Misc

ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files

I am glad to announce the release of the ERNW whitepaper 71 containing information about quarantine file formats of different AV software vendors. It is available here.

Anti-Virus Software

I took quarantine files from real-life incidents and created some in a lab environment. Afterwards I tried to identify metadata, like timestamps, path names, malware names, and the actual malicious file in the quarantine files. One goal was to use this information to support our incident analyses: Using the results, we can now easily create timelines showing information about quarantined files, extract the detected malware, and sometimes even find information about processes that created the malicious files. Continue reading “ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files”

Continue reading
Building

ERNW White Paper 70 – HL7 FHIR: Preserving Distributed Resource Integrity

With this blog post I am pleased to announce the publication of a new ERNW White Paper about the HL7 FHIR communication standard.

Introduction

Digital networking is already widespread in many areas of life. More and more medical devices are also being networked in the healthcare industry. This growth makes the development and use of new medical communication standards necessary since existing solutions can only meet the changing requirements with great effort. The HL7 FHIR standard is an example of such a medical communication standard. FHIR is said to have increased the interoperability between different medical contexts,e.g., administration, billing, and clinical care, to enable data exchange of various systems. The FHIR standard addresses the security risks associated with strongly networked communication from a large number of systems across the trust and organizational boundaries only indirectly because FHIR does not define mandatory security controls or requirements.

Continue reading “ERNW White Paper 70 – HL7 FHIR: Preserving Distributed Resource Integrity”

Continue reading
Breaking

ERNW White Paper 69 – Safety Impact of Vulnerabilities in Insulin Pumps

With this blog post I am pleased to announce the publication of a new ERNW White Paper [1]. The paper is about severe vulnerabilities in an insulin pump we assessed during project ManiMed and we are proud to publish this subset of the results today.

Continue reading “ERNW White Paper 69 – Safety Impact of Vulnerabilities in Insulin Pumps”

Continue reading
Misc

ERNW Whitepaper 67: Active Directory Trust Considerations

Last week Will “harmj0y” Schroeder published an excellent technical article titled “Not A Security Boundary: Breaking Forest Trusts” in which he lays out how a highly critical security compromise can be achieved across a forest boundary, resulting from a combination of default AD (security) settings and a novel attack method. His post is a follow-up to the DerbyCon talk “The Unintended Risks of Trusting Active Directory” which he had given together with Lee Christensen and Matt Nelson at DerbyCon (video here). They will also discuss this at the upcoming Troopers Active Directory Security Track (details on some more talks, including Sean Metcalf’s one, can be found in this post or this one).

Continue reading “ERNW Whitepaper 67: Active Directory Trust Considerations”

Continue reading
Misc

White Paper on Incident Analysis and Forensics in Docker Environments

In this article, we describe the impact of the increased use of Docker in corporate environments on forensic investigations and incident analysis. Even though Docker is being used more and more (Portworx, Inc., 2017), the implications of the changed runtime environment for forensic processes and tools have barely been considered. We describe the technological basics of Docker and, based on them, outline the differences that occur with respect to digital evidence and previously used methods for evidence acquisition. Specifically, we look at digital evidence within a Docker container which are lost or need to be acquired in different ways compared to a classical virtual machine, and what new traces and opportunities arise from Docker itself.

Continue reading “White Paper on Incident Analysis and Forensics in Docker Environments”

Continue reading
Misc

White Paper on Incident Handling First Steps, Preparation Plans, and Process Models

We just published my Whitepaper about First Steps, Preparation Plans, and Process Models for Incident Handling, that I wrote to pass the time between Christmas and New Year. The whitepaper sums up information that I consider to be useful to prepare for IT security incidents as a conclusion from the incidents in which we supported over the past year. Continue reading “White Paper on Incident Handling First Steps, Preparation Plans, and Process Models”

Continue reading
Building

An MLD Testing Methodology

Based on recent research in the ERNW IPv6 lab and with our MLD talk looming we’ve put together a (as we think) comprehensive document discussing how to thoroughly test MLD implementations in various components (network devices or servers/clients). We hope it can contribute to a better understanding of the protocol and that it can serve as either a checklist for your own environment or as a source of inspiration for researchers looking at MLD themselves.

Continue reading “An MLD Testing Methodology”

Continue reading
Building

Evaluation of IPv6 Capabilities of Commercial IPAM Solutions

Originating from a customer IPv6 deployment project, in early 2014 we defined a number of requirements as for the IPv6 capabilities of IPAM solutions, with a certain focus on security-related requirements (due to the specific environment of the project). We subsequently performed a practical evaluation of several commercial solutions, based on documentation, lab implementation and vendor communication.

Continue reading “Evaluation of IPv6 Capabilities of Commercial IPAM Solutions”

Continue reading
Building

Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region

To contribute to the current debate on IPv6 route deaggregation & “strict-filtering” performed by certain ISPs we just released a white paper on “Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region“. I will give a talk on the overall topic later today at the Routing Working Group. We sincerely hope that the IPv6 community becomes aware of the inherent issues, and that practical solutions can be found which consider & meet the needs of the different parties involved.

Best

Enno

Continue reading