Heise Medien on Mastodon

0 Beiträge0 Beteiligte0 Beiträge heute

Erik van Straten<a href="https://mastodon.social/@dianasusanti" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@dianasusanti</a> : very good! It would help if more people did that.Of course "avast-pdq dot com" sounds weird, but these scammers also had: (or still have, I'm not sure): avast-antivirus dot com(see <a href="https://www.virustotal.com/gui/domain/avast-antivirus.com/summary" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.virustotal.com/gui/domain/avast-antivirus.com/summary</a>).HOWEVER: it is too hard for most people and simply insufficient. There are a lot of fake webshops, of whom you don't know the domain name in advance.A domain name is a *unique* identification (good!) but it does *not* identify (bad!) who is responsible for a website.Certificates *used* to provide that information, but Big Tech insisted on "simpler", in fact anonymous, certificates - as can be seen below. There is *no* information regarding the owner of the website, including their country of jurisdiction.We were used to visit shops in streets. It is extremely hard to run a fake physical shop (or bank with a counter and employees), while it is incredibly easy to create an anonymous website that may mimic everything the scammers want.Perhaps there were more scammers on pasars (markets) because a new salesperson can appear any day - possibly without permits. Doing that in an actual building is harder.P.S. a site to look up certificates is <a href="https://crt.sh" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://crt.sh</a> (example: <a href="https://crt.sh/?q=google-ivi.com" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://crt.sh/?q=google-ivi.com</a>).<a href="https://infosec.exchange/tags/DVCerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DVCerts</a> <a href="https://infosec.exchange/tags/DomainValidated" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DomainValidated</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Identification</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonation</a>

Flipboard News DeskPolice in three U.S. states have arrested people impersonating Immigration and Customs Enforcement officers as activity in the organization heats up after President Trump’s deportation orders. Read more from <a href="https://flipboard.com/@CNN" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@CNN</a> <a href="https://flip.it/gsd.tL" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://flip.it/gsd.tL</a> <a href="https://flipboard.social/tags/ICE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ICE</a> <a href="https://flipboard.social/tags/Trump" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Trump</a> <a href="https://flipboard.social/tags/Deport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Deport</a> <a href="https://flipboard.social/tags/Immigration" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Immigration</a> <a href="https://flipboard.social/tags/Migration" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Migration</a> <a href="https://flipboard.social/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impersonation</a>

Erik van Straten<a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@patrickcmiller</a> : Germany's eID system vulnerable to AitM (*) attacks, leading to possible (hard to dispute) impersonation / identity fraud(*) Attacker in the MiddleNote that this vulnerablity may affect other or all "electronic passports".The German site Heise.de (well known in western Europe, publisher of popular paper IT magazines such as c't and iX) reports [1] that a researcher was able to attack the German "eID", an electronic passport using a malicious smartphone app.BSI, Germany's Federal Office for Information Security [2], acknowledges the vulnerability (CVE-2024-23674) but says [3] that there is no fix (I fully agree, device compromise means game over - even if the secrets themselves are safely stored in the passport itself, in a "secure hardware enclave" in a smartphone, or in a TPM in a PC).The researcher, "CtrlAlt", published an extensive English write-up (plus PDF) at:[0] <a href="https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1</a>This risk will be exacerbated for European citizens once they can download iOS/iPadOS apps from alternative "app stores" (the EU forces Apple to allow this).I'd like to point out that eID apps are typically VULNERABLE TO PHISHING AS WELL (not requiring device compromise and/or malicious apps): a fake (AitM) website may ask a person to authenticate using their electronic passport, and forward such credentials to another website, impersonating the real person.Furthermore, in December BSI together with their French collegues ANSSI published "Remote Identity Proofing" [4], assessing the risks of "VideoIdent" - to my surprise not mentioning AitM's at all. Not to mention the rapidly increasing risk from AI (such as OpenAI's Sora, which generates artificial videos).In my opinion some things cannot be digitalized reliably without significantly increasing risks - in particular for vulnerable people (those with limited cybersecurity awareness and/or those using old, no longer supported, hardware).Authentication, involving significant risks (for the person authenticating), therefore requiring maximum reliability, can only be achieved IN A LIVE SETTING by letting trustworthy verifiers thoroughly check hard-to-duplicate passports for falsifications and/or manipulations, and asserting that the person matches their passport-photo (plus any other physically identifying attributes).Yes, this is more expensive, time-consuming and inconvenient, but in my opinion inevitable if risks are to be kept low.[1] (German) <a href="https://www.heise.de/news/AusweisApp-Kritische-Schwachstelle-erlaubt-Uebernahme-fremder-Identitaeten-9630452.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.heise.de/news/AusweisApp-Kritische-Schwachstelle-erlaubt-Uebernahme-fremder-Identitaeten-9630452.html</a>[2] <a href="https://bsi.bund.de/EN/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://bsi.bund.de/EN/</a>[3] (German) <a href="https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/240216_Hinweis-auf-eID-Schwachstelle.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/240216_Hinweis-auf-eID-Schwachstelle.html</a>[4] <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html</a>P.S. A personal thank you for keeping many followers informed on current security risks!<a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#authentication</a> <a href="https://infosec.exchange/tags/impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#impersonation</a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IdentityFraud</a> <a href="https://infosec.exchange/tags/idfraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#idfraud</a> <a href="https://infosec.exchange/tags/passport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#passport</a> <a href="https://infosec.exchange/tags/ElectronicPassport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ElectronicPassport</a> <a href="https://infosec.exchange/tags/MaliciousApps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MaliciousApps</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/sideloading" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sideloading</a> <a href="https://infosec.exchange/tags/BSI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BSI</a> <a href="https://infosec.exchange/tags/ANSSI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ANSSI</a> <a href="https://infosec.exchange/tags/EU" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EU</a>

Martin HollandImpersonation Rampant on <a href="https://social.heise.de/tags/Twitter" class="mention hashtag" rel="tag">#Twitter</a> as Musk Ends Verification System – <a href="https://mstdn.social/@RollingStone" class="u-url mention">@RollingStone</a> Now that the legacy <a href="https://social.heise.de/tags/BlueCheck" class="mention hashtag" rel="tag">#BlueCheck</a> s are gone, users are free to pose as celebrities and government agencies "As predicted by almost its entire user base, Twitter CEO <a href="https://social.heise.de/tags/ElonMusk" class="mention hashtag" rel="tag">#ElonMusk</a>’s decision to do away with its free identity-<a href="https://social.heise.de/tags/verification" class="mention hashtag" rel="tag">#verification</a> system on Thursday has unleashed a torrent of <a href="https://social.heise.de/tags/impersonation" class="mention hashtag" rel="tag">#impersonation</a>, <a href="https://social.heise.de/tags/misinformation" class="mention hashtag" rel="tag">#misinformation</a>, and general anarchy."<a href="https://social.heise.de/tags/TwitterTakeover" class="mention hashtag" rel="tag">#TwitterTakeover</a> <a href="https://social.heise.de/tags/SocialMedia" class="mention hashtag" rel="tag">#SocialMedia</a> <a href="https://www.rollingstone.com/culture/culture-news/twitter-impersonators-elon-musk-verification-system-1234720892" target="_blank" rel="nofollow noopener noreferrer" translate="no">https://www.rollingstone.com/culture/culture-news/twitter-impersonators-elon-musk-verification-system-1234720892</a>

Frühere Suchanfragen

Suchoptionen

Verwaltet von:

Serverstatistik:

#impersonation