Issue 95, February 2018
- Data Security
- Interview with Prof. Dr. Jörn Müller-Quade
- Hornetsecurity
- CodeInspect
- Innovation: VATICAN
Data Security
Using smart devices in our homes, for communication and for a broad variety of transactions is compelling and convenient. But it also exposes individuals and companies alike to an invisible threat. The danger of being hacked, or misled into exposing personal or collective data, is imminent. And even if data is offered voluntarily, e.g. through personal social media accounts, one cannot be sure who is using this information and to what end.

To strengthen data protection for citizens and residents of the European Union, Europe's General Data Protection Regulation is set to take effect on May 25, 2018. Among the regulations are restrictions on what types of personal data companies can collect, store and use, as well as the so-called "right to be forgotten", which entitles people to ask companies to remove certain data containing their personal information indefinitely.

"The value of privacy is vastly underestimated," states this month's interview partner Prof. Dr. Müller-Quade, head of the research group "Cryptography and Security" at the Karlsruhe Institute of Technology. He underlines the importance of being able to erase one's digital fingerprint, while highlighting that putting technical means in place to protect data is just as important.

All our contributors share one common mission: to detect and protect against cybercrime. Hornetsecurity offers advanced threat protection from targeted attacks for companies. Fraunhofer SIT developed CodeInspect to support analysts in recognizing malware in mobile applications. While the Social Engineering Academy offers protection by teaching individuals how to recognize manipulation through social engineering, CISPA's (a future Helmholtz Center) software VATICAN guards activities controlled through the electronic systems in today's smart vehicles from being fatally compromised.

Interview with Prof. Dr. Jörn Müller-Quade
Cryptography and Security, Karlsruhe Institute of Technology

Prof. Dr. Müller-Quade is the head of the research group "Cryptography and Security" at the Karlsruhe Institute of Technology (KIT) and director at the Research Center for Information Technology (FZI). Furthermore, he is spokesperson and initiator of the KASTEL competence center.

His research interests include secure cloud computing, secure multi-party computing, hardware trust anchors and security definitions and models. He received the German IT security prize in 2008 and 2014.

In this month's interview, Prof. Dr. Jörn Müller-Quade focuses on the risks and benefits of Big Data and the value of privacy. Furthermore, he makes suggestions on how to secure one's personal data in smart environments and social networks.


Image: Karlsruhe Institute of Technology

Hornetsecurity

Email is the number one communication channel in a business environment. Companies rely heavily on smooth and flawless email traffic despite the fact that it remains the main gateway for cyber criminals.

To protect the integrity of email traffic while filtering out all malicious mail, Hornetsecurity from Hannover, Germany has developed a spam filter service. Containing a series of screening rules and analysis engines, this filter reaches detection rates of 99.9% for spam messages and even 99.99% for viruses. Hornetsecurity's advanced threat protection eliminates highly sophisticated attacks that bypass regular defense programs by closing all possible ways of intrusion for attackers. Additionally, Hornetsecurity archives and encrypts email traffic, if needed.

Hornetsecurity uses cloud computing; therefore, customers do not have to install any software or purchase hardware. Implementation only takes minutes and the services can easily be managed through a central control panel. Several redundant data centers make sure that the downtime is kept to an absolute minimum and the highest level of availability is guaranteed.

Over the past ten years, Hornetsecurity (called "antispameurope" until 2015) has grown into an international company. Recently, Hornetsecurity opened its first office in the United States (in Pittsburgh, PA) to expand its security solution to the American market.

Source & Image: Hornetsecurity GmbH

CodeInspect

"Is my personal information securely stored in this mobile app? How can I tell if the app is malware?" These are legitimate questions for companies and individuals alike. Many applications contain security weaknesses, and users are threatened by both unintentional vulnerabilities and deliberately malicious behavior.
To identify malicious behavior in mobile applications and Java programs, and to find information about its author, an expert has to take several extensive steps in reverse engineering and analysis. To simplify this process, the Secure Software Engineering Group (SSE) at the Fraunhofer Institute for Secure Information Technology (SIT) developed CodeInspect.

CodeInspect is a single tool that simplifies an app analyst's work by reducing the mechanical efforts of a malware investigation and vulnerability discovery. Tasks like manual reverse engineering are executed in a straightforward and efficient way.
The team at SIT based the design and implementation of the tool's analysis, which features high precision and a low false-positive rate, on active research in code analysis.
Currently, an extension to automatically detect security weaknesses in mobile applications and Windows programs is being developed. This extension will feature machine-learning techniques combined with code analysis. So far, the prototype has already helped identify hundreds of vulnerabilities in Android applications installed on millions of smartphones.
CodeInspect is a recipient of various prizes, including the German Prize for IT-Security 2016.

Source & Image: CodeInspect

Social Engineering Academy (SEA)

Social engineering poses a real threat to data security. Targeting people, this type of manipulation is used to illegally acquire classified information through non-technical means. Even if the technical security of a system is ensured, a network can remain highly vulnerable to attacks from social engineers, e.g. through phishing, which exploit human behavioral patterns to obtain information.
In order to protect company information, training employees to recognize these attacks is mandatory in some companies. Not only is learning how to defend oneself very difficult because social engineering is based on manipulation, but most training strategies are also generic, boring, and without conclusive long-term effects. When trying to find human weaknesses, such as through penetration testing for social engineering, employers have to be cautious about employees becoming frustrated and feeling helpless, since this could further undermine the training's effectiveness for a corporation. Lastly, such unwarranted manipulation can even violate privacy laws and regulations.

Fortunately, the Social Engineering Academy has created an enjoyable training program that can combat these very issues with an innovative approach. The core of their training is the card game HATCH (Hack and Trick Capricious Humans). The game teaches how to recognize and prevent social engineering attacks in an entertaining way, as players learn how to detect attacks, identify vulnerabilities, and respond to both when they occur. Since the training is indeed a game, players can only discuss expectations and infer assumptions - thus, nobody can mistakenly reveal actual weaknesses. Social Engineering Academy's approach has been evaluated by several groups of researchers, IT administrators, and professionals from the telecommunications industry, whose feedback improved the game's real-life accuracy.
The Horst Görtz Foundation awarded HATCH third place at the sixth German IT-Security Prize (Deutscher IT-Sicherheitspreis) in October 2016. A jury of IT-security experts from industry and academia chose HATCH (known as "SocialSec" at the time) from forty-five contenders as one of the most market-relevant innovations for IT-security.

Innovation: VATICAN

Not too long ago, a car used to be made up of mostly mechanical parts bolted and welded together. Today, software defines what a car is and does: systems like Electronic Stability Control (ESC) measure wheel slip hundreds of times a second to keep the vehicle on the road - even under extreme conditions. Airbags, lane departure warnings and autonomous emergency braking, as well as comfort functions like GPS navigation, all need computers that control vital parts of a car. Even something as simple as a driver controlling the rear windows requires communication between many computers.
The same networked communication that makes desktop computers and smartphones vulnerable to attack now poses a real threat to the once isolated passenger compartment. The fact that computers control the brakes, throttle, and steering wheel makes digital exploits life-threatening.
This has led the team of scientists at CISPA (Center for IT Security, Privacy & Accountability), a future Helmholtz Center, to develop a solution that protects cars from those attacks. VATICAN (Vetted AuthenTIcated Controller Area Network) was designed to be a software-only update that does not require any hardware changes and can therefore be applied to cars already in use. VATICAN protects the communication of controllers by applying cryptographic authentication codes, allowing for a robust defense against unforeseeable future attacks. Applied by an OEM (Original Equipment Manufacturer), CISPA's solution is a cost-effective approach to demonstrating safety and security in the digital age of cars. In the future, regulation will require digital penetration testing in addition to physical crash tests. Supporting this evolutionary roll-out, VATICAN can already protect the digital components of modern vehicles due to its compatibility with components that do not yet speak its language.
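The authentication-code idea behind VATICAN, shown as an added illustrative example that is not CISPA's code and does not reproduce VATICAN's actual scheme: a truncated HMAC over a CAN frame's ID, a freshness counter (an assumption here, added so recorded frames cannot be replayed) and its payload travels in a companion frame on a second ID, which an unpatched ECU simply ignores while a patched receiver rejects altered or replayed frames. The key, the IDs, the ID offset for tag frames and the sample frame are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed sample key shared by sending and receiving ECU (not a VATICAN value).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_ID_OFFSET = 0x100  # assumed convention: tag frame ID = data frame ID + offset
MAC_LEN = 6            # 2-byte counter + 6-byte tag fills one 8-byte classic CAN payload


def can_tag(key, can_id, payload, counter):
    """Truncated HMAC-SHA256 over id || counter || payload (counter is an assumed
    freshness value, not described on the page)."""
    msg = struct.pack(">IH", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def send(key, can_id, payload, counter):
    """Emit the data frame unchanged plus a companion tag frame.
    A legacy ECU that does not know the scheme ignores the companion ID,
    which is what keeps mixed patched/unpatched buses working."""
    tag_payload = struct.pack(">H", counter) + can_tag(key, can_id, payload, counter)
    return (can_id, payload), (can_id + TAG_ID_OFFSET, tag_payload)


class VerifyingEcu:
    """Patched receiver: accepts a data frame only with a valid, fresh tag frame."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far, for replay rejection

    def accept(self, data_frame, tag_frame):
        can_id, payload = data_frame
        if tag_frame[0] != can_id + TAG_ID_OFFSET:
            return False  # tag frame does not belong to this data frame
        counter = struct.unpack(">H", tag_frame[1][:2])[0]
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        expected = can_tag(self.key, can_id, payload, counter)
        if not hmac.compare_digest(expected, tag_frame[1][2:]):
            return False  # payload or tag was altered on the bus
        self.last_counter = counter
        return True


def demo():
    """Returns (forged accepted?, genuine accepted?, replay accepted?)."""
    ecu = VerifyingEcu(KEY)
    data, tag = send(KEY, 0x0C1, bytes([0x00, 0x7F]), counter=1)  # constructed frame
    forged = ecu.accept((0x0C1, bytes([0xFF, 0x7F])), tag)      # altered payload, same tag
    genuine = ecu.accept(data, tag)                              # untouched frame
    replay = ecu.accept(data, tag)                               # recorded frame re-sent
    return forged, genuine, replay
```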

Source & Image: Stefan Nürnberger