Category Archives: Opinion

Critical Wormable Vulnerability CVE-2019-0708 patched. Is the world a safer place now?

19 May 2019

Microsoft released (1) a patch for the critical remote code execution vulnerability CVE-2019-0708 (2) in Remote Desktop Services on May 14th, 2019. The vulnerability is wormable: malware that exploits it can spread from one vulnerable computer to the next, the way WannaCry did in 2017. Fortunately, only Windows XP, Windows 2003 Server, Windows 7 and Windows 2008 Server are impacted.

How big is the problem?

A Shodan search shows that about 30% of the Windows 2008 server systems directly connected to the internet are impacted. The Windows 2003 problem is much larger although Microsoft stopped the extended support for this version in July 2015.

Table 1: CVE-2019-0708 Impacted Systems. Source: Shodan. Data generated: 5/19/2019 7:30 pm

How to mitigate?

Since CVE-2019-0708 is a remote code execution vulnerability, patches or other mitigating measures should be applied immediately.

Microsoft provided patches with the May 2019 patch set, even for Windows 2003 Server and Windows XP, to prevent similar effects to that of WannaCry on the global economy. As an immediate step, Microsoft recommends deactivating RDP access to the impacted systems.
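The following PowerShell script is an added example and not part of the original post. It reports whether a host belongs to one of the Windows families the post names as affected, whether Remote Desktop is switched on and reachable, and whether a given update is installed; `Disable-RdpAccess` applies the immediate step the post quotes from Microsoft. Assumptions: an elevated session on Windows 7 / Server 2008 R2 or later with PowerShell 3.0 or newer (`Get-CimInstance`), and the KB identifier is a placeholder that has to be replaced with the update id for this OS from the Microsoft advisory. The Network Level Authentication flag is reported because Microsoft's advisory names NLA as a partial mitigation for the Windows 7 / 2008 family; the post itself only mentions deactivating RDP.

```powershell
# Added example, not from the original post. Reports exposure to CVE-2019-0708 on this host
# and offers the mitigation Microsoft recommends as an immediate step (switch RDP off).
# Assumptions: elevated session, PowerShell 3.0+, placeholder KB id (see lead-in).

$affectedKernels = @{          # kernel version -> family named in the post
    '5.1' = 'Windows XP'
    '5.2' = 'Windows Server 2003'
    '6.0' = 'Windows Server 2008'
    '6.1' = 'Windows 7 / Windows Server 2008 R2'
}
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-Cve20190708Exposure {
    param([string]$PatchKb = 'KB0000000')   # placeholder: take the real id from the Microsoft advisory
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $kernel = ($os.Version -split '\.')[0..1] -join '.'
    $family = $affectedKernels[$kernel]      # $null when the kernel is not in the list
    $ts     = Get-ItemProperty -Path $tsKey
    # fDenyTSConnections = 1 means Remote Desktop is off. UserAuthentication = 1 means NLA is
    # required, which Microsoft's advisory lists as a partial mitigation for the 7 / 2008 family.
    $nla    = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue).UserAuthentication
    $listen = [bool](netstat -an | Select-String -Pattern ':3389\s+.*LISTENING')
    [pscustomobject]@{
        Caption           = $os.Caption
        Kernel            = $kernel
        AffectedFamily    = $family
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($nla -eq 1)
        Port3389Listening = $listen
        PatchInstalled    = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    }
}

function Disable-RdpAccess {
    # Microsoft's immediate step: turn Remote Desktop off and close the inbound firewall rule group.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
}

$report = Get-Cve20190708Exposure
$report | Format-List
if ($report.AffectedFamily -and $report.RdpEnabled -and -not $report.PatchInstalled) {
    Write-Warning "Affected OS ($($report.AffectedFamily)) with RDP on and no patch recorded: install the May 2019 update or run Disable-RdpAccess."
}
```

`netsh` and the registry path are used instead of the `NetSecurity` cmdlets so the script also runs on Windows 7 and Server 2008 R2, where those cmdlets do not exist. On Windows XP and Server 2003 PowerShell is usually not available at all, so those hosts have to be checked through the Shodan data or an inventory tool, as the post does.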

Is the world a safer place now?

Far from it. A brief analysis shows that many of the impacted systems provide applications based on a WAMP technology stack (Windows, Apache, MySQL, PHP). And in many cases remote code execution vulnerabilities in Apache or PHP are not patched. With this, the overall security level remains as bad as before Microsoft released the patches.

Without vulnerability and application life cycle management, such problems cannot be solved. Apache, MySQL and PHP can be operated on top of an outdated Windows OS, but critical vulnerabilities in these components must be patched promptly to avoid, in the worst case, a large financial impact.

The Equifax data breach from 2017 is just one example. In this case an unpatched remote code execution vulnerability in the Apache Struts framework opened the door for the attackers. Equifax (3) estimates that it has spent $1.4 billion so far to recover from the breach.

Have a great week.


  1. MSRC Team. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC [Internet]. 2019 [cited 2019 May 19]. Available from:
  2. NIST NVD. NVD – CVE-2019-0708 [Internet]. 2019 [cited 2019 May 19]. Available from:
  3. Olenick D. Equifax data breach recovery costs pass $1 billion [Internet]. SC Media. 2019 [cited 2019 May 19]. Available from:

The Costs of Doing Application Life Cycle Management Not Right

12 May 2019

For the following text, let us assume that we created a fictional application named Our Awesome App (OAA) on the basis of the Microsoft technology stack. OAA runs on top of the Windows 2008 R2 Server OS. Microsoft stops the support for this version in January 2020, thus we may have some migrations to do.

What is application lifecycle management?

“Application lifecycle management (ALM) is a continuous process of managing the life of an application through governance, development and maintenance.” (1)

I prefer this brief definition of ALM of 2010 although the current Wikipedia definition(2) is more comprehensive.

It is the restriction to applications that creates the trouble in both definitions because applications are bound to a Web or Technology Stack.(3)

Technology Stack

Each product in the technology stack has a life cycle, usually independent of the life cycle of the other layers and of OAA. With this, application life cycle management cannot be considered independently from the technology stack. Even if no development takes place on the application layer, changes in the technology stack might demand changes in the application.

Usually, ALM deals with layers 1 to 4 of the technology stack. Neither the database nor the server is in the focus of ALM. For the LAMP (Linux, Apache, MySQL, PHP) stack, this creates no big trouble because the middleware (Apache) and the database (MySQL) are largely immune to changes in the Linux OS.

Microsoft Technology Stack

But in the case of OAA we face some trouble because the Internet Information Server (IIS 7.5) is a component of the Windows 2008 R2 Server OS. A change in the server OS might have a great impact on the application.

What’s the trouble with the Windows 2008 R2 Server end of life?

Every day new vulnerabilities in IT products are published. All layers in the technology stack are impacted. The Windows update service takes care that newly detected vulnerabilities on layers 2 – 5 are automatically patched because we built OAA on top of the Microsoft technology stack. So, the application manager has to deal only with vulnerabilities in OAA.

Microsoft no longer provides patches once a product has reached the end of its life. But new vulnerabilities in such products are still discovered and published. This increases the number of unpatched vulnerabilities on the server and middleware layers. With this, the security level of the whole network is lowered, because unpatched Windows systems facilitate, in the worst case, the propagation of malware like WannaCry or NotPetya.

What’s the trouble with application life cycle management?

ALM is a tedious and costly task. Getting ALM right requires continuous study of the life cycle of all products in the technology stack and continuous planning, development, integration and testing across all layers of the application stack. Therefore, application managers often care only about the first layer. Developers are responsible for the second, the third and, to some extent, also for the fourth layer. Someone from IT operations takes care of layers 4 to 6, but no one looks after the entire technology stack.

Eventually, someone realises that some hundred Windows 2008 R2 Servers are still in operation, with only a few months left for migration. Migrating applications including the middleware is a lengthy process. Thus, the obvious choice is to spend some money on extended support, just to buy time to get the migrations done.

What are the costs for extended support?

For the following calculation, let us assume that 20 Windows 2008 R2 servers running the Datacenter Edition and 400 servers running the Standard Edition are still in use. The price for extended on-premise support is 75% of the full license price of the latest Windows server version per year, provided either software assurance or a subscription is available.(4) Let us assume that the IT team works hard on the migrations and the number of servers to go is reduced every year.

A brief sample calculation based on the regular price sheet(5) shows that a large amount of money is spent just for some security patches.

Sample Windows 2008 Server Extended Support Calculation

It is very important to note that these expenses are unplanned costs. They reduce the company’s earnings. Fortunately, this cost can be avoided if ALM is extended to the whole technology stack.

How to tackle the application life cycle management challenge?

(1) Move the accountability for ALM to the board.

The board is accountable for revenues and earnings. Since unplanned expenses for ALM lower the earnings the CFO should take control.

(2) Embed ALM in your daily business.

ALM is no project. It is a continuous activity that requires coordinated planning across all stakeholders in the business and IT groups. The application development budget should be extended to cover cost caused by changes in the technology stack.

(3) Start early, at least 2 years before the end of life of a product.

Minimize down times to keep the users happy.

(4) Set up and maintain an asset repository.

The asset repository should provide details on the technology stack of each application and the interfaces between applications. If the repository is up to date, it takes only a few minutes to get an idea of the effort associated with the next life cycle change.

(5) Develop a concept for applications that cannot be migrated.

In some application areas, such as manufacturing, it is often not possible to migrate to newer versions in due time, for example due to technical restrictions by the vendor. For these applications, concepts must be developed to ensure secure operations beyond the end of life of tech stack components.

(6) Develop an application design guide to simplify ALM and security operations.

Applications should be developed such that they are to a large extent immune against changes in the technology stack. Procurement should take care that off-the-shelf solutions comply with the guidelines.

(7) Foster the change towards DevOps in the IT organisation.

DevOps teams should be responsible for the entire technology stack. At least the testing process should be automated. This will speed up the rollout of security patches as well.

By the way, Microsoft announced the end of life of Windows 2012 R2 Server for 2023. This change will also affect the whole technology stack, thus start at least in 2021 with preparations.

Have a great week.


1. Appelo J. Agile Application Lifecycle Management (ALM) [Internet]. Business presented at; 2010 Nov 22 [cited 2019 May 7]. Available from:

2. Application lifecycle management. In: Wikipedia [Internet]. 2019 [cited 2019 May 7]. Available from:

3. Rouse M. What is Web stack? – Definition from [Internet]. 2012 [cited 2019 Apr 29]. Available from:

4. Microsoft. Extended Security Updates for Windows Server 2008 and SQL Server 2008 End of Service FAQ [Internet]. 2019. Available from:

5. Microsoft. Windows Server 2019 Licensing & Pricing | Microsoft [Internet]. Microsoft Cloud-Platform – US (English). [cited 2019 Apr 29]. Available from:

Petition 89913: General speed limit of 130 km/h on German motorways

17 March 2019

In the WEF Global Risk Report 2019, the risk "Failure of climate-change mitigation and adaptation" is ranked among the top 5 risks at position 2, both by likelihood and by impact, ahead of the risk "Cyber-attacks".

We need change!

A 130 km/h limit on German motorways can contribute to meeting Germany's CO2 reduction targets. This measure takes effect immediately, comes with low implementation costs and has no impact on the networked logistics in Germany and Europe. Which measure in the IT security field can claim that?

Please help. Support Petition 89913: Straßenverkehrs-Ordnung – Generelles Tempolimit von 130 km/h auf deutschen Autobahnen (Road Traffic Regulations: general speed limit of 130 km/h on German motorways). Details here:

Thank you!

The 5G security debate in Germany gains momentum

2 February 2019

Report ‘Deutsche Telekom proposes steps to make 5G safe as Huawei debate rages’ (1) published on January 30, 2019 by Reuters Technology News makes clear that at least the German government and the Deutsche Telekom started to discuss 5G security issues.

“Deutsche Telekom takes the global debate on the security of network equipment from Chinese providers very seriously,” the company said in a statement that spelled out three confidence-building measures.

“The company, which is nearly one-third state owned, proposed that all critical infrastructure should be independently certified before deployment by an independent laboratory under state oversight.”

That sounds good.

“It also called for network equipment makers to submit the source code that runs their equipment to a trusted third party. Under certain circumstances, an operator would be able to gain access to address any security vulnerabilities.”

From my point of view, this is not sufficient to increase trust in Huawei’s hardware and software. Moreover, it is also not enough to investigate Huawei hardware and software only. When it comes to matters of national security, we should trust no network equipment supplier.

Hardware and source code of all vendors must be verified by an independent organization. Only verified hardware and software versions are approved for installation and operation. In addition, a technical testing organization must oversee the installation of hardware and software to make sure that only verified components are installed.

I strongly recommend that the German government establish an independent firm for certifying the software and hardware of every network equipment supplier involved. A trusted German partner should hold a share of at least 51% in this company. The goal of this company is not spying on the suppliers’ know-how, but creating trust in a critical infrastructure.

View on Saargau from 49.596700, 6.618173

Without trust in the 5G network infrastructure, service providers will not take full advantage of the technology. This will set back digitalization in Germany, and thus the German economy, by years. Internet access at 2 MBit/s, the standard in the rural German region Saargau, is definitely not enough to be competitive in the long term, let alone for self-driving cars or remote surgery.

Enjoy the view on Saargau.


1. Busvine D, Rinke A. Deutsche Telekom proposes steps to make 5G safe as Huawei debate rages. Reuters [Internet]. 2019 Jan 30 [cited 2019 Feb 2]; Available from:

Concern about data security in the 5G mobile network – Berlin considers excluding Huawei from the network build-out

20 January 2019

For several weeks, press reports have been mounting about doubts regarding the trustworthiness of the Chinese 5G technology supplier Huawei. Australia(1) and New Zealand(2) have already excluded Huawei as a technology supplier; the United Kingdom(3) has serious doubts about the data security of Huawei technology.

In Germany, too, excluding Huawei from the 5G mobile network build-out is under discussion. Friedolin Strack, spokesman of the management board of the Asia-Pacific Committee of German Business (Asien-Pazifik-Ausschuss der Deutschen Wirtschaft), raises the question of trust in an interview with Felix Rohrbeck in Die Zeit No. 1/2019(4): „It would be nonsense to exclude companies like Huawei from European contracts on principle. But in the particularly sensitive area of the new mobile network infrastructure, one really has to ask which partners can be trusted.“

In the interview, Friedolin Strack offers approaches for creating secure communication networks: “Concretely, there are two ways to guarantee secure telecommunication networks in Germany: first, through the design of the tenders for the allocation of the 5G frequencies. Or one simply amends the Telecommunications Act and obliges the operators to use technologies that guarantee data security. That is how Australia solved it, for example.”

“Technologies that guarantee data security”: that sounds promising, but it cannot “simply” be achieved by law. Moreover, it is not clear what data security means in the context of the 5G platform.

The BSI Glossary of Cyber Security (Glossar der Cyber-Sicherheit) defines data security(5) as follows:

“Data security denotes the protection of data with respect to given requirements for its confidentiality, availability and integrity. A more modern term for this is information security.”

Friedolin Strack reduces data security to confidentiality. From the perspective of German industry, this is understandable. The protection of intellectual property is the basis for the success of German companies on the world market.

In the context of the 5G platform, confidentiality is relevant mainly on two levels:

  1. Guaranteeing the confidentiality of subscriber data.
  2. Guaranteeing the confidentiality of the payload data that subscribers exchange over the platform with other subscribers or service providers.

The confidentiality of subscriber data must be guaranteed by the service providers. Ideally, the supplier of the platform technology should not need to access subscriber data at all.

Technologies for securing the confidentiality of payload data are well known and can be implemented independently of the platform. End-to-end encryption(6) is the preferred solution. Here, encryption and decryption of the information take place on the subscribers' end devices. As long as the platform operator has no access to the keys, confidentiality is guaranteed.

A prerequisite for end-to-end encryption is the provision of a secure key management authority that enables online identity verification of subscribers and provides the subscribers' public keys for encryption.

Fast, nationwide internet access is the prerequisite for successful digitalization and the implementation of Industrie 4.0 in the German economy. In addition, the 5G platform provides the infrastructure for smart-grid applications in the energy sector, smart-car and connected-car applications and self-driving vehicles in the transport sector, e-health applications in healthcare, and so on.

5G Security

In this context, data integrity and availability of the platform are of paramount importance, because their loss can lead to the loss of functional safety. Falsified energy consumption data from the smart grid can lead to widespread and long-lasting power outages if grid operators make wrong decisions based on this data. A platform outage can bring the entire self-driving transport fleet to a standstill, and so on. Ultimately, the loss of data security of the 5G platform endangers the national security of Germany.

The 5G platform and all its services are critical infrastructures (KRITIS) and are therefore subject to the provisions of the German IT Security Act (IT-Sicherheitsgesetz). Are the requirements of the IT Security Act sufficient when it comes to questions of national security?

The consideration of excluding Huawei as a technology supplier for the 5G platform is therefore justified. However, we must also ask this question of American or European technology suppliers: when it comes to questions of national security, we must trust no supplier.

In my view, neither the design of the tenders for the allocation of the 5G frequencies nor an amendment of the Telecommunications Act is sufficient to guarantee data security. The approach of the Chinese government to securing foreign know-how is the third, promising way:

  1. Every technology supplier must enter into a partnership with a German company in which the German company holds 51% of the shares. The goal of the partnership is not the transfer of know-how to the German partner, but guaranteeing the data security of the 5G platform.
  2. The technology supplier contributes all software, including source code, and all hardware to the company.
  3. Germany's best IT specialists certify the hardware and software, draw up the concept for the secure operation of the 5G platform and verify its implementation.
  4. The technology supplier uses only the certified hardware and software to build the 5G infrastructure in Germany.

This delays the introduction of the 5G platform somewhat, but drastically reduces the probability of a loss of data security.

In parallel with the build-out of the 5G infrastructure, the key management authority must be provided. This guarantees that users can communicate securely regardless of the platform (3G, LTE, 4G, etc.). If, in addition, all e-mails are digitally signed, password phishing attacks are no longer possible.

Furthermore, research into new cryptographic methods must be intensified immediately. The public-key methods in use today are no longer secure in the age of quantum computers.
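The following PowerShell script is an added example, not part of the original post, and models the end-to-end scheme just described with .NET RSA: a key authority publishes the public keys of verified subscribers, encryption and decryption happen on the two subscriber "devices", and a platform relay in the middle only forwards ciphertext it cannot read. Assumptions: Windows PowerShell 5.1 or PowerShell 7; the identities, the relay and the key authority are constructed in-memory stand-ins, the identity verification the post requires is assumed to have taken place at registration, and RSA-OAEP is applied directly to a short message for brevity where a real system would encrypt a symmetric key this way.

```powershell
# Added example, not from the original post: in-memory model of end-to-end encryption with a
# key authority that holds public keys only. Identities and the relay are constructed stand-ins.

$keyAuthority = @{}   # identity -> published public key (XML); private keys never enter it

function Register-Subscriber {
    param([string]$Identity)
    # Key pair is generated on the subscriber's device; only the public part is published.
    $device = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    $keyAuthority[$Identity] = $device.ToXmlString($false)   # $false = public part only
    return $device                                            # private key stays on the device
}

function Get-PublishedKey {
    param([string]$Identity)
    if (-not $keyAuthority.ContainsKey($Identity)) { throw "no verified key for $Identity" }
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.FromXmlString($keyAuthority[$Identity])
    return $pub
}

function Protect-Message {
    param([string]$From, $FromDevice, [string]$To, [string]$Text)
    $plain = [Text.Encoding]::UTF8.GetBytes($Text)
    [pscustomobject]@{
        From       = $From
        To         = $To
        Ciphertext = (Get-PublishedKey $To).Encrypt($plain, $true)   # $true = OAEP padding
        Signature  = $FromDevice.SignData($plain, 'SHA256')         # proves the sender's identity
    }
}

function Unprotect-Message {
    param($Envelope, $ToDevice)
    # Decrypt with the recipient's private key, then verify the sender's published key signed it.
    $plain = $ToDevice.Decrypt($Envelope.Ciphertext, $true)
    if (-not (Get-PublishedKey $Envelope.From).VerifyData($plain, 'SHA256', $Envelope.Signature)) {
        throw "signature of $($Envelope.From) does not verify"
    }
    [Text.Encoding]::UTF8.GetString($plain)
}

function Invoke-PlatformRelay {
    param($Envelope)
    # The operator sees sender, recipient and ciphertext length, nothing else, and forwards unchanged.
    Write-Host ("relay: {0} -> {1}, {2} bytes of ciphertext" -f $Envelope.From, $Envelope.To, $Envelope.Ciphertext.Length)
    return $Envelope
}

$alice = Register-Subscriber 'alice@example.com'
$bob   = Register-Subscriber 'bob@example.com'
$envelope  = Protect-Message -From 'alice@example.com' -FromDevice $alice -To 'bob@example.com' -Text 'meter reading 4711 kWh'
$delivered = Invoke-PlatformRelay $envelope
Unprotect-Message -Envelope $delivered -ToDevice $bob
```

The two properties the post asks for are visible in the code: the relay never receives a private key, so it cannot decrypt, and the key authority only answers the question "which public key belongs to this verified identity", which is what makes the signature check on the receiving side meaningful.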


  1. ITV News. Australia bans Huawei from 5G network over security concerns [Internet]. ITV News. 2018 [cited 2019 Jan 20]. Available from:

  2. Jolly J. New Zealand blocks Huawei imports over ‘significant security risk’. The Guardian [Internet]. 2018 Nov 28 [cited 2019 Jan 20]; Available from:

  3. Taylor C. UK defense minister admits “grave concerns” over Huawei 5G equipment [Internet]. 2018 [cited 2019 Jan 20]. Available from:

  4. Rohrbeck F. China: „Das ist ein gehöriges Sicherheitsrisiko“. Die Zeit [Internet]. 2018 Dec 29 [cited 2018 Dec 29]; Available from:

  5. Bundesamt für Sicherheit in der Informationstechnik. BSI – Glossar der Cyber-Sicherheit [Internet]. Glossar der Cyber-Sicherheit. [cited 2019 Jan 6]. Available from:

  6. Ende-zu-Ende-Verschlüsselung. In: Wikipedia [Internet]. 2018 [cited 2019 Jan 6]. Available from:

Windows Applocker – The almost forgotten IT security workbench

5 January 2019

Dridex[1], Emotet[2], Locky[3], Destover[4], Petya[5], NotPetya, etc. share one feature: they are droppers[6]. A dropper installs malware on a target system and then executes it.

Droppers are delivered mainly by e-mail through phishing or spear phishing attacks. Since they are continuously refined to evade malware detection, the fight against droppers never stops.

The Achilles heel of droppers is that they are executed in the context of the current user during delivery. With this, the dropped malware can only be stored in locations where the user has modify privileges, e.g. the user’s home directory.

Seven Phases Cyber Kill Chain

If we can prevent the execution of objects from e.g. the user’s home directory, the dropper can never execute the installed malware. With this we can block the malware during the delivery / exploitation phase of the Cyber Kill Chain, before the attacker becomes persistent in our network.

That is the idea behind Windows Applocker[7]. The Applocker default rules allow the execution of programs, scripts and DLLs only from trusted directories, e.g. C:\Program Files, C:\Program Files (x86), or C:\Windows. If activated, Applocker stops the execution of programs and scripts outside these trusted directories and thus Dridex, Emotet, Locky, Destover, etc.

But Applocker does more than blocking droppers. DLL injection is prevented if DLL rules are enforced; I strongly recommend enforcing the DLL rules from the start. Drive-by downloads, PuA, PuP and adware are blocked. Even the exploitation of zero-days like the latest Adobe PDF security flaw, CVE-2018-16011[8], can be mitigated. The entire network becomes more resilient against cyber attacks.

Applocker is perfectly suited to enhancing resilience against cyber attacks in production networks and critical infrastructures. In particular in GxP regulated industries, Applocker is worth a look. Since Applocker is integrated in the Windows OS, validation of a third-party whitelisting application is not required.

Applocker can be enforced on Windows Enterprise Edition installations (starting with Windows 7) with local group policies. To lower the administrative effort, it is recommended to join the computers to a domain and enforce the Applocker rules through group policies.
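The following PowerShell script is an added example; it is not part of the original post and not Microsoft's own default rule set. It builds an AppLocker policy whose path rules mirror the defaults described above (execution from the Program Files and Windows folders only, administrators unrestricted), enforces it for the EXE, Script and DLL collections as the post recommends, tests a file in the user's profile against it, and pulls the block events that a SIEM would collect. Assumptions: Windows 7 Enterprise or later in an elevated session, the local policy (on domain members import the same XML into a GPO instead), rule ids generated on the spot, and a constructed test path under the user's Downloads folder where any executable has to be placed before the test runs.

```powershell
# Added example, not from the original post: AppLocker policy with path rules equivalent to
# the default rules, enforced for EXE, Script and DLL, plus a dry-run test and event query.
# Assumptions: elevated session, local policy, generated rule ids (see lead-in).

function New-TrustedPathPolicyXml {
    param([string[]]$Collections = @('Exe', 'Script', 'Dll'))
    $everyone = 'S-1-1-0'        # well-known SID: Everyone
    $admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators
    # AppLocker path variables; %PROGRAMFILES% covers both Program Files and Program Files (x86).
    $trusted  = @('%PROGRAMFILES%\*', '%WINDIR%\*')
    $rule = '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow"><Conditions><FilePathCondition Path="{3}"/></Conditions></FilePathRule>'
    $xml = '<AppLockerPolicy Version="1">'
    foreach ($c in $Collections) {
        # EnforcementMode="Enabled" blocks; "AuditOnly" would only log what would be blocked.
        $xml += "<RuleCollection Type=`"$c`" EnforcementMode=`"Enabled`">"
        foreach ($p in $trusted) { $xml += $rule -f [guid]::NewGuid(), "Allow $c from $p", $everyone, $p }
        $xml += $rule -f [guid]::NewGuid(), "Administrators: all $c files", $admins, '*'
        $xml += '</RuleCollection>'
    }
    $xml + '</AppLockerPolicy>'
}

$policyFile = Join-Path $env:TEMP 'applocker-trusted-paths.xml'
New-TrustedPathPolicyXml | Set-Content -Path $policyFile -Encoding UTF8

# Rules are only enforced while the Application Identity service runs.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply to the local policy, merging with rules that already exist.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Dry run: what does the policy decide for an executable in a user-writable location?
$candidate = Join-Path $env:USERPROFILE 'Downloads\sample.exe'   # constructed path; put any .exe here first
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidate -User 'Everyone' |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Detection: event 8004 in this log records every blocked EXE or DLL (8003 in audit-only mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Running the policy in `AuditOnly` mode first and reviewing the 8003 events is the usual way to find the user-context applications the post mentions (Teams, OneDrive) before switching to `Enabled`; the exceptions for them are then added as further rules in the same XML and rolled out through the GPO.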

Unfortunately, Microsoft compromises the Applocker approach with tools like Teams and OneDrive. Both are installed in the user context and thus will be blocked by Applocker. Since Applocker allows the definition of exceptions and their rollout with group policies, such applications can be handled with manageable effort.

Besides modern applications at least two cyber security sins reduce the effectiveness of Applocker.

  • Users work with permanent admin privileges.

In this case the dropper can install the malware in trusted directories. Working with permanent admin privileges is one of the IT security deadly sins and should be avoided anyway.

  • Users have modify access to trusted directories and files.

Check trusted directories and files with AccessEnum. If objects can be modified by users, either change the ACLs or define an Applocker exception for them.
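The following PowerShell script is an added example, not part of the original post, and is a scripted stand-in for the AccessEnum check just described: it walks the AppLocker-trusted directories and reports every directory or file on which an ordinary user principal holds a right that allows writing. Assumptions: an elevated session so that every ACL is readable, and a list of "user" principals that covers the usual built-in groups and may need additions for local groups in your environment.

```powershell
# Added example, not from the original post: find objects under the trusted directories that
# non-admin users can modify, which is the condition that lets a dropper bypass the path rules.
# Assumptions: elevated session; principal list may need local additions (see lead-in).

$trustedRoots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$userPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these bits on an Allow ACE lets the principal change or replace content.
$writeRights    = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, ChangePermissions, TakeOwnership'

function Find-UserWritableTrustedObjects {
    param([string[]]$Roots = $trustedRoots)
    foreach ($root in $Roots) {
        $items = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($userPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = Find-UserWritableTrustedObjects
$findings | Format-Table -AutoSize

# Remedy, as the post says: tighten the ACL or add an AppLocker exception for the path.
# ACL route for one finding (constructed example path): remove the Users grant on that object.
#   icacls "C:\Program Files\SomeVendor\plugins" /remove:g "BUILTIN\Users"
```

Walking the whole Windows folder takes a while; start with `Find-UserWritableTrustedObjects -Roots $env:ProgramFiles` and extend from there. Expect a handful of hits under `%SystemRoot%` that Windows itself needs to be user-writable (the temp and task folders); those are the cases where an AppLocker exception, not an ACL change, is the right fix.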

Applocker provides great capabilities to enhance the resilience of organizations against cyber attacks. Just give it a try in 2019.

Have a great weekend.


  1. Proofpoint Threat Insight. High-Volume Dridex Banking Trojan Campaigns Return [Internet]. 2017 [cited 2018 Dec 29]. Available from:
  2. Villaroman BC. Spoofed Banking Emails Arrive with EMOTET Malware [Internet]. TrendMicro Threat Encyclopedia. 2018 [cited 2019 Jan 4]. Available from:
  3. Avast Threat Intelligence Team. A closer look at the Locky ransomware [Internet]. Avast Blog. 2016 [cited 2018 Dec 29]. Available from:
  4. Gallagher S. Inside the “wiper” malware that brought Sony Pictures to its knees [Update] [Internet]. Ars Technica. 2014 [cited 2018 Dec 29]. Available from:
  5. Malwarebytes Labs. Keeping up with the Petyas: Demystifying the malware family [Internet]. Malwarebytes Labs. 2017 [cited 2018 Dec 29]. Available from:
  6. Rouse M. What is dropper? – Definition from [Internet]. 2015 [cited 2019 Jan 5]. Available from:
  7. Lich B, Poggemeyer L, Justinha. AppLocker (Windows 10) [Internet]. Windows IT Pro Center. 2017 [cited 2019 Jan 5]. Available from:
  8. The Hacker News. Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader [Internet]. Vulners Database. 2019 [cited 2019 Jan 4]. Available from: