Hackner Security Intelligence GmbH is a team of experienced and highly specialised white-hat hackers. We are dedicated to challenging your state-of-the-art security system and to working together with you and your team to improve it and prepare it for the future.
With years of experience, we seek the most challenging tasks and love to see our customers develop their security measures and knowledge in all areas, including IT security, physical security as well as social engineering.
We were very happy to visit DEFCON in Las Vegas, NV, USA in August 2023 for the first time! DEFCON is an annual event which attracts up to 30,000 attendees interested in the fields of Physical Secur...
Our team has grown and we are happy to welcome three new employees to our pentesting team. With their help, it is easier for us to respond to the many project requests we’ve had and we hope to be able...
Treasury on Tour is an event by Schwabe, Ley & Greiner to bring together the leading heads of treasury with high-grade lectures, discussions and the possibility to network. HACKNER Security Intell...
For a global corporation, we tested a web application and a rich client used for software development. Additionally, an agent application played an important role, which could be connected from the web and the rich client. A complex system with many components - and possibilities for security holes!
Sometimes it pays off to test an application over a longer time frame and comb through every small corner. In this case, it was during the last days of the project that we identified a vulnerability that could be exploited to run arbitrary commands on the agent software. Furthermore, it was possible to spawn and stop customer server instances in the customer's environment.
For a global sportswear company, the security of payment processes was assessed on three company locations. Securing the interfaces between the different payment tools is usually an underestimated attack vector in this scenario. Not many people are aware of the use of payment files (mostly XML), which contain all the bank account information, including the receiving account.
File transfer, you say? The word "interface" is not always accurate in this context, because the interface is a human who copies the payment file from their local workstation to a network share. This means the files can be modified not only during transmission but also at the location where they are stored. Internal attackers can exploit this by changing the receiving account in the file to their own account. Depending on the payment, quite some money can be made with this trick.
But how can this be prevented? In the short term, it is worth securing payment processes with the methods already available, meaning encryption of transmission paths and restricting file access. In the long term, this is unfortunately a more elaborate task: structures and interfaces need to be established that prevent employees from having access to the files altogether.
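As an added example (not part of the original article and not Hackner's own tooling), the following Python script shows two compensating controls for the modification-at-rest problem described above: the exporting system seals each payment file with an HMAC tag that the bank-upload step verifies before release, and the creditor accounts in the file are checked against an approved vendor list. The payment file is a constructed fragment in the spirit of a SEPA pain.001 message with placeholder IBANs; the key, the approved list and all function names are hypothetical.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the spirit of a SEPA pain.001 payment file (no namespace, placeholder IBAN).
PAYMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document>
  <CstmrCdtTrfInitn>
    <PmtInf>
      <CdtTrfTxInf>
        <Amt><InstdAmt Ccy="EUR">12500.00</InstdAmt></Amt>
        <Cdtr><Nm>Example Supplier AG</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>DE00000000000000000000</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>
"""

# Hypothetical key shared only by the exporting system and the bank-upload step;
# it must never be stored on the network share next to the files.
SEAL_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical vendor master data: creditor accounts approved through a four-eyes process.
APPROVED_CREDITOR_IBANS = {"DE00000000000000000000"}


def seal_payment_file(xml_bytes: bytes, key: bytes) -> str:
    """Compute an HMAC-SHA256 tag over the exact bytes written to the share."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def verify_payment_file(xml_bytes: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag on the bytes read back from the share; constant-time compare."""
    return hmac.compare_digest(seal_payment_file(xml_bytes, key), tag)


def creditor_ibans(xml_bytes: bytes) -> list[str]:
    """Extract every creditor (receiving) IBAN from the payment file."""
    root = ET.fromstring(xml_bytes)
    return [iban.text.strip()
            for acct in root.iter("CdtrAcct")
            for iban in acct.iter("IBAN") if iban.text]


def unapproved_creditors(xml_bytes: bytes, approved: set[str]) -> list[str]:
    """Return receiving accounts that are not in the approved vendor list."""
    return [iban for iban in creditor_ibans(xml_bytes) if iban not in approved]


def release_for_upload(xml_bytes: bytes, tag: str, key: bytes, approved: set[str]) -> tuple[bool, str]:
    """Gate the bank upload: the file must be unmodified since export AND pay only approved creditors."""
    if not verify_payment_file(xml_bytes, tag, key):
        return False, "integrity check failed: file changed since export"
    bad = unapproved_creditors(xml_bytes, approved)
    if bad:
        return False, f"unapproved creditor account(s): {', '.join(bad)}"
    return True, "ok"


def demo() -> dict:
    """Walk through export, an at-rest change of the receiving account, and the upload gate."""
    tag = seal_payment_file(PAYMENT_XML, SEAL_KEY)  # done by the exporting system
    # Simulate the scenario described above: the receiving account is swapped while the
    # file sits on the share (placeholder IBANs, constructed for the demo).
    modified = PAYMENT_XML.replace(b"DE00000000000000000000", b"DE99999999999999999999")
    return {
        "original": release_for_upload(PAYMENT_XML, tag, SEAL_KEY, APPROVED_CREDITOR_IBANS),
        "modified": release_for_upload(modified, tag, SEAL_KEY, APPROVED_CREDITOR_IBANS),
        # Even without a seal (e.g. a legacy export), the approved-creditor list still catches it.
        "modified_no_seal": unapproved_creditors(modified, APPROVED_CREDITOR_IBANS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The seal only helps if the tag travels on a path the copying employee cannot write to (for example, stored by the exporting system and fetched by the upload step directly), which is exactly the kind of structural change the long-term recommendation above refers to.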
To gain access to the internal network in a social engineering assessment, we first had to gain access to the company building. So we developed the following scenario and realized it:
An employee of ours, dressed in suit and tie, waited for their cue word in front of the company building. A second employee, out of sight, called the front desk from a spoofed supervisor's number: "The supervisor has a very important meeting but the customer is late. When the customer arrives, they need to be let through as quickly as possible."
Our first employee then hurried, visibly stressed, to the front desk, did not need to say much more and was allowed to pass without any check. The result: free movement within the building!
Gain an advantage by having the right information at hand and being able to react faster and more precisely. We offer you all our knowledge in the form of training courses customised to your specific needs. Get the knowledge to challenge yourself
Increasing awareness and fostering preparedness for the future are integral parts of creating a more secure working environment. We are dedicated to supporting your mission by offering speaking engagements with live hacking of top-of-the-line security defences and discussion of possible defence strategies.