04 Case Study: Special Electronic Attorney Mailbox (PDF)
Document Details
Uploaded by CarefreeBlankVerse5061
Maastricht University
Tags
Related
- Kansas City Missouri Police Department Personnel Policy 260 - Computer Use and Security 2021 PDF
- Controlling Networks PDF
- Hardware Trojan Threats and Countermeasures Lecture-2 PDF
- Ethics for the Information Age, Chapter 7, Computer and Network Security
- Computer Security Module 13, Saudi Electronic University 2011-1432 PDF
- Cybersecurity Lecture Notes PDF
Summary
This case study examines the security issues related to a special electronic mailbox system for attorneys in Germany. It details various security vulnerabilities, including cross-site scripting, character encoding problems, and incorrect certificate handling. The study highlights how even large technology companies can still have difficulties ensuring secure systems.
Full Transcript
04 Case Study: Special Electronic Attorney Mailbox ("Besonderes elektronisches Anwaltspostfach") What's the Purpose? Communication with with courts, authorities, and with other attorneys Communication needs to be encrypted. Timestamps are verified in order to meet...
04 Case Study: Special Electronic Attorney Mailbox ("Besonderes elektronisches Anwaltspostfach") What's the Purpose? Communication with with courts, authorities, and with other attorneys Communication needs to be encrypted. Timestamps are verified in order to meet deadlines. DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 2 What's that all about? The mailbox is a large scale IT system, as all attorneys in Germany have to use it. Communication is done using a central server. Atos IT Solutions and Services (~4500 employees, 1,3 billion Euro annual sales) was chosen to implement the software and to provide the central server. The mailbox is not compatible with regular email. DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 3 The Timeline 28.11.2016: A first version is launched 22.12.2017: Due to security, issues the application is shut down 03.09.2018: A second version is launched DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 6 Security Issues? Cross-Site-Scripting vulnerabilities Problems with character encodings Erroneous handling of certificates DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 7 Cross-Site-Scripting Vulnerabilities Non-temporary Cross-Site-Scripting Attacks could be carried out on the web client. https://streamable.com/xddl5 DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 8 Problems with Character Encodings When using German umlauts (ä, ö, ü, ß) in them, messages could not be delivered However, the transfer of the message was still acknowledged by the server DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 9 Erroneous handling of Certificates 1 / 3 The client software had the private key of the server's certificate included due to the system design This infringed the certificate policy of the Deutsche Telekom who issued the certificate Therefore, the certificate was revoked DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 10 Erroneous handling of Certificates 2 / 3 But, why was the private key included? A server application was executed on the local computer a client was installed on Communication with this server application was done using the domain bealocalhost.de which pointed to 127.0.0.1 To prevent security warnings when connecting to this domain, a valid certificate for this domain, including the private key, was deployed together with the application DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 11 Erroneous handling of Certificates 3 / 3 How to not fix this? After the certificate was revoked, a self-signed root certificate was issued Users were instructe how to include this certificate in their computer's certificate store This basically compromised HTTPS in its entirety DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 12 Anything else? The implementation of the client was based on outdated JAVA libraries Messages were not end-to-end encrypted The implementation was vulnerable to a ROBOT attack DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 13 Summary Even hiring a large tech company does not prevent security issues Knowledge about (cyber)security is really important nowadays! DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 14