The inadequately encrypted Webex connection between various air forces has barely cooled down when a press release about the “Taurus leak” causes grins in the editorial offices. Not only was it protected with a very popular password – the developers of the software platform also seem to indulge in an interesting sense of humor.
Despite all the current criticism about unencrypted Webex sessions with highly explosive content from Asian hotel rooms, the Bundeswehr is doing a few things in an exemplary manner when it comes to IT security. Directly under the main domain “bundeswehr.de” there is an apparently correctly maintained security.txt with information for security researchers and people reporting vulnerabilities. They will find a detailed and understandable security policy, along with clear statements about criminal liability and expectations of (whitehat) hackers. They can look forward to eternal glory on the Bundeswehr thank-you page. These are steps that make it easier to report security vulnerabilities and that some large companies should take note of.
1234 has to be enough for the press
But why, WHY does the BMVg press office then secure an audio statement from the Defense Minister on the Taurus wiretapping affair with the password “1234”? Is this some kind of inside joke, or did someone, on the Monday after the ruined weekend, simply not feel like letting Nextcloud's own password generator do its work undisturbed? It automatically suggests passwords that comply with the guidelines – if you let it. Other press releases from Pistorius' house also contain sensible passwords, which probably only serve to protect against automated retrieval of information that has already been publicly released.
And if the interested editor then clicks the link – half expecting to be an involuntary participant in a nationwide phishing test for journalists or to be rickrolled – the telling note “s6 dev gru ⚔ b0rn 2 l33t” is emblazoned at the bottom of the download page. When briskly reading acronyms, the first part that catches the eye is “GRU” – the common abbreviation for the Главное разведывательное управление, commonly known as the Russian military intelligence service. “b0rn 2 l33t”, however, is what seemingly every other Counter-Strike player called themselves in the late 1990s; apparently, behind the pseudonym is a soldier who is enthusiastic about eSports.
The expert is amazed, the layman wonders: What could be behind the strange name – an inside joke among software developers that has made it into the live environment? Or are there even dark forces behind it? The latter seems unlikely: The Bundeswehr's Nextcloud platform is only a few weeks behind the current version and, according to the Nextcloud scanner, has no potential security vulnerabilities. At least those suffering in the Bendlerblock are spared that.
(cku)