23.04.2013 by Joerg Resch
In my last post I mentioned the motor-driven door locks I have at my home. A frequent question I get from friends visiting me is whether that door lock system, which works with PIN codes, RFID, remote controls and over the Internet, is connected to the KNX/EIB bus system I also have in my house to control lights, shutters, air circulation, music and some other features. And the answer is no. Because, no joke, EIB/KNX, which seems to be the most widespread “standard” for home automation, does not provide any security feature: no encryption, no authentication. If you get access to the two wires of the bus, then you can control anything connected to it.
Luckily, EIB/KNX installations are so incredibly expensive (my installation is a DIY one) that it will never spread on a large scale…
23.04.2013 by Joerg Resch
My colleague Martin Kuppinger recently (and also quite a while ago) posted some critical articles on smart infrastructures in his blog. Yes, security is a big issue there. However, it is not only about security in these more or (in most cases) less smart infrastructures. It is also about making these infrastructures work at all and, last but not least, feasible for a large audience.
In my home, which is a so-called passive house (well insulated, with large south-facing windows for passive solar heating, saving 98.5% of heating energy compared to a standard building…), I have a smart meter. I have solar panels on my roof, and the sun also produces our warm water. Altogether, the house produces more energy than we consume, so we can sell electric energy back to the supplier during the day. The utility company, which had to install such smart meters by law, would not have done so if I had not insisted on it. And I now know why.
Because the utility company is not able to “meter smartly”. During the past few weeks we had repeated visits by their employees trying to collect the data the smart meter has gathered. They are using the human interface between their central office and my house: somebody makes an appointment and then visits me, bringing along a small infrared device for communication between the smart meter and his own mobile device. That infrared device then should send the data via Bluetooth to an iPhone app. So the interface looks like this: phone appointment — car — walk — doorbell — visiting the smart meter — attaching the infrared device to the smart meter — waiting with the iPhone in hand until something happens — and waiting — and waiting — and back to start. This obviously is a perfect mix of insecure devices and insecure and inefficient communication standards and processes.
However, the risk is limited, given that it just does not work. The utility company’s employees were waiting for minutes in front of the smart meter, hoping that something would show up in their app. That did not happen. On the other hand, the visitor was not able to read the data manually from the smart meter, because he just had no clue what the different values shown on the smart meter’s display are about. Eh — I didn’t mention it before — it is more than one smart meter. We have a separate one for the solar energy we sell to the utility, and we have one that counts the solar energy we use ourselves. But those meters are read by a different person, and not together with the reading of the meter measuring the inbound energy consumption.
Now, luckily enough, I have a door with a motor lock at my home, which I can operate remotely through my Windows Phone, so that I don’t necessarily need to be at home when somebody from the local utility company makes an appointment (or just rings the doorbell). Until the day I got these smart meters in my home, I thought that they were built to be connected and read remotely. But this is not the case. The meter would be able to, but obviously the infrastructure for accessing those meters remotely does not exist. And also, having experienced the skill level of the person operating the reading device, it probably is better for me if the utility doesn’t even try to connect to my meters remotely. Being smart is clearly something different. And no one needs to wonder why I’m the only one in my neighborhood with a smart meter.
This story and the topic of smart metering are not only about security. It is about building an infrastructure that works smartly. It is about having smart, well-educated and informed employees who can handle that new infrastructure. Both the security problems and the lack of usability are symptoms of a horribly planned entry into smart infrastructures. This is probably one of the very big misses over here in Europe, and the main reason why we are now entering a period of ultra-high hacking damages…
24.10.2011 by Joerg Resch
Recently I came across a news alert that Google has released Android 4.0 on some new mobile phone. 4.0 already? That is extreme; Android hasn’t been around that long. On one side it is good that there seems to be a strong community of developers eliminating bugs and improving at a fast pace. On the other side, you need to be quick in carrying your new Android smartphone home if you want to install the first OS update before your hardware becomes incompatible with the latest release.
Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb… now Ice Cream Sandwich and soon Jelly Bean: Android versions are named after desserts. I got lost with my Android device (an HTC Hero) somewhere between Cupcake and Donut, or between Donut and Eclair. The problem was that I never got my phone to sync with my PC. No sync, no Android update. But I would have needed that update, because the Android release installed on my phone produced an error which would not let me use my Google user account to log into the marketplace. No sync, no update, no new apps. No smartphone. According to some forum entries (I wasn’t the only one with that problem), this issue was due to be solved with the next update. While waiting for that update, I experienced that even such elementary features as receiving a phone call could make the device crash and reboot. So I switched back to my ordinary phone, and missed installing Donut or Eclair. Or was it Froyo already? Froyo 2.2? Froyo 2.2.1 or Froyo 2.2.2? The only thing I remember is that the available Android release wasn’t compatible with my hardware anymore.
As not even my 12-year-old son was interested in taking over a nearly unused piece of Android-based smartphone hardware, I threw it into the carton containing empty batteries and defective hardware, and switched to Windows Phone 7, and now everything works. I installed the SIM card, switched it on and everything worked. I added my IMAP user account information to access my mail folders and I configured LDAP to access my address book. Then I installed some very useful apps, like a mountain bike navigation app, and for the first time ever I now have a smartphone which really is smart. I have been using it for over a year now and never had any issue with it. It just does what it is supposed to do.
The question I have: Why is my personal experience so different from what I read and hear from others? Anyone else with a similar experience?
20.10.2011 by Joerg Resch
It seems that we have now entered the “Age of Political Cretinism”, with governments reducing themselves to either wasting money or producing malware. We have several recent examples of this tendency: on the one side Stuxnet, Duqu and similar (have a look at Martin’s recent blog post on this), well-elaborated and dangerous trojans aiming at large industrial facilities; on the other side poorly built trojans used to regain the option to spy on anybody’s communication with anyone in a time where Skype and similar services have made this more difficult for governments. The German so-called “Staatstrojaner” (State Trojan), used by police and customs to look at what suspects are doing with their computers, is an example of the latter type of government malware.
Why, for heaven’s sake, is a government taking the risk of attacking citizens with such a stinkeroo-coded Staatstrojaner? Considering that information security is as poor as that Staatstrojaner, just imagine the damage somebody can create if he/she strikes back.
15.09.2011 by Joerg Resch
I just read that UBS is reporting some 2 billion dollars of damage from “unauthorized deals” one of their investment bankers made. 2 years after Kerviel / Société Générale. This is the hard way of learning things. The only thing that now might really help those who will be asked why somebody is able to do unauthorized deals and create a 2 billion dollar loss: get the latest album from the Australian hard rock band Airbourne, “NO GUTS NO GLORY”, take a day off and listen to it. Or, for immediate relief, have a look at their “NO WAY BUT THE HARD WAY” video. Great music.
08.09.2011 by Joerg Resch
Only hours after the individual/group claiming responsibility for the DigiNotar hack had posted on Pastebin that he/they have access to 4 more high-profile CAs and had named GlobalSign as one of those 4, GlobalSign reacted and released a statement that they have ceased issuing any SSL certificates. GlobalSign has also asked Fox-IT for e-discovery and investigative services to verify the hacker’s claim. GlobalSign, a GMO Internet Inc. company since 2006, has its roots in Belgium. Back in 2000, Vodafone had bought a 40% share of GlobalSign through its German subsidiary D2 Mannesmann. Vodafone is still one of the most important GlobalSign customers, as is Skype.
GlobalSign’s quick reaction is appropriate and very different from DigiNotar’s. Also, reading between the lines of the hacker’s announcements, it looks more like he may have had access to some secondary systems and stolen some customer database information. While this would still be bad, it is not at all comparable to DigiNotar, where he actually got into the CA itself.
GlobalSign knows that trust is something you can only lose once.
07.09.2011 by Joerg Resch
DigiNotar is a Dutch “Internet Trust Provider” running a Certificate Authority (CA), selling SSL certificates and digital signature solutions. DigiNotar had recently been bought by VASCO. On August 30, 2011, DigiNotar/VASCO reported that DigiNotar had detected, on July 19th, 2011, an intrusion into their CA infrastructure, “… which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.” In the meantime we know that the number of known fraudulently created certificates is beyond 500, and that it concerns domains like windowsupdate.com, microsoft.com, the Tor anonymization network, the CIA and MI6. An interim report describing the first results of a forensic investigation conducted by the experts from Fox-IT, headed by its founder and CEO J.R. Prins, and released on Sept. 5th, 2011, found that many Certificate Authorities managed by DigiNotar, including the PKI CA Overheid, where the certificates for the Dutch government are created, had been penetrated by hackers with root permissions. Besides the already mentioned Overheid CA, the Fox-IT report lists the CAs of the Dutch Federal Ministry of Justice, the Koninklijke Notariele Beroepsorganisatie CA (maybe the CA where digital certificates for Dutch notaries are issued?), Renault Nissan Nederlands, Technical University Delft and many others as compromised. DigiNotar is now under the control of the Dutch government.
So far, one rogue certificate issued for the www.google.com domain has been misused by Iranian hackers to perform man-in-the-middle attacks, mainly against compatriots using Google Gmail to write and read emails. Note: the rogue certificate itself is not enough to run this kind of attack. The attackers additionally need access to the DNS system in order to divert Internet traffic from the real Gmail server to a different one. In a country like Iran this of course is not a problem.
As each use of a certificate causes a verification call (an OCSP request) to the CA which issued the certificate, the number of such attacks can be counted precisely from the OCSP responder traffic. Between July 27 and August 29, 2011, 300,000 Google Gmail sessions had been hijacked. The very, very sad thing about this is that during the period of the attack DigiNotar knew that they had been hacked, but kept it secret. This is not the kind of trust a trust provider should provide. Considering that the Iranian hackers may at least be supported by their government, as such hacking would provide the government with intelligence about the political opposition in the country, the attempt to keep this “accident” private may cause Iranian dissidents to face sanctions from their government.
Beyond the obvious aim of the attack, to control Iranian Internet use outside Iran, there may also be some revenge involved, answering the virus attacks against the Iranian nuclear plant in Bushehr. A real cyberwar, so to say, with DigiNotar being a (indeed very weak) piece of the Western world’s Internet security backbone called PKI. One more piece, as it has not been the first attack against PKI. In March this year Comodo, another Internet Trust Provider, had been the victim of an attack where somebody compromised a user account to create 9 rogue certificates. It seems that both attacks have been conducted by the same hacker or group of hackers, as he/they left the same message on the servers (“Janam Fadaye Rahbar”, which means something like “my life for the leader”). Furthermore, a message just appeared on Pastebin which seems to have been posted by the hacker(s):
“You know, I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will, I won’t name them, I also had access to StartCom CA, I hacked their server too with so sophisticated methods, he was lucky by being sitted in front of HSM for signing, I will name just one more which I still have access: GlobalSign, let me use these accesses and CAs, later I’ll talk about them too…”
So, there is more to come, and we should now start to think about the consequences that follow from the fact that CAs can be compromised at any time. Is PKI as secure as we have been made to believe, even by governments? Maybe, as a starter, have a look at this more than 10-year-old article from well-known security expert Bruce Schneier, which I kind of referenced in my headline: “Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure”. Much of what he wrote is still true, and some things have become even worse. While Schneier had asked in his “Risk#1: Who do we trust, and for what?” who authorized the CA to behave like an authority in granting authorizations, and while he found the term “trusted” to be misused in the case of CAs, today such authorizations are in place. By law. By legal document. In the case of DigiNotar, the Dutch government even used the hacked infrastructure to run that one root CA which should be the last one to be hacked before a country loses its independence.
In his “Risk#9: How secure are the certificate practices?”, Bruce Schneier states:
“Certificates aren’t like some magic security elixir, where you can just add a drop to your system and it will become secure. Certificates must be used properly if you want security.”
PKI leaves plenty of space for insecure practices. Although there have been several incidents now suggesting that we have a serious problem with bad practices at trusted (sic!) third parties, it may be that the vast majority are safe and indeed trustworthy. Sure? Unfortunately it is not for us to decide which CAs are trustworthy and which are not. This decision is taken, for example, by the browser manufacturers, because it is they who manage the lists of trusted root certificates that ship with each browser. Wouldn’t it be better if the trust decisions were left to the users, without any influence? DigiNotar has now been deleted from all those lists, so that you will get a warning if a server uses a certificate issued by them. Comodo has not been deleted. What is it that makes the difference?
So, PKI seems not to be the trust model that will last forever, at least not without some fundamental renovation. But what can we do in the meantime? As a trust provider: don’t make the management part of your CA software available in the cloud. That would not be good for you. As a client, you should have a business continuity plan telling you what to do if your root CA is compromised, even or especially if that root CA is managed by a third party.
Venafi’s Calum MacLeod just sent out a mail proposing 4 steps to help you survive a compromised root CA:
- Have more than one CA, so that you can just throw away the compromised one.
- Organizations must have an accounting of all the CAs that they use as third-party trust providers.
- They must have a complete inventory of the owner and location for each certificate in the enterprise. This often numbers in the thousands, and even tens of thousands or more in Global 2000 organizations.
- Every organization must have an actionable and comprehensive plan in place to recover from a CA compromise. The time to recover needs to be measured in hours, not weeks or months.
Even if these proposals come from a key and certificate management vendor, they aren’t wrong at all.
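To make two of the points above concrete (the browser vendors’ trust lists that decide which CA is trusted, and the certificate inventory and recovery steps in the list), here is an added Go example that is not part of the original post and not Venafi’s or any vendor’s tooling. It builds two constructed lab CAs with Go’s standard crypto/x509 package, issues a leaf certificate from each, shows that dropping one CA from the trust list makes its leaf fail validation, and runs the inventory check that tells you which of your own certificates must be reissued. All CA names and host names are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn, signed by parent (a self-signed root when parent is nil). Lab material only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // the name a browser matches the leaf against
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// affectedBy is the inventory step: which of our own certificates did ca issue? Those need reissuing once ca is dropped.
func affectedBy(inventory []*x509.Certificate, ca *x509.Certificate) (hosts []string) {
	for _, c := range inventory {
		if c.CheckSignatureFrom(ca) == nil {
			hosts = append(hosts, c.Subject.CommonName)
		}
	}
	return hosts
}

// runScenario: two constructed lab CAs, one of them later compromised. Returns whether the leaf issued by
// the compromised CA validates before and after its removal from the trust list, and which hosts that breaks.
func runScenario() (before, after bool, broken []string) {
	goodCA, goodKey := newCert("Lab Root CA", true, nil, nil)
	badCA, badKey := newCert("Lab Compromised CA", true, nil, nil)
	mail, _ := newCert("mail.example.test", false, goodCA, goodKey)
	shop, _ := newCert("shop.example.test", false, badCA, badKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "shop.example.test"}
	opts.Roots.AddCert(goodCA)
	opts.Roots.AddCert(badCA) // the trust list as shipped before the compromise became known
	_, errBefore := shop.Verify(opts)
	opts.Roots = x509.NewCertPool() // the list after the browser vendor drops the compromised CA
	opts.Roots.AddCert(goodCA)
	_, errAfter := shop.Verify(opts) // now fails with x509.UnknownAuthorityError
	return errBefore == nil, errAfter == nil, affectedBy([]*x509.Certificate{mail, shop}, badCA)
}

func main() { fmt.Println(runScenario()) }
```

Running it prints `true false [shop.example.test]`: the leaf was trusted, is no longer, and the inventory names the one host that has to be moved to another CA within the recovery window.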
17.02.2010 by Joerg Resch
In 10-12 years from now, the whole utilities and energy market will look dramatically different: decentralization of energy production, with consumers converting to prosumers pumping solar energy into the grid and offering their electric car batteries as storage facilities; spot markets for the masses offering electricity on demand with fully transparent price formation (energy in a defined region at a defined time can be cheaper if the sun is shining or the wind is blowing strongly); and smart meters in each home being able to automatically contract such energy from spot markets and then tell the washing machine to start as soon as the electricity price falls below a defined threshold. And, if we think a bit further and apply Google-like business models to the energy market, we can get an idea of the incredible size this market will develop into.
These are just a few examples which might give you an idea of how the “post-fossil energy market” will work. The drivers leading the way into this new age are clear: energy production from oil and gas will become more and more expensive, because pollution is not free and the resources will not last forever. And the transparency gained from making the grid smarter will make electricity cheaper than it is now.
The drivers are getting stronger every day. Therefore, we will soon see many large-scale smart grid initiatives, and we will see questions arising such as who has control over the information collected by the smart meter in my home. Is it my energy provider? How would Kim Cameron’s 7 Laws of Identity work in a smart grid? What would a “grid perimeter” look like which keeps information on the usage of whatever electric devices within my four walls? By now, we all know what cybercrimes are and how they can affect each of us. But what are the risks of “smart grid hacking”? How might we be affected by “grid crimes”?
I think these are questions which should be discussed in an interdisciplinary way. If anybody would like to contribute to such a discussion, which I am trying to include in this year’s EIC 2010 agenda, please send a proposal!
13.02.2010 by Joerg Resch
Drew Bartkiewicz, Vice President at The Hartford E&O, Cyber and New Media Liability, has just joined the EIC 2010 speaker lineup and will give a keynote on “Unseen Liability - The Irreversible Collision of Technology and Business Risk”. Drew has also just written a book with the same title, which will be published in May.
12.02.2010 by Joerg Resch
Once again, we are very lucky at Kuppinger Cole that so many excellent experts from all over the world forward their speaker proposals for the European Identity Conference (EIC), which this year will take place from 4th to 7th May, again in Munich (we will move to a new venue next year!). The agenda is still in draft mode and many things have yet to be added or modified, but if you want to have a first look, even before it is officially published, here is the link: http://www.id-conf.com/events/eic2010/agenda.
Some very exciting and controversial strategic views, like for example Munich Re CIO Dr. Rainer Janßen talking about “what business has to learn, so that IT can align”, lots of “real” cloud security topics, many fantastic best practices and, for the first time this year, a German-speaking track (which can be booked separately), dedicated to medium-sized companies and public organizations. Stay tuned, I’ll be adding content to the agenda every day.