The German hacker club CCC claims that they found a trojan used by the German federal police (German source).
It seems that the software has many security issues and, even worse, has abilities which are illegal under German law.
The interesting question is now: Does it really originate from German authorities? Of course they deny that. And if so, how would one prove that? It seems that the trojan uses command servers outside of Germany. At the moment it is unclear who operates these machines.
I do not expect that this will ever be resolved completely. It's way too embarrassing.
Update: The Bavarian Government accepted responsibility for the trojan. Antivirus vendors claim that it would be caught by heuristic malware detectors. Looks like there is egg on someone's face.
Monday, 10 October 2011
Sunday, 15 August 2010
Smartphones Not Ready for Mobile TANs
In recent weeks we had an outbreak of security issues with smartphones. The most famous was the PDF font bug that hit the iPhone and other iOS devices, which Apple fixed with iOS 4.0.2. This one was really dangerous because it could infect an iPhone just by opening a malicious web site.
Then we had a rootkit for Android phones. A first criminal exploitation was a Trojan, also for Android, that sent text messages to premium numbers.
Of course there is much more. The reason for this is, of course, that there is no magical security for telephones. Old-style telephone-and-SMS-only phones were simply too dumb to be hacked (if we disregard the occasional Bluetooth hack). Modern smartphones are normal computers that happen to contain a radio baseband chip.
However, we have that security feature M-TAN or Mobile TAN for online banking. When an M-TAN user has entered their transaction into the online banking website, they get an SMS with some details on the transaction and the M-TAN number. If the details of the transaction look good, they enter the M-TAN into the web site to complete the transaction.
So, here is the criminal master plan:
- own as many PCs as you can get
- own as many smartphones as possible
- match smartphones and PCs
- start phony transactions on the PC
- capture the resulting SMS
- send the M-TAN to the Trojan on the PC
- Profit
Sounds complicated, but if everyone has a backup of their smartphone on their PC, step 3 should be quite easy, and the only remaining issue for the criminal is whether they find enough matches so that the plan is worth the effort.
A promising version of this plan would be to attack the smart phone via the infected PC. In iPhone speak this would be called the "trojan jailbreak". If this can be done without the user noticing it, the M-TAN is completely broken.
I don't recommend using M-TANs on a smartphone.
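The M-TAN exchange described above, modeled from the bank's side as an added example (not code from the original post or from any bank). The class and function names, the random 6-digit TAN and the 5-minute lifetime are assumptions; the phone number and payee are constructed sample values.

```python
import hmac
import secrets
import time

TAN_LIFETIME_S = 300  # assumed validity window for a TAN


class MTanServer:
    """Hypothetical bank-side model: one random TAN per pending transaction."""

    def __init__(self, send_sms):
        self._send_sms = send_sms  # callable(phone_number, text)
        self._pending = {}         # tx_id -> (details, tan, expiry)

    def start_transaction(self, phone, payee, amount_cents, now=None):
        now = time.time() if now is None else now
        tx_id = secrets.token_hex(8)
        tan = f"{secrets.randbelow(10**6):06d}"
        self._pending[tx_id] = ((payee, amount_cents), tan, now + TAN_LIFETIME_S)
        # The SMS repeats the details so the user can spot a tampered order.
        self._send_sms(
            phone, f"Transfer {amount_cents / 100:.2f} EUR to {payee}. M-TAN: {tan}"
        )
        return tx_id

    def confirm(self, tx_id, entered_tan, now=None):
        now = time.time() if now is None else now
        # Single use: the pending entry is removed on the first attempt.
        entry = self._pending.pop(tx_id, None)
        if entry is None:
            return None
        details, tan, expiry = entry
        if now > expiry:
            return None
        if not hmac.compare_digest(tan.encode(), entered_tan.encode()):
            return None
        return details  # the transaction that is actually executed


def demo():
    inbox = []  # constructed stand-in for the user's phone
    bank = MTanServer(lambda phone, text: inbox.append(text))
    tx = bank.start_transaction("+49-000-0000000", "DE00 EXAMPLE", 12345, now=0)
    sms = inbox[-1]
    tan = sms.rsplit(" ", 1)[-1]
    executed = bank.confirm(tx, tan, now=10)
    replay = bank.confirm(tx, tan, now=11)  # same TAN again is rejected
    return sms, executed, replay
```

The server can only check that whoever typed the TAN was able to read the SMS, so the scheme protects the user only while the phone is independent of the PC that started the transaction.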
Tuesday, 29 December 2009
Why not simply use explosive-sniffing dogs?
In the aftermath of the failed attack on the Delta 253 flight everyone calls for new technologies which may be quite intrusive and certainly are very expensive. So, I'm wondering why we don't use explosive-sniffing dogs at the airports? These animals can find even the smallest quantities of explosives. Even bees can be used to search for explosives.
Sunday, 8 November 2009
Shredded Stasi Documents Reconstructed
In November 1989, the agents of the East German secret police, the Stasi, had a problem: On the streets there was a revolution that would soon take over the government, and in the archives there was a precise documentation of what they had done in the last 40 years. So, they hurriedly shredded as many documents as they could.
In the years to follow, people had to accept the fact that it was just not feasible to reconstruct these documents.
One engineer of Fraunhofer Gesellschaft didn't accept that and developed a program that can reconstruct shredded documents. The trick is to categorize the shreds before making an attempt to match them. Otherwise, the number of possible combinations would grow exponentially with the number of shreds.
The security lesson? Shredding documents no longer keeps them secret.