APT Detection Engine based on Splunk

Compass Security is working on an APT Detection Engine based on Splunk within the Hacking-Lab environment. Hacking-Lab is a remote training lab for cyber specialists, used by more than 22,000 users worldwide and run by Security Competence GmbH.

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data. APT attacks target high-profile individuals and organizations in sectors with highly valuable information assets, such as manufacturing, the financial industry, national defense and critical infrastructure.

Although APT attacks are difficult to identify, the theft of data can never be completely invisible. Detecting anomalies in outbound data is what our prototype of an APT Detection Engine does, helping your company discover that its network has been the target of an APT attack.

We will present our efforts and findings at the upcoming Beer-Talk (September 25, 2014) in Rapperswil-Jona. If you are near Switzerland, drop in for a chat on APT and to enjoy some beer and steaks.

  • Where? Rapperswil-Jona Switzerland
  • When? September 25, 2014
  • Time? 18:00 (6pm)
  • Costs? Free (including beer & steak)

Get a glimpse on our Beer-Talk flyer and spread the word. The Compass Crew is looking forward to meeting you.

BurpSentinel on Darknet

Compass Security develops security tools on a regular basis. I myself created a plugin/extension for the Burp intercepting proxy called BurpSentinel. It automates some tedious manual testing and helps identify security vulnerabilities in web applications such as XSS weaknesses or SQL injections. Compared to fully automated scanners (like the one already integrated into Burp), it has the advantage that the tester is able to see which requests have been performed, what the responses were, and how they differ from the original response. Therefore it is not only possible to know exactly what has been tested and how, but side effects can also be gauged more effectively, and the number of false negatives and false positives can be judged better. BurpSentinel is under constant development and is available on Github here.

Darknet Website


Blackhat and DEF CON USA 2014

Black Hat USA 2014 in Las Vegas is one of the biggest IT security conferences in the world. Every year, thousands of security-interested people attend the conference, which is held in the infamous Mandalay Bay in the heart of Las Vegas. And as every year, two security analysts from Compass participated in the conference to learn about the latest trends in IT security.

Black Hat easily combines the transfer of the latest top-class security know-how and networking among the attendees with a social frame around the conference.

This paper summarizes some of the most interesting talks we attended during these six days (BSidesLV, Passwords14, Black Hat and DEF CON). We encourage you not only to read this summary but also to go online and take a closer look at the videos or the slides. We aimed to give you all the relevant links for each talk.

You can download the paper here:  blackhat_2014_paper_v1.0.pdf

Compass employee honoured again

After Alexandre Herzog, CTO at Compass Security, had already been honoured [2] on 25 May 2014 with the 1337 Award by the SGRP, an alumni organisation for graduates of the MAS Information Security [1] programme at the Hochschule Luzern, another Compass employee has succeeded in convincing the expert jury of his exceptional knowledge and skills.

Lukas Reschke wrote his final thesis on the analysis of Advanced Persistent Threats (APT) during his internship at Compass Security. The thesis describes APT in general, gives insight into forensic methodology, presents detection patterns and provides tips and tricks for analysing malicious network traffic with Splunk.

At the graduation ceremony on 3 July 2014 in the Tonhalle St. Gallen, Lukas Reschke was honoured twice for his achievements at the Kantonsschule am Brühl in St. Gallen.

First, he was honoured for building up the Tech-Mentorship, which he initiated and established single-handedly. The Tech-Mentorship aims to have pupils with outstanding IT skills help their classmates handle technology during their studies and act as a point of contact for IT problems. For this exceptional achievement, the alumni association of the Kantonsschule am Brühl awarded him a prize of 500 Swiss francs. Second, Lukas was recognised for the best final thesis of the WMI programme, with a grade of 5.9.

Lukas, the Compass Crew once again congratulates you warmly!

Large parts of the findings from his thesis have already been incorporated into the new hands-on seminar "Network Analysis & Advanced Persistent Threat" and are thus available to the best experts in Europe. Our readers can also look forward to the publication of the resulting whitepaper in early September.

Upcoming courses
– 11 and 12 September 2014 in Bern, iPhone and iPad Security
– 11 and 12 November 2014 in Bern, Network Analysis & Advanced Persistent Threat

[1] HSLU MAS Information Security
[2] SGRP award for Alexandre Herzog for "Crypto-based security mechanisms in Windows and .NET"



iPhone & iPad Security course in Bern

Mobile devices are an essential part of our lives, both privately and in the corporate environment. This September, Compass Security is holding the iPhone & iPad Security course in Bern for the first time.

  • What are the security concepts of iOS devices?
  • How can iOS devices be integrated into the corporate environment?
  • What are the common attacks, and how can you protect against them?

Interested in the answers? Then this course is just right for you!

Among other things, the course offers various practical exercises to consolidate the new knowledge. These exercises remain available to you after the training. Registration is possible until mid-August 2014.

Further security trainings at Compass

Release of Smart Meter Security Controls Whitepaper at Hack in Paris 2014

This article was published just as I flipped through the final slides of my talk at "Hack in Paris" on smart meter wireless protocol issues. The 4th edition of the combo of trainings, conference and the "nuit du hack" is held at the Disneyland Resort Paris.


Yes, Disneyland. When I arrived at the hotel I ran into a crowd of kids gathering around Goofy, their parents ready to capture the moment of joy. When I entered my room, a Pluto greeting card spread a warm welcome from the small desk. A Bambi painting decorates the wall, and the body wash has Mickey Mouse ears on its cap.

Well, as unusual as it sounds, aren't imagination, creativity and an urge to play exactly what the venue and hackers share? We are definitely not the average visitors, and this was immediately confirmed when I showed up at breakfast and the waiter, somewhat puzzled, asked me "Combien ?", still glancing at the corner, expecting kids and wife to turn up in a second. "Non, je suis tout seul", I answered with a smile :)

For comic fans definitely a must see and must stay. The venue's magic is what really matters in life: fun and family. Hackers likewise love to have fun and to share knowledge with like-minded people.

While we are at sharing stuff: for those who have ever looked for a security checklist for smart meters, here it is: compass_security_smart_meter_controls_whitepaper_v1.0

That checklist formed the foundation of all my research. The full paper features a lengthy introduction and an analysis based on the OCTAVE Allegro risk assessment method in order to identify suitable controls for smart meters. For the quick reader: skip to chapter 3.3 for the complete list of 43 smart meter controls. Your feedback is highly appreciated!

And here are the links to the HIP 2014 slides, the git repos and other related work:

- Presentation Slides HIP 2014
- Whitepaper Blackhat 2013
- Google Go Sniffer & MUC (credits lukas.reschke@csnc.ch)
- Python Sniffer „Scambus“
- GNU Radio wM-Bus (credits neundorf@kde.org)
- Clipart credits go to http://openclipart.org

For those interested in solving puzzles and hands-on security training sign-up for a free remote hacking-lab.com account and get knee deep into our virtual pwnable lab. Hacking-lab features a wide variety of information security, penetration testing, security assessment and forensics hands-on training exercises to educate students and information security professionals. Give it a try.


Compass Area 41 attendance

Area41 (@a41con) is a security conference held in Switzerland. It's the successor of the highly successful Hashdays. Several Compass Security Switzerland employees volunteered to help organize this event. Some say we completely infiltrated Area41!

The compound of Komplex 457 was pretty awesome. There was enough space in the main hall to accommodate all attendees, plus an additional second floor (balcony) with a great view of the main stage (and close to several couches, the bar, the catering and, most importantly, the coffee machine). The second room was located underground in a former strip club, featuring red walls, which made the talks feel a lot dirtier ;-). A big outside terrace completed the temporary hacker epicenter.
Banashide (@banasidhe) organized the still-tired group of volunteers as we arrived on Monday morning. The biggest problem was the complete lack of coffee (rumor had it that the four coffee machines were involved in an accident on the motorway). Fortunately, a big stash of Club-Mate helped bridge this rough patch.

Between my shifts, I had the chance to attend several interesting talks.

In the keynote (slides), Halvar Flake (@halvarflake) showed that we are not able to check the integrity of the software on our computer systems at any level (userspace, kernel space, BIOS, …). So the only valid option after a compromise of a machine is to re-install it from a trusted medium. But there is little hope even then: with Intel ME, we have a component on our mainboard with full network and memory access. Nor can we check for BIOS backdoors, for example ones planted by the NSA. Additionally, the process of deploying and managing signatures creates a large number of problems by itself.
For me, the demand for integrity checks of the complete machine is bold, but necessary. I hope that in maybe 30 or 50 years we will be able to do so.

Rob Fuller (@mubix) gave an entertaining talk about free defenses (slides, from shmoocon), with many practical examples and penetration testing stories. For example, he told us about honeypots with port 23 open, or domain admin user with the password in the user comments, both immediately triggering an alarm if accessed.
In my opinion, those simple honeypots and triggers are immensely useful for any company to deploy, as they are cheap and with nearly no false positives.

Marc Ruef (@mruef) talked about his "baby", the scip VulDB (slides). He showed us the weaknesses and faults of other vulnerability databases. Seemingly simple things like disclosure dates and version information (e.g. does "version up to 11" include 11 or not? What does 2.x mean?) are handled differently, and sometimes inconsistently, by the various vulnerability databases.
As a penetration tester, I depend on accurate vulnerability information in vulnerability databases; it is necessary to correctly assess the risk of installed software versions. The talk opened my eyes to the massive deficiencies currently prevalent in the reporting and management of security advisories.

Overall it has been an interesting and successful day. I intend to attend again next year!

OWASP Switzerland – SSL/TLS Talk

On Wednesday (09.04.2014) I gave a presentation at the OWASP Switzerland chapter. Initially I chose to present an overview of SSL/TLS, based on our previous blog article "Compass SSL/TLS recommendations". By coincidence, the timing with the OpenSSL Heartbleed bug was perfect, so the presentation was updated in time with several slides about this current vulnerability.

I want to thank Sven Vetsch for the awesome organization of this event, and all attendees for their attention and interesting discussions. With 30+ people the room was fully booked, which is quite impressive :-)

Presentation download link:

Calculating RSA private keys from its public counterpart

Compass crew members just got back to work from a fun weekend/night at Insomni'hack (Geneva), where hackers met [0] to solve puzzles and enjoy the hacker community. The way back home left sufficient time to clean up systems and to reflect on some of the challenges.

There was a variety of brain-teasing puzzles relating to application, network and computer security, digital forensics, reversing and steganography. During the contest, the team unlocks more challenging puzzles as it hands in solutions. The solution was always some sort of specially formatted string, a.k.a. token or nugget.

I decided to write up one of the puzzles, to have it documented of course, and to give you an idea of what such a puzzle looks like. So, let's dig into it.

Challenge: “An ancient device is sending beacons. Let’s see whether we can derive information from it.”

The beacons received were


Interestingly, the number of beacons matches the number of characters required for submission to the nugget verification application of that hacking challenge, and for some reason we also have a copy of a public key.

-----END PUBLIC KEY-----

As we all know, the public key alone does not let us recover any plaintext from information protected with an asymmetric cryptographic algorithm. However, let's have a quick look at the parameters of the key:

$ openssl rsa -pubin -in pubkey.txt -modulus -text
Public-Key: (388 bit)
Exponent: 65537 (0x10001)

Usually, for sufficiently large and properly chosen keys, deriving the private key from its public counterpart is not feasible. In this case, the key size is obviously not that large, and as we have no other information so far, let's try to bluntly factorize the modulus N.

You could either try to do so online [1] or use CrypTool [2].

The result clearly shows that an unfortunate combination of primes was chosen as the base of the key material.


So let’s see whether we can calculate the RSA private key from the parameters we have already.

The private exponent d can be calculated from e and phi(N), where

e is the public exponent (see the public key dump above)
phi(N) is derived from the recovered primes and calculated as (p-1)(q-1)

Hint: depending on your code, you might want to put e in decimal (65537) rather than in hex (0x10001) to avoid spending too much time on debugging :)

Finally you will need to compute d = e^-1 mod phi(N), the modular inverse of e, in order to get the private exponent.

Hint by M. «If you’re already using CrypTool anyway, you could also use it to calculate d from p,q,e without having to code anything on your own: Indiv. Procedures > RSA Cryptosystem > RSA Demonstration.»

If you prefer to solve it in Python, it's a bit more involved. I was not very successful in finding a Python RSA library that exposes this specific calculation. Luckily there are lots of websites providing hints on how to calculate the modular inverse with the extended Euclidean algorithm, so I went for a copycat approach [3].

def egcd(a, b):
    # Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        q, r = b // a, b % a
        m, n = x - u * q, y - v * q
        b, a, x, y, u, v = a, r, u, v, m, n
    return b, x, y

def modinv(a, m):
    # Modular inverse of a mod m, i.e. the d with a*d = 1 (mod m); None if gcd(a, m) != 1
    g, x, y = egcd(a, m)
    if g != 1:
        return None
    return x % m

Finally, we need to check whether the recovered private key yields reasonable results on the beacons. The plaintext pt is calculated as follows:

pt = beacon^d mod N

In Python this is pow(beacon, d, n) rather than (beacon ** d) % n. Mathematically, both statements return the same result. However, pow performs modular exponentiation and keeps the intermediate values small, whereas (beacon ** d) % n first builds an astronomically large integer and takes forever for RSA-sized numbers.

Finally, we get an ASCII character from each beacon, which turned out to be the correct format and plaintext to qualify as a solution (python script – calculation.py).


And it did!

Thanks to the SCRT team, who built not only this but also other fun and challenging puzzles, and thanks to those who were patient enough to discuss twists and turns while battling!

For those interested in solving puzzles and hands-on security training, join us for our awesome courses or sign up for a free remote hacking-lab.com [4] account and get knee deep into our virtual pwnable lab. Hacking-Lab features a wide variety of information security, penetration testing, security assessment and forensics hands-on training exercises to educate students and information security professionals. Give it a try.
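As an added example (not the original calculation.py and not part of the challenge material), the whole recovery carried through end to end on a constructed toy key: factor N, derive phi(N) and d, and decrypt a constructed beacon sequence. The primes, the modulus and the beacons are assumptions for illustration; the 388-bit challenge modulus is not reproduced here, and for a modulus of that size you would still use factordb or a proper factoring tool, while the steps after factoring stay the same. The example also uses pow(e, -1, phi), which Python 3.8 and later provide as a built-in modular inverse, so the hand-written extended Euclid above is no longer strictly needed.

```python
import math

# Constructed toy key: two primes small enough to factor in milliseconds.
P_TOY = 104723
Q_TOY = 104729
N_TOY = P_TOY * Q_TOY
E = 65537


def pollard_rho(n):
    """Return a non-trivial factor of the composite n (Pollard's rho).

    The polynomial constant c is chosen deterministically so the example
    is reproducible; a real tool would randomize it.
    """
    if n % 2 == 0:
        return 2
    for c in range(1, n):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                         # proper factor found
            return d
    raise ValueError("no factor found; is n prime?")


def recover_private_key(n, e):
    """Factor n, then derive phi(N) and d = e^-1 mod phi(N)."""
    p = pollard_rho(n)
    q = n // p
    assert p * q == n
    phi = (p - 1) * (q - 1)
    # Python >= 3.8: pow with exponent -1 computes the modular inverse and
    # raises ValueError if gcd(e, phi) != 1.
    d = pow(e, -1, phi)
    return min(p, q), max(p, q), d


def encrypt_beacons(text, e, n):
    """Constructed 'ancient device': one RSA ciphertext per character."""
    return [pow(ord(ch), e, n) for ch in text]


def decrypt_beacons(beacons, d, n):
    """Each beacon is one RSA ciphertext c; recover chr(c^d mod n)."""
    # pow(c, d, n) is modular exponentiation; (c ** d) % n would first
    # build an enormous integer and never finish for RSA-sized values.
    return "".join(chr(pow(c, d, n)) for c in beacons)


if __name__ == "__main__":
    beacons = encrypt_beacons("nugget", E, N_TOY)   # constructed input
    p, q, d = recover_private_key(N_TOY, E)
    print(f"p={p} q={q} d={d}")
    print(decrypt_beacons(beacons, d, N_TOY))
```

Pollard's rho is enough for a modulus with small factors such as the toy one; what it demonstrates is the dependency chain the write-up describes: once N is factored, phi(N), d and the plaintext follow mechanically, and a key whose primes are guessable gives the attacker the private key outright.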

[0] European hackers hit Geneva competition http://www.skynews.com.au/tech/article.aspx?id=960593
[1] Online factor DB at http://www.factordb.com/
[2] CryptTool http://www.cryptool.org/en/download-ct1-en
[3] Extended Euclidean Algorithm Snippet http://en.wikibooks.org/wiki/Algorithm_Implementation/Mathematics/Extended_Euclidean_algorithm
[4] Hacking-Lab http://www.hacking-lab.com/

Lync – Missing Security Features

Microsoft has published a list of key security features [1] and also their security framework [2] for Lync Server 2013. Those documents show how deeply MS integrated their SDL into the Lync products. It also indicates that Lync provides a solid security baseline out of the box:

  • Encryption enforced for all communication between Lync clients by default
  • RBAC approach for administration
  • Certificate-based authentication
  • Edge Server within the DMZ as the first endpoint reachable from outside, with no need to join the domain
  • Good integration into the whole Windows infrastructure

However, while Compass Security was reviewing and implementing Lync infrastructures, a few issues surfaced which aren't optimal from a security point of view.

We have summarized some of the missing security features in Lync. As with our previous post about this topic (Lync – Top 5 Security Issues, [3]), this list is not a finished catalog. But it may be helpful for others in an evaluation phase, or during implementation, to identify potential pitfalls.

Security Settings

One of the first things we got stuck with is the way security options are set (either with PowerShell or with the Lync Control Panel). All the security-relevant options are spread across different configuration cmdlets, or across different pages in the control panel. It's like "where the hell is this option again?".

There is no single place for these options, and it is therefore difficult to set up a secure installation without detailed and in-depth know-how. The Exchange 2007 and 2010 administrative interfaces are able to show the corresponding PowerShell command for each configuration setting, which can be immensely helpful for administrators. Sadly the Lync Control Panel does not have this useful feature.

We wish to see a dedicated "Security Settings" tab and a more concise, well-arranged configuration UI. It should also enable the administrator to view the underlying PowerShell cmdlets.

File transfer

The transfer of files directly between Lync users can only be allowed or disabled for all Lync users at the same time (CsConferencingPolicy). A more granular file transfer approach cannot be achieved within Lync.

We would like to have the possibility to set these settings for specific user groups. It should also be possible to restrict (or completely deny) file transfer between internal and federated users.

Additionally, there is a blacklist for the file extensions of transmitted files (CsFileTransferFilterConfiguration). However, a whitelist approach would be the preferred choice. For example, the ".jar" extension is not in the blacklist by default in Lync 2013, a serious gap in enterprise environments (because of the high number of Java vulnerabilities). It's not difficult to find more extensions which should be blocked (especially if a generic archive tool like WinZip is installed on every workstation, which lets the user open a myriad of different archive formats, each with its own file extension).

Furthermore, a dangerous setting is "EnableFileTransfer" in the "conferencing options". This is a per-organizer setting: a conference organizer can enable file sharing for the conferences he creates, even if file sharing for conferences is disabled. The file transfer restrictions mentioned above can therefore be circumvented by every user who is able to create a conference.

An option should exist in Lync which prevents conference organizers from enabling file sharing.

Some third party tools are able to solve some of the problems mentioned above by implementing more sophisticated filtering of file transfer on the Edge server.

Federation policies

The current implementation of federations assumes that the federated companies completely trust each other, or have at least a similar security policy. It is not really possible to restrict or confine external users. Some policy settings are described in a previous post about the privacy configuration [4].

As different companies may want to easily communicate, but not completely trust each other, we wish for much more granular permission/restriction policy for federated users. For example, it should be possible to only allow IM from internal users to federated users, but deny other communication channels.

Identification of mobile phones and external devices

Currently, every user who provides valid credentials is able to log in to Lync. It is not possible to restrict access to certain devices. For example, Lync cannot deny access for insecure Android phones, or allow only iPhones. Therefore, users are able to use Lync on insecure devices, and on as many devices as they want.

It should be possible to restrict access based on the operating system (a feature which already exists, but does not seem to work, CsClientVersionPolicy).

We’d also like to see Lync restricting logins to mobile devices which are managed by the company MDM solution.

Front-End server certificates

The certificates for TLS-DSK authentication are issued by the Lync PKI on the Front-End server. A company with an existing PKI can't use its own certificates.

We wish to be able to use an existing PKI. The process of deactivating users would also fit better within existing company procedures, so that no additional “Lync-certificate-deactivation-process” must be implemented.

Two-factor authentication

The default authentication is based on AD credentials (username and password), and two-factor authentication cannot be enforced for all clients. Two-factor support (e.g. the use of smart cards) was added with the Cumulative Update for Lync 2013 in July 2013 [5]. Unfortunately, this update applies only to Lync 2013 desktop clients.

End-to-End encryption

As already noted in “Lync – Top 5 Security issues” [3], a complete end-to-end encryption is not available. In some scenarios a complete encryption between the endpoints in p2p conversations is a requirement. This is currently not possible with Lync 2013.


Despite the solid security baseline implemented in Lync, there are multiple issues regarding the administration and the level of security needed in an enterprise environment. Lync is designed for easy communication with different parties and integrates many different media features like voice, video and IM. For highly sensitive environments this could be considered too open. To conclude this post, the following issues have been discussed: there is no single place for all security settings, file transfer cannot be restricted as needed with standard tools, there is no option to use end-to-end encryption between the clients, and it's not possible to enforce a second authentication factor for all devices.

So, we can summarize our wish list for an upcoming release (Christmas is already over, but a major update is coming in 2014. And the next Lync release is coming too. Maybe.):

  • More obvious and centralized places for the security settings
  • A better file transfer restriction approach
  • A way to implement second-factor authentication, or an integration of third-party second-factor tools
  • Better possibilities to identify and restrict Lync client devices


[1] Key Security Features in Lync Server 2013, http://technet.microsoft.com/en-us/library/dn342829.aspx, last visited 20.02.2014

[2] Security Framework for Lync Server 2013, http://technet.microsoft.com/en-us/library/dn481316.aspx, last visited 20.02.2014

[3] Lync – Top 5 Security Issues, http://blog.csnc.ch/2014/01/lync-top-5-security-issues/, last visited 20.02.2014

[4] Lync – Privacy Configuration, http://blog.csnc.ch/2014/01/lync-privacy-configuration/, last visited 20.02.2014

[5] Planning for and Deploying Two-factor Authentication, http://technet.microsoft.com/en-us/library/dn308563.aspx, last visited 20.02.2014

Thanks to Dobin Rutishauser for research, review and discussions concerning this matter.