“Our Systems are Secure”

04.02.2010 by Joerg Resch

I love this kind of statement. It contains total ignorance of the fact that security is not an absolute value and that it should take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DEHSt – Deutsche Emissionshandelsstelle), who said this after a successful phishing attack had caused damage of 3 million euros to some of the companies using this platform to trade their emission permits.

Imagine – a trading platform where “real” money is being moved – with just simple password protection. Not even transactions are protected with TANs. Once you have access to one of the 2,000 accounts on this platform, you can do anything. And they did. The only thing the attackers did slightly better than in most other phishing cases: their mail did not contain too many spelling errors and looked pretty serious.

I hope that the companies now suffering the damage get a good lawyer, because it will not be very difficult to prove that in the year 2010 the technology market offers some better options to separate assets from threats than just a simple password.

What really strikes me is that again it is a German governmental institution showing this kind of willful ignorance when it comes to technology.


Is History-Stealing a Crime?

03.02.2010 by Joerg Resch

In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to know exactly who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, we might soon see broad use.

Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but in German criminal law (§ 202a StGB, Ausspähen von Daten), data theft is a crime only if the stolen data had been protected against unauthorized access and if the attacker did crack that protection. Browser history is not protected against unauthorized access. So it is not a crime over here.


De-Anonymizer Self-Test

03.02.2010 by Joerg Resch

Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member of 5 groups at Xing, but active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird!

De-Anonymizer Test Result


Identification through “Social Pattern Recognition”

02.02.2010 by Joerg Resch

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from the iSec Laboratory for IT Security found a simple and very effective way to identify the person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is exploit the browser history to find out which social networks the user is a member of and to which groups he or she has subscribed within that social network.

The combination of memberships in different groups seems to be nearly as unique as a fingerprint. According to a paper they published (their server is overloaded at the moment, you may need to try again later), this kind of identification through pattern recognition works with most large social networks, like Xing, LinkedIn, Facebook etc. They used a web crawler to collect all that group membership information from the social network (they ran their proof of concept against Xing.com). Here is a link where you can find out whether this very simple browser history exploit works for you: http://www.iseclab.org/people/gilbert/experiment/.

iSecLab is the first entity to publish about such pattern recognition using browser history information. Let's hope that it hasn't been secretly in use at other places, although I fear that exactly this is the case.
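The core claim of the paper is that a user's combination of group memberships is nearly unique within a network. The following added example (not code from the iSec Lab paper or their experiment page) shows how one would measure that re-identification risk on a constructed, made-up membership table: how large the anonymity set for each exact combination is, and how many of a user's groups an observer who only sees a partial set of group URLs in the history must learn before the candidate set shrinks to one person. All user and group names below are invented.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data: hypothetical users and the groups they joined.
# Nothing here is taken from Xing or any other real social network.
MEMBERSHIPS = {
    "alice": {"python-devs", "berlin", "hiking"},
    "bob":   {"python-devs", "berlin"},
    "carol": {"python-devs", "berlin", "hiking"},
    "dave":  {"sales", "berlin"},
    "erin":  {"sales", "hamburg"},
    "frank": {"python-devs", "hamburg", "hiking"},
}


def anonymity_sets(memberships):
    """Map each distinct exact group combination to the number of users holding it.
    A combination held by exactly one user is a unique 'fingerprint'."""
    return Counter(frozenset(groups) for groups in memberships.values())


def identifiable_users(memberships):
    """Users whose exact group combination is shared by nobody else."""
    sets = anonymity_sets(memberships)
    return sorted(u for u, g in memberships.items() if sets[frozenset(g)] == 1)


def candidates(memberships, observed):
    """Users consistent with an observer who has learned only that the visitor
    belongs to the groups in `observed`. History sniffing can only show which
    group pages were visited, never which groups the visitor is NOT in, so the
    observer's evidence is a subset of the true membership set."""
    observed = set(observed)
    return sorted(u for u, g in memberships.items() if observed <= g)


def min_groups_to_identify(memberships, user):
    """Smallest number of that user's groups an observer must see before the
    candidate set contains only that user; None if no subset ever suffices."""
    groups = sorted(memberships[user])
    for k in range(1, len(groups) + 1):
        for combo in combinations(groups, k):
            if candidates(memberships, combo) == [user]:
                return k
    return None


if __name__ == "__main__":
    print("exact-combination anonymity sets:", dict(anonymity_sets(MEMBERSHIPS)))
    print("unique by exact combination:", identifiable_users(MEMBERSHIPS))
    for user in MEMBERSHIPS:
        print(user, "-> groups needed:", min_groups_to_identify(MEMBERSHIPS, user))
```

Note the difference between the two measures: bob's exact combination is unique, but every subset of his groups is also held by alice and carol, so an observer who can only confirm visited group pages never isolates him. The exact-combination count is therefore an upper bound on what history-based de-anonymization can achieve; the partial-observation count is what actually matters for the attack the paper describes, and for assessing how much a member's visible group list gives away.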


Yubikey – New Hardware for Strong Authentication

07.06.2008 by Joerg Resch

Recently I came across YubiKey, which is a hardware token generator from a young Swedish company called Yubico. YubiKey is a small and slim USB device with just one button. If you push it, the device produces a one-time password and sends it to the server. Compared to token generators in card format, you don't need to manually enter your one-time password through a computer keyboard anymore, which makes YubiKey unreachable for trojans directly listening to keyboard entries. One more remarkable thing is that Yubico offers an identity platform for their device, which already contains an OpenID server.

If this device holds its promise, there should be reason to worry for the other players in the strong authentication market. I wrote a mail to Yubico's CEO Stina Ehrensvärd, asking for some background and a sample device, and got an answer within minutes. So I'm now waiting for the YubiKey and will keep you informed.


CardSpace “hacked”?

06.06.2008 by Joerg Resch

I'm definitely amongst the last ones to join the crowd blaming German universities for lagging behind international standards with regard to their educational programs, especially in the fields of technology and computer science. But reading this press release, issued by the Faculty of Network and Data Security at the University of Bochum (sorry, the English version of their website seems not to work), makes me think.

The press release says that two students of said faculty “broke” Microsoft's CardSpace through some kind of man-in-the-middle attack, where they took over an existing session between a user authenticated with an Information Card and Microsoft's InfoCard sandbox by manipulating a DNS server. Reading through the description of this “attack” shows that the sophisticated part of their work was to manually change the DNS settings of their client computer so that it resolved web addresses through an internal DNS service within their institute (where they have admin access), which they had manipulated beforehand by adding a round-robin entry for the sandbox server, redirecting every second client request to an evil system, which then stole the session token.

So, what are the learnings from this intended act of creative destruction? Yes, once again we learn (what we have known for decades now) that without a proper client certificate, man-in-the-middle attacks are possible, independently of the authentication methods and tools used, and that SSL/TLS provides means to avoid the risk of such attacks, likewise independently of the authentication methods and tools in place.

It is great that the University of Bochum is teaching their students how these things work, and eventually we may have a generation of well-educated IT experts knowing how to make corporate IT infrastructures and the Internet more secure. Maybe they should add some HTML training courses to their timetable as well. If you look at this description of a “hacker course” the university is offering, some nice error messages coming from malformed markup are displayed, like this one:

System Message: WARNING/2 (<string>, line 11)
Block quote ends without a blank line; unexpected unindent.

But what is the message behind that press release saying that University of Bochum students broke “Microsoft's Identity Metasystem CardSpace”? Just to feed some outdated opinion about Microsoft producing error-prone and insecure software? In my opinion, this is not enough for a productive discussion on how to increase security.


Is GRC something different in Europe than it is in the US?

05.06.2008 by Joerg Resch

Today I listened to a podcast where Kevin Cunningham and Darran Rolls from SailPoint talk in an interview with Jackie Gilbert about the impressions they brought back home from EIC 2008. Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world, and SOX is not the only framework responsible for this increase.

I think it was Kevin who mentioned one important difference: privacy and data protection for employees seem to be more strongly regulated here in Europe than in the US. This may be true, although they don't really play a role in reality, as recent espionage cases like the one within Deutsche Telekom impressively show.


It is not possible that a single trader like Jerome Kerviel burns 5bn euros

26.01.2008 by Joerg Resch

It is absolutely impossible that somebody in a position like Jerome Kerviel's can hold trading positions of 50bn euros and burn 10% of that amount. It is impossible, because

  • banks nowadays would never rely on simple password protection for their trading systems.
  • they all have state-of-the-art identity management in place and manage business roles in a way that one single trader could not crash the whole bank.
  • such big deals would always be routed through acknowledgement processes where duties are segregated.
  • strong authentication techniques and strict authorization would let all employees of a bank feel that it is impossible to operate with multiple identities falsifying acknowledgement processes.
  • risk dashboards would turn red and start screaming long before such damage occurs.

And, just to be complete: no, it is not possible to attack PIN/TAN online banking transactions, ATM cards cannot be forged, and it never rains in Hamburg.


Identity theft & offline fraud in the banking industry

09.01.2008 by Joerg Resch

In a recent post, I wrote about those 25 million British people whose bank information had been “lost”. Jeremy Clarkson, a British TV presenter, wrote in his Sun newspaper column that such a loss is of no value to somebody who may now own this data. To prove this, he published his own Barclays Bank account information. He now had to admit that somebody exploited this information and transferred 500 GBP from his account to some welfare organization. So he either was lucky or didn't have more in his account, I suppose.


Customer Identities at Vodafone

20.12.2007 by Joerg Resch

Today, I had to put an end to a story lasting for months now, where I tried to change the mobile phone contract I have had at Vodafone since 1996, by cancelling any contract which may exist under my name/my address/my bank account number/my customer number(s). It all started when my employer was generous enough to take over my phone contract. Therefore, invoice address and bank account information had to be changed. I wanted to take this occasion to get rid of some add-ons I had been chased into subscribing to through aggressive telemarketing, which I actually never used and did not miss. And I wanted to change from one flat-rate type to another one suiting my phone habits better.

As telcos in general may not be too famous in terms of customer service quality, I did not expect it to be easy. But what happened was far beyond my imagination:

The first attempt (phone, e-mail) did not have any effect.
After the second attempt, my contract had been changed, but add-ons were not cancelled, bank account information was not changed, and the invoice address was not changed.

Next attempt: they still debit my bank account with a rising amount of money. But I don't get any invoices anymore. When I phone them, they cannot trace any changes in their CRM database. Everything up to now seems to have ended up in some wrong place. They then sent me a form by post where I have to apply for the bank account and invoice address change. Several days after I did so, I received a written confirmation at my private address that

  • They do not have a mobile phone contract under my customer number
  • I signed the mobile phone contract in August 2003
  • My bank information is (private bank account)
  • My invoice address is (private address)

They enclosed a photocopy of my non-existent contract, which they say was dated August 2003, but which in fact contains August 1996 as the contracting date. This photocopy is the only piece of correct information I received. Which does not help me too much, as I have it myself.

Today I received a call from a person from Vodafone service or telemarketing (I don't know, and I don't care anymore) who tried to explain why invoices do not reach me anymore. The person phoning me did not know that bank account information and invoice address had changed or should have been changed. Nor did that person know anything about contract changes. He then said that he will call Vodafone and ask about the status. Huh?

I hope, for the future of that company, that I am a grand exception.



© 2012 Joerg Resch, KuppingerCole