Interview with a hacker who can allegedly break into any system

A well-known podcast in Germany recently interviewed a hacker. The title is naturally somewhat sensationalist (Hacker: This is how we’ll get you in 5 minutes), but I still hoped to learn something new about common methods and security vulnerabilities.

My impression: there’s actually little that’s truly new in this regard. The most common method still requires user consent, and social engineering remains the number one risk. Heightened vigilance is therefore still the order of the day. Furthermore, access opportunities still arise from outdated software.

However, the implications for the public sector are interesting. There have been some new developments in this area over recent years.

The Most Common Attack Vectors in 2025

1. Phishing and Social Engineering: This is described as the easiest way to obtain access credentials, for example for email accounts, Dropbox, or iCloud.

    ◦ There are now automated tools available as Software-as-a-Service (SaaS) that create professional phishing pages for just €50 per month and can even capture multi-factor authentication (MFA).

    ◦ Hackers use psychological triggers such as fear, curiosity, or greed to entice victims to click (e.g., emails about alleged salary statements, suspicious logins, or Covid infections in the workplace).

2. File Attachments (Malware Distribution): Attackers use email attachments to execute malicious code directly at the operating system level without having to perform complicated hacking.

    ◦ This often works through files containing macros or control codes (e.g., manipulated Excel or CSV files), and on Windows systems without hardened configurations, quickly leads to full system access.

3. Caller ID Spoofing: This is a method where the caller’s phone number is falsified (e.g., your bank’s number is displayed). It is combined with social engineering to create pressure and get victims to reveal passwords or click links in phishing emails. Tools for this are easily accessible, costing for example just $6 per minute, or can be set up for free within half an hour with technical know-how.
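As an added example (not from the podcast or this post), a small attachment check a mail gateway or an analyst could run against the two file types named in item 2: OOXML documents carrying a VBA macro project, and CSV files whose cells a spreadsheet would evaluate as formulas rather than display. The sample documents and the CSV are constructed inline, and the verdict names ("block", "review", "allow") are my own assumptions.

```python
import csv
import io
import re
import zipfile
# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Plain signed numbers such as -5 start with '-' but are data, not formulas.
NUMBER_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")
OOXML_EXTS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container (docx/xlsm/...) carries a VBA macro project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def csv_formula_cells(text: str) -> list:
    """(row, col, value) for each cell a spreadsheet would evaluate instead of displaying."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS) and not NUMBER_RE.match(cell):
                hits.append((r, c, cell))
    return hits

def classify_attachment(filename: str, data: bytes) -> str:
    """Coarse mail-gateway verdict: 'block', 'review' or 'allow' (assumed names)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in OOXML_EXTS:
        if has_vba_project(data):  # blocked under any name: a .xlsx may be a renamed .xlsm
            return "block"
        return "review" if ext.endswith("m") else "allow"  # macro-enabled type, no project found
    if ext == "csv":
        return "review" if csv_formula_cells(data.decode("utf-8", "replace")) else "allow"
    return "review"

def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip for testing; the VBA part is a placeholder, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder")
    return buf.getvalue()

# Constructed sample CSV: one cell would become a live formula when opened in a spreadsheet.
SAMPLE_CSV = 'name,amount\nAlice,100\n"=HYPERLINK(""http://example.invalid"",""view"")",200\n'
```

The CSV check deliberately tolerates negative numbers, which a naive leading-character rule would flag as formulas.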

Although social engineering is the most common and most efficient, there are technically sophisticated attack vectors that require no human interaction or only minor user errors, refuting the assumption that systems cannot be “hacked”:

1. Perimeter Attacks (DNS Manipulation):

    ◦ Attackers can compromise systems at the internet perimeter (such as firewalls or unsecured routers/Fritzboxes).

    ◦ If the router or DNS service is manipulated, the attacker can control where you end up on the internet, even if you enter the correct domain (e.g., sparkasse.de) into your browser. This would elevate phishing to an extremely dangerous level, as domain verification by the user would no longer work.

    ◦ If the attacker has control over DNS, they can also control where you download updates from, and thus install malicious code as fake software updates.

2. Exploitation of Unpatched Software:

    ◦ If software is outdated (e.g., VLC Player or Adobe), a known security vulnerability can be exploited; sometimes merely viewing an email is enough.

    ◦ Such exploits can be used to break out of the normally secure containers of operating systems (such as macOS or iOS).

3. Sophisticated Zero Day Exploits (Zero Day Hacking):

    ◦ These are security vulnerabilities that are still unknown to software manufacturers and attack directly at the system level.

    ◦ These exploits are extremely expensive and are mainly used by intelligence agencies or state-sponsored actors.

    ◦ They enable access to devices without user action, such as monitoring cameras, microphones, or keyboard inputs. For example, an iPhone can be infected via an SMS that the user may not even see. Such tools cost up to $1.2 million or more for a current iPhone zero day exploit.

    ◦ A historical example is the NSA tool EternalBlue, which exploited a previously unknown vulnerability in Microsoft systems and enabled remote takeover of vulnerable Windows systems.

In summary, social engineering and phishing are the most commonly used and most efficient methods for gaining access. Technical hacking, however, remains a relevant vector, especially when the target is specific or has unlimited resources to carry out zero day exploits or attacks on network perimeters.

Public Sector Dependency

The public sector’s dependency on commercial software, particularly from US providers, is a central concern as it severely limits the decision-making capabilities of German or European authorities.

General Dependency:

• This dependency exists primarily toward American products and Software-as-a-Service (SaaS) solutions from various manufacturers and providers.

• The concern is that a state controlling these companies could decide to discontinue the software’s operation, which would be a major problem.

• The source points out that allied states are not necessarily friendly states. An example of such political influence was an incident in the year (before recording), when then-US President Trump ordered the blocking of an Israeli politician’s email account, which the German government also noted with concern. The core of the problem is that states or continents consider it unfavorable to be in such a disadvantageous position, regardless of whether it concerns a war scenario or other interests.

Example: Schleswig-Holstein

As a particular response to this dependency and to strengthen data sovereignty, Schleswig-Holstein has decided to leave the Microsoft bubble.

This federal state’s authorities are in the process of converting their entire infrastructure to open source, including publicly available software such as Linux and LibreOffice.

Motivation: The goal of this costly and laborious path is to secure sovereignty and reduce dependence on a few large corporations.

Challenges: The conversion requires a lot of money and time. Employees who may have used Microsoft Word for decades need to be trained in new programs like LibreOffice, which can take several days per employee. Although open-source software is generally viewed positively, in practical use it is often not as good as commercial products, as it has lacked the means to scale and develop extensively.

Strategic Perspective: The switch is seen as a necessary price to increase the maturity level of open source and thus create an independent alternative in the medium to long term.

Conclusion

It will likely prove costly for several German federal states to have made the exit from open source toward Microsoft products. Today they are reconsidering, and a migration back would complete the 360° pirouette.
