Modern problems require modern solutions, this applies to the finance sector as well. So what problems am I talking about? Digital Invoices in a Mixed Payment Slip Landscape In Switzerland we are currently using multiple different variations of payment slips for invoices. There are four different types. Two of them are orange and the other […]
Compass Security Blog
Offensive Defense
About a year ago, the Burp extension SAML Raider [0] was released as a result of a bachelor thesis [1] in collaboration with Compass Security. This Burp extension automates most of the steps, which are necessary to test a SAML single sign-on process and perform according attacks. With SAML Raider, an authentication bypass vulnerability in a Service […]
Introduction The Content Security Policy (CSP) is a security mechanism web applications can use to reduce the risk of attacks based on XSS, code injection or clickjacking. Using different directives it is possible to lock down web applications by implementing a whitelist of trusted sources from which web resources like JavaScript may be loaded. Currently […]
Cyrill Brunschwiler’s talk was selected “among the very best research available today” to be presented side-by-side with the security industries top researchers on the world’s most renowned security conference – Black Hat USA in Las Vegas. He will be speaking on “Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)”. The work presented […]
The article will provide a quick overview and introduction into the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro [1] methodology, its approach and terminology. OCTAVE Allegro is an asset centric and lean risk assessment successor of the OCTAVE method. The method supports a straight-forward qualitative risk assessment and structured threat analysis which mainly […]
The advanced metering infrastructure (AMI) is typically structured into a bunch of networks and composed of a few major components. Figure 1 provides an overview of all components and most networks. It is made up of the Meter, the Collector and of the server systems at the distribution system operator (DSO) or metering company side. […]
I have provided introductions to the electrical and specifically the smart grid earlier on. Today I will briefly introduce the advanced metering infrastructure – its purpose, benefits and issues. Moreover, different approaches to metering and some ongoing security standards and specifications processes and organizations will be referenced. Purpose of Smart Meters The reason for smart […]
Secure web communications using HTTPS isn’t anything fancy anymore these days. It ensures traffic from a user to your web application cannot be eavesdropped or tampered with, given it has been set up securely using SSL/TLS. But, do you trust your web application’s code to entirely disregard unencrypted requests? Are you sure your Apache/IIS is […]
This post will briefly introduce the major aspects and goals of smart grids. For those not familiar with electrical grids, have a look at the former post for a quick intro. This article aims to describe the challenges and requirements smart grids are dealing with. Moreover, the need for an intelligent measurement network – the […]
When it comes to industrial control systems (ICS) specifically to supervisory control and data acquisition (SCADA) then a basic unterstanding of the business is crucial. In the curse of my master thesis I am currently digging into parts of the electrical grid and try to examine the issues and security level of some specific protocols. […]
© 2024 Compass Security Blog