03.12.2013 by Martin Kuppinger
Last week, the German BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for IT Security), published a document named “ICS-Security-Kompendium”. ICS stands for “Industrial Control Systems”. This is the first comprehensive advisory document published by the German BSI on this topic so far. The BSI puts specific emphasis on two facts:
- ICS are widely used in critical infrastructures, e.g. utilities, transport, traffic control, etc.
- ICS are increasingly connected – there is no “air gap” anymore for many of these systems
It is definitely worth having a look at the document, because it provides an in-depth analysis of security risks, best practices for securing such infrastructures, and a methodology for ICS audits. Furthermore it has a chapter on upcoming trends such as the impact of the IoT (Internet of Things) and the so-called “Industry 4.0” and of Cloud architectures in industrial environments. Industry 4.0 stands for the 4th industrial revolution, where factories are organizing themselves – the factory of the future.
As much as I appreciate such a publication, it lacks – from my perspective – a view of two further areas that are tightly connected to ICS security:
- Aside from the ICS systems themselves, there is a lot more IT in manufacturing environments that frequently is not in scope for the corporate IT Security and Information Security departments. Aside from attacks on such systems, for instance in the area of PLM/PDM (Product Lifecycle/Data Management), there are standard PCs that might serve as entry points for attacks.
- This directly leads to the second aspect: It is not only about technical security, but about re-thinking the organizational approach to Information Security in all areas within an organization, i.e. a holistic view on all IT and information. Separating ICS and manufacturing IT from the “business IT” does not make sense.
The latter becomes clear when looking at new business cases such as the connected vehicle, smart metering, or simply remote control of HVAC (heating, ventilation, and air conditioning) and other systems in households (or industry). In all these scenarios, there are new business cases that lead to connecting both sides of IT.
Also have a look at our KuppingerCole research on these issues, such as the KuppingerCole report on critical infrastructures in the finance industry (not about ICS) and the KuppingerCole report on managing risks to critical infrastructure.
05.08.2013 by Martin Kuppinger
When looking at the recent security news, there is one predominant theme: The NSA surveillance disclosure by Edward Snowden. There is some more news, but little “breaking news”. We might count the news about the SIM card flaw, however this seems to be less severe in reality than it was reported at first.
I will not comment much on the NSA issue. Both Dave Kearns and I have touched on this topic here and here. There are a lot of political discussions going on, with some accusing others of not telling the (whole) truth about what they knew. Interestingly, here in Germany the opposition is accusing the current government, even though they were in the government some years ago, thus being well aware of what has been going on at least since 2001. Clearly, this is not a topic for election campaigns and at least until now, it does not seem to be working out as such for the current opposition.
In addition, the reaction of Apple, Google, Microsoft and others did not surprise me. They are asking the US government to unveil more information about when they were urged to provide information to the NSA. That fits to what I have said from the very beginning: The entire thing is a business challenge, especially for US Cloud providers. Thus, they will create (some) political pressure. On the other hand: As long as there are no real alternatives to US-based Cloud services, not much will change. Maybe the shift from on-premise to the Cloud will slow down. However, over time the commotion will fizzle out.
Facebook usage in schools
Another news item that did not gain much attention is from Baden-Württemberg, the southwestern part of Germany I live in. The government of Baden-Württemberg has forbidden the use of Facebook for communication between teachers and their students. In some schools, Facebook has been used to communicate about homework and the results. However, this communication might include privacy-relevant content. In addition, using Facebook as a mandatory communications tool would force students into this social network. Thus, according to the order of the government of Baden-Württemberg (and in accord with the German privacy regulations), it is not allowed. As I’ve mentioned, there has been little public discussion about that – either the use has been rather limited or the decision has been widely accepted.
Teaching computer science in schools?
When talking about schools, there has been another news item. The German BITMi (Bundesverband IT-Mittelstand e.V.), the association of medium-sized IT businesses, demands that computer science become a required subject in German schools, starting rather early. Currently, it is optional in many schools and regions, and taught as a separate subject only in a few grades, mainly the higher ones. However, it is an integral part of several courses in virtually all schools. Recently, Hamburg has decided to reduce the time spent on computer science.
There is some discussion about whether students really need to learn coding – which is part of Informatics as a separate subject, while the integrated part focuses more on core competencies in using computers, the Internet, word processors, spreadsheets, etc. I think this can be discussed. However, I’d like to see some thorough education on IT security in schools, so that students understand this critical subject far better than they typically do today.
17.07.2013 by Martin Kuppinger
Last week I did a webinar concerning the recent news about secret/intelligence services such as the NSA and their activities, e.g. PRISM and others. This is not really news, but the broad and intense public discussion about this is new. In that context, many organizations have raised the question of whether they can still rely on Cloud Computing or whether they would be better off stopping their Cloud initiatives. Businesses raise this question especially as regards the risk of industrial espionage in cloud space – something that is not proven, but appears to be a risk from the perspective of many businesses.
The main points I made are that
- there is a risk in Cloud Computing, but we should not underestimate the risks of attacks against on-premise environments;
- encryption across the entire information lifecycle is a key element in information security especially for Cloud Computing;
- businesses need to understand the information risks to decide about what to put in the Cloud and what not, but also to evaluate the protection requirements for different information.
The entire webinar has been recorded and is available for replay. It is in German.
The attendees raised a large number of questions that I could not fully answer in the remaining time at the end of the webinar. Thus, I want to address some of these questions now.
Are there specific Cloud encryption algorithms, how secure are they, and are they already in use?
One question has been about encryption approaches for Cloud Computing and their security. In fact, there are several proven strong encryption methods out there. Most of the algorithms have been published. Clearly, there is a risk of backdoors in the installations; however, this should not be overestimated. Backdoors that are not easily available to the surveillants are not of interest to them.
There are no specific algorithms for the Cloud, which makes sense for two reasons. One is that there are several well-established and proven encryption methods already available. Another is that there is no sense in doing IT for on-premise and the Cloud separately, given that most environments are hybrid.
So it is all about applying existing encryption methods and algorithms, although the solutions might vary and range from secure email over transport security such as TLS to secure folders or simply encrypted files that are held on Cloud services.
Are there encryption approaches where the encryption is managed by the Cloud Service Provider, but all keys are on-premise at the customer?
The simple answer here is: No. The CSP needs the key to perform the encryption, so it cannot do so without access to it. Once it has access, it can potentially store the key or pass it on to someone else.
How do we know that S/MIME implementations of vendors do not contain backdoors for the NSA, for instance via “key escrow”?
For “closed source”, we do not know. However, unless the vendor has access to the keys, there cannot be any key escrow. Thus, that risk applies to Cloud Services where keys are stored at the CSP. As long as the keys are managed on-premise, this does not work.
How can I automatically support employees in my organization to better protect tools such as Salesforce.com Chatter or Microsoft SharePoint? These tools are rather unprotected by default. Can I use them at all in the manufacturing industry?
As with any tools, both on-premise and Cloud, decisions about procurement and implementation should take security into account. The use of Cloud tools favored by the business might require mitigating controls to deal with information risk in an appropriate way. More information on this is available in the replay of this webinar.
In general, organizations should implement the concept of Information Stewardship. You will find extensive information on that concept at our website and in the EIC presentations and videos.
I would not say that these tools could not be used at all. However, it is important to understand what information is stored or communicated using these tools and configure them accordingly – or restrict their use. Thus, it requires a thorough understanding of information classification and risk and well-defined policies, before these tools are used.
Isn’t there a risk in using encryption technologies to bypass security?
Clearly, there is some risk. S/MIME or PGP might be used to forward information to unauthorized recipients. It comes as no surprise that the Tor network is frequently used for illegal purposes. This is about finding the right balance.
How can I enforce confidentiality for internal communication?
Technically, many approaches for digitally signing email and documents are available, as well as encryption. Lotus Notes/Domino is one of the systems that has supported this for many, many years. S/MIME is a standard that supports this for email. Enterprise Rights Management technologies such as Microsoft RMS (Rights Management Services) can do that for documents. So there are various approaches available, many of them rather mature. Thus, it is about re-evaluating the information risks and identifying an adequate set of technologies to help mitigate these risks, based on well-defined policies.
It is not a question of technology availability. It is a question of setting the organizational framework (Information Stewardship) and investing in security. With all the new incidents – and this goes beyond nation-state attacks and suspected industrial espionage to all the cyber-attacks of today – the equation changes. The risk is far higher today, thus investing in information security is increasingly an economic imperative for businesses.
What about article 10 of the German constitution?
The German constitution (“Grundgesetz”) defines on one hand that the privacy of correspondence, posts, and telecommunications are inviolable. On the other hand, the second part of article 10 states that the law might allow exceptions, especially for protecting the free democratic system of Germany or the state of Germany. That gives the government some freedom – so we should not be too surprised if we learn in future about the activities of the German intelligence/secret services.
Interestingly, one of the participants pointed back to the cover story of the German news magazine “Der Spiegel” from week 8 of 1989. That story was about Echelon and talked about the fact that industrial espionage was already happening. However, there was little attention to that story back then. Things have changed now.
Still, as I have said in the webinar: there is not that much news, and there are even less proven facts. Companies should just assume that their information is at risk and act accordingly, both in on-premise environments and the Cloud.
If you need our advice on that, just contact my colleagues at firstname.lastname@example.org and listen to upcoming KuppingerCole webinars on that topic.
25.06.2013 by Martin Kuppinger
The big topic clearly is what Edward Snowden unveiled: The PRISM program and some other nation-state activities on the Internet. In fact, this did not really come as a surprise. There have been discussions and rumors about such activities (and others) for many, many years. Maybe it helps driving forward risk- and information-centric security concepts and end-to-end-security instead of investing in point solutions. I will cover that topic in another blog post soon.
Facebook again struggles with privacy
However, besides PRISM etc. there have been various other security-related incidents and news. Facebook inadvertently shared email addresses and phone numbers of 6 million users with other members. That also comes as no surprise, given that Facebook has always excelled at weak security and privacy architectures and implementations.
Google under regulatory pressure – again
Google sees itself confronted with new pressure from regulators. The U.K. ICO (Information Commissioner’s Office) has placed a legal requirement on Google to delete any data the company still has related to its Street View snooping.
In addition, the French regulator CNIL (Commission nationale de l’informatique et des libertés) ordered Google to change its privacy policies. Unfortunately, the fines are ridiculously low, starting at 150,000 €. Obviously, the plans of the EU to massively increase the potential fines and relate them to an organization’s annual revenue would put far more pressure on companies such as Google.
Old bugs appear again
Sometimes, security weaknesses appear to have a long lifetime. A bug that had been fixed by Adobe back in 2011 appeared again in the Adobe Flash Plug-In for Google Chrome browser. Adobe informed the public that Google is working on a patch for that bug.
And again plug-ins
Plug-Ins in general appear to be a potential weakness when it comes to security. The German BSI, the federal department for IT security, analyzed systems such as WordPress, Joomla!, Typo3, etc. from a security perspective. Most identified security weaknesses are related to plug-ins and add-ons, sometimes up to 95%. Thus, you should be (even more) careful when you start enhancing such systems.
Besides these news items, there have been many others. One of the positive reports has been that Microsoft and the FBI recently shut down a massive Citadel botnet. A negative one has been another issue in the DNS system where a human error led to the mis-routing of thousands of domains. Maybe it is time to start developing a successor to the stone-aged DNS system?
In general, the situation in security appears to remain rather unchanged. A lot of security bugs, incidents caused by human misbehavior, nation-state attacks and other activities, and the ongoing struggle around privacy, including some massive data leaks.
29.04.2013 by Martin Kuppinger
The number one issue in the past weeks is the LivingSocial hack, where attackers reportedly have stolen massive amounts of personal data, including names, email addresses, birthdates, and encrypted passwords. LivingSocial has confirmed an attack, but not the reported number of 50 million stolen data sets – which would be the vast majority of all LivingSocial users.
However, there still is relatively little information about the details. It is still unclear whether all non-Asian accounts are actually affected. (LivingSocial holds the Asian accounts on another server.) It is not publicly known how the passwords have been encrypted and thus it remains unclear to what extent the attackers might use them for subsequent attacks on other websites. Fortunately, it appears that the credit card information of the LivingSocial users is held in separate databases and is not affected by the attack.
Given that this sort of attack against large sites happens regularly, the question becomes what lessons are learned and which defenses should be put in place. The lesson for the companies running such sites clearly is to invest in security, for both protection and monitoring. However, successful attacks will happen and, in contrast to some former incidents at other sites, LivingSocial at least encrypted the passwords and used a separate database for credit card information.
For the users, the answer is also straightforward: raise the bar for authentication. Reconsider using sites and services if they do not provide options for stronger authentication such as (good) 2FA approaches. Clearly, using different hard-to-guess passwords is an option, but that is fairly inconvenient – my colleague Craig Burton once stated that there is no such thing as a password muscle you can simply strengthen by training.
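The post points out that LivingSocial “encrypted” its passwords but that it is unknown how, and that this decides how useful the stolen table is for attacks on other sites. What limits reuse of a leaked table is a salted, slow, one-way password hash rather than reversible encryption or a plain fast hash. The following is an added example, not code from the post or from LivingSocial, using only Python’s standard library; the PBKDF2 iteration count and the record format are my own choices for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration (not values from the post):
# a 16-byte random salt per user and 200k PBKDF2-HMAC-SHA256 iterations.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The 'before' form: unsalted, fast SHA-256.

    Every user with the same password gets the same value, so one cracked
    entry (or one precomputed table) covers all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """The hardened form: per-user random salt plus a slow KDF.

    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'
    so the parameters can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_table_reveals_shared_password(record_a: str, record_b: str) -> bool:
    """True if two stored records alone tell an attacker the users share a password.

    With the weak form the records are identical; with salted records they are not.
    """
    return record_a == record_b


if __name__ == "__main__":
    # Two constructed users who happen to choose the same password.
    alice_weak, bob_weak = weak_hash("Summer2013"), weak_hash("Summer2013")
    alice_strong, bob_strong = hash_password("Summer2013"), hash_password("Summer2013")
    print("weak form leaks equality:  ", leaked_table_reveals_shared_password(alice_weak, bob_weak))
    print("salted form leaks equality:", leaked_table_reveals_shared_password(alice_strong, bob_strong))
    print("login with correct password:", verify_password("Summer2013", alice_strong))
    print("login with wrong password:  ", verify_password("summer2013", alice_strong))
```

The stored record carries its own salt and iteration count, so a site can raise the work factor over time and re-hash users on their next login; a reversible “encrypted” password store cannot offer that, since whoever obtains the site’s key obtains every password.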
FIDO Alliance and Google
Another interesting bit of news is the uptake of the FIDO Alliance. Google now is also a member of this alliance and there is some chance that the FIDO Alliance might gain sufficient momentum to become a success. I will cover this in a separate upcoming blog post.
Reported number of attacks
During the past few weeks, several companies such as Symantec, IBM (X-Force Report), or Akamai have published their security reports talking about the observed number of attacks. I found two actually interesting aspects in these numbers. One is that the numbers are highly inconsistent. Some companies report massive increases in attacks, others some decrease at least for certain types of attacks.
The other interesting finding is one in the Symantec Internet Security and Threat Report 2013. The report says that the number of targeted attacks increased by 42 percent. This number stands for a shift towards industrial espionage, with small business being affected in 31 percent of those attacks. Direct attacks differ from the large-scale phishing attacks in that the attackers are looking for specific data or to cause concrete harm against specific targets, instead of just trying to phish as much data from their rather anonymous victims.
Data Broker Acxiom to sell data back to real owners?
You may not have heard of Acxiom, a company that describes itself as an “enterprise data, analytics and software as a service company” that is “known worldwide for our marketing database and consumer data”. There was a report that Acxiom plans to introduce a service that allows individuals to see the information Acxiom holds about them. In Germany, such services are mandated by law. For instance Schufa, a company that provides information about creditworthiness, offers such a service. This is considered part of your fundamental rights, in that case the “right to informational self-determination”.
Making a business out of this is a somewhat strange thing from a European perspective. In fact what Acxiom is said to plan is that people have to pay to learn about their data. The fundamental difference here obviously is whether “data about you” is “your data” per se or not.
17.04.2013 by Martin Kuppinger
This week, I read an article (in German) about a severe security bug in heating systems provided by Vaillant, one of the larger manufacturers in that space. The issue was found in so-called “nano block heating systems” that are made for detached houses and duplex houses.
The units have an IP interface that allows both the service technicians of the vendor and the owner of the heating system to remotely manage the device. However, a security bug allows pretty much anyone to easily access, in clear text, the passwords of the owner, the technician (expert), and even the developer. In other words: attackers can easily gain full access and control all settings. That allows increasing the temperature of the outgoing water in summer, which can damage the heating element. It allows stopping heating in winter, which could result in frost damage. There most likely are other types of damage an attacker can cause.
Even worse, these systems communicate with the DynDNS (Dynamic DNS) service of the vendor. That allows attackers to identify all systems in a simple way, just by “trial and error”.
Vaillant has announced that they will inform the customers, update the software – which requires, despite having an IP interface, that a technician visits the customers – and provide VPN communication for technicians.
This issue is a perfect example of what is happening these days in smart metering and other areas of “smart homes”. Vendors start adding IP interfaces, but they fail in security. In the entire segment of home automation, which is based on standards such as EIB/KNX, understanding of security issues appears to be rather limited. Security is understood as “availability”, not as being secured against attackers. That is, by the way, true for other standards as well – most bus systems in manufacturing are not secure at all. EIB/KNX does not even have a security layer. These bus systems typically rely on simple broadcasting. Who has access to the bus, has access to everything. Once you connect the bus to the Internet, things become obviously highly insecure.
The obvious solution for that is protecting the IP interface. However, as long as that is not done perfectly well, the problem remains. The entire manufacturing industry, but also the automotive industry and others that rely on rather primitive bus systems, have to fundamentally rethink their security approaches. Not doing this is wantonly negligent.
Smart infrastructures require smart security. Not having well-thought-out and well-implemented security approaches in place but relying on stone-aged security approaches for (sometimes) stone-aged bus systems puts us all at risk. There is a good reason for the massive potential of Stuxnet: It arises by opening up unsecure environments – unsecure by design – to the Internet, without appropriately changing the security approaches.
02.04.2013 by Martin Kuppinger
During the past few days, there have been at least two notable events in security. One was the attack on South Korean banks and TV networks. The other was the “Spamhaus incident”. I will talk about these two more in detail further down that post.
Besides that, it was interesting to observe that iOS and OS X seem to be increasingly becoming the malware targets of choice. That is not surprising, however, since there are masses of iOS and OS X devices out there. Thus, the platform is far more attractive than in the past. Combined with the fact that Apple’s patch policy still is not convincing, this results in an increasing number of attacks. When I count the platform-related news of the past two weeks in my CNET RSS feed, 5 out of 6 articles were related to the two Apple operating systems. That just confirms what I have been saying for a long time: It is not that much about whether a platform is secure or insecure; it is about reaching a critical mass to become a target of choice for attackers. They will always find weaknesses, because complex systems never will be perfect. By the way: It would only be fair if the castigators of Microsoft Windows security from the past would act the same way now regarding Apple. Microsoft has learned a lesson. Has Apple already learned its lesson? I doubt that.
One other interesting news article was about Java updates. According to a new Websense report, 94% of endpoints running Java are vulnerable to at least one exploit. This shows that Java Updates do not work well as of now. One of the issues clearly is that Java runs on a variety of devices. While updating PCs is straightforward, other devices – especially the ones where Java is deeply embedded – are hard to update, due to a lack of a simple, standardized approach for patching these devices. From my perspective, Oracle should concentrate on adding sort of “patch support by design” capabilities to all future Java versions. While many people criticize the Microsoft Update concept, it is – from my perspective – by far the best approach that is currently in place across the entire industry.
South Korea vs. North Korea
Last week, some South Korean companies – TV broadcasters and banks – were hit by a massive cyber-attack run by a group that calls itself “Whois Team”. There were clear signs that the attack was part of the ongoing “cold war” between South Korea and North Korea, which currently is escalating again. Despite the fact that it is still unclear where the attack originated, I think that this is another indicator for the emerging risks of cyber-attacks in conflicts between nations.
The “Spamhaus incident”
Finally, a cyber-fight between Spamhaus, a spam-fighting organization, and a group of attackers even made it to the TV news over here in Germany and in other countries. This attack is reported to be the largest DDoS (Distributed Denial of Service) attack ever. It reportedly affected the whole Internet, especially in the U.K., Germany, and the Netherlands (Spamhaus is based in the Netherlands). There are two lessons we can learn from that. One is that the Internet, despite its distributed nature, is not immune to attacks. The second is that cyber-criminals are obviously well prepared to counter attacks against them, having large botnets on hand to mount such DDoS attacks.
Physical Attacks on Critical Infrastructure
What I also found interesting were some articles about the Egyptian police arresting three men that tried to cut through some cables for Internet connectivity owned by the Egypt Telecom network. Some days ago, other cables of the Seacom network, being a part of the Internet connecting various countries under the Mediterranean Sea, were destroyed. The Egyptian police arrested the divers that tried to cut through the cables of the Egypt Telecom in action, from what was reported. I have not read anything about the motivation of these attackers. However, this clearly is another indicator of the massive risk for Critical Infrastructures these days.
27.03.2013 by Martin Kuppinger
I read an interesting article about the future of vehicles and their connectivity in the Geo magazine, sort of the German counterpart to the National Geographic magazine. The article was quite interesting; however, I did not find anything about security. This is not a new experience: most of the articles and discussions about the concept of connected vehicles and their integration into the smart grid (plus all the discussions about smart grids and smart infrastructures) still are security-agnostic.
Do we really want to drive unsecured connected vehicles? Do we really want to live in a smart but unsecured world? How smart will that world really be? I have blogged about this way before. In these days of increasing cyber-attacks and of an increased understanding of the risks of critical infrastructures, agnosticism regarding security is not acceptable anymore.
The article discussed concepts like using electric vehicles as a storage for electric power, as sort of a distributed, large battery for storing power from the large power networks. This is a great idea; however, thinking about the required connectivity for that, just in the context of correct billing alone, shows that this is an interesting topic from both the security and the identity perspective.
At EIC 2012, we held a workshop on the topic of the connected vehicle. We had a very intense discussion there. We quickly identified a complex ecosystem of identities that need to share data. However, most data must be shared only between a few selected parties. There are the owner, the driver, the leasing company, the passengers, the garage, the insurance company, the vendor, and the manufacturer, to name just a few of the possible interested parties. Within the car there are components provided by many different manufacturers which might talk to others – or not. There are other cars, there are traffic management systems, there is the police, etc. Not to mention the utilities companies here… It is an extremely complex ecosystem.
Within that ecosystem, sharing of data must be very tightly managed. Some data might pass to the police only, while other data must not go there. However, that might differ from country to country. Some data is only relevant to the driver or the vendor; other data should be also available for the manufacturer.
However, sharing of data is the smaller part of the challenge. The need for well-controlled security and identity becomes even larger when we are talking about controlling the car or the traffic in general. The idea of cyber-criminals taking control of vehicles is frightening.
I know that several car manufacturers are investing in PKI and related technologies to secure communication among various components. That might work for the components within a car, but it will not be sufficient for the bigger ecosystem of the connected vehicle I have outlined above. What we need are bigger concepts, cross-industry, integrating all the related parties and components. The good thing is that many of the answers to the challenges of a connected vehicle are there. Life Management Platforms are one element, which allow managing a lot of related information in a privacy-aware and security-aware manner. The API Economy and API security is important for managing security of all the interfaces in these complex, connected systems. Identity Federation is an important piece of the puzzle as well. However, what I still miss is both a clear view of the big picture and coordinated initiatives for a secure smart planet, including the connected vehicles.
It is past time to act. At EIC 2013, we will have a roundtable for the Automotive Industry – a good place to connect with others. We will have various sessions around Life Management Platforms, the API Economy and other security topics. So do not miss EIC 2013 when you are involved in securing the smart planet of the future and when you are looking for a more holistic approach instead of point solutions for various pieces.
19.03.2013 by Martin Kuppinger
When looking through the security related news of the past two weeks, there is very little that is surprising. Again, the usual topics such as discussions about whom to accuse of cyber-attacks and about newly found attack vectors have led to a series of news articles. There also have been ongoing discussions around privacy. However, as I have said and stated in my previous security blog post: Most topics remain the same. Some weeks it is about routers, this time reports about security weaknesses in connected HP printers and some other routers (TP-Link) spread the news.
However, there have been news articles on two topics that caught my attention.
Trend Micro on ICS/SCADA security
Trend Micro published results of a test they have run to analyze the real security threats for ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) networks. These environments have been under attack by Stuxnet, Duqu, and Flame over the past years.
Trend Micro chose a small town in California and installed a virtual pumping station with a control system for water pressure. They made the station visible on the Internet. All software components were real; only the water pumps were missing. They created three different “honeypots” with the typical weaknesses found in real-world environments.
Within roughly one month, Trend Micro detected 39 attacks from 14 different countries. The leading countries were China (35%), USA (19%), and Laos (12%). At least twelve attacks appeared to be targeted. One or more attackers repeated 13 attacks on different days; these obviously were targeted and automated. Trend Micro is still investigating the other attacks.
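To make the distinction between background scanning and targeted, repeated activity concrete, here is a small triage script over honeypot connection logs. This is an added example and not Trend Micro’s code or method; the log format, the service names (a Modbus/TCP listener and an HTTP HMI), the sample lines and the “targeted” heuristic (a source that returns on another day, or that attempts to change process state) are all assumptions made for the illustration, and the log records are constructed.

```python
"""Triage of ICS honeypot connection logs.

Added example, not Trend Micro's code. The log lines below are
constructed for illustration; each record is
    <ISO timestamp> <source IP> <service> <action>
as a honeypot front-end might write it after accepting a session on a
Modbus/TCP (port 502) listener or an HTTP HMI. Service and action names,
and the "targeted" heuristic, are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

SAMPLE_LOG = """\
2013-03-01T03:12:44Z 198.51.100.7 modbus read_holding_registers
2013-03-01T03:12:46Z 198.51.100.7 modbus write_single_register
2013-03-02T03:10:02Z 198.51.100.7 modbus write_single_register
2013-03-05T11:40:19Z 203.0.113.9 hmi GET /index.html
2013-03-06T22:01:33Z 192.0.2.50 modbus read_coils
2013-03-06T22:01:35Z 192.0.2.50 modbus read_input_registers
2013-03-09T08:17:50Z 203.0.113.9 hmi POST /login
2013-03-09T08:18:04Z 203.0.113.9 hmi GET /setpoint?pressure=90
"""

# Modbus function names that would alter a real PLC's state. Everything
# else on the Modbus listener is reconnaissance (reads).
MODBUS_WRITES = {
    "write_single_coil", "write_single_register",
    "write_multiple_coils", "write_multiple_registers",
}


@dataclass
class Event:
    ts: datetime
    src: str
    service: str
    action: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, service, action = line.split(" ", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            src, service, action))
    return events


def changes_state(ev: Event) -> bool:
    """True if the action would change process state on a real system."""
    if ev.service == "modbus":
        return ev.action in MODBUS_WRITES
    if ev.service == "hmi":
        method, _, path = ev.action.partition(" ")
        return method == "POST" or "setpoint" in path
    return False


@dataclass
class SourceSummary:
    src: str
    sessions: int = 0
    days: Set = field(default_factory=set)
    state_changing: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def verdict(self) -> str:
        # Heuristic (an assumption of this example): a source that comes
        # back on another day, or that tries to write to the process, is
        # treated as targeted rather than as background scanning noise.
        if self.state_changing or len(self.days) > 1:
            return "targeted"
        return "scan"


def summarize(events: List[Event]) -> Dict[str, SourceSummary]:
    """Aggregate sessions per source IP: count, distinct days, write attempts."""
    by_src: Dict[str, SourceSummary] = {}
    for ev in events:
        s = by_src.setdefault(ev.src, SourceSummary(ev.src))
        s.sessions += 1
        s.days.add(ev.ts.date())
        s.state_changing += int(changes_state(ev))
        s.first = ev.ts if s.first is None else min(s.first, ev.ts)
        s.last = ev.ts if s.last is None else max(s.last, ev.ts)
    return by_src


def triage(text: str) -> List[SourceSummary]:
    """Return per-source summaries, targeted sources first, most writes first."""
    summaries = summarize(parse_log(text))
    return sorted(summaries.values(),
                  key=lambda s: (s.verdict != "targeted",
                                 -s.state_changing, -len(s.days)))


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"{s.src:15} {s.verdict:8} sessions={s.sessions} "
              f"days={len(s.days)} writes={s.state_changing} "
              f"first={s.first:%Y-%m-%d} last={s.last:%Y-%m-%d}")
```

The point of the “days” dimension is the one the Trend Micro figures hint at: a single burst of reads is indistinguishable from an Internet-wide scan, whereas a source that returns on another day, or that issues a write, has singled out your station. In a real deployment you would feed this from the honeypot’s own session log and add attribution data (ASN, country) at the end, not as part of the verdict.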
Clearly, there is a well-established ecosystem for espionage and cyber terrorism out there. No single organization with industrial production environments and no single organization in the “critical infrastructure” area can claim that it is not an attack target. It is past time to act and to better protect all IT environments in organizations.
Obama vs. Merkel
I also found some news articles about Obama hosting a meeting on cyber-security with CEOs and about putting cyber-threats amongst the top topics in his call with the Chinese president. This helps increase awareness in the industry, in governmental organizations, etc.
When looking at Germany, the situation is quite different. There are infrequent statements and activities from some of the ministries. There are some activities by different governmental organizations. However, there clearly is a lack of public statements and attention from Angela Merkel, if I compare this to Barack Obama. At CeBIT fair 2013 she visited, for instance, the booth of a provider of secure smartphones, the “Merkel phone”, which allows her secure, encrypted/scrambled communication. I think that putting the cyber-threats at the top of the agenda would have been far more important than putting the focus on that phone (and the technology provider behind). Time to wake up, I’d say.
06.03.2013 by Martin Kuppinger
When I started writing this series of blog posts recently, I thought I would have sufficient material for a weekly post. However, when consistently following the security news from various sources, it becomes obvious that there are a few recurring topics:
- New (and old) waves of attacks and new and old types of malware
- New exploits – the target of choice differs, the topic always remains the same
- Discussions about privacy
- Vendors with inappropriate security patch policies
Yes, sometimes there are interesting announcements from vendors. However, besides the new big data approaches of IBM and RSA Security I have covered before, there has not been much great news this week, despite the RSA Conference in the U.S. and the CeBIT fair in Germany starting today (which, by the way, still is the largest IT fair worldwide).
Let’s have a quick look at the most important news.
Java as the new target of choice
It comes as no surprise that there is an increasing number of attacks using Java exploits. This includes some of the known exploits, but also some new ones. This is not surprising either, given that attackers look for related weaknesses once a particular type of exploit has been identified. In consequence, Java updates have to be applied promptly and regularly, and the use of Java (especially the browser plug-in) has to be carefully reconsidered.
Privacy vs. Freedom of Speech?
I read a fairly strange article on a lawsuit Google is facing in Spain these days. The article argues that the privacy debate over here in Europe is about “Privacy vs. Freedom of Speech”. In fact, the argument raised therein is that Google is allowed to publish a link based on the right to Freedom of Speech. Notably, this right exists in Europe as well, not only “Fair Speech” as the author assumes. And the idea behind Freedom of Speech in Europe is to protect the individual, not only society, which is in stark contrast to what the author says. Maybe the difference is that Europeans do not tend to protect questionable business models and principles through one of the fundamental human rights. From my (European) perspective, the article is based on a fundamental misunderstanding and misconception of what is considered the European position. Notably, there is no single European position but an intensive debate about these topics.
There is little change in the news around cyber-attacks. There are still masses of attacks, and the discussion about who is behind them is continuing. There is good reason to assume that some of the attacks are state-sponsored, while others are the work of cyber criminals. In the end, it is about accepting that there is a severe risk for any organization and any individual and that we need to protect ourselves in a more sophisticated way. In a Trend Micro press release I received yesterday, the author compared it with the “fork” in chess, where you create two threats at a time. The other player cannot defend against both at the same time (but he might threaten you in another way). The author’s argument was that with a fork, i.e. multiple defense layers, the attackers are always in danger of being detected. I am not sure whether the fork is the best chess pattern to compare with, and whether it is not rather the approach the attacker could take, but I liked the analogy.
The victim of the week has been Evernote: they reported that attackers had accessed some user data and asked all of their users to reset their passwords. Who will be next?