References

Company: References

In the following we list a few select references of some of our previous projects. We value information security and therefore refrain from identifying companies explicitly. Upon request, we provide company names and a contact person only after obtaining consent from our customers.

Selection of Projects

Backdoor test HTC with Windows Mobile

A nationwide ensurance company wanted to implement a uniform platform for mobile devices, whereby several products come into consideration. In order to examine the vulnerabilities of the possible products, currently possible and future attacking techniques were to be demonstrated. The actual risk was illustrated through a custom-made Trojan horse for HTC’s Windows Mobile devices. The customized malware was able to access sensitive information on the device (e.g. contacts, SMS, emails) and send it to the attacker. (permalink)

Backdoor Testing of Email Control

A Swiss private bank strives for maximum security. Email access on workstations is only possible through a proxy via Outlook/Exchange. Other forms of internet communication are not possible (e.g. no HTTP, no DNS). However, we showed that it is possible to remotely control the system by email (using MAPI/RPC) through a custom-made Trojan horse. This exotic proof-of-concept (POC) showed the amount of effort necessary for highly professional attackers (e.g. secret service) in order to achieve their goals. (permalink)

Backdoor Test Phishing

An international telecommunication company required an extensive test of its costly security measures – several million Swiss Franks per year. This was accomplished through a custom-made remote-controlled Trojan horse. 1500 workstations were infected and remotely controlled within a few hours through phishing/pharming. As proof, we took a screenshot of the running instance of SAP and sent it to us through an encrypted channel. This way, the limitations regarding user awareness, email filters, firewall systems, antivirus programs and of the monitoring team were illustrated and improved. (permalink)

Backdoor Test Web 2.0 Trojan

Web 2.0 refers to a combination of dynamic techniques to expand static webpages. Ajax (Asynchronous Javascript and XML) is first and foremost used for dynamic data exchange. It had been suspected for a long time that Ajax can be used to develop Trojan horses for the attack and remote control of systems through the web. We created Xdoor™ (formerly Swarm) to demonstrate – for the first time in a test for an international financial institution – the effective risks of such attacks. The target system was successfully infiltrated by accessing an Xdoor page. (permalink)

Concept Development Hardening Guide

A well-known financial institution wanted to ensure and enhance the security of its systems. For this reason, a hardening was scheduled. We developed and employed hardening guides for the configuration and maintenance of the various systems in order to secure these platforms against attacks (Microsoft Windows, Linux, IBM AIX, and Sun Solaris). (permalink)

Concept Development Single Sign On

A financial institution from a nearby country wanted to implement Single Sign On (SSO) in order to unify its authentication mechanisms and facilitate access for its staff. Our SSO-concept supported the successful company-wide introduction and realization of the project, whereby we leveraged our extensive experience in related projects (e.g. penetration tests). (permalink)

Concept Development Software Virtualization

A financial institution operating in a neighboring country wanted to virtualize a large fraction of its server systems through VMware (VM). However, security was not to be neglected despite the advantage of reduced costs through virtualization. Our concept enabled us to systematically achieve the same level of security of physical separation or at least to calculate and address the risks. (permalink)

Concept Development VPN

A Swiss federal agency operating mainly abroad wanted to provide its employees with secure access to its central systems in Switzerland through VPN (Virtual Private Network). Our company was tasked with the development of a secure strategy, the evaluation of the best product, and the design of a comprehensive security concept. Furthermore, we supported the client and the selected partners in the integration of the concept. (permalink)

Concept Review Active Directory Restructuring

A financial institution from a neighboring country requested the restructuring of its active directory integration. We discussed the new AD/ADDS-concept with the customer and examined it in detail in order to assess the transferred, newly introduced, and eliminated risks. This enabled a maximally secure restructuring, which was examined with a penetration test after its successful implementation. (permalink)

Concept Review Backup Concept

A Swiss private bank provided us with its newly developed backup concept for review. The concept addressed the backup process for all internal systems (Online banking system, OLYMPIC Banking System, Exchange/email server, MS IIS web server, etc.). Thanks to our expertise we were able to extend the concept in several key points and point out potential vulnerabilities. (permalink)

Concept Review High Security Solution

A Swiss private bank wanted to protect its employees from kidnapping or blackmail while traveling to high risk countries. When access via VPN is forced through violence only fictitious data are to be displayed through predefined actions and real transactions are to be disabled. We examined the proposed concept for this high security solution to assess whether the desired risk reduction was indeed achieved. (permalink)

Concept Review VLAN Architecture

A foreign bank migrated its entire network and implemented a VLAN architecture with both static and dynamic VLANs. We thoroughly examined the concept proposed by the company’s networking department in order to discover potential sources of architectural, topological, and logical errors as early as possible. (permalink)

Configuration Review Oracle Database

An international shipping company uses a clustered Oracle database to manage trips and freight. We performed a configuration review on this installation (IBM AIX operating system and Oracle database) to discover potential vulnerabilities (e.g. inconsistent user accounts, incorrect access privileges, missing hardening). By using automated approaches we were able to make an accurate assessment despite the unusually large volume of data. (permalink)

Configuration Review Reverse Proxy

A large Swiss financial institution secures exposed services (almost 1000 items) through a granularly configured reverse proxy. We were able to read this huge data volume through custom-made parsing modules. Thanks to this database-driven approach we were able to make a subsequent assessment of the configuration settings. In addition, simulations could be implemented to directly illustrate changes and their consequences. Just like the aforementioned financial institution, many customers request a periodic vertical redundancy check of their current configuration settings. Delta and trend analyses pose no problem for us. (permalink)

Configuration Review SELinux

An international company wanted to use the highly secure SELinux operating system developed by the NSA. However, this system is extremely complex. We performed a configuration review of the applied configuration in order to discover incorrect and insecure settings. This enabled further hardening of individual components. (permalink)

Configuration Skype Clients

An international company wanted to reduce costs by using Skype for internal phone meetings. The configuration of each terminal needed to be implemented in a maximally secure fashion. The development of a custom tool enabled a centralized examination and configuration of the settings (in XML format). This efficient tool enables the customer to meet current and future demands. (permalink)

Data Recovery Hard Disk

An individual had lost a large portion of personal data on a hard disk (SATA) after a power failure. A data recovery was requested to recover invaluable family pictures. Through the successful realization of the data recovery process a large fraction of the seemingly lost pictures could be reconstructed via carving and transferred onto an external storage medium. (permalink)

Data Recovery Copy Machine

A financial institution accidentally discovered a possible case of fraud by one of its employees. During a forensic analysis a copy machine was confiscated. A post-mortem examination of the device was performed to collect evidence to confirm/disprove the suspicion. The reconstruction of the data that was cached on the hard drive was successfully completed after initial reverse engineering of the file structure, and the recovered data was subsequently transferred to the authorities to facilitate legal action. (permalink)

Data Recovery Cell Phone

A nationwide insurance company suspected that one of their former employees convinced a large portion of its customer base to follow him after leaving the company. The company requested a data recovery of the devices he previously used, including a Nokia cell phone, in order to confirm the suspicion and to enable appropriate countermeasures. This required reverse engineering of the device due to proprietary mechanisms and data structures. (permalink)

Evidence Collection Fraud Case

An insurance company suspected that one of its customers drew illegal benefits. The claims department wanted to investigate this potential fraud case. Therefore we extensively investigated the technical devices used by the suspect. The evidence we collected was used to press charges and utilized in the ensuing court case. (permalink)

Evidence Collection Cybercrime

An international large business was victimized by a large-scale case of cyber criminality. We supported said business and the involved authorities with information gathering, analysis and evaluation of the complex circumstances. We functioned as the direct advisory body for the board of directors, whose members had to make strategic decisions on a large scale considering the situation. (permalink)

Evidence Collection Insider Trading

A private bank approached us because they had suspicions about insider trading by one of their employees. The confiscated devices – including his desktop PC (Windows Vista) and the fax machine he supposedly used – were examined. The evidence collection was to be used to confirm the suspicion and if applicable to facilitate legal action against the employee. Therefore, the evidence needed to be collected under stringent conditions so that it would remain valid in court. (permalink)

Firewall Rule Review of a Complex Environment

A financial institution from a neighboring country strives for a highly secure environment. Each branch office is protected by a multi-level and clustered firewall. We extensively analyzed the extremely complex set of rules of CheckPoint firewalls, which are applied in cascade. In this project we applied a formal model that is described in our book Die Kunst des Penetration Testing (The art of penetration testing). (permalink)

Firewall Rule Review of Various Products

Firewall systems provide basic network security. We examine the entire set of security rules for potential errors and vulnerabilities during a firewall rule analysis for our customers. An automatic normalization through parsing enables us to perform a computerized analysis. This preparation renders the analysis product-independent – whether CheckPoint Firewall-1, Cisco PIX/ASA, or Astaro Security Gateway. Firewall rule reviews are employed in many projects that investigate network security. (permalink)

Firewall Rule Review VPN-Limitations

A financial institution located in a neighboring country wanted to ensure the security of its laptops. A VPN allows access to internal systems and data. When the VPN client is active, access should be restricted through a firewall so that the system cannot be misused for hopping, for example. Our analysis enabled us to assess technical defects and remaining risks of the corresponding set of firewall rules. (permalink)

Forensic Analysis of Digital Images

Computer systems had been seized during a criminal investigation. We were assigned the task of analyzing the digital photographs on these systems to facilitate the collection of further information. Through a forensic image analysis we were able to reconstruct the geographical locations where and the camera with which the pictures were taken, as well as cropped portions of the images. These findings significantly influenced the court case. (permalink)

Forensic Analysis Blackmail

An international telecommunication company was blackmailed by a former IT employee for several million Swiss Franks. Because the perpetrator’s demands were not met he deliberately destroyed productive data through backdoors (customer and billing information) and rendered certain services (telephone and internet) inaccessible through distributed denial of service attacks. We collected data together with the authorities and used forensic analyses to gather evidence against the suspect. Our work was the basis for the initial charges for various crimes, the international prosecution (Germany, Italy, USA) and the subsequent legal proceedings. (permalink)

Forensic Analysis Attack

A hosting service provider noticed suspicious activity and suspected a successful attack on his systems. We had to confirm the attack through a forensic analysis and immediately implemented a disinfection and subsequent hardening in order to enable continued operation. In a second step we recommended a complete reinstallation of the affected system. (permalink)

Intrusion Detection Denial of Service

A hosting service provider noticed periodic failures of his exposed web servers. It was unclear how these failures could arise despite the use of a proxy server. We identified the source of the failures as well as their exact consequences through an electronic attack detection process. This enabled countermeasures to secure the environment. (permalink)

Intrusion Detection Credit Card Theft

A leading enterprise witnessed the defacement of its online shop. We were tasked with determining through an electronic investigation how the attack was carried out and which items were accessed. Our investigation established that aside from the defacement also the theft of all credit card information in the database occurred. This work provided the basis for a criminal investigation against unknown suspects (Although the geographical origin of the crime could be narrowed down, this information was intentionally omitted from the charges). (permalink)

Intrusion Detection Website Defacement

A company fell victim to website defacement (unauthorized change of website appearance). The administrators were not able to determine how the intrusion was carried out and how to prevent future intrusions. With a technical analysis we were able to pinpoint the exact methods that were used in the attack. The subsequently implemented security measures were able to prevent further intrusions. (permalink)

Log Management Citrix-Environment

A financial services provider is operating an extensive Citrix farm. Here, the logging of events is highly complex. For this reason our open source solution SELORSY (Security Log Reporting System™) is employed. Our solution allows the correlation and consolidation of event logs of diverse systems, which enables a centralized data analysis and storage. This way, technical problems and potential attacks can be discovered quickly and efficiently. (permalink)

Log Management Security Systems

An international financial institution wants to centralize and simplify the logging of various different security systems. Our open source solution SELORSY (Security Log Reporting System™) allows to consolidate the data and manage them in a central location. This way, attacks and intrusions can be detected through a multi-level examination. Upon request, we support the products used by the customer through custom-made parsers. (permalink)

Log Management Windows Event Log

A Swiss bank wanted to log user access to the network with a custom-made solution. As a first step, a concept was developed in consultation with us about which of the events that are logged by Windows should be considered. In a second phase we supported the technicians in the implementation and tested the various logging mechanisms. The characteristics of the environment as well as the specific customer requirements could be met through our customized solution. (permalink)

Logical Flow Analysis Banking System

A Swiss financial institution had completely revised its banking system. We performed a logical flow analysis of the organizational and technical processes in order to discover potential vulnerabilities and weaknesses. We developed and employed a transition analysis, which was designed to avoid hidden transactions and discover problems with escalation mechanisms. (permalink)

Logical Flow Analysis PKI

A Swiss financial institution desired the commercial introduction of a PKI (Private Key Infrastructure) controlled by the bank. We analyzed the organizational and technical process of issuing, delivering, and revoking a certificate within a flow analysis. Within this analysis we were able to discover errors in the logical flow which allowed an intruder to temporarily assume the identity of another user (spoofing) or to disrupt legitimate transactions (denial of service). (permalink)

Penetration Test Citrix

SMBs and larger companies have discovered the advantages of Citrix. We examine central Citrix systems for their security. First we determine the general target area for external attackers through a simple network scan. Then the customers provide us with legitimate user accounts to perform a penetration test within Citrix. In this step we determine whether extended processes can be started, whether own code can be executed, and whether local access privileges can be extended on the system. We were among the very first security companies worldwide to point out the concrete risks of Citrix installations in our publication Citrix under Attack, which was translated into several languages. (permalink)

Penetration Test Online Banking

Online banking has become increasingly important in today’s digital age, whereby communication with the customer is very important from a security point of view in order to preserve the mutual trust. We perform web application penetration tests in order to be able to guarantee the security of an online banking system (OBS). Here, we sometimes follow OWASP, an open standard for web security. This allows the detection of typical errors such as SQL injection and cross site scripting vulnerabilities (XSS). In a complementary approach we examine architectural and internal mechanisms (e.g. SOAP/SAML) as well. (permalink)

Penetration Test VoIP Environment

A nationwide insurance company recently replaced its classic telephone system by VoIP (Voice over IP). Because the system was integrated into the existing network, a penetration test was requested in order to determine the concrete risk of attacks from and through the VoIP components (e.g. call hijacking, spoofing, eavesdropping, denial of service, etc.). Attack vectors were determined and the vulnerabilities were demonstrated in a video recording for the executive management. (permalink)

Penetration Test Web Application

An industrial enterprise offers an extensive website with dynamic content. An examination of the web application is performed to discover and eliminate vulnerabilities. Here, classic and modern attack methods (e.g. cross site scripting, SQL injection, directory traversal, etc.) are used, where we employ a customized and extended version of the approach standardization via OWASP. (permalink)

Penetration Test WLAN

A financial institution is using a WLAN for its employees and for its guests in order to provide a maximum level of security for the users and the company. We identified vulnerabilities through a penetration test via wardriving and attempted to expand our access privileges through subsequent attacks (e.g. read transferred data by sniffing or gain extended access privileges by breaking the encryption code). (permalink)

Process Review Banking

A Swiss regional bank revised its processes regarding customer relations and communication and defined who needs to communicate in what form. For example, the course of action for opening an account at the counter or for the activation of online banking was defined. We discovered vulnerabilities within our process review from a logical perspective (logical flow analysis) which could be exploited for identity theft or money laundering purposes. These vulnerabilities were eliminated through adaptation of the processes. (permalink)

Process Review Money Laundering

An international financial institution wanted to adhere to the legislation and regulations of the EBK/FINMA regarding money laundering. We examined the developed concept and its technical implementation with kdmatch/kdprevent in order to uncover vulnerabilities in the processes – that is, the execution of hidden money laundering. We discussed the discovered vulnerabilities with the customer who then implemented appropriate countermeasures. This guaranteed adherence to the aforementioned regulations. (permalink)

Process Review Email Archiving

An international insurance company wanted to archive all sent and received emails for organizational and legal reasons. We investigated both the organizational approach as well as the technical implementation of this process. Our task was to uncover errors that restrict the possibilities of the solution under consideration or render it vulnerable to attacks (e.g. preventing the archiving of messages). (permalink)

Reverse Engineering Chip Cards

An international enterprise wants to connect its own products with components manufactured by its competitors. For this reason, the proprietary and non-open interfaces of the competitors’ chip cards must be supported. We were able to support the independent in-house development through a comprehensive reverse engineering of these components (reconstruction of the data transfer and cryptanalysis of the proprietary encryption). (permalink)

Reverse Engineering iPhone

A national insurance company wanted to support Apple products as an alternative to Blackberry. An extensive technical reverse engineering of iPhone devices was requested to determine their concrete technical and organizational risks. We were able to point out vulnerabilities in the operating system and to successfully infect the devices with a custom-made Trojan horse and thus demonstrate the conceptional weaknesses of the products to the management. (permalink)

Reverse Engineering Password Manager

A large Swiss financial institution wanted to employ a commercial, proprietary, non-open product on its desktops and laptops in order to be able to securely store the large number of access data. In order to be able to assess the effectiveness and security of the selected solution we reverse engineered it because the code was not open source. Aside from a software-oriented reversing (e.g. deadlisting) we also investigated the functionality of the employed cryptographic algorithms through a cryptanalysis (e.g. chosen-plaintext attacks). (permalink)

Reverse Engineering Trojan Horse

A current client noticed a successful infection with a Trojan horse unknown to anti-virus vendors. We were tasked with gaining an understanding of the Trojan horse in order to be able to draw conclusions about the attackers and their motives. We were able to determine all technical details of this new virus program through an extensive reverse engineering of the Trojan in our labs (e.g. sniffing, API call interception and deadlisting). (permalink)

Risk Analysis Authentication Mechanisms

A nationwide insurance company wanted to provide its employees with remote terminals. The operating and the security departments disagreed about the authentication mechanism (e.g. username/password, access card, chip card, SecurID token). We were able to support the company’s choice of an efficient, effective solution for the future through an assessment of the respective operational and technical risks. (permalink)

Risk Analysis iPhone App

A financial company wants to provide customer access to account information and transaction capabilities via a dedicated iPhone App. During the development of this App by an external company a deep security analysis has been approached to determine potential attack vectors and weaknesses which shall be eliminated as soon as possible. (permalink)

Risk Analysis Voice over IP

An insurance company wanted to revise its entire telephone infrastructure and to switch from ISDN to VoIP. We were tasked with a risk analysis in order to determine which risks would hereby be eliminated, transferred, and newly introduced. Accurate calculations of probability and impact provided the basis for the discussion. Unfortunately, the cost-benefit analysis indicated that a secure operation would not result in financial advantages. (permalink)

Risk Analysis VPN Variants

An international enterprise wanted to revise its current VPN infrastructure and to implement new and extended VPN mechanisms (e.g. stringent authentication, remote access to the file server, etc.). Our risk analysis compared the possible options and indicated which alternatives were actually possible and which solution was recommended given the requirements. (permalink)

Risk Analysis Random Number Generator

A Swiss financial institution is using an in-house developed random number generator for various tasks – e.g. for the generation of matrix lists or session IDs. We assessed its randomness through a random number analysis and determined the risk for an attack (prediction of a random number). (permalink)

Second Opinion Data Theft

A well-known financial institution discovers data theft by a former employee. We consult with the client about possible attack methods by the suspect (technical and organizational approaches), his subsequent actions (e.g. sale of the data abroad), as well as the options for the client (e.g. repurchase from the suspect or filing of charges). This sensitive issue is treated with utmost sensitivity in order to avoid a public release of details about the case. (permalink)

Second Opinion Network Zoning

A financial institution in a neighboring country was forced – because of the increasing complexity of its services – to completely revise the zoning concept of its internal network. We examined the newly developed solution for the redesign in order to determine the remaining and hidden risks. This fine-tuning enabled the implementation of a maximally secure and operationally optimal solution. (permalink)

Second Opinion Virtualization

A large international financial institution wanted to be among the first to virtualize a large portion of its server systems through VMware. The risks of this new approach had not been extensively discussed at the time; for this reason we performed a novel concept study. This way, we were able to point out the transferred, newly introduced, and eliminated risks. The study provided a justification for the virtualization to the management. (permalink)

Second Opinion Vulnerability Assessment

The in-house audit team of a financial institution routinely performs technical security tests. In order to adhere to the desired four-eyes principle also in this case, we were provided with extensive results of these tests and tasked to provide a second opinion. Through an examination of the findings we determined the presumable correctness of the test procedure, the collected data, their interpretation, and the resulting assessment. (permalink)

Security Coaching Monetary Authorities

A Swiss bank plans to open up the financial markets in Asia (Hong Kong and Singapore). In order to receive the corresponding authorization, the compliancy requirements of the respective monetary authority must be met. We have been continuously supporting this process in terms of testing, implementation, and enhancement of the security requirements. (permalink)

Security Coaching Reorganization

The security mechanisms implemented by a Swiss company had only been rudimentary for many years (only a simple packet filter as firewall as well as sporadic antivirus installations). The management realized the new dimensions of these security risks and requested a reorganization of the company’s IT security. We were successfully supporting the departments in charge with the development of the various concepts, the evaluation of the various products, and the integration of the selected solutions for three years. (permalink)

Security Coaching Security Testing

A Swiss insurance company wanted to build an internal team for security testing (vulnerability scans and penetration tests), in order to reduce costs in the long run through internal acquisition of know-how. We were able to help with the development and the establishment of the audit team by sharing our extensive experience, by developing a basic concept, and by providing training/workshops (e.g. systematic attack methods). (permalink)

Security Coaching Security Implementation

After a serious incident, a large car manufacturer decided to completely revise the IT security structures and processes. We provided consultations and coaching from the initial concept phase to the implementation phase. For example, during the patch/hardening management process we developed our own model to assess objects and the resulting security measures (USO: Unified Security Object™) together with the client. (permalink)

Security Scan Backdoors

A private bank suspected that its employees involuntarily or carelessly introduced Trojan horses into the internal network. We were asked to identify those backdoors that could not be detected by the installed antivirus software through a special form of security scan. We were able to discover unauthorized services through extensive port scans and determine the used product through an extended application fingerprinting. A repeated test allows to counter vulnerabilities of established firewall and antivirus mechanisms. (A similar approach is used for the discovery of unauthorized P2P applications.) (permalink)

Security Scan Internet Systems

An international insurance company analyses its internet accessible systems twice a year. We based our semi-automated tests on the latest results of the periodic scans performed by the company-internal IT security team with the commercial solution Qualys. This saved the customer money and us time, because our experts were able to focus their expertise immediately on concrete vulnerabilities. We are able to perform large scans very quickly, efficiently, reliably, and free of errors thanks to our semi-automated and database-oriented approach. This way, a complex project of over 500 hosts with over 2500 discovered exposures and vulnerabilities remains manageable. (permalink)

Security Scan LAN

For historical reasons, an international telecommunication company has a very flat LAN topology (Local Area Network). The missing segmentation and the absence of firewall systems as a common point of trust poses a significant risk for a widespread attack, both through internal attackers as well as through viruses/worms. Periodic security scans of the workstations (approx. 3500 target systems) are requested to eliminate targets and minimize the risk of a birthday attack. (permalink)

Source Code Analysis CMS

A Swiss SMB wanted to use an open-source CMS (Content Management System) for its public website. We performed a source code analysis of the product prior to the integration. We immediately informed the developer team about previously unknown errors as 0-day vulnerabilities and published them in a coordinated advisory (including patches). This way, we were able to determine the quality of the product and improve it prior to the implementation in our client’s system. (permalink)

Source Code Analysis Online Banking

Especially financial institutions request extended source code analyses (SCA) of their critical and exposed applications. Therefore we regularly examine electronic banking systems. Through a direct examination of the source code, we are able to determine conceptional and technical weaknesses, which could not or could only be detected with considerable effort in blackbox tests (e.g. network scans and application penetration tests). (permalink)

Source Code Analysis Online Shop

A large Swiss company planned to sell some of its products online. A source code analysis of the project was requested due to the enormous complexity of the e-commerce solution. During this analysis we examined the central technologies such as Java, JBoss, and JSP. We were able to discover architectural problems (e.g. inefficient application structure and incorrect session handling) as well as severe vulnerabilities (e.g. SQL injection and cross site scripting). (permalink)

Selection of Technologies

Within the years of our expertise we have had contact with several complex and current technologies. The following list displays a selection of mechanisms known to us:

Selection of Products

During different analysis tasks we have had also contact with modern, established and exotic products. The following list displays some of those products:

Show Selected Only

scip AG

Company: References

Selection of Projects

Selection of Technologies

Selection of Products