I am glad to announce the release of the ERNW whitepaper 71 containing information about quarantine file formats of different AV software vendors. It is available here.
I took quarantine files from real-life incidents and created some in a lab environment. Afterwards I tried to identify metadata, like timestamps, path names, malware names, and the actual malicious file in the quarantine files. One goal was to use this information to support our incident analyses: Using the results, we can now easily create timelines showing information about quarantined files, extract the detected malware, and sometimes even find information about processes that created the malicious files. Continue reading “ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files”
With this blog post I am pleased to announce the publication of a new ERNW White Paper about the HL7 FHIR communication standard.
Digital networking is already widespread in many areas of life. More and more medical devices are also being networked in the healthcare industry. This growth makes the development and use of new medical communication standards necessary since existing solutions can only meet the changing requirements with great effort. The HL7 FHIR standard is an example of such a medical communication standard. FHIR is said to have increased the interoperability between different medical contexts,e.g., administration, billing, and clinical care, to enable data exchange of various systems. The FHIR standard addresses the security risks associated with strongly networked communication from a large number of systems across the trust and organizational boundaries only indirectly because FHIR does not define mandatory security controls or requirements.
With this blog post I am pleased to announce the publication of a new ERNW White Paper . The paper is about severe vulnerabilities in an insulin pump we assessed during project ManiMed and we are proud to publish this subset of the results today.
In this article, we describe the impact of the increased use of Docker in corporate environments on forensic investigations and incident analysis. Even though Docker is being used more and more (Portworx, Inc., 2017), the implications of the changed runtime environment for forensic processes and tools have barely been considered. We describe the technological basics of Docker and, based on them, outline the differences that occur with respect to digital evidence and previously used methods for evidence acquisition. Specifically, we look at digital evidence within a Docker container which are lost or need to be acquired in different ways compared to a classical virtual machine, and what new traces and opportunities arise from Docker itself.
Based on recent research in the ERNW IPv6 lab and with our MLD talk looming we’ve put together a (as we think) comprehensive document discussing how to thoroughly test MLD implementations in various components (network devices or servers/clients). We hope it can contribute to a better understanding of the protocol and that it can serve as either a checklist for your own environment or as a source of inspiration for researchers looking at MLD themselves.
Originating from a customer IPv6 deployment project, in early 2014 we defined a number of requirements as for the IPv6 capabilities of IPAM solutions, with a certain focus on security-related requirements (due to the specific environment of the project). We subsequently performed a practical evaluation of several commercial solutions, based on documentation, lab implementation and vendor communication.
To contribute to the current debate on IPv6 route deaggregation & “strict-filtering” performed by certain ISPs we just released a white paper on “Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region“. I will give a talk on the overall topic later today at the Routing Working Group. We sincerely hope that the IPv6 community becomes aware of the inherent issues, and that practical solutions can be found which consider & meet the needs of the different parties involved.