ERNW News

This Newsletter is a follow-up on the talk ERNW's experts Michael Schaefer and Matthias Luft gave on this year's TROOPERS11 conference in Heidelberg. They focused on developing a guideline for secure operation and reducing risk of Multifunction Devices (MFD) in a corporate environment. This newsletter describes how Michael and Matthias approached the topic of MFD security, which results they ended up with and what they recommend in order to increase the security level of MFDs within a corporate environment.

Mobile device like iPhones and iPads are used more and more often in corporate environments. Companies not supporting such devices find their users unhappy and doing all kinds of silly stuff like forwarding confidential data to free email accounts to be able to access them on their private iOS devices. The pressure on the IT departments to support these devices in an official way grows from day to day.
To integrate those devices into the corporate environment a lot of use cases require access to internal resources. Those devices basically have two ways to connect to a corporate network: WLAN and VPN connections. WLAN is a wireless technology and a VPN typically can be accessed over the InternetInternetInternet – also a very insecure network.
In order to protect the internal corporate network, strong authentication mechanisms are required. Thus all devices must support these authentication methods.
Using cryptographic authentication methods, such as client certificates, can fulfill the need for a strong authentication mechanism.
This newsletter shows how certificates can be used for device authentication on iOS devices.

This newsletter gives a short introduction to Web Application Firewalls and explains ways and methods to fingerprint and bypass WAFs. In addition, a new tool called tsakwaf will be released and covered in this newsletter which main purpose is to help testing the detection capabilities of a WAF.

This newsletter gives an overview of the relevant threats the iPad introduces into the corporate IT environment. It includes a risk assessment based on ERNW’s Rapid Risk Assessment approach and makes recommendations for secure operation of Apple’s recent gimmick. Also there are some security relevant improvements described, that are introduced in iOS 4 for iPad (should be during the last quarter of 2010)

Because iPad and iPhone use the same operating system family, most of the things shown here apply to both of them.

Head over to our tools section to download presentation, tools and other stuff regarding our latest Blackhat USA talk.

Please visit NetworkWorld.com to read an article about the tool.

This newsletter evaluates configuration options, reflecting security and possible usability impact, incorporating typical large scale enterprise usage of browser based content. The evaluation was done for a globally operating enterprise.

This newsletter displays results of on-going research regarding Cisco Enterprise Wireless LAN solutions.

This newsletter illustrates the new technology Data Leakage Prevention (DLP). After some basic definitions and theoretical explanations, the evaluation of two exemplary DLP suites is described in detail. This examination is based on several requirements and derived test cases, which cover most aspects of DLP and can also serve as a framework for further examinations.

Friedwart Kuhn analyzes security-relevant implications of using the privilege "Trusted for delegation" in Active Directory. This newsletter will also give you recommendations towards a safe implementation of this privilege.

Our excellent coaches provide for an educational and practically oriented experience. With ERNW there's no compromise between profound theoretical knowledge and applicable practical knowhow. Visit our "Workshop Section" to get an overview over all topics and upcoming dates.

Head over to our event archives for new slides on "Virtual Security" and "Targeted Attacks" [in German language].

Friedwart Kuhn analyzes and evaluates the safe generation of master encryption keys for the initial setup of BlackBerry devices and the automatic update of these keys between BlackBerry devices and the BlackBerry Enterprise Server. The technical analysis comes along with recommendations of measures towards a safe operation.

Matthias Luft and Daniel Mende gave a lecture on "Hacking Mobile Devices" at an event of F-Secure on 18th May. It featured a series of practical demos. Download the presentation's slides here - we would be pleased to present the demos to your organization or be supportive with securing your mobile platforms.

We've updated the "upcoming events" section. Have a look where the ERNW guys are transferring their deep knowledge to international audience. Amongst others Enno Rey is contributing to Blackhat USA 2009 together with Chris Hoff - get more information about their talk "Cloudifornication" here.

Following ERNW's Responsible Disclosure policy, Michael Thumann reported a XSS vulnerability affecting Blackberry Enterprise Server.

ERNW Security Advisory 01-2009 is now online. See also: www.blackberry.com

This newsletter tells the story of a company that built a VoIP trunk to a remote site over the internet and doing so, it opened a security hole. The vulnerability was presumably exploited, which led to the loss of money for the victim. It is a true story, but it will be presented in a generic way, mainly giving a technical description of the incident and pointing out what could have been done to avoid it.

Visit our Publications & Talks section to get an overview on past conferences and upcoming events. Among other things, you'll find new slides of our talks from ShmooCon09 and BASTA! 2008.

There's also a new subsection for talks addressed to an Academic Audience.

The continuing merger of data and voice networks brings new security challenges. This 2-day course provides detailled knowledge about securing complex Voice-over-IP implementations. We will cover typical threats and vulnerabilities in VoIP networks and provide a risk-based approach in securing them.

Lots of real world examples and some hands-on experience might help to get a better understanding of the interactions, potential threats and mitigating controls to come across in VoIP networks.

Available dates:
April 7-8, 2009
May 18-19, 2009
June 23-24, 2009

For more information please head over to our 'Knowhow-Transfer' section.

The ERNW hacker team Roger Klose, Daniel Mende, Simon Rich and Grandmaster Michael Thumann, could stand up their many talented North American Ninja Hackers at the PacketWars, during the Day-Con. Congratulation!

This newsletter will introduce different approaches how malware can be analyzed and discuss their respective pros and cons. It will cover online sandboxes, individually built sandbox systems with a dedicated tool set and also a reverse engineering approach. Obfuscation techniques that are used by attackers to prevent malware analysis are discussed and possible solutions to defeat them are presented. Finally we will give some recommendations which approach works best in different corporations from our point of view.

An introduction to TrueCrypt

TrueCrypt is a free software application used for transparent real-time encryption and decryption. Its Version 6.0a has just been launched and offers many features and a wide range of functionalities.
This newsletter will give you an overlook and introduce you to user-friendly data encryption.

Testing IT Security is one of the core competences of ERNW. Many of our customers get their IT infrastructure and (Web-) applications checked on a regular basis. This may either be done on a very technical level in terms of penetration testing or in a more formal way in terms of general security audits, during which we verify the IT Security Compliance of your company compared to best practices according to ISO17799/ISO27001 and/or your enterprise security policies. As a result of our reports you will be able to realistically assess the risks related to the detected security flaws and vulnerabilities. (more)

Research & Technologie-Evaluation Research is the foundation of our knowledge leadership. The intent of this work is to unveil security flaws and vulnerabilities in protocols, technologies and products. Some findings derive from design-flaws, some from poor implementation on a technical level. In these cases we communicate the vulnerabilities to our clients and/or the manufacturer and assist in the development of a solution of the problem (e.g. patches) and as soon as a patch is available we publish advisories (ERNW Newsletter). (more)

New in our Pen-Testing Portfolio: VoIP-Vulnerability check of the participating protocols, gateways, devices and softphones that may lead to:

• Sniffing
• Denial-of-Service
• Redirecting phone calls
• Hacking of hard- and softphones
• Spoofing
• SPIT (VoIP-Spam)

more Pen-Test modules