// archives


This category contains 40 posts


In favor of simplicity I started to consolidate my blogging onto LinkedIn. Please add me there to get updates on security related topics.


Fighting Dolphin talk – Cybersecurity and Privacy Hub

Broader Perspectives on SecurityI was invited to participate in a cybersecurity roundtable at the US Embassy in Bern to discuss best practices and experiences in cybersecurity policy. Participants were from private as well as public sector and the special guests were the US Ambassador to NATO, Douglas Lute and his wife Dr. Jane Holl Lute, CEO of the Center for Internet Security. At some point Dr. Jane Lute made a comment that too many IT leaders and executives still use dolphin talk. Not familiar with that language? You actually probably are because it is used quite widely by IT professionals. When “we” speak about a technology topic then the non-technology person understands about as much as when a dolphin is communicating with us.

I liked this comparison as much too often that is the reality and I am working on talking about technology and security in a more easily accessible way. One of the things I discovered in last week’s PwC EMEA Cybersecurity leadership meeting also works on improving that type of conversation. It is the PwC / WSJ Cybersecurity and Privacy Hub that you can find at www.pwc-broaderperspectives.com  This hub is sponsored by PwC and is created together with the Wall Street Journal custom studios. I like it especially as the articles aim at looking at cybersecurity and privacy in a broader fashion and use a vocabulary that does not require multiple classes in cryptography or equivalent. Why not check it out and let me know what you think?

New choices on cloud data location and welcome Secure Islands!

This week is pretty packed with security relevant Microsoft announcements and here a quick summary.

Satya Nadella was in the UK yesterday and in Germany today where he announced that Microsoft is expanding the cloud strategy in Europe with two new interesting offerings.

Firstly he disclosed yesterday November 10 the plans to offer commercial cloud services from the UK where Azure and Office 365 will be generally available from local UK-based data centers in late 2016 and Dynamics CRM following shortly thereafter. These services will offer customers data residency in the UK. You can read the blog post with more information here.

Secondly, and maybe more interesting from a Swiss perspective, he announced today November 11 plans to offer cloud services from German datacenters. The main difference between the UK announcement and the German one is that the second is using a trustee model. The services offered will comply with the Microsoft trusted cloud principles on security, privacy, control, compliance and transparency but is combined with a German data trustee model. That means concretely that access to customer data stored in the two new datacenters will be under the control of T-Systems which acts as a data trustee and Microsoft will have no access to this data independently. Cloud services will be made available to customers in the EU and the EFTA and roll-out is planned to begin in 2016. With this Microsoft has a new and unique solution for cuttomers in Germany and the wider Europe that want local control of their data. In my view an important next step in the discussion on data location. You can read more on today’s announcement here.

Independently from the two cloud announcements came the confirmation on Monday November 9 that Microsoft is acquiring Secure Islands. There were lately a few security acquisitions but I am especially excited about this one. I was working often with Secure Islands as their technology to protect customer data using Rights Management technology is second to none and widely adopted especially in the Swiss Financial Services Sector but also with other large customers. Microsoft will now integrate Secure Islands’ technology into Azure Rights Management Service to provide a flexible architecture to meet protetion and compliance requirements. Many of you know that I am a great supporter of Rights Management and this will give new possibilities on-premises, hybrid and cloud. Congratulations to Akie and Yuval Eldar who are the founders of Secure Islands and welcome to the Microsoft Family! You can read the announcement with more information here.


This weeks top of the news in Cybersecurity (week 45)

Information on Cybersecurity is becoming almost overwhelming. The series on “this weeks top of the news in Cybersecurity” is a collection of a few articles that I found noteworthy throughout the week. Perfect Friday or weekend reading to catch up on events if you have missed them or have been too preoccuppied or swamped with the Bond Spectre movies review!


Blackberry Priv. Can an awesome keyboard justify the Blackberry Priv?

It has been a (very) long time since I have used a Blackberry and frankly I am not missing it. I have also not tested the Blackberry Priv and will not do so but I still found the review interesting as I like some of the features that Blackberry built in it. For example I would like to have a notification if an app tries to access something and then bind it back if I don’t like it. But the more interesting and yet also more alarming part is that Blackberry will patch the Android OS on a monthly basis with security updates and in addition hotfixes when things cannot wait a month. More information can be found here but I ask myself if it really needs to be the phone vendor and not the OS vendor that should do that as this way we will never get to a better protected overall mobile phone base.


The Role of Machine Learning in Cyber Security
IT Pro Portal

 I believe that machine learning and big data will have a huge impact on cybersecurity and we will see impactful applications especially of machine learning more and more in the close future. With that in mind I found the Q&A with Garry Sidaway (SVP Security Strategy & Alliances at NTT Com Security) interesting. It is fairly short but gives a few ideas on the topic.


Security Tools’ Effectiveness Hampered by False Positives 

False positives are a significant problem at many enterprises and valuable events get burried under large amount of data. It goes so far that I have talked to large companies who invested substantial money into SIEM’s only to then turn them off again as they could not handle the amount of information. This article takes a look at the problem of false positives and how they distract companies from dealing with legitimate security alerts.


U.S. and U.K. Testing Response Scenarios for FinancialSector Cyberattacks
The Daily Dot

As cyberattacks don’t just target typically one country it makes sense to approach the defense against them with a wider view than most of today’s critical infrastructure protection efforts do. The U.S. and UK have scheduled test response scenarios that will take place later this month in an effort to mitigate the consequences of a large-scale cyberattack again their respective financial sectors.


More Companies Form Data Breach Response Plans  
Business Insurance

Being prepared for a data breach is critical today as realistically your company will be breached or has been breached and you may or may not know about it. A new study by the Ponemon Institute finds that although more companies are launching new data breach response plans (good!), relatively few have confidence in their effectiveness (bad). Talking to many CISO’s and CIO’s it seems to me that most companies just don’t have the resources for this and in my view will have to more and more use managed security services and work with retainers for such events.


U.S. Retailers Push Banks to Use PINs on Credit Cards as Confusion Reigns

From a european perspective this is just plain silly. I have a few credit cards and only my american one does not have a chip and pin. Looking around there seems to be no problem whatsoever to use pins with credit cards on a quite large scale throughout Europe. Now some US retailers are looking to use PINs (personal identification numbers) on their store-branded credit cards that are embedded with computer chips, but are getting resistance from the banking industry. Really?


SnowdenBlessed ‘Signal’ Encrypted Calling, Messaging App Comes to Android
NBC News

A new Android app is claimed to securely make phone calls and send messages , which Edward Snowden says he uses “every day.” I found that a bit a special statement and probably would touch that app even less if I would have an Android phone as now the attack motivation just skyrocketed and I have a hard time seeing how Edward Snowden would have the actual technical capabilities to verify the security of such an app.


ACSC Releases 2015 Threat Report  

I always like to look through the different threat reports so will include this one here in my recommended reading list. The Australian Cyber Security Centre (ACSC) has released its 2015 Threat Report. It provides information about threats that Australian organizations are facing, such as cyberespionage, cyberattacks, and cybercrime and conclusions towards other geographies are certainly realistic.


And that is it for today and best wishes for the weekend!

This weeks top of the news in Cybersecurity (week 42)

Information on Cybersecurity is becoming almost overwhelming. The series on “this weeks top of the news in Cybersecurity” is a collection of a few articles that I found noteworthy throughout the week. Perfect weekend reading to catch up on events if you have missed them!

A Second Snowden Has Leaked a Mother Lode of Drone Docs

Another leak of classified documents on the use of America’s unmanned vehicles. It is not the first release of sensitive documents (remember Snowden and Chelsea Manning of course) and most likely it will not be the last. Everybody involved in sensitive topics should have a very hard look into their Cybersecurity investments and also put Information Rights Management on the list.


CyberAttack Warning After Millions Stolen from UK Bank Accounts  
The Guardian

Law enforcement in the UK, U.S., as well as Interpol, are searching for cyberattackers who have stolen at least £20 million from British bank accounts through the Dridex malware. On the good news side is that with most security products (including Microsoft’s) the malware is detected now and removed.

Additional Information: The United States Computer Emergency Readiness Team (US-CERT) has released an alert to provide further information about the Dridex botnet.


Consumer Alert: Debit Card Fraud at Walmart Discovered in 16 States

There has been an increase in fraudulent purchases made at Walmart, most of which include charges that are US$50 and under. While this is US centric it serves as a warning to check your credit card statement diligently to detect such fraud activities. No credit card is safe today any more.


FBI Takes Down Alert on Chip Credit Cards After Bankers Complain
Network World

Wrong priorities in my view for the financial services institutions. A warning from the US Federal Bureau of Investigation (FBI) on October 8, 2015, was removed the next day. The announcement warned that chip-enabled credit cards should only be used with a PIN (personal identification number). The message was removed after there were complaints from banks that issue the credit cards. I know that many banks are very hesitant to talk about fraud and cyberrisks but if we want to make progress in this we need to be more open for information exchange.


87% of Android Devices Are Exposed to at Least One Critical Vulnerability

The University of Cambridge reports that 87 percent of Android devices are exposed to at least one known critical vulnerability. I know that it is not always easy or even possible to update Android devices but it is crucial to do it as quickly as possible once an update is available. The latest Android version is called Marshmallow right in time for making smores – yumm!


Amazon, Google Boost Cloud Security Efforts
eSecurity Planet

Kudos to Amazon and Google as they have announced new features to provide security safeguards on their cloud services. One of the areas where Microsoft’s cloud services are heavily investing and in my view market leaders. It is good to see Amazon and Google investing here too significantly.

Mozambique free of Landmines – looking back

After 22 years of work, Mozambique was declared as free of land mine peril. During this long timespan over 200’000 land mines from a legacy of wars were one by one removed and destroyed in tedious and dangerous work. I am especially happy about this landmark in the global fight against landmines as I have a personal connection to this and want to use this occasion to look back.

IMSMA website screenshot

IMSMA website screenshot from the webarchive

Some of you might know that in an earlier role I was the program manager for the development and integration of the Information Management System for Mine Action IMSMA. Back in 1998, the Swiss Government wanted to support the United Nations Mine Action Service (UNMAS) in the fight against landmines and sponsored the development and integration of what in essence turned out to be a decision support system combined with an enterprise resource planning system that had a uniquely powerful integrated GIS component and was especially developed for supporting humanitarian demining. I had the opportunity to lead that program that found a home at the Center for Security Studies and Conflict Research at the Swiss Federal Institute of Technology where we worked on behalf of the United Nations.

At that time there existed a few databases that supported demining in different countries but nobody had yet attempted to standardize the datasets and create a system that could be used across different theaters of operation. Starting out from a green field, I was lucky to hire Thomas Schürpf and Beat Schoch and the three of us started working on a system that later became the standard application for Mine Action (another broader term for humanitarian demining). With the success in the field my team grew and in addition to software development we added training and integration specialists that helped the local mine action centers setting the system up, consulted them in how to best use and adapt it, and trained other organizations in performing IMSMA trainings. At some point the Swiss Government established the Geneva International Centre for Humanitarian Demining and from there on we developed the system on behalf of that Centre. In the end we had an install base in 41 countries worldwide, the system became the standard system for the United Nations, the European Union, the Organization of American States and we won the ESRI special achievement in GIS award in 2001. And to come back to the introduction – Mozambique was one of the countries that used the IMSMA system and where my team supported the center and Halo trust on-site.


IMSMA at the KFOR HQ working side-by-side with UK Army Engineer officers

Mozambique is now the second country that has been declared landmine free where IMSMA was used. The first one was Kosovo which was also the testbed for IMSMA and where we spent a lot of time on the ground and learned what it means to clear landmines and where the dangers lay. I will never forget the flight into Prishtina in a British Airforce CH-47 Chinook helicopter escorted by AH-64 Apache attack helicopters and looking out the semi-lowered loading ramp where the helicopter crew was spotting for surface to air missiles as the Kosovo conflict was only just spinning down. As the security situation was still critical, the initial work took place in the Kosovo Force (KFOR) Headquarters overlooking Prishtina without showers, sleeping in tents and working side-by-side with UK Army engineer officers to start the humantiarian demining work. The pictures on the left show a view into our initial set-up and how the landmine situation in Kosovo changed from 1999 Kosovo Landmine Clearanceto 2001. After the initial period the United Nations took over the mine action work and John Flanagan, the program manager of the United Nations Mission in Kosovo Mine Action Coordination Center, described the use of information and IMSMA the following way: “Information is a vital component of mine action. During the successful clearance operation in Kosovo, IMSMA enabled us to rapidly collate and analyze an enormous amount of data. This in turn helped us to plan and priooritize clearance efforts, and assisted with the integration of other activities such as mine awareness education. Throughout the entire mine action program in Kosovo, IMSMA was constantly used to manage the ongoing operational activities, and without it, our task would have been much more difficult.”

Obviously the main work has been done by the women and men on the ground who were doing the actual mine clearance. I have an enormous amount of respect for these people as I know out of experience that even with protective equipment to walk in mine infected areas is dangerous. Many that were doing that work got hurt, maimed and killed and even after this time I think of their sacrifices and of the impact they had on many lives saved. Thank you everybody that is involved in this line of work.

Thinking back also makes me proud. With my team we were – and after all this time still are as some of our original systems are still being used – part of eradicating landmines and contributed to reducing the amount of landmine victims by giving the tools and training for better awareness and improved priorization of clearance activities. This is probably one of the most meaningful things that I have so far done in my professional life and I am especially proud and grateful of the team that I was being able to build and lead. At this time I would like to thank them all for all their work, late nights and weekends. For their long hours abroad, in planes and in some “not so” comfortable and plain dangerous locations they went. Thank you especially Thomas Schürpf who started this with me and was leading the development, Beat Schoch who joined only a bit later and led the implementation and consulting team and Ralf Hug who led a development team. Also thank you to the the whole team that consisted of Armin Fessler, Christian Schluep, Emanuel Mahler, Maria Schabel, Mark Yarmoshuk, Martin Hochstrasser, Maurizio Bianchi, Nicolas Jene, Nicole Allet, Oliver Muff, Patrick Lombardi, Ralf Hug and Reto Schöning. And thanks to the many people that supported and helped us. We could have never done it without you. You all have my deep respect and gratitude.


This weeks top of the news

Information on Cybersecurity is becoming almost overwhelming. Here you will find a few articles that I found noteworthy during last week. Happy reading!

Microsoft Renews InformationSharing Partnership with NATO

A bit on what we are doing providing transparency to our customers and partners. Microsoft and NATO (North Atlantic Treaty Organization) have agreed to renew their partnership where NATO receives access to source code for key Microsoft products including Windows and Office, information about Microsoft’s cloud services, and intelligence about cybersecurity threats.


China Tries to Extract Pledge of Compliance from U.S. Tech Firms
The New York Times

A worrysome but not really surprising push. The Chinese government is asking some tech firms to pledge their commitment to policies that could require them to turn over user data and intellectual property.


White House Urged to Support Encryption
SC Magazine

I believe encryption is one of the main ways to keep our data secured also in the future. Unfortunately many governments see it more as a threat. US President Obama reportedly is being urged to support encryption and shun legislation that would force companies to unlock customers’ smartphones and apps when presented with a court order. This raises the question what they then do if they actually don’t hold the encryption keys and cannot unlock them?

Related reading: Obama Advisors: Encryption Backdoors Would Hurt Cybersecurity, Net Infrastructure Vendors.


Vodafone Australia Admits to Hacking Journalist’s Phone in Public Statement

This was a disapointing article. Vodafone has admitted that it improperly accessed the phone of a reporter — who was writing an article about the online accessibility of personal information of millions of Vodafone customers — in an effort to find the reporter’s source.


GM Took 5 Years to Fix a FullTakeover Hack in Millions of OnStar Cars

As you can see I like Wired a lot. University researchers in 2010 privately disclosed their ability to hack into a car to the US National Highway Traffic and Safety Administration and also shared their exploit code with General Motors. However, the vulnerability was not patched until 2015. Vulnerabilities will continue existing but the key is to address them swiftly once they are discovered. 5 years is NOT swiftly! Google 90 days disclosure policywith exceptions if it is highly complicated.

Related reading: Automakers Asked to Explain CyberSecurity Protections, Your ‘Check Security’ Light Is on, and Intel Sets Up Talking Shop to Improve Automotive Security.

Cover up your webcam – hands on solution


Back from vacation I read an article on vice about how a cybercriminal sent a woman pictures of herself that he took with her own webcam. The whole story is available here. Unfortunately it is in many cases trivial to take over a computer (regardless if Mac OS X, iOS or Windows or anything really) and have control over what is stored on it and track what is done with it or turn things on and off. The camera is just one of the many aspects that can be misused if the device is not adequately protected. However, an approach against the camera misuse is so trivial that I briefly wanted to share a 30 second hands-on solution that I am using on my devices.

What you need for it is one of these small screen cleaners that are typically handed out as a gift. They stick to the back of your phone and you can use them to clean the screen of it when needed. However, they are ideal to also cover the camera on your tablet, PC, Mac, phone and also TV if you have one of these smart TVs that have a built-in camera. The approach is simple and you just cut the screen cleaner sticky to a size that fits over the camera that you want to cover up. It can be taken away and re-attached many times and barely adds to the thickness of the device. And as an additional benefit you always have a screen cleaner with you and it is free. A win-win-win situation really.

Below two pictures showing one of these cleaner pads and how it looks on my Surface computer.

step one WP_20150806_18_17_24_Pro

Verizon 2015 data breach investigations report


I am quite a big fan of Verizon’s data breach investigations reports and am using their analysis regularly in security discussions. Verizon publishes these reports every spring since 2008 and I see them as especially valuable as they are pulling data from 70 contributing organizations covering over 79’000 security incidents, over 2’100 confirmed breaches and from over 60 countries.

The 2015 report was published recently (available here: 2015 Verizon DBIR) and while it isn’t exactly an easy read I agree with Rapid7’s marketing video that credential theft is the biggest takeaway. Patching is another highlight (or rather lowlight) and that detecting breaches still takes much too long (205 days). The latter is something that I can confirm from the experiences of our incedent response and recovery teams and it is very worrying to think what attackers have time to do for such a long time in an ICT infrastructure.

On the patching topic. A colleague of mine – James Kavanagh, the National Security Officer of Microsoft Australia, wrote a good blog post on “If you do only one thing to reduce your cybersecurity risk…” that I recommend to read and further information is then available in the report “Security Patching in Complex Environments”.

Below Rapid7’s video with highlights from the Verizon DBIR

RSA 2015 – Microsoft Key Announcements in Security


The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.

The announcements made by us and the presence that Microsoft had at the conference was impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:

  • New Security & Compliance signals and activity log APIs so that customers can access enhanced activity logs of user, admin and policy related actions through the new Office365 Management Activity API.
  • New customer Lockbox for O365 that brings the customer into the approval workflow if one of our service engineers would have to troubleshoot an issue that requires elevated access. With the customer lockbox the customer has the control to approve or reject that request.
  • Device guard is the evolution of our malware protection offering for Windows 10 and brings a new capability to completely lock down the Windows desktop such that it is incapable of running anything other than trusted apps on the machine.
  • Increasing levels of encryption where O365 will implement content level encryption for e-mail in addition to the BitLocker encryption we offer today (similar to OneDrive for Business’ per-file encryption). In addition we expect enabling the ability for customers to require Microsoft to use customer generated and controlled encryption keys to encrypt their content at rest.
  • Microsoft Passport is a new two factor authentication designed to help consumers and businesses securely log-in to applications, enterprise content and online experiences without a password.
  • Windows Hello which will provide that Microsoft Passport can be unlocked using biometric sensors on devices that support that (most notably iris and face unlock feature in addition to fingerprint).
  • Azure Key Vault which helps customers safeguard and control keys and secrets using FIPS 140-2 Level 2 certified Hardware Security Modules in the cloud with ease and at cloud scale and provides enhanced data protection and compliance and control.
  • New Virtual appliances in Azure where we work with industry leaders to enable a variety of appliances so that customers have greater flexibility in building applications and enabling among others network security appliances in Azure.
  • Enterprise Mobility where we have the Enterprise Mobility Suite (EMS) bringing customers enterprise grade cloud identity and access management, mobile device management and mobile app management and data protection (Reto’s comment: not new but worthy to call out having grown our install base by 6x just in the last year)

More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.

About the Author

Reto is partner at PwC focusing on Cybersecurity and has over 15 years work experience in an information security and risk focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.

more about me and contact info


Chinese (Simplified)EnglishFrenchGermanItalianPortugueseRussianSpanish

replica Rolex