Table of Contents
Last week, we decided to take a look onto the EMET library provided by Microsoft. This library is intended to introduce several security features to applications which are not explicitly compiled to use them.
It also adds an additional layer to protect against typical exploiting techniques by filtering library calls, preventing usage of dangerous functions/components and inserting mitigation technologies.
As EMET is already a target for many researchers, we currently only started to get an overview of it’s structure and how the different components are interacting with each other. Today we would like to share some of our results with you.
back from my vacation I’d like to give you some impressions about Defcon 24 and our talk “Attacking BaseStations”. Defcon itself had a couple of great talks but was a very crowded location. Anyhow, we had a couple of great discussions with the people before and after our talk.
Today it is my pleasure to shortly introduce ERNW’s Capture the Flag team, the Kernel Space Invaders. As a long-time CTF enthusiast, I’m really amazed how many of us make the time to tackle IT security challenges also on the weekends or evenings. Even if we cannot participate in all CTFs out there (which would be challenging anyways given the large number of CTF events happening nowadays), we started to compile a repository of some of our write-ups — I hope some of you will enjoy!
Just a short recap from my side regarding this year’s BSide in Las Vegas, NV. It was my first time there and I pretty much enjoyed it. After entering the venue on the first con day (Tuesday) I was a little bit shocked, as the staff sent me to the “end of the line just around the corner” – the end being many corners and many floors away 😉 Speaking to some guys while standing in line, time quickly passed by and before finally hitting the registration desk, there were already some people from the staff giving away the conference badges to the waiting folks. The waiting time was no comparison to last year’s DEF CON, where I (and obviously all the other “humans”, how attendees at DEF CON are called) had to wait nearly _four_ hours to get a badge to enter the con. DEF CON staff already calls this the annual “Line Con”. Enough bashing, back to topic 😉
The opening keynote was held by Lorrie Cranor, who spoke first and Michael Kaiser, who did the second part. I enjoyed Lorrie’s part which was about frequent password changes in environments like companies or universities. She talked about studies that revealed, many people who have to change passwords frequently use patterns by changing their passwords, like shifting letters or iterating numbers. This behavior mostly provides only a little security benefit or could otherwise also decrease security, she said.
During penetration tests, we often find interesting files on web servers. Almost as often, those files enable us to carry out further attacks with much higher impact. Inspired by Chris Gate’s great series From Low to Pwned, we decided to share the following small piece.
Today I had to give the pleasure to give a keynote at the SIGS DC Day on the need to evaluate Cloud Service Providers in a way that looks behind (or at least tries to) security whitepapers and certification reports. The slides can be found here.
I also particularly enjoyed the following two talks:
Sean O’Tool from Swisscom AG covered challenges of an infrastructure to cloud migration. Even though he only briefly touched the topic, I enjoyed his description of their firewalling model: Seeing that centralized firewall operation (or more precisely, rule design and approval) is limited/challenged by the understanding of the application, they transferred control over firewall rule sets (beyond a basic set of infrastructure/ground rules) to the application teams (using of features like OpenStack’s security groups, where he also talked about limitations of those). They compensated the loss of “centralized enforcement by a security group” with rule reviews — an approach that will become way more relevant (and necessary) in the future.
Marc Holitscher from Microsoft covered their “second line of defense”, which is a strong audit framework for controls they implement for their Azure/Office cloud environment. The relevant information (which was new for me too) was that they published a lot of audit information just recently. Details are described here.
Last month the annual USENIX Security Symposium with its co-located workshops (WOOT, CSET, FOCI, ASE, and HotSec) was held in Austin, Texas. The program of the conference together with the published papers can be found here and information on the workshops can be found here.
The research topics were quite diverse and included subjects such as low-level attacks, cryptographic attacks, and vehicle attacks. To give you an impression on the research that has been presented at the conference, let us discuss some of the talks in the following:
Some years ago I discussed the meaning of the term “control” in this post, but at the time I was mainly referring to the noun “control”. Given I’ll extensively use the term “control” as a verb in the next parts of “the DMZ series” and some upcoming talks I reflected a bit on its meaning (as a verb). In the following I’ll lay out the definition/understanding to be employed at those occasions.
Internal workshops are one of the reoccurring events at ERNW, that help us to gain knowledge in areas outside our usual expertise. One of the recent workshops which happened during the week from August 22nd-25th was Hardware Hacking. Held by Brian Butterly (@) and Dominic Spill (@dominicgs), this workshop took place in two parts. Brian kickstarted the introductory session by guiding us through the fundamental steps of Hardware Hacking. Brian did an excellent job of making things simpler by giving a detailed explanation on the basic concepts. For a beginner in hardware hacking, the topic could be rather intimidating if not handled properly.
0 Comments | Posted by Enno Rey
This is the second part of a series with considerations on DMZ networks in 2016 (part 1 can be found here). Beforehand I had planned to cover classification & segmentation approaches in this one, but after my little rant on how “the business” might approach & think about reverse proxies in the first part, I felt tempted to elaborate a bit further on this particular topic. I kindly ask for your patience 😉 and will digress a bit for the moment.