This newsletter evaluates configuration options, reflecting security and possible usability impact, incorporating typical large scale enterprise usage of browser based content. The evaluation was done for a globally operating enterprise.
ERNW_Newsletter_31_Secure_IE8_Configuration_en.pdf
(925KB)
ERNW_Newsletter_31_Secure_IE8_Configuration_signed_en.pdf
(902KB)
This newsletter presents results of ongoing research regarding Cisco Enterprise Wireless LAN solutions.
ERNW_Newsletter_30a_3IT-Security_Bits_de.pdf
(65KB)
ERNW_Newsletter_30a_3IT-Security_Bits_signed_de.pdf
(181KB)
ERNW_Newsletter_30b_Cisco_WLAN_Sec_en.pdf
(2MB)
ERNW_Newsletter_30b_Cisco_WLAN_Sec_signed_en.pdf
(2MB)
This newsletter illustrates the new technology Data Leakage Prevention (DLP). After some basic definitions and theoretical explanations, the evaluation of two exemplary DLP suites is described in detail. This examination is based on several requirements and derived test cases, which cover most aspects of DLP and can also serve as a framework for further examinations.
ERNW_Newsletter_29_Data_Leakage_Prevention_en.pdf
(253KB)
ERNW_Newsletter_29_Data_Leakage_Prevention_signed_en.pdf
(266KB)
This document analyzes the security-relevant implications of using the privilege "Trusted for delegation" in Active Directory. This newsletter also gives recommendations for a safe implementation of this privilege.
ERNW_Newsletter_28_Trusted_for_Delegation_de.pdf
(105KB)
ERNW_Newsletter_28_Trusted_for_Delegation_signed_de.pdf
(226KB)
This newsletter analyzes and evaluates the safe generation of master encryption keys for the initial setup of BlackBerry devices and the automatic update of these keys between BlackBerry devices and the BlackBerry Enterprise Server. The technical analysis is accompanied by recommended measures for safe operation.
ERNW_Newsletter_27_BB_Security_de.pdf
(297KB)
ERNW_Newsletter_27_BB_Security_signed_de.pdf
(419KB)
This newsletter tells the story of a company that built a VoIP trunk to a remote site over the internet and, in doing so, opened a security hole. The vulnerability was presumably exploited, which led to a loss of money for the victim. It is a true story, but it is presented in a generic way, mainly giving a technical description of the incident and pointing out what could have been done to avoid it.
ERNW_Newsletter_26_VoIP_Sec.pdf
(2MB)
This newsletter introduces different approaches to analyzing malware and discusses their respective pros and cons. It covers online sandboxes, individually built sandbox systems with a dedicated tool set, and a reverse engineering approach. Obfuscation techniques used by attackers to prevent malware analysis are discussed, and possible solutions to defeat them are presented. Finally, we give some recommendations on which approach, from our point of view, works best in different corporations.
ERNW_Newsletter_25_Malware_en.pdf
(3MB)
An introduction to TrueCrypt
TrueCrypt is a free software application used for transparent real-time encryption and decryption. Its version 6.0a has just been launched and offers many features and a wide range of functionality.
This newsletter gives you an overview and introduces you to user-friendly data encryption.
ERNW_Newsletter_24_TrueCrypt_de.pdf
(255KB)
On the 27th of March, the latest results from the hacker scene were presented over two days at Blackhat Europe in Amsterdam. ERNW was also there with the "Hacking SecondLife" talk. It was also a good opportunity to get the newest information from other experts and to discuss current trends in the scene. In this newsletter we pass this information on and have summed up the most important and interesting talks for you.
ERNW_Newsletter_23_Blackhat_de.pdf
(75KB)
This newsletter describes the questions IT security management should ask when using USB devices. Technical and organisational measures for solutions under Windows Vista, as well as risk assessment, are discussed.
ERNW_Newsletter_22_v1.0.pdf
(2MB)
This newsletter deals with risk assessment, one of the most important subprocesses. After a short introduction, a customer project is presented as an example.
The "Simple Network Management Protocol" version 3 is neglected by network administrators despite its advantages over its predecessors. This newsletter tries to explain the advantages and the reasons for this neglect, and shows by means of a practical example that SNMPv3 may be interesting for the enterprise.
ERNW_Newsletter_20_CW_und_SNMPv3_de.pdf
(465KB)
by Dror-John Röcher
Introduction:
This newsletter describes a methodology for analysing vulnerabilities that is based on the metrics of the Common Vulnerability Scoring System (CVSS) and demonstrates how the analysis can be integrated into the patch management process.
This document is available in German.
ERNW_Newsletter_19_CVSS_de.pdf
(637KB)
The ERNW CVSS calculator referenced in the newsletter is available here.
ernw-cvsscalc.zip
(198KB)
"Compliance with Sophos NAC 3.0 from a CISO's point of view - Questions and answers"
by Friedwart Kuhn, Dror-John Röcher and Michael Thumann
Introduction:
This newsletter deals with compliance from the point of view of CISOs (Chief Information Security Officers) and analyses how Sophos NAC 3.0 may be a useful tool.
This document is available in German.
Abstract:
The last two years have seen a big new marketing buzz named "Admission Control" or "Endpoint Compliance Enforcement", and most major network and security players have developed a product suite to secure their share of the cake. The market is still evolving, and one framework has been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco's "Self Defending Network" strategy and is supported on the complete range of Cisco network and security products. From a security point of view, "NAC" is a very interesting emerging technology which deserves some scrutiny. We are able to hack the Cisco NAC solution by exploiting a fundamental design flaw.
This document is available in German.
"PCI-Compliance" by Enno Rey (erey@ernw.de)
The Payment Card Industry Data Security Standard (PCI DSS), originally initiated by Mastercard and Visa, describes measures and tools to ensure safe handling and processing of credit card data.
Online merchants (and software developers in this field) are, depending on the number of transactions p.a., obliged to prove their "compliance" with PCI DSS and will be fined if they fail to do so.
This document is available in German.
ERNW_Newsletter_14_PCI-Compliance_de.pdf
(155KB)
This paper tries to give you a brief snapshot of the current standards in WLAN security.
This document is available in German.
ERNW_Newsletter_13_WLAN-Sec_de(3).pdf
(311KB)
With Windows Vista, Microsoft introduces a completely new security architecture. Its central components are the technologies "User Access Control" (UAC) and "Mandatory Integrity Control" (MIC). While UAC is by now well documented, MIC is largely undocumented apart from a blog post by Microsoft employee Steve Riley [1].
Our employee Enno Rey has completed some tests which yielded some surprising results, and posted his results as a comment on Steve Riley's blog.
Because of the obviously great interest in Vista and its security model, the text is published here again.
ERNW_Newsletter_12_de.pdf
(149KB)
The newsletter contains a summary of the current security discussion around BlackBerry devices and RIM email push services. Besides the technical aspects, organizational aspects and the user are also taken into consideration.
This document is available in German.
ERNW_Newsletter_11_de.pdf
(839KB)
The described bug
"Buffer Overflow in Algorithmic Research's PrivateWire Online Registration Facility"
was uncovered by the IT-Security Research-Team under the direction of Michael Thumann. The assignment of the ERNW IT-Security Research-Team is to track down unknown security problems. These can be at the conceptual as well as the technical level (e.g. bug search in software). When a bug is found, we communicate with the manufacturer and usually debug in cooperation. As soon as possible we publish a fix (e.g. a patch) in the form of a white paper or an ERNW Security-Advisory.
The Research-Team works with different techniques (e.g. reverse engineering, code audits, network communication logging, fault injection) to search for bugs.
The work of the ERNW IT-Security Research-Team serves our internal continuing education as well as our customers, because they can make their IT safer.
ERNW_Newsletter_10_de.pdf
(161KB)
"Smartcard-based SSO using STARCOS/AET Safesign in Active Directory environments with Citrix and 3rd-Party Certificates" (by Enno Rey and Friedwart Kuhn).
The foundation of ERNW.PT and our cooperation with the Portuguese Chamber of Commerce and Industry.
This document is available in German.
ERNW_Newsletter_8_de.pdf
(217KB)
"New Attacks on Layer 2 in Cisco Networks / Neue Angriffe auf Layer 2 in Cisco Netzen" by Enno Rey.
This document is available in German.
ERNW_Newsletter_7_de.pdf
(274KB)
"Active Directory and Domain Controller Disaster Protection and Recovery" by Friedwart Kuhn.
This document is available in German.
newsletter6_de.pdf
(142KB)
newsletter5_de.pdf
(117KB)
"Working with Windows as a Non-Admin" by Enno Rey.
This document is available in German.
newsletter4.pdf
(256KB)
"Methods of fighting Spam" by Enno Rey.
This document is available in German.
newsletter3.pdf
(60KB)
"Trust is good, correctly configured systems are better" by Enno Rey.
This document is available in German.
newsletter2.pdf
(62KB)
"Host-Security using sendmail" by Enno Rey.
This document is available in German.
newsletter1.pdf
(53KB)