Understanding Cyber Risk
eBook - ePub

Understanding Cyber Risk

Protecting Your Corporate Assets

  1. 142 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

A myriad of security vulnerabilities in the software and hardware we use today can be exploited by an attacker, any attacker. The knowledge necessary to successfully intercept your data and voice links and bug your computers is widespread and not limited to the intelligence apparatus. Consequently, the knowledge required can - at least in part - also easily be accessed by criminals trying to 'transfer your wealth' and competitors looking for your trade secrets. The temptation to use these easily accessible resources to the disadvantage of a rival company grows as global competition gets fiercer. Corporate espionage is nothing new, but since the dawn of the Internet Age the rules have changed. It is no longer necessary to be on-site to steal proprietary information. Cyberattacks today are cheap and attackers run a very low risk of getting caught, as attacks can be executed from anywhere in the world - an ideal breeding ground for criminal activities - and the consequences can be disastrous.

In Understanding Cyber Risk: Protecting your Corporate Assets the author provides a wealth of real world examples from diverse industries from all over the world on how company assets are attacked via the cyber world. The cases clearly show that every organization can fall victim to a cyberattack, regardless of the size or country of origin. He also offers specific advice on how to protect core assets and company secrets.

This book is essential reading for anyone interested in cyber security, and the use of cyberattacks in corporate espionage.


Information

Publisher
Routledge
Year
2017
eBook ISBN
9781317005049

1 Espionage: an underestimated matter
It is part of human nature to inadequately assess risks. Whole groups of hazards are systematically underestimated and others greatly overestimated. A prime example of an overestimated threat is the perception of the risk involved in being injured by a shark. The threat appears enormous and the summer headlines of large popular newspapers cannot be imagined without reports of shark attacks.
On looking closely, however, it becomes apparent that only 70 to 100 shark attacks take place per year worldwide with 5 to 15 deaths. This semi-official documentation of such incidents by the International Shark Attack File (ISAF) of the University of Florida supplies the hard facts (ISAF 2016). Whether and how many British or American nationals are injured by shark attacks is not known in detail. But it can safely be assumed that at least the Brits are rather underrepresented since sharks do not normally occur along British coastlines.
If the fear of sharks were regarded as rational and consequently used as a measure of risks to life, one would rather have cause to worry about choking on swallowed food at every meal; 615 people died in such a manner in Germany – a country with a population of 80 million people – in one year alone (CHOKE 2010). However, nothing is known of the existence of huge fears within large sections of the population of having an accident during meals.
Human fears and worries are seldom rational. The risk of being run over whilst popping down to the baker’s shop before breakfast is probably higher than that of becoming a shark victim whilst on holiday. The risk of becoming a victim of identity theft online is also seriously higher – yet it is hardly possible for people to estimate such “invisible” risks. At least with the shark, we have had a graphic picture of the danger in our mind’s eye ever since Jaws came out.
Generations of psychologists have already considered the question of why people who otherwise behave extremely prosaically and are very statistically focussed react so irrationally when assessing risks. Researchers at the University of Dartmouth and other behavioural scientists see our subconscious at work here and point out the proven usefulness of our intuitive assessment of risks in former millennia, which consequently also leads to diffuse fears of hazards caused by humans. It’s just too bad that our modern world has so far been too ephemeral to change perceptions shaped over a long period of time.
It is not only we as private persons who are confronted with the problem of an inadequate ability to assess risks; the same applies equally to the persons responsible in companies. Misperception is often the cause of worries specifically in the field of company security. The same goes for carelessness. IT security specialists know a thing or two about that. Regardless of whether it falls to the head of IT, the company security department or even management itself, the job of being responsible for computer security is regarded, not without reason, as one of the most thankless tasks within a company – a view which I found confirmed time and again during the years I worked on building up secure IT and telecommunications infrastructures. No praise is to be expected because it is taken for granted that everything should work as it should. If something goes wrong and a security-related incident happens, the head of security is held responsible – and can sometimes find themselves looking for another job.
Even in “times of peace” the task is not a trivial one, as resources for necessary investments in security products are often not regarded as being especially important by management; after all, no return on investment (RoI) can be calculated here. This RoI is a key income figure which denotes the economic success of an investment measure. At first glance, calculating an RoI appears to be a good idea here, but with investments in company security the RoI is inappropriate because at best the result of this key figure is future savings – if everything goes well. Due to this dilemma, only a few companies are as well positioned regarding security as they should be.

Yesterday’s paranoia is tomorrow’s threat

It took the revelations of Edward Snowden about the activities of the US National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) and the media’s indignation about German chancellor Angela Merkel’s mobile phone being bugged to create awareness amongst the general public for one of the most important issues of our age: espionage. However, the fact that national intelligence services also spy on “friendly countries” is the wrong reason for the public debate because we can safely assume that it is the task of any intelligence service to know the political state of its own allies. But it is also the task of the counterintelligence of any given country to keep the other side’s spies at arm’s length. Awkward intimacies between the services – as they have come to light in the course of the revelations – should be prohibited as a matter of course.
What is really worrying about the documents published by Edward Snowden from 2013 on is the large amount of detailed technical information which shows the vulnerability of our economic and social exchanges based on information and telecommunications to unauthorised access by third parties.
The same applies to the information about the US Central Intelligence Agency (CIA) hacking targets published years later – in 2017. The latter even included TVs and cars. One concrete example showed how to use a Samsung TV as an audio bug by updating its firmware so that the attacker could listen to everything that was spoken in this room. In this case the software even allowed one to switch the power indicator of the TV to off so nobody would take notice. Since TV usage is not limited to the private setting of your living room, and TVs can be found in hotel rooms, lobbies, bars and conference centres, the potential reach of this attack vector is larger than one might think at first.
Following these revelations, in February 2017, security researchers from the Swiss security consulting company Oneconsult presented to the European Broadcasting Union a way to remotely take over smart TVs by manipulating the broadcast signal. As Oneconsult found out, more than 90 percent of all smart TVs are vulnerable to these kinds of attacks.
In 2015 security researchers managed to hack a Fiat Chrysler Grand Cherokee SUV via the remote connectivity option of its Uconnect infotainment system. The attackers were able to control the brakes, disengage the transmission and change the settings of the climate controls as well as the radio stations. Fiat Chrysler fixed the vulnerability with a security patch after the story went public and made big headlines. The patch needs to be installed at the dealer or via a USB drive – there is no way to update the car over the air, so one should expect that a high percentage of the Grand Cherokee cars with this particular version of the Uconnect infotainment system currently on the road are still vulnerable to the very same attack. It is not known whether the attack would allow eavesdropping on the conversations between the driver and the passengers via the built-in microphone of the hands-free module included in Uconnect, but one should expect so, since the researchers successfully gained access to several critical vehicle functions. Your car may also be at risk of being hijacked even if it is not equipped with Uconnect. Several aftermarket dongles that attach to the OBD-2 port, which has been standard in all cars built since the 1990s, are also vulnerable to unauthorised access. These dongles typically allow vehicle tracking or fleet management functions to be added to cars. Since they connect to the main data bus in the car (the CAN bus), they can potentially also be used to hack the vehicle in ways similar to those shown with Fiat Chrysler. Consequently, researchers found a security hole in a dongle provided by Bosch for their fleet management solution, which can be exploited via Bluetooth, which means the attacker has to be nearby (e.g. following the car in another car). Bosch has already provided a security update for this problem, but the next vulnerability is just around the corner.
Of course, these are just examples. But hopefully they will open our eyes to an unbelievable variety of technical aids and processes which permit individuals and companies to be spied on, and the use of which, we can assume, is not limited to the intelligence services.
If one deals with the security of organisations professionally, one is not infrequently suspected of being a doomsayer and conspiracy theorist oneself. The revelations on the machinations of the intelligence services have, above all, achieved one thing, namely bringing things out into the open which have long been discussed in specialist circles – for example the possibility of building back doors into hardware and software. Whether smartphones, drones or autonomous vehicles, every new development brings new possibilities but also new security risks. In addition, new security holes are discovered in technologies already in use every day. The question as to the security situation of an organisation or a company must therefore be asked anew every day.
In discussions of technical security, the topic has by now become so important that there is a tendency to differentiate between a time before and a time after Snowden. As a security expert, you are no longer automatically regarded as the weirdo you were put down as until recently, but are suddenly being listened to – at least occasionally. And just as the “Snowden effect” begins to wear off, new revelations add fuel to the flames. Regarding this development neutrally and without emotion, it must be said that yesterday’s paranoia has become tomorrow’s security threat.

Digital transformation and espionage

Whether we like it or not, we are all in the middle of a huge transformation, the scope of which can only be compared to the Industrial Revolution. The consensus is that so-called digital transformation has changed our lives and the way we work in the second decade of the 21st century. In just a few decades, almost everything to do with private and professional communication has changed.
The beginnings were fairly unspectacular: in the mid-1990s, the Internet wave washed over the edge of the academic world and initially conquered technically oriented parts of the population. “Are you connected?”, a phrase from an advert for an online service provider, became a familiar expression. But the Internet has long ceased just to be the playground of a few technology freaks. A business card without an email address has now become just as unimaginable as a company without a website – the Internet has become a fixed part of our lives and working environment.
Official figures speak for themselves. According to data provided by the Office for National Statistics (ONS), 87.9 percent of adults in the United Kingdom (45.9 million) had recently (within a three-month time frame) used the Internet (ONS 2016). The Internet penetration rate of the United States in 2016 is at a similar level: 88.5 percent (LIVESTAT 2016). Comparable numbers exist throughout the developed world. Equally impressive is the time spent using the Internet. Typically it adds up to several hours a day, especially for younger users.
The penetration of mobile phone connections is significantly above 100 percent in the Western world. Even more important is that most mobile phone users are smartphone users now. UK numbers for 2016 show that more than 80 percent of all mobile phone users are smartphone users. A press release by Ofcom – the United Kingdom’s national communication regulator – in 2015 mentioned an important point of inflection. At that time, the primary means of Internet access changed from the PC to the smartphone. Thanks to Internet and mobile phones we are always online nowadays – always in contact.
The so-called smartphone has had a major share in increasing online use in private and professional life in recent years. Mobile phone technology was first introduced in the summer of 1992 as the so-called D network based on the widespread Global System for Mobile Communication (GSM) standard and was consequently affordable for everyone. Since then, the mobile phone has experienced unprecedented success. In 2002, there were already more mobile phones worldwide than fixed-line phone connections according to the International Telecommunication Union (ITU), and since 2006, the ITU has even observed a reduction in the number of fixed-land phone connections.
The relatively young category of smartphones is playing a special role in this as their prevalence and use are growing rapidly. According to figures by Gartner, a market research institute, around 1.5 billion units were sold in 2016 alone. Beyond telephone functionality, smartphone users have the option of sending and receiving e-mails, using further Internet services and installing applications like on a computer. These programmes, known as apps, not only provide functions for casual users, from video games to fitness trackers, torches to navigation systems, but also increasingly provide business applications such as access to company-specific software, internal company calendars and other company databases.
The smartphone became a success story with the advent of the iPhone, which was introduced by Apple in 2007. Its intuitive operation via touchscreen – and later also voice control – facilitated the breakthrough of the concept of the mobile phone with added value and thus also mobile Internet use. The Android operating system initiated by Google started up in its wake and became a global success – thanks to the support of many manufacturers. The device type was complemented by tablets, which started their triumphal march initially in private households and are meanwhile also indispensable in professional life.
Access to company data is clearly at the forefront of the benefit models – even if a lot of the “business” iPads seen in trains and airport lounges are meanwhile rather being used for online games or videos. In practice, business and private use intermingle on this very personal piece of technology – whether smartphone or tablet – something which will play an important role in the course of this book.

Security risks included

If the promises of IT providers are to be believed, every company which is mainly run from the road and the home office becomes a mobile enterprise. The omnipresent connection via the Internet and mobile telecommunications permits the dissolution of the spatial limits of what used to be a company campus. Some companies already exist only as so-called virtual organisations, which de facto consist of a network whose endpoints are determined by the respective locations of the employees – and these can just as well be a coffee shop, an intercity train or an airport lounge.
However, this beautiful new world of work is potentially also a beautiful new world of espionage. Why smuggle in an extra employee to secretly copy important design documents when an attack “from the comfort of your own home” via the Internet is much easier? Thinking the possibilities of these new worlds of communication through to the end, it is possible to imagine totally new patterns of attack which presumably have already been tried, for the main lesson of technical history so far is that everything that can be done has been done.
The core problem of our current situation is simple: the standardised Internet-based processes for communication, so-called Internet protocols, are not designed for secure communication. The popular notion that an e-mail is as secure against being read by unwanted eyes as a postcard is not just idle talk. In fact, things are even worse: you can’t even trust the sender. There are e-mail encryption processes, but they are so complex to use their acceptance in private life and in business is low. People have simply come to accept the situation and sometimes bypass the problem by at least sending the attachment in encrypted form.
The same applies to using the World Wide Web for transactions: there are additional security mechanisms, but until recently they were extremely problematic to implement from a technical point of view. In April 2014, a vulnerability in OpenSSL, christened “Heartbleed”, was discovered which could crack open the encryption of Internet connections important for e-commerce in many application cases (OPENSSL 2014). The most shocking thing was that a programming error by one single developer in an open source project had caused this dangerous security vulnerability. Nobody had checked the program code – but the software was deployed many times over. In the end, the error remained undiscovered for more than two years. The statistics provider Netcraft assumes that half a million websites were affected by this error (NETCRAFT 2014).
It should also not be forgotten that no guarantees of quality and availability are given for normal use of the Internet, that is to say, without any additional technical measures. An expert calls this “best effort”, meaning that if it works it works and that you just have to put up with it if it only works slowly and maybe even not at all for certain applications. But what if a competitor decides to slow down your company communication to such an extent that it is impossible to work? You think something like that never happens and that it’s just a theoretical problem? Unfortunately, the reality of the 21st century is different.
The inadequacies of the Internet infrastructure are so great that researchers are seriously considering starting again from scratch and redeveloping it – with built-in security features. But the chances of this clean-slate approach being realised appear to be minimal – the power of the installed base is too great. Security within mobile phone networks is also lagging a long way behind what is technically possible. Here, however, the starting conditions are different: the GSM standard and the encryption used are less secure than they could have been when they were introduced. State intelligence services allegedly had an influence on them – a fact which I have had confirmed to me by a former high-level GSM standard developer.
Added to this are further security risks. Even though Linux and Mac OS do crop up occasionally, our computer landscape is dominated by Microsoft operating systems. Similar to monocultures in agriculture and forestry, this makes structures especially susceptible to infestation. As a result, we have had a dramatic increase in the incidence of computer infestations such as viruses, worms and Trojans alongside the rise of the Internet. Although malware for computers is by no means an invention of the network age, in the past the main means of distribution was limited to floppy disks. This meant that the means and speed of distribution of an infection were severely limited, whereas nowadays, in extreme cases, thousands of computers can be infected with a new security threat within just a few hours.
There is less of a monoculture with smartphones. Regarding distribution, Google’s Android operating system, which is deployed by a wide number of manufacturers, dominates here. The big problem with this is the almost uncontrollable growth of different devices with dif...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. Foreword
  6. 1 Espionage: an underestimated matter
  7. 2 From competition to economic warfare
  8. 3 From old-school espionage to modern methods of attack
  9. 4 Economic and industrial espionage in the digital age
  10. 5 En route to the “spy-proof” company
  11. 6 The future of economic and industrial espionage
  12. References
  13. Index

Yes, you can access Understanding Cyber Risk by Thomas R. Koehler in PDF and/or ePUB format, as well as other popular books in Computer Science & Business General. We have over 1.5 million books available in our catalogue for you to explore.