Blog posts by Joerg Resch

Blog

"Our Systemes are Secure"

I love this kind of statement. It contains total ignorance of the fact, that security is not an absolute value and that it should take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DeHSt - Deutsche Emissionshandelsstelle), who said this, after a successful phishing attack had caused a damage of 3 Million Euros to some of the companies using this platform to trade their emission permits. Imagine - a trading platform where "real" money is being moved - with just...

Blog

Is History-Stealing a Crime?

In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to exactly know who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, there we might soon see broad use. Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but in the German Criminal Law (§ 202a StGB, Ausspähen von Daten), data theft is a...

Blog

De-Anonymizer Self-Test

Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird! [caption id="attachment_23" align="alignnone" width="382" caption="De-Anonymizer Test Result"] [/caption]

Blog

Identification through "Social Pattern Recognition"

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, adress, phone numbers and so on. What they do, is just exploiting the browser history to find out, which social networks the user is a member of and to which groups he or she has subscribed within that social network. The combination of memberships to different groups seems to be  nearly as unique as a...

Blog

1-day eema-Workshop: Role Life Cycle Management and IAM - 5 March 2009

This meeting is a one-day event aimed at Ascure, Belgium and is organized in cooperation with Kuppinger Cole and EEMA. This workshop will discuss the approach and importance for setting up Role Life Cycle Management in your IAM Program. Currently many enterprises are investing in having a dynamic RBAC-Role Model but do forget to organize them selves by setting in place a framework for their role model. Role Life Cycle Management has all to do with vision and strategy and is closely related to GRC issues. In this workshop our customers are centralized and we will focus on their issues,...

Blog

Yubikey - New Hardware for Strong Authentication

Recently I came across YubiKey, which is a hardware token generator from a young Swedisch comapny called Yubico . YubiKey is a small and slim USB device with just one button. If you push it, the device produces a 1-time password and sends it to the server. Compared to token generators in card format, you don't need to manually enter your 1-time password anymore through a computer keyboard, which makes YubiKey unreachable for trojans directly listening to keyboard entries. One more remarkable thing is, that Yubico offer an identity platform for their device, which already contains an...

Blog

CardSpace "hacked"?

I'm definately amongst the last ones to join the crowd blaming German Universities to lag behind international standards with regards to their educational program, especially in the fields of technology and computer sciences. But reading this press release , issued by the Faculty of Network and Data Security at University Bochum (sorry, the English version of their website seems to not work), makes me think. The press release says, that two students of said faculty "broke" Microsoft's CardSpace through some kind of man-in-the-middle-attack, where they took over an existing session...

Blog

Is GRC something different in Europe than it is in the US?

Today I listened to a podcast where Kevin Cunningham and Darran Rolls from Sailpoint Software talk in an interview with Jackie Gilbert about their impressions they brought back home from EIC 2008 . Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world and SOX is not the only framework responsible for this increase. I think it was Kevin who mentionned one...

Blog

Mike Small's Keynote at EIC 2008

If you put together 40 years of experience in computer industry, an extra portion of extra-dry British humor and excellent thought leadership, you'll get the right mix to really understand, wether Security, Privacy and Trust are a mission impossible. Thank you Mike Small (CA) for this great keynote.

Blog

Marne Gordan's Keynote at EIC 2008

Marne's brilliant keynote on the 32 Billion $ (2008) GRC Market. Talking about some famous examples in finance and health industries, she reminds us, that it is all about human behavior, when it gets down to the question, why GRC is so important.


KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

KuppingerCole on social media

Subscribe to our Podcasts

KuppingerCole Podcasts - listen anywhere


How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00