SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


The Drama of Awareness – using Aristotle and Brecht to raise awareness: Part II

In the previous article, we were looking for inspiration on how to raise security awareness in Aristotle’s approach to artistic communication between actor and audience. His Theater of Illusion with its catharsis momentum gave us some insights on how to manufacture communications measures in order to achieve a learning process by proxy.

In the present article, we’re going to have a closer look at Brecht’s more modern concept of Epic Theater. The German playwright strives to move away from the Theatre of Illusion, from identification and purification, towards the active re-evaluation of reality by the audience.

Continue reading


1 Comment

The Drama of Awareness – using Aristotle and Brecht to raise awareness: Part I

There is a lot of drama surrounding the subject of security awareness. Whether it is because of the limited resources available in the face of ever-increasing demand, or the fact that awareness measures are still largely the responsibility of technically trained security experts – one could say that security awareness is surrounded by an air of tragedy.

How can you get users to manage data and devices securely? People have long wondered how to craft a message that moves people (to do something) – since well before the invention of advertising or awareness campaigns. It’s the same problem that lies at the heart of artistic communication between actor and audience. This article is, therefore, not about drama in the proverbial sense, but rather about literary drama as a work of art (of the theatre). Can literary scholarship provide us with insightful answers to this big question? First, we’re going to have a look at Aristotle  and the Classical Drama. Continue reading


The March/April 2019 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Lenin and the detectives: Mobiispy stalkerware can make highly personal data collected while monitoring children and partners publicly accessible
  • Ransomware trojan LockerGoga brings companies to their knees
  • Straight talk at Facebook: when tech giants fail to meet even minimal security requirements
  • Malware straight from the factory: when Shadow Hammer strikes the supply chain

The Security Report is available in both English and German.

»»  Download the English report.     »»  Download the German report.

Did you miss our previous Security Report? Click here to go to the archive.


1 Comment

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS system are not new. Cache poisoning, Domain Hijacking and BGP injections of routes to public DNS resolvers happen regularly, but they usually don’t get much attention as they target the Internet’s core infrastructure and are not directly visible to end users in most cases. This time it was different. The recent widespread DNS hijacking attacks on several Mid East, North African and European and North American governments and infrastructure providers, published by Ciscos Talos showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers issued a statement, that called, amongst other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is if  these attacks and the awareness that DNSSEC is an absolute essential base layer protection for domain names had some effects on the Implementation of DNSSEC Switzerland?

More DNSSEC signed domain names

As a ccTLD operator SWITCH publishes the number of DNSSEC signed .ch and .li domain names every month. While the number of signed domain names is still very low at around 3-4% we see a rise in the numbers of signed domain names for two years now.

DNSSEC signed .ch domain names 1.4.2019

Continue reading


The January/February 2019 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Company networks at serious risk: recent waves of malspam have been spreading the multifunctional trojan Emotet, targeting Windows devices in particular
  • Phishing, porn, data theft: rogue apps appearing as a new and harmful type of ‘non-sellers’ on Google Play and other app stores
  • Spy Time now also available for Apple devices – Serious security vulnerabilities allow outsiders to eavesdrop on FaceTime conversations and steal passwords from Keychain in MacOS
  • Alexa home alone, nuclear attack via Nest and a new password law in California – what happens when IoT gadgets run amok?

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

Mobile Malware


Rogue Mobile App

Rogue mobile apps are counterfeit apps designed to mimic trusted brands or apps with non-advertised malicious features. In both cases, the goal is that unaware users install the app in order to steal sensitive information such as credit card data or login credentials.

The common way to install apps is to use the official app store. By default, neither Android nor Apple’s iPhone allow users to install apps from unknown sources. However, this does not mean we can just trust the official app store. SWITCH-CERT has been monitoring Apple’s App Store and Google Play for some time and noticed that many rogue apps are able to sneak into Google Play especially.

Google Play

Attackers are abusing the weak app testing procedure of Google to sneak their rogue apps into Google Play. One can find counterfeit apps of Swiss brands on a regular basis. Typically, the apps reside on Google Play for some time until it is removed because of take down requests from security researchers. Until that happens, unaware users are likely to install such apps and put their data at risk.

The screenshot below shows apps found when searching for Bluewin. During the last months, Bluewin has been a common target for rogue counterfeit apps. The red circle indicates the rogue app.

Play Store result for the search key word “Bluewin”

Continue reading


The November/December 2018 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • SiSyPHuS gives Windows 10 low marks for data protection and security
  • Vivy app suffering from multiple diseases: security researchers uncover several vulnerabilities in the patient data app
  • Facing court: Chinese facial recognition unfairly lands big entrepreneur in hot water
  • Not exactly cuddly: data protection authority imposes first GDPR fines after hacking attack

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.


The Sep/Oct 2018 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our SWITCH Security Report has just been released.

The topics covered in this report are:

  • Turning Good instead of Breaking Bad? Hacking to fend off other hackers
  • What do a firefighter and Google Chrome 69 have in common?
  • 15 months later: new attacks, same old vulnerability
  • Peekaboo exploits vulnerability in surveillance cameras in a major way

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

 


A new issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • An own goal and serious foul: Spanish football league’s app turns 10 million users into involuntarily spies
  • Amazon Rekognition – useful security and convenience tool or total surveillance for pennies?
  • An underestimated risk: the number of malware attacks on smartphones and tablets is exploding
  • Phishing with the stars: scammers take advantage of our celebrity obsession and the crypto craze to cause harm to users

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.


Top 1000 .ch Domain Names

UPDATE 19.02.2019:

From February 2019 on there will be a few small changes. A co-worker, Antoine, has discovered a flaw in the current measurement of the top 1000 .ch domain names which has been removed by now. Since we only counted the number of distinct IP addresses per domain for both IP versions, using IPv6 one can easily send queries from a whole /64 range which results in approximately 1.8*10^19 different addresses. Being a private customer of the Swiss ISP Init7 even gives you an entire /48 range. Like that you can easily push a domain name to the top! In order to prevent this from happening we will now count the distinct number of ASes per domain.

Additionally, we will provide 2 lists from now on. One that contains a ranking based on ALL queries, i.e. including queries that have returned NXDOMAIN, and one whithout those NXDOMAIN queries. Previously, we just provided the former. Continue reading


The May/June 2018 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • Microsoft will never contact you by phone: support scam continues to gain momentum
  • «Efail» between hype and disaster: the security world needs to learn how to communicate
  • Sonic waves on the attack, recent incidents are reason to prick up your ears
  • Waterholing attacks: infrastructure is and remains a target

The Security Report is available in both English and German.

»»  Download the English report.      »»  Download the German report.

Did you miss our previous Security Report? Click here to go to the archive.

 


The March/April 2018 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • The dark side of the Data Force: Facebook, Cambridge Analytica, and the pressing question of who is using whose data for what
  • News from the world of state trojans: Microsoft’s analysis of FinFisher
  • Russian APT28 hackers’ month-long infiltration of the computer network of Germany’s federal government
  • Bitcoin bounty or close encounter: bizarre side-effects of cryptomining

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

 


Additional DNSSEC Training with PowerDNS on May 7 and 8

We announced 3 one day DNS trainings in the end of February and all three trainings where fully booked within 24 hours. We are happy to see so much demand for DNSSEC in Switzerland.
We managed to add two more dates for the DNSSEC training together with PowerDNS
The training will be given at the following dates in Zurich:

7.5. Zurich, SWITCH
8.5. Zurich, SWITCH

The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server.
We will use PowerDNS for the practical and hands on part. PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.

Agenda:

• Short introduction to DNSSEC
• how DNSSEC works
• keys / signatures / NSEC / NSEC3
• Working with DNSSEC and the PowerDNS Authoritative server
• Short overview over PowerDNS Authoritative server backends (MySQL, PostgreSQL, BIND, pipe, …)
• DNSSEC signing
• Pre-signed zones
• CDS
• Zone transfers
• Utilities (pdnsutil)
• The PowerDNS ALIAS record (and its future)

Required skills: Unix system administrator skills and DNS server know how.The training will be delivered in english.

More information and registration here:

https://www.eventbrite.com/e/dnssec-training-zurich-may-7-tickets-44474772241
https://www.eventbrite.com/e/dnssec-training-zurich-may-8-tickets-44474795310


A Day in the Life of nic.ch

Ever wondered what the DNS traffic looks like on a usual day on a .ch name server? This article briefly sketches the landscape of systems querying .ch domains. To be exact, the following statistics and statements are based on a small subset of the overall data since the underlying sources just consist of 2 out of 8 name servers, i.e. a.nic.ch and b.nic.ch.  Overall the .ch zone consists of 8 name servers distributed all over the world. While some of them are setup as anycast network, others are set up traditionally as unicast servers located in a single data center.

We capture the DNS traffic as pcaps and subsequently process and store it with the help of Entrada which relies on HDFS and Impala. Currently, we operate a Hadoop cluster with 7 data nodes which provides us with a good basis for future in-depth analysis.

The following sections discuss two statistics that we publish on www.nic.ch in greater detail.

Who queries the name servers?

To start with, let’s have a look at who queries our name servers. Figure 1 shows the top 10 countries in terms of generated DNS traffic observed during week 4 of 2018. Additionally, the share of distinct IP addresses per country is displayed with a second bar. Since the original DNS traffic does not contain explicit information about the country where the query originates from this information is being added by Entrada with the help of the Maxmind database. To have a more representative image of the DNS landscape, Google resolvers and OpenDNS resolvers are excluded from this statistic.  Although from the queries themselves one cannot be sure about the nature of the querying system, for convenience, throughout this article we’ll call those systems resolvers.

top_ten_countries.png

Figure 1

Continue reading


5 Comments

DNSSEC training with PowerDNS in Switzerland

SWITCH is organising a one day DNSSEC training together with PowerDNS

The training will be given at the following dates:

9.4. Zurich, SWITCH
10.4. Bern, Uni
11.4. Carouge HESGE

The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server.
We will use PowerDNS for the practical and hands on part. PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, with minimal administrative overhead.

Agenda:

• Short introduction to DNSSEC
• how DNSSEC works
• keys / signatures / NSEC / NSEC3
• Working with DNSSEC and the PowerDNS Authoritative server
• Short overview over PowerDNS Authoritative server backends (MySQL, PostgreSQL, BIND, pipe, …)
• DNSSEC signing
• Pre-signed zones
• Zone transfers
• Utilities (pdnsutil)
• The PowerDNS ALIAS record (and its future)

Required skills: Unix system administrator skills and DNS server know how.The training will be delivered in english.

More information and registration here:

Zurich: https://www.eventbrite.com/e/dnssec-training-zurich-tickets-43350331007
Bern: https://www.eventbrite.com/e/dnssec-training-bern-tickets-43592055010
Carouge: https://www.eventbrite.com/e/dnssec-training-carouge-tickets-43592840359

Update 28.2.2018: All three trainings are fully booked after only 24 hours. We are happy to see so much interest in DNSSEC in Switzerland. Waitlist is now open.