November 27, 2020 | 17:40

Phishing and Spam

Within just a few days, the German EU Representation warns people about phishing emails. This is the 4th warning regarding data theft since July 2020 by Reinhard Hönighaus, press spokesman and head of the press and media office. Obviously there is an urgent need for action. In his current warning dated 26.11.2020, only two days after the previous one, he identifies T-Online users as targeted by phishing mails and also provides the explanation: Read more

November 19, 2020 | 15:50

Ghost Join in WebEx Conferences

Due to a vulnerability (CVE-2020-3419), attackers could join Webex meetings without being listed in the participants list. Hidden as a “ghost” from the other participants, attackers could eavesdrop on audio and video content. This is what Heise writes in its article today. But this is only possible (…) if attackers have access to meetings in the form of shared links and a password. Sounds quite trivial, but it isn’t. The objectives of confidentiality and integrity are lost when others eavesdrop unnoticed, during a job interview for instance. Access data can be collected from unencrypted emails. It is not unusual for permanent meeting rooms to keep the same access data over an extended period of time. Read more

November 13, 2020 | 10:30

Example for Digital Sovereignty

What a pity, this is exactly the scenario I first expected for Microsoft. But I’m not really surprised that Apple is now ahead. What happened? The ocsp.apple.com server was apparently down and/or unreachable between yesterday and today. Unfortunately, macOS tries to reach it every time an app is opened to check if a certificate has expired or an app has been retracted or some more magic. Of course this is not transparent, closed-source and therefore not verifiable. Read more

October 13, 2020 | 13:01

Security, Risks, Liability and Audits

I need to admit: I really love writing audits. It has a certain degree of scientific working to falsify statements. So I was recently confronted with the following quote from a responsible IT manager: “We are not concerned with security, but with liability. If Microsoft promises security, this is enough for us.” Well, unfortunately I did not attend a judicial exam, but when I read the Microsoft EULA regarding risks and liability, I consider the circumstances slightly more differentiated: Read more

October 12, 2020 | 08:25

Webinar: Security of Conferencing Software

Within a "digital breakfast" I will give a presentation for the DigiNet Südwestfalen on November 3rd, 2020, 08:30 am on my own conferencing server. Topic: “Security of Conferencing Software”, giving stakeholders and decision-makers orientation for risk assessment. This is a non-public event; please register via Sonja Pfaff on the DiginetSWF website.

About DigiNet Südwestfalen: In early 2019, the Transferverbund Südwestfalen started to track down service providers and networks active in the field of digitalization in South Westphalia as part of the NRW.Innovationspartner funding project and to connect them into an open network. The aim is to get to know each other, but also to increase visibility in the region so that companies can find the right solution partner more quickly or young talents can find their suitable employer. Read more

October 5, 2020 | 20:00

Hacking - where are the limits?

In the previous webinar on IT risk assessment and information security, participants questioned me during the 15-minute live hacking session: “Is this not illegal?” We took a closer peek at the servers of an ambulant care unit and two other businesses. I found them by chance from a total of 28 million hosts across Germany using specific search terms. The search lasted just a few seconds and after that we browsed through the numerous directories with patient data and medical prescriptions. Read more

September 25, 2020 | 13:10

Webinar: IT Risk Assessment and Information Security

My rant showed some effect ;-) Coming Friday, 2nd October 2020 from 7pm on, I will give a presentation covering IT risk assessment and information security. Everything will be hands-on with realistic (live) examples from the web for an audience of developers, project managers, independent consultants and anyone interested in technology. Have a look at the original announcement here.

Friday, 02.10.2020, 19:00 (CEST, local time)
Room: https://meet.jakobs.systems/b/tom-hwb-uzi-mo0
Password: 350533

Everybody is welcome but you should have at least a microphone for discussion after the webinar. Read more

September 23, 2020 | 12:40

Regarding Mailservers

Today I’ve received an email with the following headers:

Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
Erhalten: from xxxxxxxx.protection.outlook.com

May I ask openly what this “protection” outlook.com server does in the absence of common spam and security features? There are numerous tools on the web for (self-)checking. I usually provide this link and try to lead by example before going into further details like IP-Stripping, pentests or security: https://mxtoolbox.com/domain/jakobssystems.net/

With this in mind, stay healthy! Read more

September 14, 2020 | 17:20

Exchange Replacement

I really just wanted to show you this Fnord, which is a very Microsoft-like thing: Well, however, you might ask why I am dealing with Outlook 2019; let me please explain. A company with 40 mailboxes has decided to abandon its Exchange server. The following sentence is for all accountants and auditors: We are talking about cost-savings of 15-25% per year! Now everything runs with common internet standards on a Debian 10 with all the comfort and convenience as before: Starting with EAS-ActiveSync for Outlook (sigh if it has to be), a great webmailer, public folders, calendars, contacts and even resources. Here are some more screenshots: Read more

© 2026 Tomas Jakobs - Imprint and Legal Notice
