Das Ende rein mechanischer Schließsysteme?

Hackern haben im Netz ein 3D-Modell des “TSA Master Key” für Safe-Skies-Schlösser veröffentlicht. Jeder kann mit einem 3D-Drucker solche Generalschlüssel für Koffer und Reisetaschen anfertigen. Die zum US-Heimatschutzministerium gehörende Travel Security Agency (TSA) ist unter anderem für die Gepäckkontrolle bei Flugreisen zuständig. Für Gepäckschlösser der Hersteller “Travel Sentry” und “Safe Skies” gibt es eine sogenannte “TSA-Anerkennung”, weil der Behörde Generalschlüssel für diese Schlösser vorliegen. Mit solchen Schlössern gesicherte Gepäckstücke können durch die TSA durchsucht werden, ohne das Schloss zu beschädigen. Die meisten großen Hersteller von Reisegepäck verwenden solche “TSA-Schlösser”. Nachdem bereits ein 3D-Modell eines Generalschlüssels für Schlösser von Travel Sentry veröffentlicht wurde, liegt nun auch ein Modell für den Generalschlüssel von Safe Skies vor. Die am weitesten verbreiteten Gepäckschlösser können damit nicht mehr nur von Sicherheitsbehörden, sondern von jedermann geöffnet werden. Continue reading

Tesla goes Crasla – First glimpses of the many problems of autonomous driving cars

Car manufacturers are excited about the new options for autonomous driving. Rightly so – it would be the greatest revolution in this field in decades. Autonomously driving cars are not just good to take a nap on a boring ride. They enable entirely new business models, new forms of mobility, they combine the relaxed luxury of a train ride with the individual flexibility of the car, and the ongoing parallel evolution of the information layer on top of everything, the cars may even be turned into robots, doing the groceries all by themselves or picking up the kids without any parents involved. Continue reading

Report on Chinese threat actor group “Mofang” emphasizes the human factor in cybersecurity

Fox-IT, a Netherland-based security company, has recently issued a report on the Mofang group – said to be a closed group with very specific, seldom-used attack tools. Thus far, diverse Mofang attacks have not been observed simultaneously. The first Mofang attacks occurred in 2012, targeting  different government institutions in the USA, Singapore, and Myanmar. These attacks also targeted security-related organizations and companies in Canada, Korea, and India. Two German companies were also attacked, with recent newspaper reports naming Rheinmetall as one of the German victims. Since early 2015, however, organizations in Myanmar have been the only victims. Continue reading

Top encryption mechanism easily attackable through microphones

Researchers from Tel Aviv have just discovered a new and easy attack on encryption: they listen to it. A computer’s processor emits a high-frequency sound while calculating an encryption. This sound varies characteristically due to the changing electrical current during the calculation. This way, the researchers were able to decrypt a 4,096-bit encryption key. Critics may now point out the fact that you would first have to be able to come close enough to listen to the computer. But this problem was solved eloquently. The researchers simply hacked the computer and took over the microphones. Modern-day PC microphones are good enough to pick up the electrical current modulating for a distance of about ten meters.

The UAE are attacking dissidents and journalist with government spyware

The UAE is known at least since 2012 to have joined the many more oppressive nations doing surveillance on their own citizens, more narrowly, on political activists and journalist. In that year, the UAE appeared in the list of customers of the global oppressive surveillance company Hacking Team, who were licensing the country to monitor more than 1100 devices.

Now, a new Citizenlab report has appeared, in which Munk School researchers Bill Marczak and John Scott-Railton analyze the new case of Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, has been attacked by spyware, delivered in a spear phishing attack associated with the UAE surveillance effort. The attack pattern, dubbed “Stealth Falcon” by the Munk School researchers, involved indicators which were used in previous Twitter-based attacks by the UAE on other political opponents. Continue reading

Erfolgreiche Passwort-Hacks – Anbieter riskieren Geldbußen und Schadensersatzleistungen

2012 wurde das Kontaktportal LinkedIn Opfer eines Passwort-Hacks. War damals “lediglich” der Diebstahl von 6 Millionen Benutzernamen und Passwörtern zugegeben worden, hat sich jetzt herausgestellt, dass über 100 Millionen Passwörter aus dem damaligen Hack auf dem Schwarzmarkt gehandelt werden. LinkedIn hat die Echtheit der Daten bestätigt. Ganz abgesehen von dem zweifelhaften Umgang von LinkedIn mit diesem Vorfall, zeigt die hohe Zahl auf dem Schwarzmarkt kursierender Passwörter ein anderes Problem auf: die offenkundig fehlende oder zu schwache Verschlüsselung von Passwörtern durch Diensteanbieter. Continue reading