Researchers have disclosed a vulnerability in popular OpenPGP and S/MIME encryption clients and plug-ins which allows an active attacker to use an email client as a „decryption oracle“ (see the “EFail” homepage or their scientifc publication). In other words, if the attacker is in the possession of an encrypted email, he can craft a new email and send it to the recipient of the decrypted email. If the email client used by this recipient is vulnerable, the email client will decrypt the encrypted email and use a (hidden) backchannel to send the now decrypted message back to the attacker.
Malvertising – that is the spreading of malware or fraudulent content through malicious ads on otherwise trustworthy homepages – is not only persistent but also growing as recent articles from Motherboard  and Ars Technica  suggest, both refering to a report from Cyphort as their primary source. This increase in delivery of malicious ads poses an imminent threat to users on the Internet. Ars Technica emphasises that one consortium only, consisting of 28 fake ad agencies, was able to reach 62% of ad monetized websites on a weekly basis. Continue reading
Two new attacks Meltdown and Spectre have been announced that can be seen as a new class of attacks that make use of so called microarchitectural features in modern CPUs. What makes these attacks special is that they do not exploit a bug in software, but exploit how modern CPUs operate and have been operating for many years.
The complexity of modern processor has been ever increasing to a degree that it is extremely hard for a developer to understand how and in what order instructions are executed on the CPU. Techniques such as out-of-order execution, branch predictions and multiple levels of caches have been integrated in modern CPUs for many years and have been constantly refined. This resulted to great improvements in computation speeds. That this speed optimization can also cause security issues has also been known. For example, implementing cryptographic algorithms on modern CPUs that do not leak sensitive data over so-called timing side-channels has been a major challenge for years. Several academic papers also showed that microarchitectural features such as shared caches can lead to significant data leakages between different processes running on the same CPU or even on multiple CPUs (see e.g. [CSAW07] [usenix14] or [SP15]).
Anti virus software is probably one of the first things to be installed on a fresh system before any other software hits the harddisk. There seems to be consensus that a virus scanner is a must-have nowadays, the only thing that is not clear, is which one is supposedly the best when it comes to malware, ransomware, spyware, scareware, root-kit, spam, phishing, botnet, trojan or <place random word here> detection. No-one has ever been blamed for using AV, the opposite might be the case though. But in fact, there is an ongoing discussion about the usefulness of such software and it is as old as virus scanners themselves. Continue reading
US VC Joe Biden just announced that the US will “send a message” to Russia. Apparently, it will be a message in the shape of a cyberattack. Cyber-offensive forces in the US have reported to having been activated to that end. The nature of the response is uncertain as escalatory dynamics in cyber signaling have not been defined. It could be a silent demonstration of serious hacking power, or a counter-leaking of embarrassing facts about the Kremlin or secrets of the FSB. But something will happen. The announcement is considered an in-kind answer to a set of recent allegedly Russian cyberattacks on the US electoral process, the latest and largest of which was the attack on the DNC, followed by the publication of Clinton’s emails. Russia denies all allegations, and whether the attacker really is Russia or not actually must be doubted. All indicators point to Russia, but only publicly known indicators have been used in the design of the attack. In other words: everything could be spoofed and may in fact be spoofed. The indicators are almost too obviously Russian. If fake, a third party successfully stages false flag operations to raise tensions between Russia and the US. Either way, with the coming outcome, the incident and its result must be considered very serious. The back and forth may look like mudslinging, but mudslinging with a Clausewitzian notion to it between nuclear superpowers is far from funny.
On Friday, October 21, 2016, Major internet sites such as Amazon, Netflix, Spotify, and Airbnb were no longer available in the United States. One of the most serious downtimes of internet services ever was caused by a denial-of-service attack on the US provider Dyn. Dyn is providing traffic management services for internet providers. Dyn helps them to optimize and steer internet traffic. Therefore, Dyn services are regularly involved in the operations of major internet sites. The DDoS attack on Dyn was performed by a botnet consisting of devices infected with the „Mirai“ malware. Unless the most know botnet malwares, Mirai’s bots are not computers, but so-called „internet of things“ (IoT) devices. For instance, Mirai infects CCTV cameras, baby phones, satellite antenna receivers, network hard drives, routers, and wifi range extenders. All these devices are internet-connected devices controlled by a linux operating system, and: with very poor security. Continue reading
Während Österreich seine Präsidentschaftswahl wegen mangelhaften Klebstoffs verschieben muss, plagt die Weltmacht USA ein anderes Wahlproblem: Die Sorge vor einem Hacking-Angriff auf die US-Präsidentschaftswahlen in 2 Monaten. Es ist unwahrscheinlich, dass es Hackern gelingen könnte, die Resultate der US-Präsidentschaftswahl maßgeblich zu beeinflussen. Aber gezielte Angriffe auf Teile des Wahlsystems, wie zum Beispiel Wählerdatenbanken oder Wahlmaschinen, können Wähler im Vorfeld verunsichern und Vertrauen in den Wahlprozess und zuständige Institutionen schwächen. Continue reading
Hackern haben im Netz ein 3D-Modell des „TSA Master Key“ für Safe-Skies-Schlösser veröffentlicht. Jeder kann mit einem 3D-Drucker solche Generalschlüssel für Koffer und Reisetaschen anfertigen. Die zum US-Heimatschutzministerium gehörende Travel Security Agency (TSA) ist unter anderem für die Gepäckkontrolle bei Flugreisen zuständig. Für Gepäckschlösser der Hersteller „Travel Sentry“ und „Safe Skies“ gibt es eine sogenannte „TSA-Anerkennung“, weil der Behörde Generalschlüssel für diese Schlösser vorliegen. Mit solchen Schlössern gesicherte Gepäckstücke können durch die TSA durchsucht werden, ohne das Schloss zu beschädigen. Die meisten großen Hersteller von Reisegepäck verwenden solche „TSA-Schlösser“. Nachdem bereits ein 3D-Modell eines Generalschlüssels für Schlösser von Travel Sentry veröffentlicht wurde, liegt nun auch ein Modell für den Generalschlüssel von Safe Skies vor. Die am weitesten verbreiteten Gepäckschlösser können damit nicht mehr nur von Sicherheitsbehörden, sondern von jedermann geöffnet werden. Continue reading