A lot of time is invested into defining and describing OT Security or Operational Technology Security, especially in contrast to IT Security. It’s very often hard to draw a proper line between both and complicated to keep it strict. Here is a little insight into why the line helps, where it makes things worse and a few recommendations on dealing with the resulting challenges.
[Read More]Eine sichere Arztpraxis - Teil 1/2: Architektur
A while back Germany decided it would be a good idea to regulate the IT infrastructure in doctor’s practices. While obviously a smart move, it resulted in strange interpretations and even stranger architectures being implemented. This post shows a secure reference architecture with explanations. But, er ist auf deutsch (it’s in German).
[Read More]Basics
Working on trainings to teach basics can be very frustrating due to the word basic. The big question is: What is basic and what are basics?
[Read More]Data Modems and SIM Card Communication
Yet another PoC from my to do list: Which data passes through the SIM card on a data modem? The specific question was, whether the APN credentials where passed to the SIM and could be intercepted with a SIMTrace. This post gives a quick overview on how to use a SIMTrace2 to create a PCAP trace.
[Read More]Successfully failing at creating a USB stick with integrated AV
After a long time discussing the concept of USB sticks with internal AV engines, I’ve decided to create a quick and dirty PoC. Thus, this post shows how to utilize a USB Armory MK II and ClamAV as a self-scanning USB stick. The Summary: It failed successfully!
[Read More]Gameboy? Gameboy!
I recently got to make a new, fun badge for H2HC , which turned out to be a custom GameBoy game. This post gives a quick and easy insight into the how! If you just want to play, go here .
[Read More]Kuchen und Security
Sorry, only in German this time. Der verzweifelte Versuch Leuten zu erklären wieso “Wir kaufen da eine Security Schulung und dann ist fertig” eigentlich nicht so wirklich der Fall ist. Zusätzlich der Unterschied zwischen “Wir machen da mal eine Schulung” und “danach ist die Person Experte”.
[Read More]The Correct Format for Documenting Risks?
Working with risks is a task various departments and roles have to perform throughout a large company or cooperations. Every single one of these as a different, valid, and important perspective on the same thing and thus has different requirements and wishes. This can easily result in overly complex situations and a lot of conflicts. Here a little insight into potential issues and risks when working with risks.
[Read More]Cooking with CyberChef
CyberChef is a quick and easy tool for playing with encodings, data and information. Using it regularly in presentations, trainings and examples I was recently asked for a super quick “HowTo”, so here it is.
[Read More]The H2HC 2022 CTF
I recently ran a hardware based CTF at H2HC in Brazil. As the CTF was to run for two days, it was setup in two phases, where each of them had tasks that could be solved independently and others that need hints from other challenges. Sadly, the challenges were seemingly far to hard for most of the attendees and the winning team only managed to extract 5 flags. Here is the complete writeup and guide for the CTF.
[Read More]