Security by Design

21 August 2016

Friday afternoon I took part in a really interesting meeting. Some application managers had received a request from researchers to implement a new application to support pharmacological studies. The new application collects information from some business-critical applications. The researchers combine and enrich that information, evaluate it with numerical models and, if the results are promising, transfer it back to the source systems.

Because of this, it is very likely that the new application will create and store business-critical information, even if the information collected from the source systems is not critical in itself.

The application managers were particularly concerned about the impact of the security requirements on the usability of the application and on its development and operation costs. So they decided to start the security discussion as early as the drafting of the project proposal.

Great! That is indeed the best phase in which to start with application security. Security by Design is the key to sustainable and cost-effective security. We had a very fruitful discussion about role concepts, clearance of users and encryption.

The application managers were actually surprised when I began talking about the solution life cycle. Discussing the solution life cycle while the project proposal is still being drafted sounds strange, but the architecture of a solution has a major impact on both its security and its operation costs.

In R&D we talk about application lifetimes of 10 or more years. Over such a lifetime we have to change applications simply because components are discontinued by their suppliers and must be replaced, either by newer versions of the same component or, in the worst case, by components from other suppliers. In addition, we have to apply an endless stream of security patches to all components, which means a high effort in application operations.

If the application architecture does not support easy replacement or patching of components, we have to apply additional technical measures to secure the application, which increases operation costs and complexity. So it makes sense to start talking about the solution life cycle as early as possible.

That reminds me of Dan Lohrmann’s post “Idea to retire: Cybersecurity kills innovation”, published on the Brookings TECHTANK blog some months ago:

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Now we have to convince the research department to spend some additional effort and time on the project proposal in order to build a really innovative application.

Have a good weekend.

France says fight against messaging encryption needs worldwide initiative

13 August 2016

The report “France says fight against messaging encryption needs worldwide initiative”, published on Reuters technology news last Thursday, is truly worrying.

“Messaging encryption, widely used by Islamist extremists to plan attacks, needs to be fought at international level, French Interior Minister Bernard Cazeneuve said on Thursday, and he wants Germany to help him promote a global initiative.”

I can, of course, understand the motivation of the French Interior Minister. He must do his utmost to protect France from further terrorist attacks.

“French intelligence services are struggling to intercept messages from Islamist extremists who increasingly switch from mainstream social media to encrypted messaging services, with Islamic State being a big user of such apps, including Telegram.”

Although the French Interior Minister has not yet asked service providers for decryption options, the direction of a Franco-German initiative is, from my point of view, clear: service providers would be required to make decryption options available to national police, intelligence and security services.

Some attacks can certainly be prevented this way, but on the other hand it puts many innocent people at risk, namely those who stand up for civil rights in authoritarian regimes.

In “Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers”, published in Reuters CYBERSECURITY on 2 August 2016, Joseph Menn and Yeganeh Torbati reported that Iranian hackers had compromised Telegram accounts.

The security researchers who analysed the attack said that “… the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.”

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

That is precisely the problem when national security services demand decryption options from service providers: the same information can be used to prevent terrorist attacks and to act violently against dissidents among a country’s own citizens. Hopefully the German Interior Minister will remember recent German history (the Stasi) and reject such demands once and for all.

By the way, a messenger’s built-in end-to-end encryption is just the convenient way of communicating securely. Terrorists can turn to less convenient but highly secure options like PGP, with which the message is encrypted on the sender’s own device before it is ever handed to the service provider for transport. Then the French initiative no longer makes any sense: the provider only ever holds ciphertext it cannot decrypt, and the messenger’s own end-to-end encryption is not even required.

Even though it is taken out of its original context, Benjamin Franklin’s quote about liberty and safety fits very well here:

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.

Have a good weekend.

O2 not hacked – O2 customers victims of cybercrime

6 August 2016

On 26 July, The Register reported that “Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web.” The BBC Victoria Derbyshire Programme and Graham Cluley published similar reports.

All reports made clear that O2 itself had not been hacked. The BBC reports that “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as ‘credential stuffing’.”

Poor user habits, like recycling usernames and passwords across sites, are indeed a major problem. But in my opinion many service providers are at least co-responsible, because they do not sufficiently protect their customers’ accounts.

Many service providers still have not enforced two-factor authentication (TFA), although this technology is easy to implement and to use, in particular for high-tech businesses like O2. Even if a username and password are stolen from another site, replaying them is far less likely to succeed, because the cyber-criminals have no access to the second factor.
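The following Python script is an added example and not code from the post, from O2 or from any of the cited reports. It replays a constructed "breach dump" against a small account service in which one user has switched on a TOTP second factor (RFC 6238, the scheme behind the common authenticator apps), and it applies the simplest credential stuffing heuristic a provider can run on its own login log: one source address trying many distinct accounts with mostly failed logins. Every name, password, TOTP secret and IP address is made up for the demo, and the AccountService class and its methods are my own construction, not any provider's API.

```python
# Added example (not from the post, not O2's or any provider's code): a
# minimal account service attacked with a leaked username/password list.
# Every name, password, secret and IP address below is constructed for the demo.
import hashlib
import hmac
import struct
from collections import defaultdict


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1), as used by the
    common authenticator apps. The counter is the 30-second time slot."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """Password login with an optional TOTP second factor, plus an attempt log."""

    def __init__(self):
        self.users = {}
        self.attempts = defaultdict(list)       # source IP -> [(username, success)]

    def register(self, username, password, totp_secret=None):
        # Deterministic salt so the demo is reproducible; use os.urandom() for real.
        salt = hashlib.sha256(b"demo-salt:" + username.encode()).digest()
        self.users[username] = {"salt": salt,
                                "hash": password_hash(password, salt),
                                "totp_secret": totp_secret}

    def login(self, ip, username, password, code=None, unix_time=0):
        user = self.users.get(username)
        ok = False
        if user and hmac.compare_digest(user["hash"], password_hash(password, user["salt"])):
            if user["totp_secret"] is None:
                ok = True                        # password alone is enough
            else:
                expected = totp(user["totp_secret"], unix_time)
                ok = code is not None and hmac.compare_digest(code, expected)
        self.attempts[ip].append((username, ok))
        return ok

    def stuffing_sources(self, min_accounts=5, max_success_rate=0.5):
        """Flag IPs that try many distinct accounts with mostly failed logins:
        the signature of replaying a leaked list against this site."""
        flagged = []
        for ip, log in self.attempts.items():
            accounts = {name for name, _ in log}
            rate = sum(ok for _, ok in log) / len(log)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                flagged.append(ip)
        return flagged


# Constructed "breach dump" from an unrelated site, and the telco's own users.
LEAKED = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "qwerty123"),
          ("dave", "password1"), ("erin", "s3cret!"), ("frank", "dragon")]
CAROL_SECRET = b"12345678901234567890"           # constructed authenticator seed
NOW = 1_470_000_000                              # fixed clock for reproducibility


def run_credential_stuffing():
    svc = AccountService()
    svc.register("alice", "hunter2")                     # reused password, no TFA
    svc.register("bob", "b0b-unique-pw")                 # different password
    svc.register("carol", "qwerty123", CAROL_SECRET)     # reused password, but TFA
    svc.register("dave", "password1")                    # reused password, no TFA
    svc.register("frank", "fr4nk-unique-pw")             # different password
    # "erin" is not a customer of this service at all.

    attacker_ip = "203.0.113.7"
    compromised = {u for u, p in LEAKED if svc.login(attacker_ip, u, p, unix_time=NOW)}

    # Carol's own login with password plus the current code still works.
    legit = svc.login("198.51.100.4", "carol", "qwerty123",
                      code=totp(CAROL_SECRET, NOW), unix_time=NOW)
    return {"compromised": compromised,
            "flagged_ips": svc.stuffing_sources(),
            "legitimate_login": legit}


if __name__ == "__main__":
    print(run_credential_stuffing())
```

Only the two users who reused a password and had no second factor are taken over; carol reused her password as well, but the replayed pair fails without her code. The attacker's address stands out in the log with six distinct accounts and a one-in-three success rate, while carol's own login is a single account and is not flagged; real deployments tune the two thresholds and add rate limiting, but the signal is the same.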

From my point of view it is time that the regulatory authorities finally did their job and protected citizens and businesses from cyber-crime. We need a European regulation which makes TFA compulsory for all service providers. Unfortunately, this will not have any impact on the O2 customers, because of Brexit …

Have a good weekend.

Locky deployment methods just changed – Who cares?

30 July 2016

The post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 on the ReaQta Security Blog, clearly shows that cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from those strings into user space and executed from there, so there is no longer a second-stage download that a web proxy or firewall could block.

This is no rocket science, simply the application of well-known obfuscation methods to the latest Locky variant.
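As an added example that is not part of the post or of ReaQta’s analysis, the following Python script shows the defensive side of the change just described: a static check that flags a script attachment whose long string literals, after undoing string concatenation and hex or base64 encoding, decode to something that looks like a Windows executable. The loader text and the PE-like stub it carries are constructed for the demo (the "payload" is only a DOS header and the familiar DOS-mode string, not a program), and all function and variable names are my own.

```python
# Added example (not from the post or from ReaQta): a static check for a script
# that carries a Windows executable inside its string literals.
# The sample loader and its "payload" are constructed; the payload is a PE-like
# header only, not an executable.
import base64
import binascii
import re

PE_HINTS = (b"This program cannot be run in DOS mode", b"PE\x00\x00")
LONG_LITERAL = re.compile(r'"([^"\\]{64,})"|\'([^\'\\]{64,})\'')


def join_concatenations(script: str) -> str:
    """Collapse "abc" + "def" (JScript) and "abc" & "def" (VBScript) so a
    payload split over many short literals is seen as one string."""
    script = re.sub(r'"\s*[+&]\s*"', "", script)
    return re.sub(r"'\s*[+&]\s*'", "", script)


def decode_candidates(literal: str):
    """Yield plausible decodings of a literal: as-is, hex, and base64."""
    yield "raw", literal.encode("latin-1", "ignore")
    compact = re.sub(r"\s", "", literal)
    if re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
        yield "hex", bytes.fromhex(compact)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        try:
            yield "base64", base64.b64decode(compact, validate=True)
        except binascii.Error:
            pass


def find_embedded_executables(script: str):
    """Return one finding per long string literal that decodes to data starting
    with the DOS 'MZ' magic or containing a PE stub string."""
    findings = []
    for match in LONG_LITERAL.finditer(join_concatenations(script)):
        literal = match.group(1) or match.group(2)
        for encoding, blob in decode_candidates(literal):
            if blob[:2] == b"MZ" or any(hint in blob for hint in PE_HINTS):
                findings.append({"encoding": encoding, "decoded_size": len(blob)})
                break
    return findings


# Constructed PE-like stub: DOS magic, padding and the DOS-mode string only.
FAKE_STUB = (b"MZ\x90\x00" + b"\x00" * 60
             + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 20)


def build_sample_loader() -> str:
    """A constructed JScript-style loader: filler functions plus the stub as
    base64, split into 40-character literals joined with '+'."""
    b64 = base64.b64encode(FAKE_STUB).decode()
    parts = " + ".join(f'"{b64[i:i + 40]}"' for i in range(0, len(b64), 40))
    filler = "\n".join(f"function f{n}(x) {{ return x * {n}; }}" for n in range(12))
    return f"{filler}\nvar blob = {parts};\nvar path = \"%TEMP%\\\\inv.exe\";\n"


# A harmless script with a long base64 literal that decodes to plain text.
BENIGN_SCRIPT = 'var banner = "' + base64.b64encode(
    b"Welcome to the internal portal. Please do not share this link outside the company."
).decode() + '";'


if __name__ == "__main__":
    print(find_embedded_executables(build_sample_loader()))   # one base64 finding
    print(find_embedded_executables(BENIGN_SCRIPT))           # []
```

The check is deliberately format-agnostic: it does not care whether the loader is JScript, VBScript or a macro dump, only whether a long literal decodes to something that starts like a PE file. It is a triage aid for a mail gateway or sandbox pre-filter, not a replacement for execution control on the endpoint, and a loader that XORs the payload or builds it from character codes would need a further decoding step.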

And with AppGuard installed on top of the security stack, this new Locky variant poses no real danger.

In my opinion, the next-generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows that it is simply install and forget.

With this, we gain valuable time for the right and important things, like implementing two-factor authentication or privileged account management, or designing effective security procedures and user training. Unfortunately, the paradigm shift from prevention to detection keeps us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

Webinar Digital Extortion: Will you pay the ransom?

27 July 2016

I attended the IBM Security Webinar “Digital Extortion: Will you pay the ransom?” this evening. Limor Kessem talked about the history of and the latest trends in ransomware. Robert Lelewski gave an overview of the means to guard against and to recover from ransomware attacks.

Robert Lelewski showed a really remarkable slide:

Train users to beware of threats

The message is simple: your users are the first line of defense. User training is the most effective means of combating cyber-attacks.

For more details, see the IBM ransomware landing page.

Have a good day.

Ten things every Airman must know

23 July 2016

This was a really exciting week. I got lots of phishing and spear phishing mails. Attached to the spear phishing mails were Trojan downloaders disguised as invoices. All downloaders were written in JavaScript and, as always, the actual download commands and URLs were hidden in a haystack of JavaScript function definitions. And the scripts were all zero-days! It seems as if the cyber criminals are back from a relaxing holiday.

Yesterday evening I started reading the Air Force Doctrine Document 3-12, Cyberspace Operations. The doctrine documents are definitely worth reading, in particular if one is developing a cyber defense strategy for a company or a governmental organization. Appendix A states the 10 Commandments of Cyber Security, which everyone should know:

  1. The United States is vulnerable to cyberspace attacks by relentless adversaries attempting to infiltrate our networks at work and at home – millions of times a day, 24/7.
  2. Our adversaries plant malicious code, worms, botnets, and hooks in common websites, software, and hardware such as thumbdrives, printers, etc.
  3. Once implanted, this code begins to distort, destroy, and manipulate information, or “phone” it home. Certain code allows our adversaries to obtain higher levels of credentials to access highly sensitive information.
  4. The adversary attacks your computers at work and at home knowing you communicate with the Air Force network by email or by transferring information from one system to another.
  5. As cyber wingmen, you have a critical role in defending your networks, your information, your security, your teammates, and your country.
  6. You significantly decrease our adversaries’ access to our networks, critical Air Force information, and even your personal identity by taking simple action.
  7. Do not open attachments or click on links unless the email is digitally signed, or you can directly verify the source—even if it appears to be from someone you know.
  8. Do not connect any hardware or download any software, applications, music, or information onto our networks without approval.
  9. Encrypt sensitive but unclassified and/or critical information. Ask your computer security administrator for more information.
  10. Install the free Department of Defense anti-virus software on your home computer. Your computer security administrator can provide you with your free copy.

Gen Norton A. Schwartz, Chief of Staff, US Air Force

“Defending Our Networks and Our Country”

If your company hasn’t communicated the 10 Commandments of Cyber Security to its employees yet, just adapt the above rules and off you go!

Have a good weekend.