Sep 05 2007
One thing I am quite often astonished by is how low awareness is when it comes to risk management and where risk management can and should be applied. So when I read an interview with Thomas Djurling of FRA (the National Defence Radio Establishment) in Computer Sweden, where he says that Swedish companies are naive when it comes to industrial espionage, I couldn’t agree more. But I clearly don’t agree that Swedish government organisations such as FRA, SÄPO (the Swedish Security Service) and SITIC (part of the National Post and Telecom Agency, PTS) should offer these services to the public, since there are quite a few other security vendors on the Swedish market with the proper knowledge.
The problem is rather that knowledge and awareness of how to handle risk management is quite low, and if FRA, SÄPO or SITIC are to offer their services, my suggestion would be that they focus within their own domain, i.e. government institutions. FRA’s own home page describes their mission clearly:
“FRA is also engaged in information assurance. On demand, we support government authorities and state owned companies regarding current IT threats as well as general advice to improve security.”
The problem is that it says on demand; what about a mandatory security audit once a year or every second year? Today it is up to the local authorities whether they want to perform a security audit or not, and the audit material I’ve seen is often focused on technical aspects. It should be said that I’ve also seen great efforts to implement security standards, but the difference between government organisations is way too big.
I’ve seen many government authorities and state owned companies that lack a properly implemented awareness programme. Risk can’t be eliminated, but it can be reduced to a level the organisation can accept; it’s all about how much resource you’re willing to put in. When speaking about risk most people think security, and when speaking about IT security most people think firewalls, anti-virus and so on. Also, when speaking about changes within an organisation, for example changing a procedure or implementing a new process, it’s quite common that no kind of risk analysis is done to see how a failure to implement the change would affect the organisation. The failure itself can be that the procedure is badly documented, so that the users or employees don’t know how to act in a certain situation. This in turn can lead to employees not being able to fulfil their duties, and with that we have a monetary loss. Of course it’s not always about monetary losses, since risk also includes for example negative publicity in the media or employees losing faith in the company - try defining the monetary value of that!
It’s all about identifying, minimising and accepting the risk found in all the activities and assets of an organisation; if this isn’t accepted, there is a serious problem.
Kim Haverblad
Note: For further reading on this topic, please see the article in Computer Sweden (Swedish).
Sep 05 2007
Quite recently there have been a number of articles about how the KeeLoq cipher has been cracked, using a new method that speeds up key recovery by a factor of 500. Basically what Eli Biham, Orr Dunkelman, Sebastiaan Indesteege, Nathan Keller and Bart Preneel have shown is that by sniffing the communication between the remote key and the car they can collect the data needed to crack the cipher. In their case all they need is access to the key token for one hour to send challenge/response queries to it, and with the collected data it took them around one day to crack the key.
KeeLoq is a cipher distributed by Microchip Technology Inc. and used in several car manufacturers’ anti-theft mechanisms. It may still be protecting your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen or Jaguar. The cipher itself is included in the remote key fob for the car, and similar solutions can be found in garage doors, security gates, etc. It has been used quite widely because the hardware needed to produce this kind of key token is really cheap.
The biggest issue is that recovering one KeeLoq key also leaks the master key, and with that the cipher is now severely damaged, since sooner or later there will be public code to perform this kind of trick yourself. Microchip Technology has so far chosen not to comment, and the team behind the discovery will not release the full report before they’ve talked to Microchip.
I wonder what the car insurance companies will have to say about this when a car gets stolen without any trace (I can already smell car fraud attempts).
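To make the mechanics concrete, here is an added example (my own code, not from the post, from Microchip or from the researchers) of the KeeLoq block cipher as it has been published: a 32-bit block, a 64-bit key and 528 rounds of a non-linear feedback shift register whose feedback taps and truth table (0x3A5C742E) follow the public description. It also simulates the style of challenge/response exchange the researchers exploited: the car sends a random 32-bit challenge, the token answers with its KeeLoq encryption under the device key, and anyone who can talk to the token for a while collects known plaintext/ciphertext pairs; the published attack needs on the order of 2^16 of them, which is the “one hour with the token” above. The key recovery itself (a slide attack combined with meet-in-the-middle) is not implemented here; the last step of any such attack, checking a candidate key against the collected pairs, is. The `Token` class, the message format, the sample device key and the pairs are all constructed for this example and are a simplification of the real protocol.

```python
import random

# KeeLoq as published: 32-bit block, 64-bit key, 528 rounds of an NLFSR.
NLF = 0x3A5C742E   # 5-input non-linear function stored as a 32-bit truth table
ROUNDS = 528
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _bit(x, n):
    """Bit n of integer x."""
    return (x >> n) & 1


def _nlf(x, a, b, c, d, e):
    """Look up NLF at the 5-bit index built from bits a..e of x (a is the LSB)."""
    idx = (_bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2
           | _bit(x, d) << 3 | _bit(x, e) << 4)
    return _bit(NLF, idx)


def keeloq_encrypt(block, key):
    """Encrypt one 32-bit block under a 64-bit key (key bits are cycled)."""
    x = block & MASK32
    for r in range(ROUNDS):
        fb = (_bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63)
              ^ _nlf(x, 1, 9, 20, 26, 31))
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt: run the same register backwards."""
    x = block & MASK32
    for r in range(ROUNDS):
        fb = (_bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63)
              ^ _nlf(x, 0, 8, 19, 25, 30))
        x = ((x << 1) & MASK32) | fb
    return x


class Token:
    """Key fob answering challenges: returns the KeeLoq encryption of a
    32-bit challenge under its device key. Simplified model, an assumption
    of this example; the real messages carry additional fields."""

    def __init__(self, device_key):
        self._key = device_key & MASK64

    def respond(self, challenge):
        return keeloq_encrypt(challenge, self._key)


def collect_known_plaintexts(token, count, rng=None):
    """Attacker with access to the token: issue `count` random challenges
    and record the (plaintext, ciphertext) pairs the token hands back."""
    rng = rng or random.Random()
    pairs = []
    for _ in range(count):
        challenge = rng.getrandbits(32)
        pairs.append((challenge, token.respond(challenge)))
    return pairs


def verify_key_candidate(pairs, candidate):
    """Final step of a key-recovery attack: a candidate 64-bit key must
    reproduce every collected pair (a few 32-bit pairs make it unique)."""
    return all(keeloq_encrypt(p, candidate) == c for p, c in pairs)


if __name__ == "__main__":
    device_key = 0x8F1E2D3C4B5A6978   # sample key constructed for this example
    pairs = collect_known_plaintexts(Token(device_key), 64, random.Random(2007))
    print(f"collected {len(pairs)} known-plaintext pairs from the token")
    print("right key accepted:", verify_key_candidate(pairs, device_key))
    print("wrong key rejected:", not verify_key_candidate(pairs, device_key ^ 1))
```

Note how little the token side needs: no nonce from its own side, no rate limit, no counter, so an attacker holding the fob can query it as fast as the radio allows, and every answer is a known-plaintext pair under the one device key.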
Kim Haverblad
Note: For further reading there are several sources to download papers from; here are a few suggestions: www.cosic.esat.kuleuven.be/keeloq/ and the cryptanalysis by Andrey Bogdanov and Nicolas Courtois.
Sep 03 2007
Dagens Nyheter has a quite interesting article about how the Swedish Department of Justice has received a report from a one-man committee in which it is suggested that ISPs should either shut down the broadband subscription of an individual or be forced to pay the fine for copyright infringement.
According to an interview with Cecilia Renfors, who wrote the report, as quoted by Dagens Nyheter, this won’t mean that Swedish ISPs are forced to take part in the hunt for broadband customers who download music or films; but if an ISP doesn’t act on an indication from the copyright holder, it would then be held responsible and taken to court. Would this mean that a local Swedish ISP can actually be taken to court for how its customers use its product? Does this mean that we will have similar laws in the future for:
- The car industry, so that they can be charged if their cars have been used in a bank robbery?
- The telecom industry, since their phone lines could be used to defraud or threaten people?
And finally: should a person actually be able to be pre-convicted without being taken to court? File sharing itself isn’t illegal as long as you share legal material. But there is a high risk that this proposal would have a negative impact on privacy.
Kim Haverblad
Aug 31 2007
It seems that Germany is willing to legalise malicious software such as spyware and trojan horses as a necessary measure against terrorism, according to an article in the Herald Tribune. The question is just who will define what and when a crime falls under terrorism, and since that is hard to guarantee, this could well be an invasion of citizens’ privacy if the bill is passed. Interior Minister Wolfgang Schaeuble defended the tactic in an interview with n-tv television, calling the ongoing debate “completely exaggerated” and underlining that judicial approval would be required before the measures could be used. “It’s about a few isolated cases.”
Furthermore, a verdict from the Hamburg regional court in Germany last year stated that as an individual you have full responsibility for the activity going on via the wireless network you have at home. Fair enough - but is it also fair that I have to be responsible for other people’s activities going on via my wireless network or my local network as well? That’s a really good question. In most cases I think we all agree that one has responsibility for one’s own actions as a private person, and that a company has to take responsibility for its employees. But what if someone downloads, for example, mp3 files via my network; would I still be responsible for this third person’s activities? Well, in Germany you would. According to the German magazine Heise, which had a story about this case, the verdict from 2006-07-26 is built around approximately 244 mp3 files downloaded at the end of 2005 via the Gnutella peer-to-peer network. This was noticed by a music company, which took the case to court, and the judge ruled in favour of the music company. The judge states that an individual is responsible and has to take measures to make sure that a personal wireless access point is password protected, and thereby make use of some kind of encryption to secure it.
So the big question now is: when is an access point secured? Quite a few users are still running equipment that only supports WEP (Wired Equivalent Privacy) encryption, which has been shown to be crackable in a matter of minutes. Based on that, would the verdict still be the same if they had been using WEP encryption to protect their network? Hopefully not, but quite a few would say that WEP encryption isn’t secure enough any more and therefore shouldn’t be used. To what extent do we have to go to protect ourselves before we can feel safe against the law?
Using utilities to check the security status of one’s own network, from the inside and from the outside, would for most people be the recommended action. The problem is that Germany recently passed a law that defines this kind of activity as hacking, and by that definition it’s not legal to use any kind of tool to scan for vulnerabilities or analyse systems for weaknesses. Hacking has been and is criminalised by most countries one way or another; the definition may differ from country to country. But as Germany passed the law to prevent hacking attempts, my humble question to the German authorities and the people who wrote the bill is: how do you plan to secure your own IT infrastructure? The German Chaos Computer Club says in an article published by IDG.se that this new law makes it really problematic to define what is a hacking tool and what isn’t; for some the ping command is a great tool to check whether there is a system at the other end when scanning a network segment, and for others it’s just a tool to ping a local system. So where do we draw the line for what is a hacking tool?
What Germany ends up with is a catch-22 when it comes to security: you have to secure your own network, but you’re not able to use any utilities to check its security status. And about the proposed law legalising viruses and trojan horses for spying on terror suspects - isn’t that a violation of the earlier passed law that makes it illegal to hack systems?
Kim Haverblad
Note: Sweden also has similar plans (Swedish article) to criminalise denial of service attacks. The bill was issued by the Swedish Department of Justice and released in March 2005 for circulation for comments. It was forwarded in March 2007 as a proposition to the Swedish government for decision, and no decision has been taken yet.