27/04/2021
by Michael Fuchs Leave a comment

The March/April 2021 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

Exploit on Exchange – vulnerabilities in Microsoft Exchange servers trigger a red alert
Learning by doing – data leaks discovered in the Swiss Army’s cyber training school
Rocky start(up) at Verkada – 150,000 surveillance cameras hacked
Refunds from the remorseful Ziggy ransomware gang
Data scraping on Facebook and LinkedIn: big data brings big damage

The Security Report is available in both English and German.

»» Download the English report. »» Download the German report.

06/01/2020
by Michael Hausding

100’000 .ch domain names are secured with DNSSEC!

Imagine you want to visit your online banking website «www.example-bank.ch». Now, instead of getting the correct IP address your computer gets manipulated information and connects you to a website that is owned by a criminal. You wouldn’t notice but disclose your online banking credentials to the attacker.

Luckily, DNSSEC is here to help. The extension of DNS protects you from being misled and helps you reach exactly the address you typed into your browser. A complex cryptographic process makes sure, that you’re always at the right place.

100’000 .ch domain names are signed with DNSSEC

In late December 2019 the .ch zone achieved a milestone with 100’000 DNSSEC secured domains. DNSSEC adds digital signatures to DNS answers and helps to mitigate attacks on DNS name resolution.

The percentage of .ch domain names that are signed is still below 5%, but is rising thanks to a few registrars like Infomaniak, OVH, Firestorm and netzone that sign domain names for their customers by default. The number of DNSSEC signed .ch domain names rose 54% from 1.1.2019 to 1.1.2020.

By January 1st 2020 the .ch zone contained 100’065 domain names that are secured with DNSSEC

Top .ch domain names are just average regarding domain name security

Continue reading →

02/04/2019
by Michael Hausding 1 Comment

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS system are not new. Cache poisoning, Domain Hijacking and BGP injections of routes to public DNS resolvers happen regularly, but they usually don’t get much attention as they target the Internet’s core infrastructure and are not directly visible to end users in most cases. This time it was different. The recent widespread DNS hijacking attacks on several Mid East, North African and European and North American governments and infrastructure providers, published by Ciscos Talos showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers issued a statement, that called, amongst other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is if these attacks and the awareness that DNSSEC is an absolute essential base layer protection for domain names had some effects on the Implementation of DNSSEC Switzerland?

More DNSSEC signed domain names

As a ccTLD operator SWITCH publishes the number of DNSSEC signed .ch and .li domain names every month. While the number of signed domain names is still very low at around 3-4% we see a rise in the numbers of signed domain names for two years now.

DNSSEC signed .ch domain names 1.4.2019

Continue reading →

17/10/2014
by Frank Herberg 1 Comment

IT-Security-Links #65

Why privacy matters: In this TED talk, Glenn Greenwald makes the case for why you need to care about privacy, even if you’re “not doing anything you need to hide”.
Is your Network Attached Storage (NAS) secure? A proof-of-concept worm was written by security researcher Jacob Holcomb to illustrate how vulnerable such data stores are to malicious attacks.
SSLv3: POODLE (Padding Oracle On Downgraded Legacy Encryption) is a new attack on the legacy SSLv3 protocol which is considered easier to exploit than similar previous attacks against SSL/TLS. A Security Advisory is available here (PDF). To test if your client is vulnerable SANS setup a Poodle test page. And Heise published a good background article (in german).
Shellshock: Michael Smith (Akamai) explains why the Shellshock battle is only beginning: The “long tail” challenge of the recently discovered Bash vulnerability. A Shellshock exploit is aleady included in the Mayhem botnet malware kit.
SandWorm is a zero-day vulnerability impacting all supported versions of Microsoft Windows including Windows Server 2008 and 2012.
Awareness: The US-CERT reminds users to protect against email scams and cyber campaigns using Ebola as a theme.
Beware of the air gap risks! Adi Shamir explains at the opening keynote for the Black Hat Europe conference why air-gapped networks are not as secure as usually anticipated. Have fun!

01/10/2014
by Frank Herberg 1 Comment

IT-Security-Links #64

Shellshock I: Shellshock is a term dating from World War I and it refers to the effect of the trauma of battle on troops. But since last week it’s also the name of a serious GNU Bourne Again SHell (Bash) vulnerability, or to be more exact, a series of vulnerabilities (currently CVE-2014-6271,-7169, -7186,-7187,-6277,-6278). Comprehensive technical overviews are available from SANS (PDF) and TrendMicro (PDF).
Shellshock II: Web servers are indeed currently at the highest risk of being exploited, but the command shell exists all over the Internet. For example there’s also an attack vector in OpenVPN. And Shellshock could also be used to hack VOIP systems.
DMCA-Takedowns: Warner Bros. Entertainment must now release key information about its automated scheme to send copyright infringement notices to websites.
WordPress-Security: Security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities.
Google and Dropbox launched Simply Secure to improve online security. The newly created organization aims to make security technologies easier to use.
How to deal with old Java-based enterprise applications? Deutsche Bank London helped develop an “application self-defense tool” that sits below the application to detect and prevent attacks and apply virtual patches.

19/09/2014
by Frank Herberg

IT-Security-Links #63

Home Depot overtakes Target: While Target’s breach in December ‘only’ exposed 40 million customer debit and credit card accounts, Home Depot confirms that the recent breach impacted 56 million customers. A malware infected its point-of-sale-network between April and September.
What comes after CVE-2014-9999? The international database for Common Vulnerabilities and Exposures faces its ‘Y2K’ moment. Read more about the syntax change here.
pEp: pretty Easy privacy is a new crowdfunding project based in Switzerland with the aim to simplify encryption for existing communication tools.
IptabLes / IptabLex: Akamai has published a threat advisory (PDF) to warn of attacks where cybercriminals are infecting Linux servers with malware capable of launching powerful DDoS attacks.
Heartbleed: Traffic data collected by researchers on several large networks shows no exploit attempts in the months leading up to the public disclosure of the OpenSSL Heartbleed vulnerability.
US government ordered Yahoo to hand over user data or pay USD 250.000 fine per day!
Do you like Online Security Dashboards? techiehow.com compiled a list.

11/09/2014
by Michael Hausding

Swiss economy makes online security its priority

Switzerland is one of the safest countries in the world. To make also the Internet a secure place in Switzerland, the Swiss online economy has started the Swiss Internet Security Alliance (SISA). The goal of the alliance is to make Switzerland the “cleanest” Internet country in the world! The organization launched an online security check today which allows internet users to clean and protect their systems.

Offering more security
The founding of the Swiss Internet Security Alliance is a sign of its members’ commitment to making the Internet a secure place in Switzerland. The association brings together expert knowledge from representatives of various sectors and promotes information-sharing amongst competitors.

Overcoming challenges together
The Swiss Internet Security Alliance focuses on its main assets – the knowledge, experience and technical expertise of its members. Its members asut, Centralway, credit suisse, cyscon Schweiz, Lucerne University of Applied Sciences and Arts, Hostpoint, Migros Bank, PostFinance, Raiffeisen, Sunrise, Swisscard, Swisscom, SWITCH, UBS, upc cablecom and Viseca have longstanding experience in dealing with online security. The association is open to other interested parties. More information can be found in the press release:

https://www.switch.ch/about/news/2014/sisa.html

Comprehensive security check
Upon founding the association, the Swiss Internet Security Alliance is launching a security check. The Swiss Security Check provides protection on three levels.

Users with outdated or incorrectly configured software who are therefore subject to a security risk, will find this out within seconds.
If there is suspicion of malware, the malware cleaner helps with the diagnosis and resolution of the problems.
A cyber vaccine completes the protection and keeps electronic pests at bay.

The Swiss Security Check is free and can be accessed here:
http://www.swiss-isa.ch

Please follow @swiss_isa on Twitter!

27/06/2014
by Frank Herberg

IT-Security-Links #58

Troopers14: 27 talks from this years Security Conference Troopers are available online….
HITB2014: …as well as a choice of presentation slides from Hack-in-the-box…
IPv6 Security: …and the recently held IPv6 Business Conference.
Kasperky has uncovered the Luuuk banking fraud campaign which stolen half a million euros in a single week from a single bank.
Phishing goes Mobile: Hackers have trojanized a legitimate Mobile Banking App and redistributed it on Google Play.
Update on the “legal” spyware tool “Remote Control System”: Kaspersky discovered a number of related mobile malware modules and 326 Command & Control Server.
Security experts reproduce NSA’s Advanced Network Technology catalog using off-the-shelf components.
A Swiss Google alternative: Swisscows.ch is a new search engine which promises “No tracking“.
A 20-year-old integer overflow vulnerability in the LZO compression algorithm – used by many scientific and open source projects – has finally been patched.

23/06/2014
by Slavo Greminger 1 Comment

The web is completely broken

The web is completely broken,

sagt sinngemäss Jeremiah Grossman [1], ein alter Hase im Bereich der Web Application Security. Zwar vertreibt seine Firma auch einen eigenen Webbrowser mit Fokus auf Security und vor allem Privacy, Recht hat er trotzdem: Täglich verwenden wir Technologien, welche das Etikett “Broken by Design” tragen (sollten). In diesem Artikel befassen wir uns mit zwei Themen: Cross Site Request (Forgery) CSR(F) und Certificate Authorities (CA). Die Probleme sind seit Jahren bekannt. Heute wurde gerade wieder ein CSRF-Exploit für WordPress 3.9.1 publiziert. Und ja, das ist die aktuelle WordPress-Version.

CSR(F) – Cross Site Request (Forgery)

Cross Site Request Forgery ist im Gegensatz zu seinem Bruder Cross Site Scripting nur marginal bekannt. Dennoch belegte CSRF 2010 in den OWASP Top Ten Platz 5, und im Jahr 2013 immerhin noch Platz 8. Es handelt sich folglich um eine häufige und durchaus kritische Sicherheitslücke in Webapplikationen. Doch was ist CSRF und was hat das mit “Broken by Design” zu tun?

Viele Webseiten binden externe Ressourcen, beispielsweise Bilder, Javascripts oder Werbung, ein. Das Adjektiv extern verweist hierbei auf eine andere Domäne. Ein Beispiel: Was geschieht, wenn man auf die Webseite einer typischen Schweizer Tageszeitung http://www.typischeschweizertageszeitung.ch/ geht?

Es werden Ressourcen von typischeschweizertageszeitung.ch geladen.
Es werden weitere Ressourcen von beispielsweise adtech.de, cxense.com, cxpublic.com, visualrevenue.com, wemfbox.ch etc. geladen.
Es werden von cxpublic.com wiederum weitere Ressourcen von 2mdn.net, serving-sys.com etc. geladen.

Diese Anfragen für externe Ressourcen nennt man Cross Site Requests. Und jetzt? Zunächst muss man sich fragen, wer denn diese Requests im Auftrag von typischeschweizertageszeitung.ch ausführt: der Browser. Anschliessend muss man verstehen, dass dieser Request unter Verwendung sämtlicher lokal gespeicherter Daten (insbesondere Cookies) für diese externe Domäne abgesetzt wird. Schauen wir uns ein relativ harmloses Beispiel an:

<html>
<head>
<script type="text/javascript">
   function csrf() {
      alert("Auf 192.168.1.1 läuft ein Apache Server unter OpenBSD.");
   }
   function nocsrf() {
      alert("Test fehlgeschlagen, aber vielleicht funktioniert etwas anderes? ...");
   }
</script>
</head>
<body>
   <img src="http://192.168.1.1/openbsd_pb.gif" onload="csrf()" onerror="nocsrf()">
</body>
</html>

Continue reading →

08/05/2014
by Frank Herberg

Unser SWITCH Security-Report für Mai 2014 ist verfügbar

Die aktuelle Ausgabe unseres monatlich erscheinenden ‘SWITCHcert Reports zu aktuellen Trends im Bereich IT-Security und Privacy‘ ist soeben erschienen.

Themen diesen Monat:

Android prüft zukünftig kontinuierlich installierte Apps – Fake-Virenscanner ist Shooting Star in Googles App-Store
US-Behörde schafft vollendete Tatsachen in Sachen Netzneutralität
«Heartbleed» setzt Frust und Hoffnung der Open-Source-Entwickler frei
Dropbox will mit Hilfe von Condoleezza Rice weltweit expandieren
Und wie immer Links zu spannenden Präsentationen, Artikeln und Videos rund um die Themen IT-Security und -Privacy.

Zum Download (PDF):

Haben Sie unseren vorigen Security-Report verpasst? Hier kommen Sie zum Archiv.

17/04/2014
by Frank Herberg

IT-Security-Links #54

First of all: The coolest Heartbleed-Memory-Dump so far.
How to avoid a heart attack: After the first rush of Heartbleed patching, people should investigate which of their other services or devices are vulnerable as well.
The German Aerospace Centre (DLR) in Cologne has been the victim of a targeted attack carried out by state-sponsored hackers.
The fingerprint sensor in the Samsung Galaxy S5 is as insecure and poorly implemented as the one in the iPhone 5S.
Crimeware or APT? Malware’s “Fifty Shades of Grey”: Security experts from FireEye have been monitoring the activities of a cybercrime group that uses various types of malware in its operations.
Results of the TrueCrypt source code audit: No critical flaws or intentional backdoors.
The Economics of Security: How can you quantify the true value of a security investment?
After the Heartbleed experience it’s time to admit it: We have a library security problem.

11/04/2014
by Frank Herberg

IT-Security-Links #53

This week the IT-Security world was busy with 3 important things: Heartbleed, Heartbleed and Heartbleed. It’s a serious vulnerability in the very widespread OpenSSL cryptographic software library. The bug has been introduced while implementing the Heartbeat extension in December 2011. When exploited it leads to the leak of memory contents, which might be secret keys or credentials.
Next week the IT-Security world will probably be busy with “the other side of Heartbleed”: Client Vulnerabilities or Reverse Heartbleed. And the question, which services and products are also affected.
2nd major data theft in Germany this year: 18 Million email addresses and passwords have been stolen. Among them also 38.000 which are registered in Switzerland.
WinXP in SCADA systems: Never change a running system? This computer wisdom of the 80th is still reality in critical infrastructure environments.
Android Security: Collin Mulliner compiled a list of Android Hardening Tools.
Security Researcher have to think out-of-the-box: A five-year-old boy worked out a security vulnerability on Microsoft’s Xbox Live service. And has been officially thanked by the company.

28/03/2014
by Frank Herberg

IT-Security-Links #52

Microsoft released a Security Advisory this week to notify customers that opening an e-mail containing a crafted RTF file in Outlook may hand the computer to hackers. Microsoft provides a fix-it tool. Another option: Read your e-mail in plain text.
The Full Disclosure security mailing list has been shut down after 12 years and more than 91.500 posts …
…and reborn under new management after a few days! You need to manually subscribe if you wish to be a member.
Amazon Web Services (AWS) is urging developers using GitHub to ensure they haven’t inadvertently exposed their log-in credentials. A search on GitHub reveals thousands of results where code containing AWS secret keys. (How to remove sensitive data on GitHub.)
NTP DDoS Attacks: Since December 2013 there has been a dramatic rise in NTP traffic, much of it due to NTP amplification attacks. According to the Open NTP Version (Mode 6) Scanning Project, currently 4.6 million distinct IPs (IPv4) respond to a NTP Mode 6 query.
Operation Windigo: Hackers compromised more than 25.000 servers and used them for stealing SSH credentials, sending an average of 35 million spam messages on a daily basis and infecting visitors with malware. ESET published a 69-page paper (PDF) with details of the large and sophisticated operation.
Data Privacy: Is it an out of date concept or more important than ever?

German:

Die Digitale Gesellschaft Schweiz hat ihren Swiss Lawful Intercept Report 2014 veröffentlicht. Dieser dokumentiert die Überwachungsaktivitäten der Kantone und des Dienstes Überwachung Post- und Fernmeldeverkehr (ÜPF).

28/02/2014
by Frank Herberg

IT-Security-Links #50

The ICC Belgium published a 72-page Cyber Security Guide including a Security Self Assessment Questionnaire.
Have you heard about the Security Bloggers Network? It’s the largest collection of information security focused blogs and podcasts in the world with almost 300 different blogs and podcasts included. They offer one feed of all the sites. (Sub-feeds for specified categories are in the works.)
Mobile Malware: Ten Years of Mobile Malware – From Symbian Worm to Tor-Based Android Backdoor, an overview by Softpedia with a nice graph from Symantec. Also Kaspersky published an article on Mobile Malware Evolution.
On 20th February 2014 the Niklaus Wirth Birthday Symposium took place in Zurich. Slides and video recordings of the talks are freely available. We recommend Software Defenses Using Compiler Techniques, a talk about compiler-generated software diversity as a defense mechanism against cyber attacks.
Anatomy of a “goto fail” – Apple’s SSL bug explained, by Sophos.

21/02/2014
by Frank Herberg

IT-Security-Links #49

Economic Crime Data: PwC published the findings of their Global and Swiss Economic Crime Survey 2014 as well as a 30-page PDF “Global Economic Crime Survey 2014 – A Swiss Perspective“.
More than 300.000 credentials were posted on Pastebin in 2013 according to a recent analysis by a Swiss security firm – which is just a small percentage of the stolen information posted publicly by hackers.
Sophos says 2013 was an epic year for data breaches – with over 800 million records lost.
DDoS: Who run the DDoS-for-hire services and why they themselves have to hide behind DDoS protection?
DDoS: What comes after NTP reflection attacks? And a friendly BCP38-reminder…
Meet Brian Krebs: How the author of the widely read cyber security blog ‘Krebs on Security’ lives and survives.
The ‘Moon’ worm never reaches a device which has anti-virus protection running on it. Why? It infects your Linksys router.

SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

Category Archives: Vulnerabilities

The March/April 2021 issue of our SWITCH Security Report is available!

100’000 .ch domain names are secured with DNSSEC!

100’000 .ch domain names are signed with DNSSEC

Top .ch domain names are just average regarding domain name security

IT-Security-Links #65

IT-Security-Links #64

IT-Security-Links #63

Swiss economy makes online security its priority

IT-Security-Links #58

The web is completely broken

The web is completely broken,

CSR(F) – Cross Site Request (Forgery)

Unser SWITCH Security-Report für Mai 2014 ist verfügbar

IT-Security-Links #54

IT-Security-Links #53

IT-Security-Links #52

IT-Security-Links #50

IT-Security-Links #49