our weblog

Latest update from our blog post

Threat Modeling Methods for Manufacturing Companies (Part 1) - Do you know your assets?

Threat modeling is a practice in information security that involves identifying and evaluating threats and possible attack vectors during the design phase. This makes it possible to address the identified threats appropriately and at an early stage. This is particularly relevant for risk management, as decisions regarding risk acceptance or mitigation can be made on the basis of the risk assessment from the threat model. In addition, the European Cyber Resilience Act and the IEC 62443 series of standards stipulate that a cybersecurity risk assessment or threat modeling must be carried out for products, software and hardware.

The question with cyber incidents is not if it will happen, but when it will happen

Interview about the preparation and legal aspects of cyber incidents

by: Mia Volmut Monday, October 23, 2023

OSINT: How companies can benefit from open source intelligence

The term OSINT stands for “Open Source Intelligence” and refers to the systematic systematic collection and analysis of freely available information. These These freely accessible sources of information include, for example databases, social media, (dark net/deep web) websites, online blogs, but of course offline content such as magazines, books or company flyers. company flyers. The use of The use of publicly available sources to obtain information has a very long history and was already used over 100 years ago by secret services, security security organizations and resourceful entrepreneurs to gain an information advantage.

Security Advisory: Clock Fault Injection on Mocor OS – Password Bypass

  Introduction This security advisory addresses a vulnerability discovered during a recent forensics engagement. Our investigation together with ONEKEY revealed that the Mocor OS, running on UNISOC SC6531E devices, is susceptible to a clock fault injection attack, which poses a significant threat to user data security and privacy. Through this attack vector, an unauthorized user with physical to a device access can bypass the device’s user lock, gaining unrestricted access to the main screen and compromising the integrity of the system.

BCM – Business Continuity Management & Resilienz: Zwei Bausteine vitaler Organisationen

In Zeiten von Naturkatastrophen, Cyberangriffen und anderen Krisen ist es für Unternehmen unerlässlich, sich auf diese Bedrohungen bestmöglich vorzubereiten. Business Continuity Management (BCM) und Resilienz sind zwei wesentliche Aspekte, um Unternehmen und Organisationen vor unvorhersehbaren Ereignissen, dies kann alles von Naturkatastrophen bis hin zu Cyberangriffen, umfassen, zu schützen und im Ernstfall das Unternehmen schnell wieder handlungsfähig zu machen. Es geht dabei nicht nur darum, eine Krise zu überstehen, sondern vor allem auch gestärkt daraus hervorzugehen.

by: Michaela Peischl Thursday, July 13, 2023

CERTAINITY European Cyber Resilience Act Preparedness Survey

  In cooperation with the University of Innsbruck CERTAINITY is conducting an online survey to investigate how well-prepared companies are for the introduction of the European Cyber Resilience Act. Our target audience are organizations and stakeholders being responsible for product development and ongoing maintenance. If your organization develops, sells or imports networked hardware or software products within the EU, you are a perfect candidate to participate in our study.

by: Michael Brunner, PhD. Wednesday, May 31, 2023

No plan survives the first contact with the enemy

  The importance of exercises in IT security While the saying "No plan survives first contact with the enemy" is certainly true, this fact rarely leads to resignation and surrender. Rather, attempts are made to keep the delta between plan and reality as small as possible, even after fine contact, through constant practice and training. Transferred to the preparation for IT security incidents (incident readiness), this means regularly and thoroughly practicing emergency plans, backup-restore processes, and the like.

by: Thomas Langthaler Sunday, May 21, 2023

Security Advisory: Unauthenticated Remote Command Execution in Multiple WAGO Products

  Introduction As we already demonstrated through our recent advisories (Asus M25 NAS, Phoenix Contact, NetModule , Festo)  ONEKEY's "zero day identification" module is quite versatile when it comes to finding bugs in PHP, Lua, or Python code we find in firmware uploaded to ONEKEY's platform. However, we recently discovered that we were missing an interesting source for PHP taint analysis: PHP wrappers. PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem functions such as fopen(), copy(), file_exists() and filesize().

Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers

  Introduction This is the fourth security advisory we release together with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products. Phoenix Contact is a manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

NIS2 - der Treibstoff für die ISO 27001

Cyberangriffe gehören zu der weltweit am schnellsten wachsenden Form an Kriminalität. Ein guter Indikator für den aktuellen Zustand ist die Tatsache, dass laut Medienberichten die Versicherbarkeit von Unternehmen gegen Cyberangriffen deutlich schwerer geworden ist. Die Versicherer schrauben den erforderlichen Reifegrad an Sicherheit hoch. Und genau das wird die Ablöse der derzeit gängigen Self-Assessments durch qualifizierte Audits mit der Hinterlegung zwingend erforderlicher Evidenzen mit sich bringen. Geschäftsführung ist in der Pflicht Durch die Richtlinie (EU) 2022/2555 erfolgt eine wesentliche Erweiterung der betroffenen Unternehmen und deren Pflichten.

by: Michael Brunner, PhD. Friday, March 3, 2023

Security Advisory: Multiple Vulnerabilities in NetModule Routers

  Introduction This is the third security advisory we release in cooperation with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform. NetModule is an Original Equipment Manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

Cyber-Incident do’s and don’ts

As a Cyber-Incident Response provider, we at CERTAINITY have to deal with Ransomware- and other cyberattacks that do have devastating effects on the affected organization. In this blog post, we outline the most important do’s and don’ts when dealing with Cyber-Incidents. Cyber incident response refers to the actions taken by an organization to manage and contain the impact of a cyberattack or data breach. Effective cyber incident response is crucial to minimizing the damage caused by a cyber incident and restoring normal operations as quickly as possible.

by: Florian Walther und Thomas Langthaler Wednesday, February 15, 2023

Security Advisory: Unauthenticated Configuration Export in Multiple WAGO Products

  As shown in our previous security advisory for the Asus M25 NAS from our research cooperation with ONEKEY, we recently introduced a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform.  This module reported two potential issues within a WAGO Series PFC100  configuration API: a path traversal and a command injection vulnerability. The command injection turned out to be a false positive (we strengthened our analysis capabilities since then) but it got us to investigate a specific PHP file where we identified that the authentication and authorization code blocks were commented.

The European Cyber Resilience Act – Silver bullet to sustainably increase cyber security or deservedly dreaded regulation to hinder digital product innovation?

The final proposal of the European Cyber Resilience Act is publicly available since September 2022 and so are the results of the EU's impact assessment of the planned regulation. While the overall need for the European Cyber Resilience Act or a similarly targeted regulation is out of question so is the fact that it will impact enterprises throughout Europe in the market of digital product development and sales. In this article we will offer a high-level analysis of the regulation itself, provide some clarification regarding its scope and the potential impact as well as immediate remediation steps enterprises can take to address the requirements.

by: Michael Brunner, PhD. Friday, December 9, 2022

Security Advisory: Asus M25 NAS Vulnerability

ONEKEY and CERTAINITY - together for more cybersecurity In October we announced our joint research cooperation, and we are able to present you our first findings. We recently deployed the first component of our “zero-day identification” module, which aimed at identifying vulnerability patterns in scripting languages. It’s been a long time coming and we want to share a few technical details about it with you. Our objective is to support identification of vulnerability patterns in both scripting languages and compiled binaries.