Secure Information Technology Center – Austria

Threats posed by malicious USB devices

Category: IT-Security

The flexibility of USB allows a wide variety of devices to be integrated through a common interface, without any authentication. Since a computer cannot recognise a USB device before it is plugged in, it identifies the device solely by the information the device supplies about itself. A user, in turn, expects a USB device to provide only the functionality it was designed for. In the recent past, manipulated USB devices have appeared that current protection measures cannot detect as a threat.

Within the scope of a short study, known methods for manipulating USB devices in order to attack a computer have been summarised. After a brief introduction to the USB standard, the known attack vectors are collected. Particular attention is paid to the manipulation of the firmware of USB flash drives (the "BadUSB" attack). Practical case studies highlight the problem and illustrate the possible consequences of an attack. Finally, the use of possible protective mechanisms is discussed.

Secure Peer-to-Peer communication

Category: IT-Security

This project proposes a flexible and modular approach for existing peer-to-peer frameworks to enable secure communication using well-established and proven protocols and algorithms. It introduces an interoperability layer into which existing peer-to-peer frameworks and transport security protocols can be plugged seamlessly, and analyses the components of end-to-end security protocols. Finally, a proof-of-concept application built on the proposed framework is introduced which enables peers to establish secure connections using different types of identities. It can be found in the download area.

Analyzing HTTPS services offered by GV.AT domains

Category: eGovernment, IT-Security

In this project several properties of the services offered by gv.at domains have been analysed. The main emphasis of the analysis was placed on services offered via HTTPS (SSL/TLS). The results are presented in a technical report. In addition, a basic framework for automating the analysis has been implemented.
The main results of the analysis are summarised as follows:

  • 1285 services have been analysed; 763 of them do not support HTTPS at all.
  • For the remaining 522 services that offer HTTPS the following details were observed:
    • Only 59 services had HTTPS explicitly configured. The other 463 services offered a default HTTPS service (e.g. a provider-specific default certificate, or an invalid test certificate that does not match the host name).
    • The services were then analysed for the cipher suites they support, which strongly influence the security of the TLS connection.
    • cipher

All details are available in the following report (in German):

Use of SHA-1 in certificates

Multiple web browser vendors intend to retire the widely used hash algorithm SHA-1, whose weaknesses against collision attacks make it unsuitable for certificate signatures, in favour of more recent alternatives. They have therefore published deprecation policies that phase out SHA-1 in multiple steps.

The following table shows, in chronological order and separately for each browser, how certificates signed with SHA-1 are handled. The gradual sunset of SHA-1 is split into steps, each assigned its own colour: notice (green), warning (yellow) and escalation (red).

[Table: SHA-1 sunset steps per browser: notice (green), warning (yellow), escalation (red)]

During the HTTPS analysis, a list of the signature algorithms used on servers of public institutions was compiled. From it, the following key figures can be derived for certificates signed with SHA-1:

  • 41 servers use a certificate that expires before 1/1/2016 and is therefore not affected by the sunset.
  • 21 out of 91 certificates remain valid during 2016. Major browsers will still show the affected servers as secure, but with minor errors.
  • The remaining 27 certificates remain valid beyond 1/1/2017. From Google Chrome version 40 onward, these servers will therefore be displayed as neutral, i.e. no differently from an unprotected HTTP connection.
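The classification behind these figures can be reproduced with a few lines of standard-library Python. The following is an added example, not code from the report or its analysis framework: it walks the DER structure of an X.509 certificate to pull out the signature algorithm OID and the notAfter date, then applies the three-step rule described above (unaffected before 2016, "minor errors" during 2016, "neutral" from 2017 under Chrome 40). The OIDs are the standard PKIX ones; the certificates at the bottom are constructed, unsigned test data with a dummy key and the made-up name test.example.

```python
"""Extract signature algorithm and expiry from a DER certificate and classify
it against the SHA-1 sunset steps. Added example (stdlib only); the builder at
the bottom produces constructed, unsigned test data, not real gv.at certificates."""
from datetime import datetime

# OIDs of SHA-1 based signature algorithms (PKIX)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime: RFC 5280 pivots YY >= 50 into 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")   # GeneralizedTime (0x18) already has 4 digits

def parse_signature_and_expiry(der):
    """Walk Certificate -> tbsCertificate and return (signature OID, notAfter)."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)         # [0] version is optional ...
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # ... only then is the next element the serial
    _, sig_alg, pos = _read_tlv(tbs, pos)   # signature AlgorithmIdentifier
    _, oid_raw, _ = _read_tlv(sig_alg, 0)
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name (skipped)
    _, validity, _ = _read_tlv(tbs, pos)
    _, _, p = _read_tlv(validity, 0)        # notBefore (skipped)
    tag, not_after, _ = _read_tlv(validity, p)
    return _decode_oid(oid_raw), _decode_time(tag, not_after)

def sha1_sunset_status(sig_oid, not_after):
    """Three-step rule as applied in the key figures (Chrome 40 behaviour)."""
    if sig_oid not in SHA1_SIGNATURE_OIDS:
        return "ok"
    if not_after < datetime(2016, 1, 1):
        return "ok"                         # expires before the sunset bites
    if not_after < datetime(2017, 1, 1):
        return "minor errors"               # "secure, but with minor errors"
    return "neutral"                        # shown like plain HTTP

def sha1_report(der):
    oid, not_after = parse_signature_and_expiry(der)
    name = SHA1_SIGNATURE_OIDS.get(oid) or OTHER_SIGNATURE_OIDS.get(oid, oid)
    return {"algorithm": name, "not_after": not_after.strftime("%Y-%m-%d"),
            "status": sha1_sunset_status(oid, not_after)}

# --- constructed test data: minimal DER encoder and an unsigned dummy certificate ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_sample_cert(sig_oid, not_after_utctime):
    """Structurally valid Certificate with a dummy key and signature (constructed data)."""
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, b"test.example"))))
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, not_after_utctime.encode()))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, bytes(17)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))

if __name__ == "__main__":
    for oid, exp in [("1.2.840.113549.1.1.5", "151231235959Z"),
                     ("1.2.840.113549.1.1.5", "161231235959Z"),
                     ("1.2.840.10045.4.1", "170301120000Z"),
                     ("1.2.840.113549.1.1.11", "170301120000Z")]:
        print(sha1_report(make_sample_cert(oid, exp)))
```

To run the same check against a live host, fetch its leaf certificate with ssl.get_server_certificate((host, 443)) and convert the PEM to DER with ssl.PEM_cert_to_DER_cert before passing it to sha1_report; the parser only reads the signature OID and validity, so it is unaffected by extensions or key types it does not know.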

A detailed description of all deprecation policies and the list of investigated certificates are given in the following report (in German):