Blog posts by Sebastian Rohr

#sapteched: too much twittering.. ;-) - but not enough on IAM & GRC

Did you find yourself adding hash-tags in emails or "old-fashioned" blog posts recently? Well, I think we are all tweeting quite a lot (except for me, I do not spend too much time on it) and organizing tweets that way is a good thing, for sure...

In between two Netweaver security tracks I just wanted to give you an update on the cool show SAP put together once again! I have already met so many friends, colleagues and usual suspects that I almost felt like I was visiting EIC ;-) in Munich. Novell made some great announcements recently and - to no surprise for me - their now combined SAP/Novell offering for end-to-end GRC does add a lot of value for customers of both companies. Just a few weeks ago, giving an invited talk at the SAP Partner Port in Walldorf with Loren Heilig, Managing Director of IBSolutions, I claimed that SAP does have a big advantage when it comes to business GRC, while they really lack the depth needed to control everything down to the system level, aka "more technically". As a complementary solution vendor, I showed some Novell slides, and the reactions were pretty ... ambiguous. While the customer audience seemed to like the idea, the vendor representatives seemed a bit uncomfortable. Today, I find myself proven right by reality - my own little "analyst crystal ball" only had a "warning period" of roughly 4 months, though. Maybe I should get to London and place some bets before making my next presentations... SAP and Novell: congratulations! You now offer the most complete GRC approach in the market today (at least from my humble perspective!)

Windows 7 and SmartCard removal behaviour... no system lock?

Ok, this should be a blog about insights into the general Identity & Access Management and Governance, Risk Management & Compliance markets. Sorry to bother you guys with technology details (like the one about Win 7 and 3G (UMTS) on netbooks) every once in a while, but I think one blog is enough to maintain and publish stuff to ;-) So, whoever started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze these days, but you may be as puzzled as I was when I pulled the card from the reader and the system did NOT lock itself... Well, my friend Walter Hofer of IDpendant was kind enough to investigate the issue (and let me know right after he found out): even with the corresponding GPO set in the AD, Win 7 will refuse to lock the computer after the smartcard has been removed from the reader, as Microsoft chose to create a new system service called "Smart Card Removal Policy" - and its start type is set to MANUAL. Unless you look that service up in the "Services" console and change its start type to "Automatic", you will not get the expected results. Just to get you a faster solution if this should happen to you, too! Keep up the safe & secure computing experience!
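Added example (not from the original post, nor a Microsoft tool): a PowerShell check, run elevated on a Windows 7 client, that reports whether the card-removal GPO is configured at all and whether the Smart Card Removal Policy service will actually enforce it, repairing the start type when given -Fix. It assumes the service's internal name SCPolicySvc and that the security option "Interactive logon: Smart card removal behavior" is stored as the Winlogon registry value ScRemoveOption.

```powershell
# Assumptions (not stated in the post): the "Smart Card Removal Policy" service is SCPolicySvc,
# and the GPO is persisted as the Winlogon value ScRemoveOption with the meanings listed below.
# Run from an elevated prompt; without -Fix the script only reports.
param([switch]$Fix)

$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$serviceName = 'SCPolicySvc'
$labels = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff'; '3' = 'Disconnect RDP session' }

# 1. Is a removal action configured? The service has nothing to enforce otherwise.
$option = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
if ($null -eq $option -or $option -eq '0') {
    Write-Warning "ScRemoveOption is '$option': no card-removal action is configured. Set the GPO first."
} else {
    Write-Host "Removal behaviour: $option ($($labels[$option]))"
}

# 2. Is the enforcing service set to start automatically and actually running?
# Win32_Service exposes StartMode, which Get-Service on Windows 7's PowerShell 2.0 does not.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) { throw "Service $serviceName not found on this machine." }
Write-Host "$($svc.DisplayName): StartMode=$($svc.StartMode) State=$($svc.State)"

$healthy = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
if (-not $healthy) {
    if ($Fix) {
        # This is the manual change from the post: Manual -> Automatic, then start it now.
        Set-Service -Name $serviceName -StartupType Automatic
        Start-Service -Name $serviceName
        Write-Host "Set $serviceName to Automatic and started it; the GPO is now enforced."
    } else {
        Write-Warning "$serviceName is $($svc.StartMode)/$($svc.State): the card-removal GPO is NOT enforced. Re-run with -Fix."
    }
}
```

Both conditions have to hold: a configured ScRemoveOption with the service stopped reproduces exactly the "card pulled, nothing happens" behaviour described above.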

Vienna Calling

Well, unlike Falco in his famous hit single, this time it is SAP who's calling the world's ERP elite to Austria's capital next week - and I am happy enough to participate in one of those one-in-a-thousand events that really stand out. My very high expectations regarding the expertise I am planning to meet are only paralleled by my curiosity whether (and if yes, who) there is going to be a star like Zucchero performing as part of the event :-) Ok, back to the real issues, because there is a lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as possible, and my agenda is bustling with activity around Netweaver Identity Management and SAP security. Especially the second, more general topic has some relevance as I am looking into the SAP and 3rd party audit and compliance solutions available today. Besides SAP's own offering in the GRC arena, I am about to dive deeper into CheckAud of ibs Schreiber, a tool I came across in several Master's theses I have been advisor for. Next is "mesaforte" of Swiss Wikima4 AG and last but not least the SAST System Audit and Security Toolkit of Akquinet, especially since they now co-operate with my valued friends at Virtual Forge (some of my former Fraunhofer SIT colleagues are the founders). Do you have expertise in one of those? Are you at TechEd in Vienna? Make sure to meet me over a cup of coffee or a Stiegl Bräu beer! Looking forward to meeting you in Vienna!

Identity Management: Challenge Outsourcing

Outsourcing and offshoring are a fact of life in many companies, but for some, when it comes to managing user identities and access rights or enforcing rules on governance, risk management and compliance, these are still very early days indeed.

In fact there are a number of good reasons why you should think about IAM (Identity & Access Management) every time you think about GRC (Governance, Risk & Compliance). Despite all the efforts to secure externally managed services and applications through policies and technology, gaps in the safety nets set up by those in charge of GRC remain. Third-party access to outsourced data is a good example. Just take maintenance and management services: written agreements on security standards and policies notwithstanding, reality shows that controls, audit trails and internal compliance assurance measures are often incapable of closing every loophole.

What are the real problems? Take as an example hosted applications operated by one service provider but originally developed by another. The company information being processed is probably both valuable and restricted. How do you ensure that it isn't compromised when the developer has to run an update? And how is the developer to perform the necessary tests to ensure that the application won't crash once the update has been performed? Finally, how do you ensure that neither service provider can access the confidential data in the system itself?

Again, the answer is IAM when the situation calls for managing access rights, persons and identities in cases where external identities (service personnel) come in contact with internal data. Solving these issues requires legal and contractual procedures on the one hand and technical measures on the other. Given that all this is happening outside the administrative jurisdiction of the company itself, ensuring central management of access rights may very well require an external operations service provider, too.

But what path to follow? For existing installations, technical auditing may be the right answer in order to determine the true current status of access rights and protections. Based on the results, appropriate measures can be decided on and taken. Technically, these may consist of implementing Identity Federation between the three parties involved so as to reduce administration overhead. In the case of new applications, the best strategy is probably to switch to claims-based rights management, which does away with individual user and rights management, substituting a one-time definition of access privileges for certain resources using challenge-response instead, thus enhancing the federation concept.

One thing is clear, however: In compliance, it never pays to underestimate the potential complexity. For instance, there are data protection issues and information leakage risks, as well as everyday garden-variety IT security problems. If you plan to outsource, these all need to be resolved. And while this may appear simple when dealing with a single outsourcing provider, it may prove a nightmare when a multiplicity of "cloud computing" providers are involved.

The blessings of 3G with Win 7

As a tech-savvy person and all-time traveller I recently acquired a mobile network data flat rate from one of the local German and international providers - the one with the pink logo. For every contract/subscription you sign, you usually get some perks, extra stuff, a mobile handset or - in my case - one of those netbooks. The Acer Aspire One 531 I was sent does feature an integrated 3G modem by OPTION Wireless and comes with Windows XP Home, to my dismay. Failing to prepare a proper backup (Acer gives you backup software to burn media - but a netbook does not have an optical drive, and mapping the DVD burner of my home Vista machine is not acceptable use of the software - and thus deactivated), I killed XP Home anyway and installed Win 7 fresh off an 8 GB USB flash drive (see here for a geek how-to, or here for the DAU help with prepping the USB stick). All worked well - even a complete Office 2007 and Visio 2007 found their way onto the device - no driver problems, except... for the 3G!

I spent way too much time figuring this out, so here are the resources needed:

  • Driver handling & tweaking plus driver links: http://www.itgrl.de/2009/03/31/aspire-one-3g-treiber-fur-umts-modem/
  • Driver links Acer: http://global-download.acer.com/GDFiles/Driver/3G/3G_Option_5.0.12.0_XPx86_A.zip?acerid=633776034442008284&Step1=Netbook&Step2=Aspire One&Step3=AO531h&OS=X01&LC=de&SC=EMEA_8
  • Driver links Option (IMEI required!): http://www.option.com/en/support/software-download/product-list/

After trying desperately to use the T-Mobile web'n'walk software for a while, I gave up: it (even the EMBEDDED version taken from the mysterious FTP server in the Czech Republic) always UNINSTALLED the Option drivers, leaving my netbook without connectivity. Using the ACER software DOES the trick though, but you have to tweak it: the Acer 3G Connection will fail to connect (it finds the device, the SIM is entered, the network is acquired) but then it gets stuck while "connecting" aka "Verbinden...". Again, calling the friendly mobile provider support, we quickly figured out that we were only one step away. Simple solution: create a new modem connection with *99# as the number to be dialed and all works well suddenly!

Now, back to real work... message me if you have a working setup with w'n'w software on Win 7 and internal Option MOx40 cards... or actual stand-alone drivers for Win 7 that are NOT deleted when installing w'n'w :-)

EIC09: ICF German Chapter Inauguration

Dear readers, the following post is provided bilingual but does not represent a one-to-one translation. Most information is for German-speaking readers, so the English version is comparably short! Still, there is some general info in the English part, so please make sure you read both parts… The ICF German Chapter Inauguration Meeting www.informationcard.de Participants: Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo, KuppingerCole and MANY more!

Initiated by Jens Fromm of Fraunhofer FOKUS in cooperation with Axel Nennker, Deutsche Telekom Labs, a local German-speaking chapter of http://informationcard.net/ was established. The founding members and supporters of www.informationcard.de will try to align their efforts as much as possible to establish an interoperable and easy-to-adopt exchange network, where not only cross-testing but also fully operational systems can be deployed. Goal: to foster the adoption and usage of infocards in the German-speaking countries by bringing together stakeholders such as card providers, infrastructure providers and service providers, and possibly providing info to consumers. A number of member presentations on technology, background, usage scenarios and development provided a deeper insight into what is happening in the ICF and between partners. In brief, there were presentations by Deutsche Telekom of an mWallet on Nokia Symbian (NFC, functional) or Apple iPhone (just a UI, not yet fully functional) that showed a P2P transfer (mobile2mobile, two Nokias touching…). Other use cases besides money transfer comprise cinema ticketing and POS payment in a canteen. There also was a demo on hotel booking, again with Nokia/iPhone, that visualized the goal of having the same look & feel on all devices. Additional (and excellent!) demos were provided by Corisecio and fun Communications, showing different ways and methods to access the KuppingerCole site with IdentityCards. Microsoft rounded it up by showing how to authenticate to special online workspaces using Windows 7 and IE8. The next months will show how the participants create their network and infrastructure that will provide a continually usable test-bed and also an environment for real applications. Especially, it will be interesting to see how removing the language barrier will contribute to creating best practices that can be handed back to the larger InformationCard community in the ICF.
KuppingerCole supports these efforts by serving as a live-site to authenticate with IdentityCards as well as promoting the use of IdentityCards in a broader, more open and public community.

DE: One of the first major sub-sessions at the European Identity Conference in Munich was the meeting of the German-speaking chapter of the InformationCard Foundation http://informationcard.net/, which moved well over 20 participants to get together even before the keynotes on the morning of the first conference day. With the participation of some American representatives, staff from Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo and KuppingerCole met to show the current state of development. The most important item was the fully functional demonstration of logging in to the KuppingerCole site with an InformationCard. The goal of the meeting was to bring together all parties and interested people who are actively working on the development of InformationCard technologies, card selectors or application scenarios. Besides the live demonstration of the KCP login already mentioned, several approaches for use on mobile phones (iPhone and Nokia Symbian) with NFC connectivity were presented, which in particular offer the user many options for multiple use. The participants agreed that the general problem is the adoption by users that is still lacking; one way to improve this adoption is an entry barrier that is as low as possible. In detail this means wide-ranging support for a variety of end devices, installation and configuration of the necessary software on the devices that is as simple as possible, and likewise the highest possible portability or usability in many application scenarios. Excellent live demonstrations by fun Communications and Corisecio (likewise login to the KCP site, but via mobile phones) underpinned the high standard the group sets for itself.
The coming months will show how the German-speaking chapter develops and which concepts and solutions, tailored specifically to the Central European economic area, can be passed on to the parent organization as best practice. KuppingerCole supports the initiative to the best of its ability - among other things with the option to log in to the KCP site with an IdentityCard and of course with all the means available to get users excited about the technology.

Deep dive into unknown depth (of PKI and HyperV technology)

Recently, we announced that a report on strong authentication with tokens would be released. The response to that was tremendous - from either side of the market. Some (customer) companies pre-registered to get it, some vendors called back to make sure their products were included, and guess what: NOT all of them were included. This led to two things: me going back to square one, getting briefings with all "new" vendors and rewriting some portion of the report, as well as me thinking: "if I do not know these vendors are trying to get into the market - how should the market (aka customers) know?". Looks like some vendors did invest a lot in product engineering, such as AXSionics e.g., but a lot of those at the same time did not invest much into developing their go-to-market strategies and a marketing plan. There are a number of sayings around marketing (such as that 50% of the budget is wasted, one just does not know which half this is), but let me get that straight: a complex service or solution such as strong authentication does not sell by itself. You need to analyse the market, identify your target customer base and address these possible customers as directly as possible. I do not judge print media here, but simply advertising in a trade magazine will hardly work... We as analysts have to serve both sides of the market, thus granting us a very special position that allows us to gain deep insight into customer needs as well as into current market situations. We certainly are no "know-it-alls" as the above introduction reflects, but we certainly can add valuable information to either authentication strategies or marketing plans! Ok, enough shameless self-marketing at this point and back to the deep dive: I guess one thing that sets KuppingerCole apart from other analysts is the technological background of the analysts. Most of us are or have been IAM practitioners before switching to "criticize mode".
This background makes us TEST what vendors tell us - in my personal situation that means: drowning in cards, tokens, readers and software for strong authentication. I really love this retreat to "playing" with technology - at least as long as it works! My test stopped working last week, when I tried to use a Microsoft PKI to issue certificates for my Vista laptop. Little did I know what horrors the switch from XP to Vista on my test client would bring... I used to run a pretty straightforward test environment for certificates, namely a Win2k3 Enterprise Edition server with Certificate Services. All was well with the usual XP clients and users receiving certificates, using smartcards and tokens of all types to do the SC login. Well, Vista and W2k3 Certificate Services do not work together that easily, namely the components that provide the certificate enrollment procedures via browser. Ok, testing certificates and cards in a productive environment is not the best idea anyway, so I decided to give Server 2008 a shot, using virtual machines on 2008 Hyper-V as the basis for my lab. Being a strong user of VMware before, Hyper-V set some traps for me: storing the virtual machines in a subdirectory of the "public" user directory of the system drive was one. Saving the machine state in a similar location AFTER I had re-routed the location of the images to the D: drive was even more of a nuisance. Not being able to "import" such an image if it had not been "exported" before almost drove me crazy. I ended up with some 100 gigabytes of mostly useless images and wasted tremendous amounts of time with this... Oh, did I mention networking? Have you ever tried to set up a Win2k8 domain with DHCP in the virtual realm and then have DHCP clients (aka my Vista laptop) receive their IP info over the physical interface of the host machine?
Fun stuff to do - works (sometimes), unless you try to join the domain with this client (networking to/from the virtual realm stopped working after the reboot of the newly joined client). A "restart" of the network interfaces at the host machine worked, although I still do not know why... Anyway, now I am set to create myself multi-tiered (or teared?) PKI environments comprising a W2K8-based PKI, some EJBCA and all the paraphernalia one has to gather... The only thing I miss yet is a decent Hardware Security Module (HSM) for my EJBCA to recover encryption certificates not created with SC-based key material. I certainly grew some extra grey hair with this, but at least I am up-to-date with my PKI infrastructure! Looking forward to your responses, inquiries and "didn't you know..." comments... Sebastian

eGovernment and eID in Europe

Ever since the infamous “Signaturgesetz” (law for the regulation of electronic signatures) passed the Bundestag (parliament) in Germany, the industry has moaned about the “signature inhibition effect” this law had and still has. Attending the not so obviously related event on the “Industrialization of Cybercrime” some weeks ago, organized by Bitkom and the Ministry of Economics in Berlin, I finally heard one of the well-known lawyers, Mr. Harder from Munich, admit that the lawyers might have “over-engineered” the whole thing! Well, the next sentence was Mr. Harder's attempt to put that into perspective, claiming that at least “it's very secure” (sic!).

Why do I bother you with this on your journey to broaden your knowledge about ID management? Let me explain: a good portion of the attendees of that event at the BMWi also turned out to be attending the well-known OmniCard conference here in Berlin.

While at that event representatives of the BKA (FBI-like law enforcement) and ministries tried to convince the audience that we need yet tighter control (compare: Patriot Act in the US, I disagree!) and more multi-national cooperation to enable more efficient law enforcement action against (cyber-)terrorists (which I agree with), the representatives of the BSI (Federal Office for Information Security) and academia tried to promote the advantages of the up-and-coming electronic ID card (ePA, elektronischer Personalausweis), scheduled for autumn 2010.

This new national ID card will contain a contactless (similar to, but not really, RFID) smartcard chip that contains your personal information. This “electronic ID” card shall offer online the same benefits and use cases that are prevalent “in real life”, aka in the liquor store, at the hotel reception desk or the like: it will enable you to reveal/prove just what you want to prove: your age, your name, your address, simply any attribute available on the eID you wish to reveal.

The BSI, in close cooperation with several German companies and universities, is developing a trust infrastructure that allows the average citizen to “identify” himself to a service offered on the internet. This includes the distribution of certificates to the service's web server in advance, which will allow the citizen to do what the internet society has yet failed to provide: mutual, trustworthy authentication! No more “green bars”, no more phishing … you get the point (and hopefully the slightly sarcastic tone of my words…).

Undisputedly, the idea behind the architecture is great. Not only shall it prove the authenticity of an online service to the user (and its right to access the required portion of the eID info stored inside the ePA), it will also improve the trustworthiness of users / consumers towards the vendor (aka the relying party).

I was kindly informed that the "eCardAPI" in fact is broadly based on accepted standard technology, as can be seen by browsing the respective documents HERE: http://www.bsi.bund.de/literat/tr/tr03112/index.htm

What I wanted to express, though, is that the proposed usage of the technology in the field will comprise rather complex and not "well-established" processes and standards with regard to mutual authentication! Especially the proposed usage as online ID for citizens does give me a headache: if a user wants to use a certain service online, the SP must present a government-issued certificate as access credential to read the citizen's ID info from the card (and to authenticate itself to the user). This process IS based on standard certificates, granted! But we have been using (or NOT using!) certificates for quite a while now...

What makes the industry and politicians think that this pretty gift-wrapped PKI monster will be accepted by citizens, let alone online users? Every time I check out an XXX site that wants to validate my age, Mr. Schäuble gets an update on my misdemeanor? Oh yes, national security...

I guess when it comes to national security, we Germans are no more and no less suspicious about letting others peek into our cards than the US guys (or any other nation)…

Or is this just another case of engineering hubris, the kind that led to the TollCollect disaster and billions of euros of toll not being collected due to “engineering problems” with the now famous OBUs (on-board units) for the trucks rolling on our highways?

Sometimes I wonder if this “protection of national interest” really helps to stay ahead of things, security-wise. Ok, the tremendous amount of money spent INSIDE our borders helps our security industry – but by re-inventing the wheel over and over again? Well, before my writing becomes too cynical to have this published and before any federal agents “make a house call”, I better get this off my chest: the ePA will not only contain the (mandatory) eID functionality, but will also provide you with an (opt-in!) personal digital certificate (yeah, right, one of those supporting the most successful legislation on electronic signatures I ranted about earlier). This is really a big advantage: 15 years after “riding a dead horse” (promoting qualified electronic signatures, QES) became en vogue in Germany, a new bright and shiny saddle and some silver spurs (aka, indirectly government-issued digital ID certificates) shall help us ride that dead horse more efficiently. It looks like I fail miserably in turning this post into something positive.

Oh, wait! There is hope! I will be able to use my cool new ePA with its eID to digitally file my income-tax return (ELSTER, Elektronische Steuererklärung). And the federal as well as state governments are looking into setting up a bunch of publicly available services which I can authenticate to with my ePA.

Hopefully, I am not the only technology-craving analyst to check these services out, as this little example helps to understand my concerns: one of the more senior and tech-savvy OmniCard attendees told me that he was very happy to be able to access his pension/retirement fund info with his QES card. He was recently asked to decide within weeks' notice if he would like to participate in a partial retirement plan his company offered. The paper inquiry to get the latest pension statements and the extrapolation of his future retirement funds would have taken 2-3 weeks – thus the secure electronic access saved his day – and provided him with early retirement! He was curious how many people actually use this service, and the quick answer he received was a bit scary. Only a handful of people had ever used this way of secure access. My tax euros at work!

Anyway, the accompanying technology fair had some very interesting tokens to check out, and I brought some home for further evaluation. Especially a “ready-to-deploy” secure mobile banking solution from SIZ using a CertGate microSD with JCOP chip raised my interest. A very close second place goes to Giesecke+Devrient for their secure mail+surf stick based on Firefox and Thunderbird with a (comparable) secureID card, but using a USB stick as interface. I will dive a little deeper with the samples I acquired - prepare yourself for the strong-auth/token report that we are compiling this quarter – some shiny new toys might find their way to your desk for evaluation soon - either as a consumer or as an employee!

Authentication 2.0 - Beyond username and passwords

More and more organizations – driven by the vast amount of media coverage on data loss incidents – realize that the increased security requirements cannot be met by making password policies more complex. Users are already overwhelmed by the sheer number of passwords they have to memorize, and help desks are flooded by the amount of password-related calls.

Besides establishing strategic authorization management projects (see Felix' blog for more on that), organizations tend to rid themselves of ancient UID/password schemes, turning towards modern, flexible and – above all – user-friendly technologies. As the plethora of alternatives to choose from slowly became confusing and a mine-field of non-interoperable point solutions, Kuppinger Cole decided to provide insight and overview by analyzing and organizing methods, technologies and concepts into an easy-to-digest report, serving as a map to tokens and authentication technology as well as a guide to what to include in a corporate authentication strategy.

The best way to tackle a subject as diverse as the authentication market is to provide a definition and classification that brings the components into order. While doing so, it quickly becomes obvious that authentication today is far more than just tokens and smartcards. Authentication has many facets, a few of which are:

Hardware:

  1. SmartCards and tokens for authentication including special soft-tokens
  2. Card readers for contactless and contact cards

Client-Software:

  • Middleware in the sense of software that provides access of the client to different smartcard-OS functions
  • Management software: adding specific functionality to manage tokens, (de-)activate, reset/unlock, etc.

Centralized or server software:

  • Versatile Authentication Platforms (VAP). Combination of different strong and weaker authentication methods, providing an easy migration path and vendor-independence
  • Interfaces for VAP integration of target or source systems (such as Windows, WebAccess, mainframe etc.)
  • Context-based/risk-based systems, automatically invoking VAPs to add/change authentication methods if fraud is suspected (so-called step-up authentication)
  • Centrally managed SSO-mechanisms (with VAP support)

This compilation is neither complete nor sufficient to establish an authentication strategy but merely serves as a short glimpse of the depth and breadth of the analysis for the report currently under way. In addition to the above-mentioned topics, the increasing importance of user-centric identity management schemes requires the inclusion of OpenID and CardSpace as means of authentication primarily targeted at web applications. These will extend their importance with the further adoption of federation technologies and the increasing numbers of managed external IDs, be it in a B2B or B2C context. If information cards close the gap and are integrated with PKI technology, this will boost their importance even more.

PKI and the certificates managed therein are experiencing a renaissance, as PKI is no longer a strategic project but an integrated part of the infrastructure, enabling important systems like service-oriented architectures (SOA), Information Rights Management (IRM) and Data Leakage Prevention (DLP) to be operated efficiently and in a secure manner. By including PKI in the discussion, process management and support need to be included also. Especially token lifecycle management processes and the combined issuing & management of single-token solutions for physical/logical convergence are core topics to be addressed in comprehensive authentication strategies.

Overall, each authentication strategy shall allow for simple, flexible and as-secure-as-possible means of reaching the goals set for user and machine authentication – a task not easily solved if user and administrator experience are to be improved and no technology overkill is expected. The upcoming report will provide insight and orientation to properly address the obviously divergent goals of an authentication strategy.

Meet local - act global: CAST eV on Internet Crime

Yesterday I had the pleasure of attending this year's last CAST workshop in Darmstadt, Germany. CAST, the Competence Center for Applied Security Technology, is a non-profit organization that provides security information for its members as well as the broader public. CAST is led by representatives of academia (Technical University of Darmstadt) and applied research (Fraunhofer SIT and IGD) as well as corporate and SME members. Yesterday's event had "cybercrime and forensics" as its headline and the keynote was delivered by the famous president of the Federal Police of Germany, Joerg Ziercke (who obviously attracted quite a number of additional participants). Ziercke talked a lot about why Germany is very special with regard to cybercrime: on the one hand, internet safety and security is quite mature here compared with the UK, US or other leading countries. On the other hand, criminal activity is also very elaborate, and specialized individuals co-operate in ever-changing teams - cross-border and cross-competence. The president brought lots of evidence for his claims, especially regarding trojans "hand-crafted" to target German banks, browser data manipulation and online fraud in general. While creating giggles and smirks when claiming DDoS attacks were executed with emails (aka using SMTP), he showed substantial knowledge of the threats and attacks currently seen. Ziercke went on to showcase cases of child pornography and "real" terrorist activity and explained the communication schemes of these cells. Impressive, scary and at the same time disturbingly "close"... Anyway, he lost my support (and I guess that of most of the others as well) when he drew the conclusion that all this could only be tackled, handled and investigated if the much-discussed BKA law (comparable to the Patriot Act in the US) were put into place.
From this rather general talk, the topics went into more and more detail, ranging from judicial analysis of new cyber laws and a presentation about their use in court with regard to business-related fraud detection (impressive presentation by PwC!) up to forensic analysis of digital photography. All in all the event covered a breadth of topics I rarely see anywhere else. All that I missed was the INTERnational perspective, hence the title of my post :-) I can only urge lawyers, forensic specialists, cryptanalysts and politicians/judges/law enforcement (LE) to work closer together. Especially expert advice from all of the former groups to the latter three is needed. LE is usually drowning in open cases, judges have no clue what goes on "in the internets" and politicians are seldom aware of what evil might lurk behind that link (or what good can be created through others). Experts in all cyber-related technologies are needed as advisors and subject matter experts! Do not ask what this community can do for you (e.g. tax cuts ;-) ) - ask your judges, police officers and politicians what you can do for them! WARNING: you might end up explaining to your "senator of choice" how to send email... let's not talk about using S/MIME or PGP here ;-)
