Voices from it-sa

I was at the biggest German Security Expo and Congress it-sa last week. One of the highlights was definitely the speech of Edward Snowden (German report), particularly because the European Court of Justice had declared Safe Harbor invalid two days earlier. I gave a presentation about the OWASP Top 10 Privacy Risks and a radio interview for Deutschlandfunk about the importance of a holistic approach to information security. Furthermore, heise TechConsult published an interesting study with 5 Steps for IT Security (in German) and recommends that companies spend 1% of their turnover on information security.

Do Not Track Blog & Linkography

German and French TV channels founded Do Not Track – a very informative blog about privacy and big data with the goal of raising awareness and providing transparency. They call themselves “A personalized documentary series about privacy and the web economy”. The latest article is about Apple and Google participating in a confidential spy summit in a remote English mansion. They have also published some hints on how to protect privacy on your smartphone.

In case you are further interested in trustworthy mobile apps for users and related instructions for developers, the Guardian Project is a good source.

Encryption not sufficient to protect personal data

I could hardly believe it when I read the latest developments in the negotiations on the EU Data Protection Regulation in an article on the German heise news site. Of course it is nice to hear that there is progress at all, but the suggestion to skip notifying the authorities in case of an incident if the data has been stored encrypted is nonsense. Encryption is an important piece of the puzzle, but it does not protect against many threats. It mainly helps if the device (server) is turned off or during data transfer. It does not help against the most common problems like application vulnerabilities, unpatched servers, weak authentication or insecure passwords. A device might easily be hacked even though the data is encrypted. Trusting in encryption alone is like relying only on your car’s safety systems, such as the airbag, while ignoring traffic rules and speed limits: it won’t work.
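To make the point about application vulnerabilities concrete, here is an added example (not code from the article or from any project it mentions): records are encrypted at rest, yet a request handler that decrypts them for any logged-in user without checking whose record was requested leaks them anyway, while the corrected handler enforces the check. The cipher is a constructed standard-library stand-in so the example runs offline, not a recommendation; the "database" and user records are constructed too.

```python
import hashlib
import secrets
from typing import Optional

# Constructed stand-in for an at-rest cipher (SHA-256 in counter mode as a keystream),
# used only so the example runs with the standard library; a real system would use
# an authenticated cipher such as AES-GCM. The point of the example is not the cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed "database": every record is encrypted at rest, exactly the situation
# in which the proposed exemption would waive the incident notice.
KEY = secrets.token_bytes(32)
RECORDS = {
    1: encrypt(KEY, b"alice@example.com"),
    2: encrypt(KEY, b"bob@example.com"),
}

def stolen_disk_image() -> list:
    """A powered-off copy of the storage: the one case encryption at rest covers."""
    return list(RECORDS.values())

def get_profile_vulnerable(session_user: int, requested_id: int) -> bytes:
    """Application flaw (missing authorization check): any logged-in user can read
    any record. The application holds the key and decrypts on request, so the
    encryption at rest changes nothing about this leak."""
    return decrypt(KEY, RECORDS[requested_id])

def get_profile_fixed(session_user: int, requested_id: int) -> Optional[bytes]:
    """The control that actually limits exposure lives in the application:
    a user may only read their own record."""
    if session_user != requested_id:
        return None
    return decrypt(KEY, RECORDS[requested_id])
```

A stolen disk image yields only ciphertext, but the vulnerable handler hands out plaintext to any authenticated user; that is the breach the encryption exemption would leave unreported.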

Hopefully data protection experts do not let themselves be influenced too much by lobbyists and listen a bit more to people who understand how personal data is protected in real-life scenarios by a comprehensive approach supported by technology and processes.

OWASP Top 10 Privacy Risks

I started the OWASP Top 10 Privacy Risks project together with a colleague. Its goal is to develop a top 10 list of privacy risks in web applications, because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or a lack of transparency. The project is open source and non-profit. Feel free to contribute!

Tips against governmental surveillance

Many people currently ask what to do against governmental surveillance (NSA spying) and some managers even think that standard security measures are useless because “the NSA has access to everything anyway”. But there are other attackers besides secret services and there are also things you can do against governmental surveillance. Here is my list of the most important things to consider:

  • Use encryption. The NSA is not able to read all encrypted data with reasonable effort, and if you use the algorithms and key sizes recommended by ENISA you are quite secure. Furthermore, there are tools for anonymized internet browsing like Tor and JonDo.
  • Choose European IT companies instead of US IT companies. It will not only help to lower the likelihood that your data leaks to the NSA, but also to put some economic pressure on US companies. US companies themselves will demand to restrict governmental spying if they lose a significant number of customers or users.
  • Blow the whistle if you are aware of governmental back-doors in products or systems, unlawful eavesdropping or even attempted blackmailing. Media companies like the German SPIEGEL have set up guidelines for informants and sometimes whistle-blowing is the only way to point out serious deficits. But prepare to run and leave your family 😉
  • Request independent audits and product certifications that prove the absence of data leaks to governmental bodies. Choose trusted auditors.
  • Continue securing your assets, because as a security consultant or manager you are mainly defending the reputation of your company. The NSA would not publish that they hacked your company. But if your customer data gets published or sold by cyber criminals, you will get huge media attention, and this will damage your reputation and possibly your shareholder value. Furthermore, you also have to comply with laws and regulations.

Note: There are governments of countries other than the USA that have powerful secret services and support spying on private and company data and internet traffic without providing transparency. Everyone has to decide for themselves whom they trust, and to what extent eavesdropping is acceptable and helpful in fighting terrorism.

False Risk Perception

I recently read an article about eight people who died in a medium-sized German city last year because they crossed at red traffic lights and were hit by cars. They apparently had the feeling they had everything under control, but they underestimated the risk. The story reminded me of the daily business of information security people, who have to deal with the risk perception of their managers and employees – luckily without casualties, but in a much more complex environment that is hard to oversee. False risk perception is typical for human beings. There are studies saying that the number of deaths from the 9/11 attacks was exceeded by the number of deaths caused by additional car accidents, because people chose to drive instead of flying, and driving is much more dangerous than flying.

It seems there is also a false risk perception about terror attacks and NSA spying. The NSA contributed to the prevention of only 4 out of 225 terror cases since 9/11, according to a study by the New America Foundation. The rest were prevented by the police etc. If even a small number of people committed suicide because they were wrongly identified as terrorists by misleading correlation results of the NSA, the spying would not only help to save lives but would also “kill” additional people. But I doubt there are public reports on the impact of such false positives.