Interview in Experte zu Handy-Hacks: So kann man sich schützen

Experte zu Handy-Hacks: So kann man sich schützen TECHNIK 14:04 04.02.2020Zum Kurzlink Von Bolle Selke Die USA hacken das Handy von Bundeskanzlerin Angela Merkel und Saudi-Arabien das von Amazon-Chef Jeff Bezos? Müssen sich also nur Prominente Sorgen um ihr Smartphone machen? Nein, sagt der IT-Experte Sorin Mustaca im Interview und erklärt, wie man sich schützen kann. Read here the original: Die USA hacken das Handy von Bundeskanzlerin Angela Merkel und Saudi-Arabien das von Amazon-Chef Jeff Bezos? Müssen sich also nur Prominente Sorgen um ihr Smartphone machen? Nein, sagt der IT-Experte Sorin Mustaca im Interview und erklärt, wie man sich schützen kann. – Herr Mustaca, dass sich Leute wie Jeff Bezos oder Angela Merkel Sorgen um die Sicherheit ihrer Handykommunikation machen müssen ist logisch, aber muss man sich auch als Privatperson darüber Gedanken machen? – „Ich denke schon. Das Geld oder die Vorteile, die man von einer Privatperson bekommt, sind genauso gut, wie die von anderen Quellen. Man darf nicht vergessen, dass jeder von uns ein duales Leben hat: als Privatperson und als Geschäftsperson – egal ob als Angestellter oder Selbstständiger. Ein Lebensteil beeinflusst den anderen, das ist immer so. Die Informationen, die jemand über unser Privatleben hat, beeinflussen daher auch das Geschäftsleben.“ – Immer wieder gibt…

Read More

The pros and cons of new tech: Science fiction collides with reality

“The pros and cons of new tech: Science fiction collides with reality” by Michael O’Dwyer As Sorin Mustaca, an independent IT security consultant, says, “Adopting new technologies is never a mistake, if done properly.” Assess the pros and cons of new tech There’s rarely a one-size-fits-all solution in technology, and repercussions are never as severe or life-threatening as in pop culture. However, there are repercussions for ill-chosen solutions in terms of business continuity or process interruption. Mustaca advises businesses to consider all the following before adopting new tech: Know what you want. Find and clearly define the planned use of the technology. Evaluate your processes and decide how you can adapt the working processes to effectively utilize the new technology and gain the full effects and benefits it provides. Consider end users and supply them with guidance and training, as necessary. Make sure the technology is secure. You want it to properly interact with the data you provide and forbid unauthorized data access. Be mindful of infrastructure management, as the use of new software may also drive hardware upgrades.   To adopt or not to adopt—that is the question By identifying what was not optimized, the company upgraded their system…

Quoted in ECommerceTimes: Gmail to Warn Users of Unencrypted Email

Gmail to Warn Users of Unencrypted Email Author: Richard Adhikari   Quotes: The warning “will help in cases where hackers try to perform DNS poisoning while trying to infect or phish users visiting well-established websites,” security consultant Sorin Mustaca said.   Going with TLS is not necessarily the answer because “many emails would not reach their destination if the destination servers don’t support TLS,” security consultant Mustaca told the E-Commerce Times. Emails continue to be delivered because of opportunistic encryption. “Servers first try to establish a TLS connection and, if they don’t succeed, they continue communicating on unencrypted connections,” he explained.

No Image

The mysterious OpenSSL vulnerability has been patched

No, it doesn’t have a name like Heartbleed or POODLE, it was “just” a denial-of-service. “Just” is by no means something to be ignored, but it is less dangerous with the previous vulnerabilities. All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. According to OpenSSL’s Security Policy, a “high severity issue”  includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS (like this one), a significant leak of server memory (Heartbleed), and remote code execution. OpenSSL promises that such issues “will be kept private and will trigger a new release of all supported versions”. They will attempt to keep the time these issues are private to a minimum, but the goal would be “no longer than a month” where this is something that can be controlled, and significantly quicker if there is a significant risk or we are aware the issue is…

No Image

OpenSSL: Patch for secret “high severity” vulnerability

After Heartbleed, Poodle and FREAK which turned the IT world upside down, numerous companies have asked to have a though review of the most used SSL implementation in the world: OpenSSL. And indeed, in order to avoid being again in the news, the OpenSSL Foundation is set to release later this week several patches for OpenSSL, fixing undisclosed security vulnerabilities, including one that has been rated “high” severity. Matt Caswell of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf will be released Thursday. “These releases will be made available on 19th March,” Caswell wrote. “They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity.” OpenSSL has been hit hard and the trust in it and in open source in general has been severely shaken in the last 12 months. Last year in April, Heartbleed (CVE-2014-0160) was discovered in older versions of OpenSSL, but still highly used, which allowed hackers to read the sensitive contents of users’ encrypted data, such as financial transactions, instant messages and even steal SSL keys from Internet servers or client software that were running the affected versions of OpenSSL. Two…

No Image

“Ze Foreign Accent” spam is back

Twelve years ago the IT security world was fighting against an unprecedented amount of spam emails. Spam is not and never was just a nuisance; it is a big problem because it slows down the good emails and takes up resources. Together with Virus Bulletin and some antispam researchers from various companies, a list called “The Spammer Compendium” was created.  This list contains methods used by spammers to trick spam filters and to have their emails delivered to the end users. One of the methods listed there is called “Ze Foreign Accent” spam or(BWO!Accent!Plain). The main characteristic of this method is the usage of special characters called “accents”. They make no sense in English, but they exist in other languages like French, German, Romanian, and others. We haven’t seen this kind of spam in the wild for many years now because it was very easy to detect (due to the heavy usage of special characters). So you can imagine our surprise to see this technique pop up again in a spam message. What makes “Ze Foreign Accent” spam so special? This spam is special because it combines various methods described in “The Spammer Compendium”: Whiter Shade of Pale – TA!Pale!HTML and  Invisible Ink…

No Image

Protect individuals and their devices within an organisation, not just their desktops

The classic approach to secure a company is to secure its assets against all attack vectors: laptops, workstations, servers, storage entities and programmes. The standard attack methods are usually: infections through files carried on USB sticks, memory cards, mobile hard drives, downloaded files network attacks (spoofing, DOS) vulnerabilities that get exploited in common software   In recent years, it is no longer enough to just protect these assets. Whilst it remains mandatory to continue to protect them, we have seen that the most vulnerable elements in the enterprise are actually the employees. They are attacked using: drive-by downloads in order to become infected with malicious software phishing websites in order to steal identity and financial information spam and phishing emails in order to lose money and other personal information fuzzy privacy agreements that don’t limit the amount of information shared   But this is not all, because employees also have a private life. In his private life, which increasingly becomes more difficult to separate from the professional life, the employee uses technologies, services and devices which he brings into the enterprise. The extensive adoption of third-party file synchronization services, like Dropbox , Skydrive, Box, Drive and many others, make it…

No Image

Three key security threats seen during 2013 – and how to protect against them

Originally published here: 1. Security breaches and hacks   2013 was the year that major security breaches and hacks really took hold. Millions of credentials were stolen from the likes of Twitter, Tumblr,Yahoo, Adobe and many others. Whenever data breaches like this occur, targeted attacks against the users of such wesbites can quickly follow. The targeted attacks usually consist of URLs to phishing websites or malware delivered to users’ email inboxes, so it’s imperative that end-users and corporate IT teams keep a close look out for what might be attempting to attack. Having the username and same password for all online accounts introduces significant security risks, of course. Login credentials used to access social media websites such as Facebook, could also be used to spread malware on behalf of the owner via their email address. If a website you have an account with has suffered a security breach, change your password immediately. But it’s essential that you ensure that you’re not using the same single password for all of your online accounts. Make sure you use a different passwords for different accounts. You can find some tips here on how to create better passwords and remember them whilst ensuring they are unique to each service. 2….

%d bloggers like this: