Monthly Archives: August 2016

Security by Design

21 August 2016

On Friday afternoon I participated in a really interesting meeting. Some application managers had received a request from researchers to implement a new application to support pharmacological studies. The new application collects information from some business-critical applications. The researchers combine and enrich the information, evaluate the new information with numerical models and, if the results are promising, the new information is transferred back to the source systems.

As a result, it is very likely that the new application will create and store business-critical information, even if the information collected from the source systems may not be critical.

The application managers were particularly concerned about the impact of the security requirements on the usability and the development and operation costs of the application. Thus they decided to start the security discussion as early as during the development of the project proposal.

Great! That is the best phase to start with application security, indeed. Security by Design is the key to sustainable and cost-effective security. We had a very fruitful discussion about role concepts, clearance of users and encryption.

The application managers were actually surprised when I began talking about the solution life cycle. To talk about the solution life cycle during the development of the project proposal sounds really strange, but the architecture of a solution has a major impact on the security and the operation costs.

In R&D we talk about application lifetimes of 10 or more years. Over such a lifetime we have to change applications simply because application components are discontinued by the suppliers and need to be replaced by either newer versions of the same component or, in the worst case, by components from other suppliers. In addition, we have to apply an endless stream of security patches to all components, which leads to high effort in application operations.

If the application architecture does not support the easy replacement or patching of components we have to apply additional technical measures to secure the application, which leads to increased operation costs and complexity. Thus it makes sense to start talking about the solution life cycle as early as possible.

That reminds me of Dan Lohrmann’s post “Idea to retire: Cybersecurity kills innovation”, which was published in the Brookings TECHTANK blog some months ago:

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Now we have to convince the research department to spend some additional effort and time during the development of the project proposal to build a really innovative application.

Have a good weekend.

France says fight against messaging encryption needs worldwide initiative

13 August 2016

The report “France says fight against messaging encryption needs worldwide initiative”, published on Reuters technology news last Thursday, is truly worrying.

“Messaging encryption, widely used by Islamist extremists to plan attacks, needs to be fought at international level, French Interior Minister Bernard Cazeneuve said on Thursday, and he wants Germany to help him promote a global initiative.”

I can, of course, understand the motivation of the French Interior Minister. He must do his utmost to protect France from further terrorist attacks.

“French intelligence services are struggling to intercept messages from Islamist extremists who increasingly switch from mainstream social media to encrypted messaging services, with Islamic State being a big user of such apps, including Telegram.”

Although the French Interior Minister has not requested decryption options from service providers yet, the direction of a Franco-German initiative is, from my point of view, clear: service providers shall make decryption options available to national police and intelligence and security services.

With this, some attacks can certainly be prevented, but on the other hand, it puts many innocent people who care about civil rights in authoritarian regimes at risk.

In “Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers”, published in Reuters CYBERSECURITY on 2 August 2016, Joseph Menn and Yeganeh Torbati reported that Iranian hackers compromised accounts on Telegram.

The security researchers who researched the attack said that “… the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.”

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

That is precisely the problem when national security services demand decryption options from service providers: The information can be used to prevent terrorist attacks, as well as for violent actions against dissidents among the citizens. Hopefully the German Interior Minister will remember the recent German history (Stasi) and reject those demands once and for all.

By the way, end-to-end encryption is just the convenient way of communicating securely. Terrorists can turn to less convenient, but highly secure encryption options like PGP. With this, the French initiative no longer makes sense because the messages are encrypted before they are transported to the service provider. End-to-end encryption is not even required.

Even though it is apparent from the context, Benjamin Franklin’s quote about liberty and safety fits very well here:

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.

Have a good weekend.

O2 not hacked – O2 customers victims of cybercrime

6 August 2016

On 26 July, the Register reported that “Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web.” The BBC Victoria Derbyshire Programme and Graham Cluley published similar reports.

All reports made clear that O2 has not been hacked. The BBC reports that “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as “credential stuffing”.”

Poor user habits, like recycling of usernames and passwords, are indeed a major problem. But in my opinion many service providers are at least co-responsible because they do not sufficiently protect their customers’ account details.

Many service providers still have not enforced Two-Factor Authentication (TFA), although this technology is easy to implement and to use, in particular for high-tech businesses like O2. Even if account details are stolen, the likelihood of cyber-crime is dramatically reduced because the cyber-criminals have no access to the second factor.
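The following is an added example, not part of the original post: a minimal login check showing why a password reused from another breached site is enough for a password-only service, but not once a time-based one-time code (TOTP, RFC 6238) is required. The account, password and function names are constructed for illustration; the TOTP secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

SALT = b"constructed-salt"
# Constructed sample account; the password stands in for one leaked elsewhere.
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Summer2013!", SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    }
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login(user: str, password: str, code, now: int, require_tfa: bool = True) -> bool:
    """Return True only if the password and, when enforced, the TOTP code match."""
    account = USERS.get(user)
    if account is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return False
    if not require_tfa:
        return True  # password-only service: the reused password is sufficient
    if code is None:
        return False  # stolen credentials alone do not carry a second factor
    # Accept the current and the previous time step to tolerate clock drift.
    valid = [totp(account["totp_secret"], now - drift) for drift in (0, 30)]
    return any(hmac.compare_digest(code, v) for v in valid)

if __name__ == "__main__":
    now = 59  # fixed timestamp so the result is reproducible
    print("password only, no TFA :", login("alice", "Summer2013!", None, now, False))
    print("password only, TFA on :", login("alice", "Summer2013!", None, now))
    print("password + valid code :", login("alice", "Summer2013!", totp(b"12345678901234567890", now), now))
```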

From my point of view it is time that the regulatory authorities finally do their job and protect citizens and businesses from cyber-crime. We need a European regulation which makes the use of TFA compulsory for all service providers. Unfortunately, this will not have any impact on the O2 customers because of Brexit …

Have a good weekend.