So we are from Edith. Edith is a European project.
Ah, lovely. That's our genius. And from Frankfurt, our project as a European project of the European Union community, European Union, they are opening 150 EDIHs, European Digital Innovation Hubs, and these innovation hubs. Next slide please. I'll do it here. Oops.
Okay, just take this window. These European hubs are organized to help small and medium-sized companies and small mid-caps and public service entities to increase their degree of digitization. So that's a funding we received. These EDIHs are all over Europe, 551 of them. They are in Spain, they are in France and in Italy. And we are in Hesse, Germany. And our EDIH is called Edith, with AT like the female first name Edith.
And we have to provide several services to these small caps and the small medium-sized enterprises as there are artificial intelligence, cybersecurity, high performance computing.
And the one you don't see is advanced digital tools and we are not working alone.
Well yeah, that's one missing. We are okay, brilliant. And next time it is then fully to be seen. Lovely. This is Edith. So we are a consortium led by House of Digital Transformation. This is my organization. We are a platform in Hesse to link science, economy and politics. And we are the consortium leader. So we are a membership organization, you come and become a member with us. The state of Hesse is a member with us, the Fraunhofer Institute, the Hessian universities and universities of applied science, and mainly it's companies from the private industry.
We have as partners GSI Helmholtz, which is a partner for high performance computing. They're building the Hydrogen Collider in Darmstadt and they have a data center, a lower emission high performing data center. We have hessian.AI, that's the Hessian Center for Artificial Intelligence, being a member in that consortium. We have the PTW, which is a unit of the University of Darmstadt. They are specialized in digitization and industrial production. We have the TechQuartier; the TechQuartier in Frankfurt is an ecosystem for founding companies and startups.
And we have of course Fraunhofer SIT, which is the Institute for Cybersecurity, in connection with ATHENE, a project run by the University of Darmstadt.
So now I'm handing over to Steven S. Dr. Steven S. is head of software security engineering and he will deliver a presentation on vulnerability reports. Thanks a lot.
Okay, thank you for the kind introduction. Ker, the screen is closed, not before.
Okay. Thank you for the kind introduction. Ker, I hope you can hear me. Can you give me just a quick feedback that you can hear me?
Okay. So let's just start with the talk. Sorry for the technical hiccups, I would've loved to present in person, but this is unfortunately not possible today. So my topic is vulnerability reports as a chance: embrace the vulnerability report. So in software we of course do our very best to reduce the number of software vulnerabilities that we have every year.
However, we kind of fail miserably on that one. This is not because we perform poorly, but because software becomes more and more complex and larger and larger by the years. So even if we reduce the number of vulnerabilities that we have per 1000 lines of code, we're just writing so much code that in the end we get more and more vulnerabilities.
Now if we look at the publicly known vulnerabilities, so the entries in the CVE database, coordinated vulnerability enumeration, which is kind of the database of what is going wrong in software, then you can see that this is a trend that's clearly pointing upwards.
We don't have the 2023 numbers because the year isn't over yet. There's still more stuff to come, but it's pretty obvious that you can just extrapolate the graph. So no matter what we do, there will be vulnerabilities. There's no way around it. Now the question is how do we deal with that?
Of course we can just run away, but this is not a solution. Instead we have to find a way, if something is detected as a vulnerability, how to take it from there. So unfortunately the old method doesn't really work anymore, which is "hopefully nobody sees my vulnerabilities". People will see your vulnerabilities and if you then try to keep this under the covers, it will just explode, so to say. So for example, there have been political parties that got reports about, hey, we found a vulnerability in your app for the election campaigns, and the party said, please don't talk about it, we will sue you.
And so on. Of course this got caught up by the media and they received very bad press. Another company, for example, they ran a software that connected several services for transmitting data in the widest sense. And someone told them, I found a vulnerability in your stuff, please go ahead and fix this. And the company, they just sued him. Why are you looking for vulnerabilities in our products? We had several issues with other companies.
For example, on your trustworthiness score for taking up loans, for example, that would've normally been a very small change, just fix the vulnerability and that's it. But since they also tried to keep it under covers, tried to silence the reporter, it again got big news. It was in large newspapers. So this is not the way to go. And the question is what can we do instead? There is a vulnerability, people will talk about it and in a best case people will tell us that there is a vulnerability, and there are other areas that already have a very modern approach to it and they have had it for decades.
Now let's have a look at the aviation industry. If there is a plane crash like in the top left picture and the plane is stuck in a house, they don't say there is no plane, you don't see that, move along. They instead say, okay, it has happened, we can't take it back anyway, the plane is in the house, but we can learn for the future, and this is something that we also need to pick up in IT.
So if someone gives us hints about there might be a security issue, there is a software vulnerability, there might be data leaks and so on, we should take this seriously and say okay, we need to learn from it, we need to fix it, which is obviously the first step. And then we need to ensure that this does not happen again. And this is what this air traffic investigation or air crash investigation has been all about all the time.
You can't resurrect the people that have died from the plane crash, but you can make sure that planes get safer and safer.
And if we're able to do this for IT, to make sure that the next version of the software is more secure, that the next configuration that we put to our network is more secure, then we have a chance to keep up with the higher number of vulnerabilities, because then those people who tell us, hey, you've got a problem, they are not our enemies. They are our partners in trying to keep a system secure. And this is not just a call for action from the ivory tower of academia. This is something that is happening. It's not happening everywhere. It's happening much too slowly.
But there are not only companies who do it, this has also gained traction in the government. For example, on the right side you see the vulnerability reporting policy of the German army.
So if you find a vulnerability in a website or a service run by the army, then they say, good that you found it, but please do not exploit it, please do not tell other countries or the like, please tell us, and here is the list of how to proceed.
And this is obvious because they rather have some guy telling them "fix it" and it's done than have some other country extract sensitive army information because nobody bothered to fix it. And this is not only a German thing. For example, the US, they had a campaign called Hack the Pentagon where they actively invited people, in that case it was limited to US citizens, to conduct security tests and then say, if you find something, tell us, we want to fix it.
Because to be honest, other actors that you might not entirely trust such as foreign nations, they will hack your or try to hack your systems anyway.
So why not get those people going that at least have an interest in helping you rather than just the bad guys, who are there anyway and that you can't restrict from trying anyways. And this is especially important in an interconnected world, because you remember the Log4j vulnerability. This was one software package but it affected almost everyone.
So once this is known, this needs to be patched in the library and all the dependent systems need to be updated, which is only possible if the first guy who has the idea that there might be something wrong immediately rings the bell to get all of this started, because it will nevertheless take months until the last dependency on, in this case, Log4j is actually updated. And if you actually take the responsibility for reports that you get, invite reports like Esba does, like the Pentagon does, then you also have another or a different security posture towards the outside world.
You're telling people, we're taking security seriously. We're not just sitting here and hoping that nothing happens. We are proactively trying to get to know where we can do better. And you can also steer communication, unlike the news reports that we saw on the earlier slide where people are trying to cover up and then everybody's pointing their fingers at them. Or another example, this is another vulnerability disclosure policy from the US government, outside of this special event Hack the Pentagon.
So this is kind of normal operations and they actually do a pretty good job on having these policies. And my suggestion here is, as banks, as companies, also pick this up and learn from the vulnerabilities that get reported. And it's important to notice that this is not only relevant for software companies. Even if you're, for example, a bank and you're just using the software developed by other companies, if you get the vulnerability report, you can go to your software developer and tell them, okay, this needs to be fixed, even if it's a different company.
Because in the end, if you tell your customer, ah, we are secure, nothing happens, go away with your vulnerability report, and something happens, you get a data leak, then GDPR is on you. It's not on the developer who messed up in the subcontractor of the subcontractor of the subcontractor. So this is why this is also important on the top level. And then everything is a computer right now, even if you're a phone manufacturer, these things here, they are actually computers with a receiver attached to them.
This is from a security analysis we did in 2017, I think, it is a bit old now, but we found vulnerabilities in all of those phones. So there must be a way to report this to phone manufacturers.
Even if they would say we're not computer companies. Or this was a talk from Chaos Communication Congress where they looked at fax machines, so integrated copying, printing, fax, scanning, whatnot machines. You could attack them from the telephone line by sending malicious faxes and then you were suddenly in the internal network and could continue hacking from there.
Even if you're just producing such machines, you need a program so that people who know something's going wrong can tell you, hey, you should go about fixing this. Now how do you set up such a process? This needs to be tailored towards your own products and services of course. But the quick message is: you need a way for people to report something to you. You need a way to collect the important data from this reporter, like which product is affected, how do you trigger the vulnerability and so on.
You need to report this to your correct internal teams as soon as possible.
Check whether this is critical and tell them to fix it. If there are emergency measures required, like we need to take the system offline right now because data is stolen every minute, do it. If there are ways to, for example, only take individual features offline, okay. Maybe you need to report a data loss to the authorities according to GDPR or other regulations, this is what needs to be done as emergency measures. Then you can go about the fix: rolling out, changing the configuration. And in the very last step, now that you have the fix, you need to take it to your customer side.
If you're a software manufacturer, or you need to deploy it on all the cloud systems that you have. And orthogonal to all of this is of course communication with the guy who reported, but also with your customers and the public, to say there is something, we are tackling it, you can feel safe because we know that there is a vulnerability and we're actively working on it. And this also shows, even to customers who are not affected by the vulnerability, hey, we're doing something.
One example of this is there are even companies who offer bug reporting as a service.
Like they collect the bug reports of people who found security vulnerabilities, consolidate them and send them to you. This is just an example. For example, PayPal subscribed to such a company, this company's called HackerOne. I'm not doing any advertising here.
There are several companies who do such services. This is just one example for even big companies who say, I don't want to run this in-house, there are other companies who specialize in this. Then how do you get people to tell you the vulnerabilities? Of course there are people who are just doing academic research, for example, they will tell you. However, for people who are like, well, I could have a look at company A or B, it's also good to have incentives to kind of get the vulnerability reports instead of people just looking the other way.
This need not only be money. Some companies are actually offering big money, like Google, but others, like the German army for example, they do acknowledgements. What you see on the left side: if you have more than three vulnerabilities that you reported, you get a coin and a nice certificate, for example. This is what the man in the picture shows.
And these are also incentives that security researchers and ethical hackers value, because when they apply for their next job, they can say, I got the InfoSec coin from the German army for reporting vulnerabilities, which is a proof like "I can find vulnerabilities", which gets them more money in the next job. So this is just a small excursion by saying, okay, why should I pay someone, even if it's just a report on my website, for telling me about my vulnerabilities?
The thing is, there are other people who are more than happy to pay on the gray market.
And if you look at these numbers, if you have, for example, a vulnerability in Android, then there are gray market guys who are giving you two and a half million. So it's only reasonable that if Google says, okay, tell it to us so that we can fix it, you at least get some T-shirt or something. I'm not saying that people are only reporting if they get something, but you see it's a nice gesture for not leaving the field to the gray market.
Steven, one minute left. Including Q and A.
Okay, then I think we can cut this short on governmental disclosure, because there are ways to disclose vulnerabilities not to a manufacturer but to the government, who then gives it to the manufacturer. But this is only a last resort in case the manufacturer doesn't have a reporting possibility on their own. And as I already talked about emergency measures, taking it seriously may also mean on the next day you also have to start acting, for example due to the requirements that you have from GDPR.
And as I said, you have to customize this entire process to your respective services and products. And if you have any questions on that, we as Fraunhofer are happy to help with that. This talk is more about raising awareness about this topic, and that's it from my side. So I think I've finished on time. If you have any questions, feel free to ask or contact me afterwards.