34 research outputs found

    "I don't know why I check this…" Investigating Expert Users' Strategies to Detect Email Signature Spoofing Attacks

    OpenPGP is one of the two major standards for end-to-end email security. Several studies showed that serious usability issues exist with tools implementing this standard. However, a widespread assumption is that expert users can handle these tools and detect signature spoofing attacks. We present a user study investigating expert users' strategies to detect signature spoofing attacks in Thunderbird. We observed 25 expert users while they classified eight emails as either having a legitimate signature or not. Studying expert users explicitly gives us an upper bound on the attack detection rates of all users dealing with PGP signatures. 52% of participants fell for at least one out of four signature spoofing attacks. Overall, participants did not have an established strategy for evaluating email signature legitimacy. We observed our participants apply 23 different types of checks when inspecting signed emails, but only 8 of these checks tended to be useful in identifying the spoofed or invalid signatures. In performing their checks, participants were frequently startled, confused, or annoyed with the user interface, which they found supported them little. All these results paint a clear picture: even expert users struggle to verify email signatures, usability issues in email security are not limited to novice users, and developers may need proper guidance on implementing email signature GUIs correctly.

    Attacking Deterministic Signature Schemes using Fault Attacks

    Many digital signature schemes rely on random numbers that are unique and non-predictable per signature. Failures of random number generators may have catastrophic effects such as compromising private signature keys. In recent years, many widely used cryptographic technologies adopted deterministic signature schemes because they are presumed to be safer to implement. In this paper, we analyze the security of deterministic ECDSA and EdDSA signature schemes and show that the elimination of random number generators in these schemes enables new kinds of fault attacks. We formalize these attacks and introduce practical attack scenarios against EdDSA using the Rowhammer fault attack. EdDSA is used in many widely used protocols such as TLS, SSH and IPsec, and we show that these protocols are not vulnerable to our attack. We formalize the necessary requirements for protocols using these deterministic signature schemes to be vulnerable, and discuss mitigation strategies and their effect on fault attacks against deterministic signature schemes.

    Afferent Visual Pathway Affection in Patients with PMP22 Deletion-Related Hereditary Neuropathy with Liability to Pressure Palsies

    Background: The PMP22 gene encodes a protein integral to peripheral myelin. Its deletion leads to hereditary neuropathy with liability to pressure palsies (HNPP). PMP22 is not expressed in the adult central nervous system, but previous studies suggest a role in CNS myelin development. The objective of this study was to identify potential structural and functional alterations in the afferent visual system in HNPP patients. Methods: Twenty HNPP patients and 18 matched healthy controls (HC) were recruited in a cross-sectional study. Participants underwent neurological examination including visual acuity, visual evoked potential (VEP) examination, optical coherence tomography (OCT), and magnetic resonance imaging with calculation of brain atrophy, regarding grey and white matter, and voxel-based morphometry (VBM), and additionally answered the National Eye Institute's 39-item Visual Functioning Questionnaire (NEI-VFQ). Thirteen patients and 6 HC were additionally examined with magnetic resonance spectroscopy (MRS). Results: All patients had normal visual acuity, but reported reduced peripheral vision in comparison to HC in the NEI-VFQ (p = 0.036). VEP latency was prolonged in patients (P100 = 103.7±5.7 ms) in comparison to healthy subjects (P100 = 99.7±4.2 ms, p = 0.007). In OCT, peripapillary retinal nerve fiber layer (RNFL) thickness was decreased in the nasal sector (90.0±15.5 vs. 101.8±16.5, p = 0.013), and lower nasal sector RNFL correlated with prolonged VEP latency (Rho = -0.405, p = 0.012). MRS revealed reduced tNAA (731.4±45.4 vs. 814.9±62.1, p = 0.017) and tCr (373.8±22.2 vs. 418.7±31.1, p = 0.002) in the visual cortex in patients vs. HC. Whole brain volume, grey and white matter volume, VBM and metabolites in an MRS sensory cortex control voxel did not differ significantly between patients and HC. Conclusion: PMP22 deletion leads to functional, metabolic and macrostructural alterations in the afferent visual system of HNPP patients. Our data suggest a functional relevance of these changes for peripheral vision, which warrants further investigation and confirmation.

    Listen to Your Heart: Evaluation of the Cardiologic Ecosystem

    Modern implantable cardiologic devices communicate via radio frequency techniques and nearby gateways to a backend server on the internet. Those implanted devices, gateways, and servers form an ecosystem of proprietary hardware and protocols that processes sensitive medical data and is often vital for patients' health. This paper analyzes the security of this ecosystem, from technical gateway aspects, via the programmer used to configure the implanted device, up to the processing of personal medical data by large cardiological device producers. Based on a real-world attacker model, we evaluated different devices and found several severe vulnerabilities. Furthermore, we could purchase a fully functional programmer for implantable cardiological devices, allowing us to re-program such devices or even induce electric shocks on untampered implanted devices. Additionally, we sent several Art. 15 and Art. 20 GDPR inquiries to manufacturers of implantable cardiologic devices, revealing non-conforming processes and a lack of awareness about patients' rights and companies' obligations. This, and the fact that many vulnerabilities are still to be found after many vulnerability disclosures in recent years, presents a worrying security state of the whole ecosystem.

    Unintended and Covert Information Leaks in Networked Software Applications

    Side channels are vulnerabilities that can be attacked by observing the behaviour of applications and by inferring sensitive information just from this behaviour. Because side channel vulnerabilities appear in such a large spectrum of contexts, there does not seem to be a generic way to prevent all side channel attacks once and for all. A practical approach is to search for new side channels and to specifically tailor mitigations for new side channel attacks. In this thesis, we extend the field of side channel attacks by introducing new ways to attack and to mitigate side channels in web applications.

    We start by proposing a new classification scheme for information leaks based on the information decoding effort an attacker has to spend. The four different classes, sorted in order of ascending effort for the attacker, are: direct deterministic information leaks, obfuscated deterministic information leaks, possibilistic information leaks, and probabilistic information leaks.

    Storage side channels are a new type of side channel which leaks information through redundancies in protocols such as HTTP or languages such as HTML. We formalise storage side channels and describe a new method that allows detecting obfuscated deterministic information leaks in storage side channels even in dynamic and noisy environments. We test our method by applying it to real-world web applications and find that several widely used web applications are prone to obfuscated deterministic information leaks.

    Furthermore, we show a new method to exploit those timing side channels that have the property that the timing differences can be influenced by the attacker. We model these special timing side channels as a possibilistic timing side channel. The method allows very efficient timing side channel attacks even over noisy networks such as the Internet. We show that our method can break the confidentiality of XML Encryption messages in realistic environments.

    Finally, we model common existing timing side channels in web applications as probabilistic information leaks and present a new method to mitigate them in web applications. The method works by padding the response time using a deterministic and unpredictable delay (DUD). We show that DUD offers security guarantees that can be freely traded against performance reduction. By applying this method to vulnerable web applications, we show that the method offers an effective and performant way to mitigate timing side channels.

    German abstract, translated: Side channel attacks work by observing the behaviour of applications and inferring secret information from this behaviour. Since side channels appear in many contexts, there seem to be no generic countermeasures. A pragmatic approach, however, is to search for new side channels and to design specific countermeasures for newly discovered side channels. In this dissertation we investigate new side channels in web applications and countermeasures against side channel attacks.

    First, we classify the effort an attacker has to spend to decode the information leaks of a side channel into four classes: direct deterministic information leaks, obfuscated deterministic information leaks, possibilistic information leaks and probabilistic information leaks.

    Storage side channels form a new kind of side channel that arises from redundancies in protocols such as HTTP or in languages such as HTML. We formalise storage side channels and present a new method that allows obfuscated deterministic information leaks through storage side channels to be detected even in dynamic and noisy environments. We validate our method by testing it on widely used applications. The results show that several applications contain obfuscated deterministic information leaks.

    Next, we present a new and efficient attack method to exploit those timing side channels in which the attacker can influence the timing differences. We model the attack as a possibilistic information leak and show that this makes very efficient timing attacks possible, which work even over noisy networks such as the Internet. As a practical application, we show that with our method we can break the confidentiality of XML Encryption messages within three hours over localhost and in less than a week over the Internet.

    Finally, we model existing timing side channels in web applications as probabilistic information leaks and present a new method with which such attacks can be reliably prevented. The method uses deterministic and unpredictable delays (DUD), which offer security guarantees already with a small performance reduction. We show that the method prevents timing side channels effectively and with little performance cost.

    WAFFle: Fingerprinting filter rules of web application firewalls

    Web Application Firewalls (WAFs) are used to detect and block attacks against vulnerable web applications. They distinguish benign requests from rogue requests using a set of filter rules. We present a new timing side channel attack that an attacker can use to remotely distinguish passed requests from requests that the WAF blocked. The attack also works for transparent WAFs that do not leave any trace in responses. The attacker can conduct our attack either directly or indirectly by using Cross-Site Request Forgery (CSRF). The latter allows the attacker to obtain the results of the attack while hiding his identity and to circumvent any practical brute-force prevention mechanism in the WAF. By learning which requests the WAF blocks and which it passes to the application, the attacker can craft targeted attacks that use any existing loopholes in the WAF's filter rule set. We implemented this attack in the WAFFle tool and ran tests over the Internet against ModSecurity and PHPIDS. The results show that WAFFle correctly distinguished passed requests from blocked requests in more than 95 % of all requests just by measuring a single request.