social.heise.de is one of many independent Mastodon servers you can use to participate in the Fediverse.
The Mastodon server by and for Heise Medien and in particular the news from heise online.

#impersonation

Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.social/@dianasusanti" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>dianasusanti</span></a></span> : very good! It would help if more people did that.</p><p>Of course "avast-pdq dot com" sounds weird, but these scammers also had (or still have, I'm not sure):</p><p> avast-antivirus dot com</p><p>(see <a href="https://www.virustotal.com/gui/domain/avast-antivirus.com/summary" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/domain/avas</span><span class="invisible">t-antivirus.com/summary</span></a>).</p><p>HOWEVER: it is too hard for most people and simply insufficient. There are a lot of fake webshops whose domain name you don't know in advance.</p><p>A domain name is a *unique* identification (good!) but it does *not* identify (bad!) who is responsible for a website.</p><p>Certificates *used* to provide that information, but Big Tech insisted on "simpler", in fact anonymous, certificates - as can be seen below. There is *no* information regarding the owner of the website, including their country of jurisdiction.</p><p>We used to visit shops in streets. It is extremely hard to run a fake physical shop (or bank with a counter and employees), while it is incredibly easy to create an anonymous website that may mimic everything the scammers want.</p><p>Perhaps there were more scammers on pasars (markets) because a new salesperson can appear any day - possibly without permits. Doing that in an actual building is harder.</p><p>P.S. a site to look up certificates is <a href="https://crt.sh" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh</span><span class="invisible"></span></a> (example: <a href="https://crt.sh/?q=google-ivi.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?q=google-ivi.com</span><span class="invisible"></span></a>).</p><p><a href="https://infosec.exchange/tags/DVCerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DVCerts</span></a> <a href="https://infosec.exchange/tags/DomainValidated" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DomainValidated</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a></p>
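The post above makes the point that a domain-validated certificate proves control of a name but says nothing about who is behind the site. As an added example (not part of the post), this Python snippet inspects a certificate subject in the layout returned by Python's ssl getpeercert() and reports which owner-identifying fields, if any, are present; the two sample certificates are constructed, and fetch_peer_cert is only needed to inspect a live server.

```python
"""Classify a TLS certificate subject by how much it reveals about the owner.
Works on the dict layout of ssl.SSLSocket.getpeercert(), whose 'subject' is a
tuple of RDNs, each a tuple of (attribute, value) pairs."""
import socket
import ssl

# Subject attributes that name a legal entity or its jurisdiction. A plain
# domain-validated (DV) certificate carries none of them, only commonName.
OWNER_ATTRS = ("organizationName", "countryName", "stateOrProvinceName",
               "localityName", "jurisdictionCountryName", "serialNumber")


def subject_dict(cert):
    """Flatten getpeercert()['subject'] into {attribute: value}."""
    out = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            out[attr] = value
    return out


def owner_info(cert):
    """Return ('DV' or 'OV/EV', owner-identifying fields present).

    'DV' means the subject identifies nothing beyond a host name; the dict
    tells a user who (and in which country) stands behind the site, or
    that the certificate simply does not say."""
    subj = subject_dict(cert)
    fields = {k: subj[k] for k in OWNER_ATTRS if k in subj}
    return ("OV/EV" if "organizationName" in fields else "DV"), fields


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real data) in getpeercert() layout.
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "DE"),),
                       (("localityName", "Hannover"),),
                       (("organizationName", "Example GmbH"),),
                       (("commonName", "www.example.de"),))}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT):
        level, fields = owner_info(cert)
        print(level, fields or "(certificate names no owner)")
```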
Flipboard News Desk<p>Police in three U.S. states have arrested people impersonating Immigration and Customs Enforcement officers as activity in the organization heats up after President Trump’s deportation orders. Read more from <span class="h-card" translate="no"><a href="https://flipboard.com/@CNN" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>CNN</span></a></span><br><a href="https://flip.it/gsd.tL" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">flip.it/gsd.tL</span><span class="invisible"></span></a><br><a href="https://flipboard.social/tags/ICE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICE</span></a> <a href="https://flipboard.social/tags/Trump" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trump</span></a> <a href="https://flipboard.social/tags/Deport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Deport</span></a> <a href="https://flipboard.social/tags/Immigration" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Immigration</span></a> <a href="https://flipboard.social/tags/Migration" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Migration</span></a> <a href="https://flipboard.social/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>patrickcmiller</span></a></span> : Germany's eID system vulnerable to AitM (*) attacks, leading to possible (hard to dispute) impersonation / identity fraud</p><p>(*) Attacker in the Middle</p><p>Note that this vulnerability may affect other or all "electronic passports".</p><p>The German site Heise.de (well known in Western Europe, publisher of popular paper IT magazines such as c't and iX) reports [1] that a researcher was able to attack the German "eID", an electronic passport, using a malicious smartphone app.</p><p>BSI, Germany's Federal Office for Information Security [2], acknowledges the vulnerability (CVE-2024-23674) but says [3] that there is no fix (I fully agree, device compromise means game over - even if the secrets themselves are safely stored in the passport itself, in a "secure hardware enclave" in a smartphone, or in a TPM in a PC).</p><p>The researcher, "CtrlAlt", published an extensive English write-up (plus PDF) at:</p><p>[0] <a href="https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ctrlalt.medium.com/space-attac</span><span class="invisible">k-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1</span></a></p><p>This risk will be exacerbated for European citizens once they can download iOS/iPadOS apps from alternative "app stores" (the EU forces Apple to allow this).</p><p>I'd like to point out that eID apps are typically VULNERABLE TO PHISHING AS WELL (not requiring device compromise and/or malicious apps): a fake (AitM) website may ask a person to authenticate using their electronic passport, and forward such credentials to another website, impersonating the real person.</p><p>Furthermore, in December BSI together with their French colleagues ANSSI published "Remote Identity Proofing" [4], assessing the risks of "VideoIdent" - to my surprise not mentioning AitMs at all. Not to mention the rapidly increasing risk from AI (such as OpenAI's Sora, which generates artificial videos).</p><p>In my opinion some things cannot be digitalized reliably without significantly increasing risks - in particular for vulnerable people (those with limited cybersecurity awareness and/or those using old, no longer supported, hardware).</p><p>Authentication, involving significant risks (for the person authenticating), therefore requiring maximum reliability, can only be achieved IN A LIVE SETTING by letting trustworthy verifiers thoroughly check hard-to-duplicate passports for falsifications and/or manipulations, and asserting that the person matches their passport photo (plus any other physically identifying attributes).</p><p>Yes, this is more expensive, time-consuming and inconvenient, but in my opinion inevitable if risks are to be kept low.</p><p>[1] (German) <a href="https://www.heise.de/news/AusweisApp-Kritische-Schwachstelle-erlaubt-Uebernahme-fremder-Identitaeten-9630452.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/news/AusweisApp-Kriti</span><span class="invisible">sche-Schwachstelle-erlaubt-Uebernahme-fremder-Identitaeten-9630452.html</span></a></p><p>[2] <a href="https://bsi.bund.de/EN/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">bsi.bund.de/EN/</span><span class="invisible"></span></a></p><p>[3] (German) <a href="https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/240216_Hinweis-auf-eID-Schwachstelle.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span 
class="invisible">https://www.</span><span class="ellipsis">bsi.bund.de/DE/Service-Navi/Pr</span><span class="invisible">esse/Pressemitteilungen/Presse2024/240216_Hinweis-auf-eID-Schwachstelle.html</span></a></p><p>[4] <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bsi.bund.de/SharedDocs/Downloa</span><span class="invisible">ds/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.html</span></a></p><p>P.S. A personal thank you for keeping many followers informed on current security risks!</p><p><a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://infosec.exchange/tags/impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>impersonation</span></a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentityFraud</span></a> <a href="https://infosec.exchange/tags/idfraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>idfraud</span></a> <a href="https://infosec.exchange/tags/passport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passport</span></a> <a href="https://infosec.exchange/tags/ElectronicPassport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ElectronicPassport</span></a> <a href="https://infosec.exchange/tags/MaliciousApps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MaliciousApps</span></a> 
<a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/sideloading" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sideloading</span></a> <a href="https://infosec.exchange/tags/BSI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BSI</span></a> <a href="https://infosec.exchange/tags/ANSSI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANSSI</span></a> <a href="https://infosec.exchange/tags/EU" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EU</span></a></p>
Martin Holland<p>Impersonation Rampant on <a href="https://social.heise.de/tags/Twitter" class="mention hashtag" rel="tag">#<span>Twitter</span></a> as Musk Ends Verification System – <span class="h-card" translate="no"><a href="https://mstdn.social/@RollingStone" class="u-url mention">@<span>RollingStone</span></a></span> </p><p>Now that the legacy <a href="https://social.heise.de/tags/BlueCheck" class="mention hashtag" rel="tag">#<span>BlueCheck</span></a> s are gone, users are free to pose as celebrities and government agencies </p><p>&quot;As predicted by almost its entire user base, Twitter CEO <a href="https://social.heise.de/tags/ElonMusk" class="mention hashtag" rel="tag">#<span>ElonMusk</span></a>’s decision to do away with its free identity-<a href="https://social.heise.de/tags/verification" class="mention hashtag" rel="tag">#<span>verification</span></a> system on Thursday has unleashed a torrent of <a href="https://social.heise.de/tags/impersonation" class="mention hashtag" rel="tag">#<span>impersonation</span></a>, <a href="https://social.heise.de/tags/misinformation" class="mention hashtag" rel="tag">#<span>misinformation</span></a>, and general anarchy.&quot;</p><p><a href="https://social.heise.de/tags/TwitterTakeover" class="mention hashtag" rel="tag">#<span>TwitterTakeover</span></a> <a href="https://social.heise.de/tags/SocialMedia" class="mention hashtag" rel="tag">#<span>SocialMedia</span></a> </p><p><a href="https://www.rollingstone.com/culture/culture-news/twitter-impersonators-elon-musk-verification-system-1234720892" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">rollingstone.com/culture/cultu</span><span class="invisible">re-news/twitter-impersonators-elon-musk-verification-system-1234720892</span></a></p>