After security breach at D-Trust: CCC speaks of "cyber window-dressing"
The Chaos Computer Club demands that the trust service provider D-Trust take responsibility for the incident, and calls once more for the abolition of the hacker paragraph.
The Chaos Computer Club (CCC) accuses the trust service provider D-Trust of "cyber window-dressing" instead of facing up to its responsibilities following the discovery of a security leak. CCC spokesperson Linus Neumann is therefore proposing a 5-point plan to the company.
The person who discovered the API vulnerability contacted the CCC instead of communicating directly with D-Trust. The reason, according to Neumann, was the lack of legal protection for security researchers in Germany. While D-Trust speaks of "targeted manipulation" and has filed criminal charges, the CCC emphasizes that no access control was circumvented: the data was reachable through an API that was open to anyone.
Following this incident, the CCC recommends a 5-point plan, according to which the company must, among other things, take responsibility and comply with the state of the art, that is, with "security standards of the current century". In addition, the CCC is once again calling for the abolition of the hacker paragraph (Section 202c of the German Criminal Code, which criminalizes the preparation of data espionage and interception) and for sanctions by the Federal Commissioner for Data Protection and Freedom of Information.
In the podcast "Logbuch:Netzpolitik", Neumann said that, in his view, it is those responsible for the open API who should face criminal charges. The data had been placed on the internet without adequate protection, and D-Trust should explain how that happened, according to Neumann.
After D-Trust reported an attack on its application portal for signature and seal cards last week, Neumann contacted the company by email and informed it that an anonymous security researcher had accessed the data via an open API. The retrieved data, he wrote, had since been completely deleted.
On January 13, D-Trust announced that data had been read from an interface of the "portal.d-trust.net" portal and that it had filed a criminal complaint. "Application data for electronic health professional cards (eHBA) and practice and institution ID cards (SMC-B)" were also affected. Doctors and other health professionals need these cards to access the telematics infrastructure, the network for exchanging data in the German healthcare sector, and to sign documents electronically.
(mack)