For more than 20 years we have been providing IT services to large corporations as well as small businesses. Specialties: IT security (PKI), software development, automation, IT in pharmaceutical manufacturing and logistics.
Also private persons and small businesses are facing increasingly complex IT-related requirements imposed by governmental agencies or large suppliers - to be balanced with opportunities and risks (Cloud services, convergence of building technology and computer networks, cyber security).
Providing 'coaching to the point' as needed, we support the pragmatic implementation of compliance requirements. We test and review hardware and software, analyzing security, reliability, interoperability - and how features compare to functional requirements.
Blog articles and other resources:
Public Key Infrastructure and digital certificates.
Review and migration of Windows PKIs - versions NT / 2000 / 2003 / 2008 / 2012 / 2016, and troubleshooting of certificate validation - also for exotic applications. Troubleshooting of the validation of convoluted X.509 certificate paths. OpenSSL CA.
Pharma IT - Manufacturing Execution Systems (MES).
Analysis of business processes in pharmaceutical manufacturing and mapping of those processes onto the design of IT systems - as an intermediary between production, quality management and software development, based on more than 20 years of experience. A MES supports: Manufacturing control, control of material flow, production planning, master batch records, electronic batch recording, warehouse management, management of quality status, batch and material tracking.
Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin! (2019-06-01)
My writeup of how I owned this box by issuing myself a logon hardware crypto token on behalf of the Administrator – abusing a misconfiguration of certificate templates! I joined a box to the domain, used Kali Linux and Windows in parallel, and ran a fake DNS server with locator records for Active Directory. A software certificate would not have been sufficient – I needed the /smartcard options of net use and runas.
Ethereal @ hackthebox: Certificate-Related Rabbit Holes (2019-03-16)
Ethereal was a box classified as ‘insane’ at hackthebox, a platform for learning to pentest and “playing capture-the-flag”. You got command execution over DNS, and you had to use openssl telnet-style to get a reverse shell. To own system you need to sign an MSI with a CA cert/key file you found on the box.
Certificates and PKI. The Prequel (2019-02-18)
Nostalgic post – how it began, in the late 1990s: Sending faxes to US-based CA companies to prove the legitimate status of a company whose name was one dot over the X.509 common name character limit. Bonus: Accidental Google hacking for discovering webservers running on >20 year old platforms.
Sort of an Away Note – elkement gone hacking: I discovered the pentesting platform hackthebox and spend all my online time there! It’s all new, yet familiar as I feel I have always reverse engineered anything in some sense.
Cloudy Troubleshooting (2) (2018-06-25)
Write-up of a hacking challenge ;-) When some network infrastructure loses packets, but seemingly only for one site / cloud app … so that it takes you a while to realize that it’s not an issue with this cloud app.
Cloudy Troubleshooting (2018-05-13)
Tales from the field – presented as a drama featuring Cloud, Client, Telco and elkement – going down the rabbit hole of debugging, network sniffing, and mind-numbing tests.
Reverse Engineering Fun (2017-12-05)
Recently I read a lot about reverse engineering – in relation to malware research. I for one simply wanted to get ancient and hardly documented engineering software to work. Write-up of an analysis I found very interesting!
The Orphaned Internet Domain Risk (2017-10-21)
If you abandon a domain, malvertizers may re-use it – using even your former content available on public archives … taking advantage of your former reputation.
Give the ‘Thing’ a Subnet of Its Own! (2016-11-20)
A brief report ‘from the workbench’: How recent Internet of Things hacks reminded me of the often overlooked ‘routing feature’ in Windows… which was helpful in quickly giving control units’ data loggers access to the internet.
Internet of Things. Yet Another Gloomy Post (2016-09-30)
Some thoughts about recent DDoS attacks – and why I think the discussion about manufacturers locking down their printers is somewhat related. About the tension between being an independent neutral netizen and being plugged in to an inescapable matrix, maybe beneficial but Borg-like nonetheless.
Have I Seen the End of E-Mail? (2016-06-10)
I have been impressed by a targeted ransomware attack on very small Austrian businesses.
When I Did Social Engineering without Recognizing It (2014-08-05)
Title says it all.
5 Years Anniversary: When My Phone Got Hacked (2014-07-18)
This post has some technical information, but it is more of a personal rant. Now I can laugh about it. I am not a phone phreaker so any input is welcome!
Network Sniffing for Everyone – Getting to Know Your Things (As in Internet of Things) (2014-06-05)
Not specifically about certificates - but about what is often required to troubleshoot validation of certificates: Sniffing.
Demo: Mapping Certificates to Users in Windows Active Directory (2014-06-03)
… based on mapping the User Principal Name on the Active Directory Object and the respective certificate attribute.
Diffusion of iTechnology in Corporations (or: Certificates for iPhones) (2014-05-11)
Experimenting with a new format of technical posts - by dividing them into two distinct parts 1) Hopefully accessible 'pop-sci' / 'business' / 'philosophical' introduction, followed by 2) hardcore technical details the non-geek reader could skip.
The Strange World of Public Key Infrastructure and Certificates (2014-03-12)
Exactly what the title says. Some issues from my text file presented in a more pop-sci way to your typical geek.
What I Never Wanted to Know about Security but Found Extremely Entertaining to Read (2014-02-13)
A review of Peter Gutmann's terrific book Engineering Security, and some of my related encounters.
Cyber Security Satire? (2013-05-19)
Not exactly zoomed in on PKI - but the overall message is in line with the next two posts. This post also includes the only hilarious aspect of my master thesis on smart metering and security.
Public Key Infrastructures (2007-04-20)
Vision, Trends and Real-World Implementation. Talk given at the opening event of the Master's degree program Advanced Security Engineering @ University of Applied Sciences Joanneum.
Encryption and Signature Technologies (2006-09-02)
From the theoretical foundations to practical implementation. ditact 2006, Salzburg.
Echo Unreadable Hex Characters in Windows: forfiles (2019-05-08)