04 Case Study: Special Electronic Attorney Mailbox (PDF)

Summary

This case study examines the security issues related to a special electronic mailbox system for attorneys in Germany. It details various security vulnerabilities, including cross-site scripting, character encoding problems, and incorrect certificate handling. The study highlights how even large technology companies can still have difficulties ensuring secure systems.

Full Transcript

04 Case Study: Special Electronic Attorney Mailbox
("Besonderes elektronisches Anwaltspostfach")
What's the Purpose?

Communication with with courts, authorities, and with other attorneys

Communication needs to be encrypted.

Timestamps are verified in order to meet deadlines.

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 2
What's that all about?

The mailbox is a large scale IT system, as all attorneys in Germany have to use it.

Communication is done using a central server.

Atos IT Solutions and Services (~4500 employees, 1,3 billion Euro annual
sales) was chosen to implement the software and to provide the central
server.

The mailbox is not compatible with regular email.

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 3
The Timeline

28.11.2016: A first version is launched

22.12.2017: Due to security, issues the application is shut down

03.09.2018: A second version is launched

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 6
Security Issues?

Cross-Site-Scripting vulnerabilities

Problems with character encodings

Erroneous handling of certificates

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 7
Cross-Site-Scripting Vulnerabilities

Non-temporary Cross-Site-Scripting Attacks could be carried out on the web
client.

https://streamable.com/xddl5

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 8
Problems with Character Encodings

When using German umlauts (ä, ö, ü, ß) in them, messages could not be
delivered

However, the transfer of the message was still acknowledged by the server

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 9
Erroneous handling of Certificates 1 / 3

The client software had the private key of the server's certificate included
due to the system design

This infringed the certificate policy of the Deutsche Telekom who issued the
certificate

Therefore, the certificate was revoked

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 10
Erroneous handling of Certificates 2 / 3

But, why was the private key included?

A server application was executed on the local computer a client was
installed on

Communication with this server application was done using the domain
bealocalhost.de which pointed to 127.0.0.1

To prevent security warnings when connecting to this domain, a valid
certificate for this domain, including the private key, was deployed together
with the application

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 11
Erroneous handling of Certificates 3 / 3

How to not fix this?

After the certificate was revoked, a self-signed root certificate was issued

Users were instructe how to include this certificate in their computer's
certificate store

This basically compromised HTTPS in its entirety

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 12
Anything else?

The implementation of the client was based on outdated JAVA libraries

Messages were not end-to-end encrypted

The implementation was vulnerable to a ROBOT attack

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 13
Summary

Even hiring a large tech company does not prevent security issues

Knowledge about (cyber)security is really important nowadays!

DEPARTMENT OF ADVANCED COMPUTING SCIENCES, MAASTRICHT UNIVERSITY COMPUTER SECURITY | 14