New version of OWASP Application Security Verification Standard (ASVS) available

by Alex Wettstein

The Open Web Application Security Project, better known as OWASP, is a vendor-independent non-profit organization whose aim is to make (web) applications more secure.

One of its flagship projects is the «Application Security Verification Standard», better known as ASVS. Version 4 of the ASVS was released today. This article explains what the ASVS is and how it can support you, as the person responsible for IT security, in your daily duties within your enterprise. [read the German article]

About domain administrators, single sign-on and malware

by Marco Wohler

The danger posed by domain administrator accounts is often underestimated. This article describes how attackers can compromise an entire domain. In general, authorizations are granted too loosely, and existing security mechanisms (some of them only partly in place) are not used. [read the German article]

PowerShell VI – Defense

by Frank Ully

This is the sixth and final instalment in a multi-part series about Windows PowerShell and how attackers abuse it, how incident responders can detect these attacks – and how IT staff can prevent them in the first place. This article describes which measures IT security managers can implement to protect their organizations against PowerShell attacks. [read the German article]

PowerShell V – Forensic analysis of PowerShell attacks

by Frank Ully

This is the fifth article in a multi-part series about Windows PowerShell and how attackers abuse it, how incident responders can detect these attacks – and how IT security managers can prevent them in the first place. This article introduces methods that incident responders and IT forensic analysts can use to investigate PowerShell attacks, including memory analysis. [read the German article]

PowerShell IV – Memory forensics

by Frank Ully

This is the fourth article in a multi-part series about Windows PowerShell and how attackers abuse it, how incident responders can detect these attacks – and how IT security managers can prevent them in the first place. This article provides a general introduction to memory forensics, a relatively new investigative method that incident responders and IT forensic experts can use against modern threats such as PowerShell attacks. [read the German article]

PowerShell III – Script collections for post-exploitation

by Frank Ully

This is the third article in a multi-part series about Windows PowerShell and how attackers abuse it, how incident responders can detect these attacks – and how IT security managers can prevent them in the first place. This article introduces publicly available script collections with offensive PowerShell scripts for post-exploitation. [read the German article]

PowerShell II – Malicious use of PowerShell

by Frank Ully

This is the second article in a multi-part series about Windows PowerShell and how attackers abuse it, how incident responders can detect these attacks – and how IT security managers can prevent them in the first place. This article looks at the features that make PowerShell so popular as an attack tool. [read the German article]

PowerShell I – Introduction

by Frank Ully

This article is the first in a multi-part series about Windows PowerShell and how attackers abuse it, how incident responders can detect these attacks – and how IT security managers can prevent them in the first place. Advanced attackers regularly use PowerShell scripts as part of their attack toolchain, because Windows PowerShell, Microsoft's task automation and configuration management framework, and the scripting language of the same name are now tightly integrated into modern Windows installations. [read the German article]

A short history of Remote Access Trojans (RATs)

by Frank Ully

The article first introduces the basics of malware and, in particular, remote access trojans (RATs). It then traces the history of publicly available RATs by describing some notable representatives, and concludes with an outlook on current developments in publicly available RATs. [read the German article]

Secure passwords for local administrators

In the course of their audit engagements, Oneconsult penetration testers increasingly find identical passwords in use for local administrative accounts on backend systems and, even more often, on workstations. Although these passwords are stored as an NTLM hash rather than in plaintext, an attacker who obtains the hash from one machine still has ample opportunities to misuse it for lateral movement inside a company's IT infrastructure, since the same password produces the same hash on every host. This article covers the attacks and the mitigation options. [read the German article]
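As an added example (illustration code written for this page, not code from the article or from Oneconsult), the following Python script reproduces why these findings matter: the NT hash is unsalted MD4 over the UTF-16LE encoding of the password, so the same local administrator password yields the identical hash on every host, and a hash dump from one machine immediately tells an attacker which other machines accept the same credential, whether or not the plaintext is ever recovered. The script carries its own MD4 (hashlib's MD4 is often disabled under OpenSSL 3) and an audit check that groups a constructed, fictitious SAM hash dump by hash value; the host names, accounts and passwords are invented.

```python
"""Added example (illustration code, not from the article): why identical local
administrator passwords are a lateral-movement risk, and a check that spots them.

The NT hash is plain MD4 over the UTF-16LE encoding of the password, with no salt,
so one password gives the same hash on every host. Host names, accounts and
passwords below are constructed for the example."""
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new("md4") is often unavailable under
    OpenSSL 3, so the digest is implemented here rather than imported."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & MASK & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # the register being updated cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + fn(x, y, z) + words[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT (a.k.a. NTLM) hash as stored in the SAM: MD4(UTF-16LE(password)), as hex."""
    return md4(password.encode("utf-16-le")).hex()


def shared_local_admin_hashes(dump):
    """dump: iterable of (host, account, nt_hash_hex), as exported from each host's SAM.
    Returns {hash: [hosts]} for every hash that appears on more than one host: each
    such group is a set of machines an attacker can move between with one captured
    hash (pass-the-hash), without cracking anything."""
    hosts_by_hash = defaultdict(set)
    for host, _account, digest in dump:
        hosts_by_hash[digest.lower()].add(host)
    return {d: sorted(hs) for d, hs in hosts_by_hash.items() if len(hs) > 1}


# Constructed sample dump: three workstations built from the same image and one
# server with its own password. In a real audit these tuples come from the SAM export.
SAMPLE_DUMP = [
    ("WS-0101", "Administrator", nt_hash("Winter2019!")),
    ("WS-0102", "Administrator", nt_hash("Winter2019!")),
    ("WS-0103", "Administrator", nt_hash("Winter2019!")),
    ("SRV-DB01", "Administrator", nt_hash("k4U!p9#Vx2rL")),
]

if __name__ == "__main__":
    for digest, hosts in shared_local_admin_hashes(SAMPLE_DUMP).items():
        print(f"hash {digest} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On real data the tuples come from the local SAM of each audited host; every group the check returns is a set of machines reachable with a single captured hash. The fix the finding points to is a unique, randomly generated password per host, which is what a tool such as Microsoft LAPS automates.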

BadUSB – Gain access in less than 15 seconds

by Immanuel Willi

Many IT security trade media and blogs focus on popular attack vectors such as phishing or the “OWASP Top 10”. Physical attacks that require direct access to a device receive less attention. Accordingly, many users believe they are safe as long as the notebook's hard disk is encrypted and the Windows desktop is locked. They are wrong! [read the German article]

Cyber Security Incident Response – So bewältigen Sie das Unerwartete (How to cope with the unexpected)

by Damian Gruber & Adrian Schoch

Cyber security incidents can have a significant business impact, especially for unprepared organizations. This article (in German) explains how to handle such incidents effectively with a proven process and countermeasures, drawing on lessons from Oneconsult's real-life incident response and IT forensics cases. [more]

Falsch gesetzte User-Berechtigungen: Hacker’s Paradise (Incorrectly set user permissions: hacker's paradise)

by Marco Wohler

There are various strategies and means to protect a server or client against attacks from inside or outside. This article (in German) deals with file and folder permissions, since these are often neglected. [more]

Trau schau wem – (Un)Sicherheit von signierter Software unter Windows (Look whom you trust: the (in)security of signed software on Windows)

by Jan Alsenz & Rafael Scheel

This article (in German) demonstrates how a design flaw in the Microsoft UAC mechanism, discovered by Oneconsult, can be abused to give any script or program a supposedly genuine Microsoft signature. [more]

HTTP Referer Header: How web browsers compromise private URLs

by Fabian Gonzalez

The HTTP Referer header was defined so that the server side can tell from which page a user's request originated. Today's web browsers therefore use this header to communicate the last visited resource whenever they request a new one. Since the header is often written to a server's access log, it may be evaluated or used for other purposes, and if the previous URL itself contains something private, this results in security issues. The author describes the problem and provides simple solutions. The article is available in German. [more]
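The mechanism described above, as an added example that is not part of the original article and not browser or Oneconsult code: the Python below models the decision a browser makes under each Referrer-Policy value when it builds the Referer header for a request from one page to another resource, plus a check that tells whether the source page's query string (where capability tokens usually live) ends up in the header. Assumptions: a "downgrade" is simplified to https to http (the specification speaks of leaving a potentially trustworthy origin), the URLs are constructed, and the policy is passed explicitly because the browser default changed over time, from no-referrer-when-downgrade, which sends the full URL to any https destination and matches the behaviour the article warns about, to strict-origin-when-cross-origin in current browsers.

```python
"""Added example (illustration code, not from the article): what ends up in the
Referer header under each Referrer-Policy value, and whether a secret carried in
the query string of the referring page leaks with it.
Simplification: "downgrade" means https -> http here; the spec uses the broader
notion of leaving a potentially trustworthy origin."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)


def _origin(url: str) -> str:
    """scheme://host[:port], with any user:password@ part dropped."""
    s = urlsplit(url)
    netloc = (s.hostname or "") + (f":{s.port}" if s.port else "")
    return f"{s.scheme}://{netloc}"


def _strip_for_referrer(url: str) -> str:
    """Credentials and fragment are never sent; path and query are."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, _origin(url).split("://", 1)[1], s.path or "/", s.query, ""))


def referrer_for(source: str, destination: str, policy: str) -> str:
    """Return the Referer value ("" meaning no header) for a request that the page
    `source` makes to `destination` under `policy`."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    src, dst = urlsplit(source), urlsplit(destination)
    if src.scheme not in ("http", "https"):
        return ""  # local schemes (file:, data:, ...) never send a referrer
    full = _strip_for_referrer(source)
    origin_only = _origin(source) + "/"
    same_origin = _origin(source) == _origin(destination)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    if policy == "no-referrer":
        return ""
    if policy == "unsafe-url":
        return full  # full URL even on downgrade
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else ""
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return "" if downgrade else full
    if policy == "strict-origin":
        return "" if downgrade else origin_only
    # strict-origin-when-cross-origin: full URL on same origin, origin on cross-origin,
    # nothing on downgrade (a same-origin request is never a downgrade)
    if same_origin:
        return full
    return "" if downgrade else origin_only


def leaks_query(source: str, destination: str, policy: str) -> bool:
    """True if the query string of `source` is carried in the Referer sent to `destination`."""
    query = urlsplit(source).query
    return bool(query) and query in referrer_for(source, destination, policy)


# Constructed sample: a private share link carrying a capability token, from which a
# third-party image (an analytics pixel, say) is loaded.
PRIVATE_PAGE = "https://app.example.com/share/doc?token=SECRET123#section"
THIRD_PARTY = "https://tracker.example.net/pixel.gif"

if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:32} {referrer_for(PRIVATE_PAGE, THIRD_PARTY, p)!r}")
```

For a page whose URL is itself sensitive, the server-side fix is to send `Referrer-Policy: no-referrer` (or `same-origin`) as a response header, or the equivalent `<meta name="referrer">` tag, and, where possible, to keep secrets out of the URL altogether so that there is nothing to leak.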

Breaking the gateways – abusing dual-homed SCADA/ICS systems

by Jan Alsenz

Gateway systems with connections to several network segments are common in SCADA/ICS networks, as found in manufacturing plants or in power and water management. [more]

What3(Pass)Words – create passwords from places

by Jan Alsenz

Despite many known weaknesses and problems, passwords are ubiquitous. A new service, originally intended for geo-addressing, can be used to generate reasonably secure, easy-to-remember passwords. This article covers the mathematical basics as well as the pros and cons of this approach. [more]

Web Application Firewall Bypass

by Rafael Scheel

Vendors call Web Application Firewalls (WAFs) the ultimate weapon against cyber criminals, claiming that a WAF makes security maintenance of the applications behind it unnecessary. But is this claim true? [more]