Blog posts by Joerg Resch

Blog

Data Leakage Prevention - Something (not only) Swiss Banks Should have a Closer Look Into

It has been in the press and Martin already wrote something in his blog about it - German tax authorities have been approached by various individuals who want to sell information about Germans who hold bank accounts at some Swiss banks, like Credit Suisse and UBS. I don't want to go into the discussion whether such a deal, where the government buys "stolen" data (I put it into quotation marks, because over here, data are not a thing and only things can be stolen) from somebody, is immoral or not. But it certainly is pushing the market for customer information, if its value becomes as visible as...

Blog

"Our Systems are Secure"

I love this kind of statement. It contains total ignorance of the fact that security is not an absolute value and that it should take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DeHSt - Deutsche Emissionshandelsstelle), who said this, after a successful phishing attack had caused a damage of 3 million euros to some of the companies using this platform to trade their emission permits. Imagine - a trading platform where "real" money is being moved - with just...

Blog

Is History-Stealing a Crime?

In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to know exactly who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, we might soon see broad use. Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but in German criminal law (§ 202a StGB, Ausspähen von Daten), data theft is a...

Blog

De-Anonymizer Self-Test

Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member of 5 groups at Xing, but active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird! [Figure: De-Anonymizer Test Result]

Blog

Identification through "Social Pattern Recognition"

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify the person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is just exploit the browser history to find out which social networks the user is a member of and to which groups he or she has subscribed within that social network. The combination of memberships in different groups seems to be nearly as unique as a...

Blog

1-day eema-Workshop: Role Life Cycle Management and IAM - 5 March 2009

This meeting is a one-day event aimed at Ascure, Belgium and is organized in cooperation with Kuppinger Cole and EEMA. This workshop will discuss the approach and importance of setting up Role Life Cycle Management in your IAM program. Currently many enterprises are investing in having a dynamic RBAC role model but forget to organize themselves by putting in place a framework for their role model. Role Life Cycle Management has everything to do with vision and strategy and is closely related to GRC issues. In this workshop our customers are central and we will focus on their issues,...

Blog

Yubikey - New Hardware for Strong Authentication

Recently I came across YubiKey, which is a hardware token generator from a young Swedish company called Yubico. YubiKey is a small and slim USB device with just one button. If you push it, the device produces a one-time password and sends it to the server. Compared to token generators in card format, you don't need to manually enter your one-time password through a computer keyboard anymore, which makes YubiKey unreachable for trojans directly listening to keyboard entries. One more remarkable thing is that Yubico offers an identity platform for their device, which already contains an...

Blog

CardSpace "hacked"?

I'm definitely amongst the last ones to join the crowd blaming German universities for lagging behind international standards with regards to their educational programs, especially in the fields of technology and computer science. But reading this press release, issued by the Faculty of Network and Data Security at University Bochum (sorry, the English version of their website seems not to work), makes me think. The press release says that two students of said faculty "broke" Microsoft's CardSpace through some kind of man-in-the-middle attack, where they took over an existing session...

Blog

Is GRC something different in Europe than it is in the US?

Today I listened to a podcast where Kevin Cunningham and Darran Rolls from Sailpoint Software talk in an interview with Jackie Gilbert about the impressions they brought back home from EIC 2008. Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world and SOX is not the only framework responsible for this increase. I think it was Kevin who mentioned one...

Blog

Mike Small's Keynote at EIC 2008

If you put together 40 years of experience in the computer industry, an extra portion of extra-dry British humor and excellent thought leadership, you'll get the right mix to really understand whether Security, Privacy and Trust are a mission impossible. Thank you Mike Small (CA) for this great keynote.
