February 6, 2026 | 14:05

The BSI Report 2025

The BSI report for 2025 (as of October 2025) is out. There is not much fundamentally new. Here are the key points, with some context:

The threat level remains high and stable.

Misconfiguration of systems and software jumped from 28% in the previous period to 44%.

Web-facing attack surfaces are in a “concerning state”. The scope includes all reachable IPs under .de domains.

EDR and similar security tools do not provide sufficient protection. They remain ineffective against common attack patterns and can be bypassed with so-called EDR killers, according to Heise.

Small and medium-sized businesses are increasingly targeted by ransomware groups. The report calls this a “fundamental misjudgment” of risk by those in charge.

Questionable self-praise

This is also typical for the BSI: self-praise about supposed wins against international cybercrime and improved protection of critical infrastructure. That sounds odd when the same report states:

October 27, 2025 | 08:50

Microsoft Disables Explorer Preview (Almost)

Since October 14th, 2025, Microsoft has disabled previews in Windows File Explorer, at least for all files downloaded from the Internet or stored on network shares. Attackers could capture NTLM hashes simply by viewing the preview. I had to smile. It’s as if Microsoft had read my blog post “Why Every Windows AD Should Be Kept Offline” earlier this month, where I discussed exactly this kind of NTLM leakage.

October 5, 2025 | 06:00

Why Every Windows AD Should Be Kept Offline

Not only since my seven security tips have I been getting questions about why I prefer to keep Windows and an Active Directory offline. That may sound inflexible, and in an era of AI-generated cybersecurity slop I may look like an outsider. So in today’s blog post I provide more context, explain the technical background, and lay out how ransomware works. Finally, I show how an AD operated offline can still be used with the internet and email as usual.

August 20, 2025 | 17:30

How to measure IT Success?

A typical crisis meeting scenario: the management and myself as an external consultant or information security officer are sitting in a conference room: “Our processes are being slowed down by too many security requirements. Employees are complaining. ‘Your’ IT security is becoming a risk to our business.” Such statements mark an important turning point for IT in small and medium-sized enterprises. They reflect concerns about change and loss of control. Where collaboration used to be shaped by proximity and hierarchy, successful companies today rely on teamwork, clear processes, modern management tools, and automation. A few examples:

August 18, 2021 | 07:01

Raspi Horchposten in c't 19/2021

Hard-wired networks usually come with numerous security features. With wireless networks, however, admins often remain blind to intrusion attempts, which even inexperienced users can carry out thanks to affordable gadgets. The remedy is a Wireless Intrusion Detection System (WIDS). Sounds expensive, but it isn’t: a Raspi, a Wi-Fi stick and free open-source software are all you need. In the upcoming c’t edition 19/2021, starting on 28 August, I will show in a multi-page “hardcore” article how to better protect your own wireless network.

May 17, 2021 | 08:12

Microsoft Security destroyed

Benjamin Delpy did it again. This time his attention was focused on the aged SCCM. Developed in the late 90s, it looks back on a turbulent history with some twists and turns. Unfortunately, the security behind it looks exactly like what you would expect and can at best be considered “rotten” when it still uses 3DES to communicate with clients. The video of a current Windows 2019 server with RDS/RDP terminal services clearly speaks for itself. No prior code injection, no previously installed tools or libraries - just mimikatz on any connected AD machine and all passwords of currently logged-in users become visible in plain text.

March 6, 2021 | 14:00

Microsoft Exchange Meltdown

Everybody with an Internet-facing Microsoft Exchange server, Outlook Web Access (OWA) or Exchange ActiveSync (EAS) can consider his or her system compromised since January. This is reported by security experts like Chris Krebs and news magazines like Golem or Heise. In Germany, the BSI has contacted more than 9,000 companies. The scope of the current security vulnerabilities is comparable to the previous major Microsoft incidents regarding EternalBlue and WannaCry 4 years ago.

February 19, 2021 | 14:01

Microsoft recommends Zero Trust

This picture is for all the people I have had discussions with in recent years about digitisation in general or, more specifically, about the integration of tablets or notebooks within a corporate network. My recommendation then and now: Zero Trust! Isolate and segment potentially insecure, closed-source AD infrastructures! Keep smartphones, tablets or laptops out! This also applies to unknown, untrusted applications: “jumper laptops” are the better place for them. Put business applications on RDP/RDS terminal servers and create uniform, web-based, open interfaces that can be monitored and controlled. Nextcloud is suitable for accessing SMB files, Apache Guacamole for RDP access via HTTPS. Use RFC-standardised multi-factor authentication! Technologies like Keycloak or PrivacyIDEA make this possible throughout the enterprise.

January 4, 2021 | 11:41

Hackback the Malware

Yesterday and today I’ve noticed the author malvuln. He has uncovered vulnerabilities in 14 malware and backdoor applications. Yes, you are correct: he has found vulnerabilities in malware and backdoors, practically with proof-of-concepts to reproduce. No need to emphasise that it is all Windows malware we’re talking about. There is no indication whether he contacted the respective vendors of the affected “software” prior to his full disclosure. Also missing are CVE reference numbers and CVSS scores. But with a chuckle we just look away.

November 30, 2020 | 12:27

Webinar: Security of Conferencing Software

Tomorrow, December 1st 2020 at 08:30 am, I will give a short presentation for the DigiNet Südwestfalen on my conferencing-server topic: “Security of Conferencing Software”, giving stakeholders and decision-makers orientation for risk assessment. This is a non-public event. Please register via Sonja Pfaff on the DiginetSWF website. About DigiNet Südwestfalen: In early 2019, the Transferverbund Südwestfalen started to track down service providers and networks active in the field of digitalisation in South Westphalia as part of the NRW.Innovationspartner funding project and to connect them into an open network. The aim is to get to know each other, but also to increase visibility in the region so that companies can find the right solution partner more quickly or young talents can find their suitable employer.

© 2026 Tomas Jakobs - Imprint and Legal Notice
