Tag: Security

  • The Illusion of Smart Home Security – or – the remote controlled WebCam in your Home

    Smart home devices are sold with the promise of convenience: plug-and-play setup, remote control, automatic updates, seamless integration. But the recent DJI robot vacuum breach raises questions we should all be asking.

    What happened?

    Sammy Azdoufal, a software engineer, didn’t even need to “hack” anything. By reverse-engineering DJI’s cloud communication, he discovered that the same credentials for his own device also granted access to 7,000 others. Cameras, microphones, even floor plans — all exposed.

    DJI claims the issue is fixed, but to me the incident raises a fundamental question: Do these devices really need to make cameras and microphones accessible from the internet?

    The Myth of Perfect Security

Shouldn’t we accept that 100% security is just impossible? Obviously, even companies like DJI, with resources and expertise, aren’t immune. But shouldn’t we acknowledge that breaches will happen?

    What if smart devices stored data locally by default and only synced when explicitly needed? What if users could at least choose between internet exposure and local/VPN-only access?

    Yes, there might be technical challenges. But let’s be honest: Does a vacuum cleaner really need to expose its camera feed and microphone to the internet? For status updates? For remote control?

And even if we say: okay, some users really, really want it. Why can’t we just have the option to turn reachability via the internet on or off?

    But nowadays the only solution seems to be: just don’t buy devices that are “too” smart.

  • Numa Hack: When “Access Control” is just a Number in a URL

    Not long ago, I covered the Merkur hack from Lilith Wittmann – a glaring example of careless handling of sensitive data. And today, here we are again! Another service, another broken-by-design system. This time: the hotel chain Numa, exposing tens of thousands of identity documents to anyone with a URL and a browser.

    What happened

I just came across this report via this post on Mastodon from the CCC. Their (German) post describes what happened. I’ll briefly try to outline it:

    (more…)
  • AI Agents: Loyal Only to the Prompt

Recently I thought: “If AI scrapers are scraping my website, would a prompt injection work? Just adding invisible prompt commands …?”

    And just today, a colleague sent me this link to an article about prompt injection in GitLab Duo: Remote Prompt Injection in GitLab Duo Leads to Source Code Theft:

    TL;DR: A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses.

    https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo

Well – it shows: damn it! Someone else was faster! :-D

    But besides that: it confirms a paranoid thought that I have been harboring for quite a while. Any output of an AI system must not be trusted blindly.

    (more…)
  • How to check the Email Security Level of your Provider

If you’ve ever wondered which security protocols your email provider supports, there is an easy way that I found via Mastodon:

The European Commission provides My Email Communications Security Assessment (MECSA) (https://mecsa.jrc.ec.europa.eu/), with which you can quickly check which of the protocols your provider supports (STARTTLS, X.509 certificates, SPF, DKIM, DMARC, DANE, DNSSEC).

    (more…)
  • New 6-day Validity of Let’s Encrypt Certificates

    I just saw this great news: Let’s Encrypt Announces 6-day Validity Certificates

    Let’s Encrypt, the non-profit certificate authority, has introduced six-day validity certificates, commonly referred to as short-lived certificates.

Shorter validity periods are great for security. Traditional certificates can last up to a year, meaning that if they get compromised, they remain a threat for a long time. Short-lived certificates reduce the window of opportunity for attackers: even if a certificate gets compromised, it will become invalid in less than a week.

    Josh Aas, Executive Director of Let’s Encrypt’s parent organization, the Internet Security Research Group (ISRG), emphasizes, “Short-lived certificates practically require automation… automating certificate issuance is crucial for improving security across the web.”

    Oh yeah. I couldn’t agree more.

  • How to get simple DNS Protection

Malware sites are the plague of the century! And it’s so easy to fall for them. Phishing, hacked website content, or malware ads – one click and you are on a website you shouldn’t be.

One way to deal with the issue is to block malicious domains at the DNS resolver level. The advantage is that you do not have to modify any of the devices!

    (more…)