Identity Management is key to Smart Grid Security

17.02.2010 by Joerg Resch

In 10 to 12 years from now, the whole utilities and energy market will look dramatically different. Decentralization of energy production, with consumers converting to prosumers who feed solar energy into the grid and offer their electric car batteries as storage; spot markets for the masses offering electricity on demand with fully transparent price fixing (energy in a defined region at a defined time can be cheaper if the sun is shining or the wind is blowing strongly); and smart meters in each home able to automatically contract such energy from spot markets and then tell the washing machine to start as soon as the electricity price falls below a defined threshold. And if we think a bit further and apply Google-like business models to the energy market, we can get an idea of the incredible size this market will develop into.

These are just a few examples, which might give you an idea of how the “post-fossil energy market” will work. The drivers leading the way into this new age are clear: energy production from oil and gas will become more and more expensive, because pollution is not free and the resources will not last forever. And the transparency gained from making the grid smarter will make electricity cheaper than it is now.

The drivers are getting stronger every day. Therefore, we will soon see many large-scale smart grid initiatives, and we will see questions arising such as: who has control over the information collected by the smart meter in my home? Is it my energy provider? How would Kim Cameron's 7 Laws of Identity apply in a smart grid? What would a “grid perimeter” look like that keeps information on the usage of electric devices within my four walls? By now, we all know what cybercrimes are and how they can affect each of us. But what are the risks of “smart grid hacking”? How might we be affected by “grid crimes”?

I think these are questions which should be discussed across disciplines. If anybody would like to contribute to such a discussion, which I am trying to include in this year's EIC 2010 agenda, please propose!

EIC 2010 Keynote: The Irreversible Collision of Technology and Business Risk – from Drew Bartkiewicz

13.02.2010 by Joerg Resch

Drew Bartkiewicz, Vice President at The Hartford E&O, Cyber and New Media Liability, has just joined the EIC 2010 speaker lineup and will give a keynote on “Unseen Liability - The Irreversible Collision of Technology and Business Risk“. Drew has also just written a book with the same title, which will be published in May.

Once again a great speaker lineup – EIC 2010 Agenda Preview

12.02.2010 by Joerg Resch

Once again, we are very lucky at Kuppinger Cole that so many excellent experts from all over the world send in their speaker proposals for the European Identity Conference (EIC), which this year will take place from 4 to 7 May, again in Munich (we will move to a new venue next year!). The agenda is still in draft mode and many things have yet to be added or modified, but if you want to have a first look, even before it is officially published, here is the link: http://www.id-conf.com/events/eic2010/agenda.

Some very exciting and controversial strategic views, for example Munich Re CIO Dr. Rainer Janßen talking about “what business has to learn, so that IT can align”, lots of “real” cloud security topics, many fantastic best practices, and, for the first time this year, a German-speaking track (which can be booked separately) dedicated to medium-sized companies and public organizations. Stay tuned, I'll be adding content to the agenda every day.

Google StreetView and German Politics: Panem et Circensis

09.02.2010 by Joerg Resch

It has been a successful political strategy since the Roman Empire to divert the people with petty amusements instead of taking a stand. In this sense, German Consumer Minister Ilse Aigner is taking aim at Google StreetView and proposes legal action against the camera cars cruising through German cities taking photos.

At the same time, the same government successfully implemented a law that forces every communication provider to store all communication data for at least 6 months and make it available to government institutions without a legal warrant. The same government allows tax authorities to use spider software (“Xpider”) to screen online auction sites and other marketplaces in order to piece together and store a complete image of whatever they might consider relevant for a tax declaration. And, again, the same government allows tax authorities to screen any bank account at any time without a legal warrant.

So Google-bashing is just a great thing for German politics, as they don't even have to fear intervention from a lobby over here. There are enough good reasons for some Google-bashing. But StreetView isn't one of them.

Data Leakage Prevention – Something (not only) Swiss Banks Should have a Closer Look Into

08.02.2010 by Joerg Resch

It has been in the press, and Martin already wrote about it in his blog: German tax authorities have been approached by various individuals who want to sell information about Germans who hold bank accounts at some Swiss banks, like Credit Suisse and UBS. I don't want to go into the discussion of whether such a deal, where the government buys “stolen” data (I put it in quotation marks because over here data are not a thing, and only things can be stolen) from somebody, is immoral or not. But it certainly is pushing the market for customer information if its value becomes as visible as it is in this case. I'm pretty sure that some of those unknown individuals possessing sensitive customer information have already learned that there are institutions out there who would pay significantly more than German tax authorities (for example the banks from which the data leaked).

So, data leakage prevention, access governance, privileged user management: these basic disciplines of information security are becoming more than ever part of the survival kit for institutions holding customer identity information. A much better (and cheaper) way to learn how such leakage can be avoided would be to join us at the European Identity Conference 2010. We'll have some best practices showing that preventing such leakage is not impossible at all.

“Our Systems are Secure”

04.02.2010 by Joerg Resch

I love this kind of statement. It shows total ignorance of the fact that security is not an absolute value and that it has to take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DeHSt, Deutsche Emissionshandelsstelle), who said this after a successful phishing attack had caused damage of 3 million euros to some of the companies using this platform to trade their emission permits.

Imagine: a trading platform where “real” money is being moved, protected by nothing more than a simple password. Not even transactions are protected with TANs (the one-time transaction numbers German online banking uses). Once you have access to one of the 2,000 accounts on this platform, you can do anything. And they did. The only thing the attackers did slightly better than in most other phishing cases: their mail did not contain too many spelling errors and looked pretty serious.

I hope that the companies now suffering the damage get a good lawyer, because it will not be very difficult to prove that in the year 2010 the technology market offers better options to separate assets from threats than just a simple password.

What really strikes me is that again it is a German governmental institution showing this kind of willful ignorance, when it comes to technology.

Is History-Stealing a Crime?

03.02.2010 by Joerg Resch

In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to know exactly who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, we might soon see it in broad use.

Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but under German criminal law (§ 202a StGB, Ausspähen von Daten, “spying out data”), data theft is a crime only if the stolen data had been protected against unauthorized use and the attacker cracked that protection. Browser history is not protected against unauthorized use. So it is not a crime over here.

De-Anonymizer Self-Test

03.02.2010 by Joerg Resch

Here is a screenshot of the self-test I did with the de-anonymizer described in my last post. I'm a member of 5 groups at Xing, but active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird!

[Screenshot: De-Anonymizer Test Result]

Identification through “Social Pattern Recognition”

02.02.2010 by Joerg Resch

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from the iSec Laboratory for IT Security found a simple and very effective way to identify the person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is exploit the browser history to find out which social networks the user is a member of and which groups he or she has subscribed to within that social network.

The combination of memberships in different groups seems to be nearly as unique as a fingerprint. According to a paper they published (their server is overloaded at the moment, you may need to try again later), this kind of identification through pattern recognition works with most large social networks, like Xing, LinkedIn, Facebook etc. They used a web crawler to collect all the group membership information from the social network (they ran their proof of concept against Xing.com). Here is a link where you can find out whether this very simple browser history exploit works for you: http://www.iseclab.org/people/gilbert/experiment/.
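To make the two halves of the attack concrete, here is an added example; it is not iSec Lab's code and not part of the original posts, and it covers the technique described in this post and in “Is History-Stealing a Crime?” above. The URL layout (`social.example/groups/…`, `social.example/profile/…`), the membership table, the browsing history and all function names are constructed for the demonstration; only the mechanism (a CSS `:visited` probe feeding a match against crawled group memberships) is the one the paper describes.

```javascript
// Added example, not iSec Lab's code: the two stages of the attack, a browser-side
// :visited probe and the offline matching of visited group URLs against a crawled
// membership table. URL layout and all membership data are constructed placeholders.
const GROUP_URL = (group) => `https://social.example/groups/${group}`;
const PROFILE_URL = (user) => `https://social.example/profile/${user}`;

// Stage 0 (attacker, offline): what a crawl of the network's public group pages yields.
const crawledMembership = {
  alice: ['identity-mgmt', 'munich-it', 'cloud-security'],
  bob: ['identity-mgmt', 'munich-it'],
  carol: ['identity-mgmt', 'cloud-security'],
  dave: ['munich-it', 'cloud-security'],
  erin: ['identity-mgmt', 'munich-it'], // same groups as bob: not unique by groups alone
  frank: ['sailing'],
};

// Stage 1 (victim's browser, 2010): history stealing. With a:visited { color: rgb(255, 0, 0) }
// in the page's CSS, create a link per candidate URL and read the colour back.
// Browsers closed this in 2010/2011 (Chrome, Firefox 4): getComputedStyle now reports the
// unvisited style, so on a current browser this probe returns false for every URL.
function browserVisitedProbe(url) {
  const a = document.createElement('a');
  a.href = url;
  document.body.appendChild(a);
  const visited = getComputedStyle(a).color === 'rgb(255, 0, 0)';
  a.remove();
  return visited;
}

// Probe every group URL the crawl knows about. isVisited(url) -> boolean: pass
// browserVisitedProbe in a browser, or a lookup into a recorded history when testing offline.
function sniffVisitedGroups(membership, isVisited) {
  const allGroups = new Set(Object.values(membership).flat());
  return [...allGroups].filter((g) => isVisited(GROUP_URL(g)));
}

// Stage 2: candidates are all users whose crawled membership contains every visited group
// (the victim need not have visited every group they belong to, so this is a superset test).
function candidatesFor(visitedGroups, membership) {
  return Object.keys(membership).filter((u) => visitedGroups.every((g) => membership[u].includes(g)));
}

// Stage 3: narrow the remaining candidates by probing their profile URLs; people visit their own.
function refineByProfile(candidates, isVisited) {
  return candidates.filter((u) => isVisited(PROFILE_URL(u)));
}

// How fingerprint-like is the group combination? Share of users whose exact group set nobody else has.
function uniqueFingerprintShare(membership) {
  const fingerprint = (u) => [...membership[u]].sort().join('|');
  const users = Object.keys(membership);
  const counts = new Map();
  for (const u of users) counts.set(fingerprint(u), (counts.get(fingerprint(u)) || 0) + 1);
  return users.filter((u) => counts.get(fingerprint(u)) === 1).length / users.length;
}

// Offline run: a constructed browsing history stands in for the :visited probe.
function demo() {
  const history = new Set([
    GROUP_URL('identity-mgmt'), GROUP_URL('cloud-security'), PROFILE_URL('alice'), 'https://news.example/',
  ]);
  const isVisited = (url) => history.has(url);
  const visitedGroups = sniffVisitedGroups(crawledMembership, isVisited);
  const candidates = candidatesFor(visitedGroups, crawledMembership);
  return { visitedGroups, candidates, identified: refineByProfile(candidates, isVisited) };
}
```

In the constructed run, two visited group pages narrow six users down to two, and one visited profile page singles out `alice`; with this table, four of the six users have a group combination nobody else shares. The second stage needs no browser at all, which is why the cost of the attack is dominated by the crawl, and why the fix had to come from browser vendors rather than from the social network.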

iSec Lab is the first entity to publish about such pattern recognition using browser history information. Let's hope that it hasn't been secretly in use elsewhere, although I fear that exactly this is the case.

Yubikey – New Hardware for Strong Authentication

07.06.2008 by Joerg Resch

Recently I came across YubiKey, a hardware token from a young Swedish company called Yubico. YubiKey is a small and slim USB device with just one button. Press it and the device emits a one-time password, typing it into the active input field as a USB keyboard would, so unlike card-format token generators there is no code to copy in by hand. A trojan logging keystrokes can still see the value, but since each password is accepted only once, a captured one is useless after it has been used. One more remarkable thing is that Yubico offers an identity platform for the device which already includes an OpenID server.

If this device holds its promise, there should be reason to worry for the other players in the strong authentication market. I wrote a mail to Yubico's CEO Stina Ehrensvärd, asking for some background and a sample device, and got an answer within minutes. So I'm now waiting for the YubiKey and will keep you informed.


© 2010 Joerg Resch, Kuppinger Cole