapperswil-Jona. If you are near Switzerland, drop in for a chat on APT and to enjoy some beer and steaks.

  • Where? Rapperswil-Jona Switzerland
  • When? September 25, 2014
  • Time? 18:00 (6pm)
  • Costs? Free (including beer & steak)

Get a glimpse on our Beer-Talk flyer and spread the word. The Compass Crew is looking forward to meeting you.

BurpSentinel on Darknet

Compass Security is developing security tools on regular basis. I for myself created a plugin/extension for Burp Intercepting Proxy called BurpSentinel. It can makes some tedious manual testing more automated, and helps identifying security vulnerabilities in web applications like XSS weaknesses or SQL injections. Compared to fully automated scanners (like the one already integrated into Burp), it has the advantage that the tester is able to see which requests have been performed and what their answer is, and also the difference to the original response. Therefore it is not only possible to know what exactly has been tested and how, but also the side-effect can be more effectively gauged. Also the amount of false negatives and false positives can be better judged. BurpSentinel is under constant development, and is available on Github here.

Darknet Website

BurpSentinel on Darknet

Blackhat and DEF CON USA 2014

Black Hat USbh14A in Las Vegas is one of the biggest IT security conferences in the world. Every year, thousands of security-interested people attend the conference that is held in the infamous Mandala Bay, in the heart of Las Vegas. And as every year, two security analysts of Compass have participated the conference to learn about the latest trends in IT security.

Black Hat easily combines the transfer of the latest top-class security know-how and networking among the attendees with a social frame around the conference.

This paper summarizes some of the most interesting talks we’ve attended during these six days (BSidesLV, Passwords14, Black Hat and DEF CON). We encourage you not only to read this summary but also to go online and take a closer look at the videos or the slides. We aimed at giving you all the relevant links for each talk.

You can download the paper here:  blackhat_2014_paper_v1.0.pdf

Compass Mitarbeiter erneut ausgezeichnet

Nachdem am 25. Mai 2014 bereits Alexandre Herzog, CTO bei Compass Security, mit dem 1337-Award durch die SGRP, einer Alumni-Organisation für MAS Information Security[1] Absolventen der Hochschule Luzern, ausgezeichnet [2] wurde, ist es erneut einem Compass Mitarbeiter gelungen, die Fachjury von seinem ausserordentlichen Wissen und Können zu überzeugen.

Lukas Reschke hat im Rahmen seines Praktikums bei der Compass Security eine Abschlussarbeit zur Analyse von Advanced Persistent Threat (APT) geschrieben. Die Arbeit beschreibt APT generell, gibt Einblicke in forensische Vorgehensweise, zeigt Erkennungsmuster auf und gibt Tips und Tricks für die Analyse von bösartigem Netzwerkverkehr mittels Splunk .

Im Rahmen der Abschlussfeier vom 3. Juli 2014 in der Tonhalle St. Gallen wurde Lukas Reschke in zweierlei Hinsicht für seine Leistungen an der Kantonschule am Brühl in St. Gallen geehrt.

Zum einen wurde er für den Aufbau des Tech-Mentorship geehrt, welches er im Alleingang ins Leben gerufen und aufgebaut hat. Das Tech-Mentorship, hat zum Ziel, dass Schüler mit herausragenden IT-Kenntnissen ihren Kammeraden den Umgang mit der Technik während dem Studium erleichtern und auch als Anlaufstelle für IT Probleme zur Verfügung stehen. Für diese ausserordentliche Leistung wurde er vom Ehemaligenverein der Kantonsschule am Brühl mit einem Preisgeld von 500 Franken ausgezeichnet. Zum anderen wurde Lukas für die beste Abschlussarbeit des Studiengangs WMI mit einer Note von 5,9 gewürdigt.

Lukas, die Compass Crew gratuliert dir auf diesem Weg nochmals ganz herzlich!

Grosse Teile der Erkenntnisse aus seiner Arbeit sind bereits in das neue Hands-on Seminar “Network Analysis & Advanced Persistent Threat” eingeflossen und ist somit den besten Experten im europäischen Raum zugänglich. Unsere Leser dürfen sich zudem auf die Publikation des entstandenen Whitepapers per Anfang September freuen.

Nächste Kurse
– 11. und 12. September 2014 in Bern, iPhone und iPad Security
– 11. und 12. November 2014 in Bern, Network Analysis & Advanced Persistent Threat

Referenzen
[1] HSLU MAS Information Security 
[2] SGRP Auszeichnung Alexandre Herzog für ” Crypto-based security mechanisms in Windows and .NET ” 

 

 

iPhone & iPad Security Kurs in Bern

Mobile Geräte sind ein wesentlicher Teil unseres Lebens, sowohl im Privaten als auch im Unternehmensumfeld. Diesen September führt Compass Security das erste Mal in Bern den iPhone & iPad Security Kurs durch.

  • Was sind die Sicherheitskonzepte bei iOS-Geräten?
  • Wie können iOS-Devices ins Unternehmensumfeld eingebunden werden?
  • Welches sind die gängigen Angriffe und wie kann man sich dagegen schützen?

Sind Sie an den Antworten interessiert? Dann ist dieser Kurs genau richtig für Sie!

Der Kurs bietet u.a. verschiedene Praxisübungen, um die neuen Kenntnisse zu festigen. Diese Praxisübungen stehen Ihnen auch nach der Schulung zur Verfügung. Anmeldungen sind bis Mitte August 2014 möglich.

Weitere Security Trainings bei Compass

Release of Smart Meter Security Controls Whitepaper at Hack in Paris 2014

This article was published when I just flipped through the final slides talking at “Hack in Paris” on smart meter wireless protocol issues. The combo of trainings, conference and the “nuit du hack” is held at the Disney Land Resort Paris for the 4th edition.

hip2014

Yes, Disney Land. When I arrived at the hotel I ran into a crowd of kids gathering around Goofy. Their parents ready to capture to moment of joy. When I entered my room, a Pluto greeting card spread a warm welcome from the small desk. A Bambi painting decorates the wall and the body wash has Mickey Mouse ears at its cap.

Well, as unusual it sounds, isn’t it imagination, creativity and an urge to play what the venue and hackers share? We are definitely not the average visitor and this got immediately confirmed when I showed up at breakfast where the waiter somewhat puzzled asked me: “Combien ?”. Still watching at the corner, expecting kids and wife would turn up in a second. “No, je suis tout seul”, I answered with a smile :)

For Comic fans definitely a must see and must stay. The venue’s magic is what really matters in life: fun and family. So do hackers love to have fun and to share knowledge with equal minded.

While we are at sharing stuff. For those who have ever looked for a security checklist for smart meters. Here it is: compass_security_smart_meter_controls_whitepaper_v1.0

That checklist built the foundation of all my research. The full paper features a lengthy introduction and analysis based on the OCTAVE Allegro Risk Assessment method in order to identify suitable controls for smart meters. For the quick reader: Skip to chapter 3.3 for the total list of 43 smart meter controls. Your feedback is highly appreciated!

And here are the links to the HIP 2014 slides, the git repos and other related work

Presentation Slides HIP 2014
Whitepaper Blackhat 2013
Google Go Sniffer & MUC (credits lukas.reschke@csnc.ch)
Python Sniffer „Scambus“
GNU Radio wM-Bus (credits neundorf@kde.org)
– Clipart credits go to http://openclipart.org

For those interested in solving puzzles and hands-on security training sign-up for a free remote hacking-lab.com account and get knee deep into our virtual pwnable lab. Hacking-lab features a wide variety of information security, penetration testing, security assessment and forensics hands-on training exercises to educate students and information security professionals. Give it a try.

 

Compass Area 41 attendance

Area41 (@a41con) is a security conference held in Switzerland. Its the successor of the highly successful Hashdays. Several Compass Security Switzerland employees volunteered to help organizing this event. Some say, we completely infiltrated Area41!

The compound of Komplex 457 was pretty awesome. There was enough space in the main hall for to accommodate all viewers, and an additional second floor (balcony) with great view of the main stage (and also was close to several couches, the bar, the catering and most importantly the coffee machine). The second room was located underground in a former strip club, featuring red walls, which made the talks a lot more dirty ;-). A big outside terrace completed the temporary hacker epicenter.
Banashide (@banasidhe) organized the still tired group of volunteers, as we arrived on Monday morning. Biggest problem was the complete lack of coffee (Rumor had it that the four coffee machines were involved in an accident on the motorway). Fortunately, a big stash of Club Mate helped bridging this rough patch.

Between my shifts, I had the chance to attend several interesting talks.

In the Keynote (Slides), Halvar Flake (@halvarflake) showed that we are not able to check the integrity of software on our computer systems on any level (Userspace, Kernelspace, BIOS, …). So the only valid option after a compromise of a machine is to re-install it from a trusted medium. But there’s anyway little hope, as with Intel ME, we have component on our mainboard with full network- and memory access. Also we can’t check for BIOS backdoors, for example issued by the NSA. Additionally, the process of deploying and managing signatures creates a big amount of problems by itself.
For me, the request for integrity checks for the complete machine is bold, but necessary. I hope in maybe 30 or 50 years, we will be able to do so.

Rob Fuller (@mubix) gave an entertaining talk about free defenses (slides, from shmoocon), with many practical examples and penetration testing stories. For example, he told us about honeypots with port 23 open, or domain admin user with the password in the user comments, both immediately triggering an alarm if accessed.
In my opinion, those simple honeypots and triggers are immensely useful for any company to deploy, as they are cheap and with nearly no false positives.

Marc Ruef (@mruef) talked about his “baby”, the SCIP VulDB (slides). He showed us the weaknesses and faults of other vulnerability databases. Seemingly simple things like disclosure dates and version information (e.g. does “version up to 11″ include 11, or not? What does 2.x mean?) are handled differently and sometimes inconsistently by the various vulnerability DB’s.
As penetration tester, I depend on accurate information of vulnerabilities in vulnerability databases. It is necessary to correctly assert risks of installed software versions. The talk opened my eyes to the massive deficiencies currently prevalent in the reporting and management of security advisories.

Overall it has been an interesting and successful day. I intend to attend again next year!