After 22 years of work, Mozambique was declared as free of land mine peril. During this long timespan over 200’000 land mines from a legacy of wars were one by one removed and destroyed in tedious and dangerous work. I am especially happy about this landmark in the global fight against landmines as I have a personal connection to this and want to use this occasion to look back.
Some of you might know that in an earlier role I was the program manager for the development and integration of the Information Management System for Mine Action IMSMA. Back in 1998, the Swiss Government wanted to support the United Nations Mine Action Service (UNMAS) in the fight against landmines and sponsored the development and integration of what in essence turned out to be a decision support system combined with an enterprise resource planning system that had a uniquely powerful integrated GIS component and was especially developed for supporting humanitarian demining. I had the opportunity to lead that program that found a home at the Center for Security Studies and Conflict Research at the Swiss Federal Institute of Technology where we worked on behalf of the United Nations.
At that time there existed a few databases that supported demining in different countries but nobody had yet attempted to standardize the datasets and create a system that could be used across different theaters of operation. Starting out from a green field, I was lucky to hire Thomas Schürpf and Beat Schoch and the three of us started working on a system that later became the standard application for Mine Action (another broader term for humanitarian demining). With the success in the field my team grew and in addition to software development we added training and integration specialists that helped the local mine action centers setting the system up, consulted them in how to best use and adapt it, and trained other organizations in performing IMSMA trainings. At some point the Swiss Government established the Geneva International Centre for Humanitarian Demining and from there on we developed the system on behalf of that Centre. In the end we had an install base in 41 countries worldwide, the system became the standard system for the United Nations, the European Union, the Organization of American States and we won the ESRI special achievement in GIS award in 2001. And to come back to the introduction – Mozambique was one of the countries that used the IMSMA system and where my team supported the center and Halo trust on-site.
Mozambique is now the second country that has been declared landmine free where IMSMA was used. The first one was Kosovo which was also the testbed for IMSMA and where we spent a lot of time on the ground and learned what it means to clear landmines and where the dangers lay. I will never forget the flight into Prishtina in a British Airforce CH-47 Chinook helicopter escorted by AH-64 Apache attack helicopters and looking out the semi-lowered loading ramp where the helicopter crew was spotting for surface to air missiles as the Kosovo conflict was only just spinning down. As the security situation was still critical, the initial work took place in the Kosovo Force (KFOR) Headquarters overlooking Prishtina without showers, sleeping in tents and working side-by-side with UK Army engineer officers to start the humantiarian demining work. The pictures on the left show a view into our initial set-up and how the landmine situation in Kosovo changed from 1999 to 2001. After the initial period the United Nations took over the mine action work and John Flanagan, the program manager of the United Nations Mission in Kosovo Mine Action Coordination Center, described the use of information and IMSMA the following way: “Information is a vital component of mine action. During the successful clearance operation in Kosovo, IMSMA enabled us to rapidly collate and analyze an enormous amount of data. This in turn helped us to plan and priooritize clearance efforts, and assisted with the integration of other activities such as mine awareness education. Throughout the entire mine action program in Kosovo, IMSMA was constantly used to manage the ongoing operational activities, and without it, our task would have been much more difficult.”
Obviously the main work has been done by the women and men on the ground who were doing the actual mine clearance. I have an enormous amount of respect for these people as I know out of experience that even with protective equipment to walk in mine infected areas is dangerous. Many that were doing that work got hurt, maimed and killed and even after this time I think of their sacrifices and of the impact they had on many lives saved. Thank you everybody that is involved in this line of work.
Thinking back also makes me proud. With my team we were – and after all this time still are as some of our original systems are still being used – part of eradicating landmines and contributed to reducing the amount of landmine victims by giving the tools and training for better awareness and improved priorization of clearance activities. This is probably one of the most meaningful things that I have so far done in my professional life and I am especially proud and grateful of the team that I was being able to build and lead. At this time I would like to thank them all for all their work, late nights and weekends. For their long hours abroad, in planes and in some “not so” comfortable and plain dangerous locations they went. Thank you especially Thomas Schürpf who started this with me and was leading the development, Beat Schoch who joined only a bit later and led the implementation and consulting team and Ralf Hug who led a development team. Also thank you to the the whole team that consisted of Armin Fessler, Christian Schluep, Emanuel Mahler, Maria Schabel, Mark Yarmoshuk, Martin Hochstrasser, Maurizio Bianchi, Nicolas Jene, Nicole Allet, Oliver Muff, Patrick Lombardi, Ralf Hug and Reto Schöning. And thanks to the many people that supported and helped us. We could have never done it without you. You all have my deep respect and gratitude.
Information on Cybersecurity is becoming almost overwhelming. Here you will find a few articles that I found noteworthy during last week. Happy reading!
A bit on what we are doing providing transparency to our customers and partners. Microsoft and NATO (North Atlantic Treaty Organization) have agreed to renew their partnership where NATO receives access to source code for key Microsoft products including Windows and Office, information about Microsoft’s cloud services, and intelligence about cybersecurity threats.
China Tries to Extract Pledge of Compliance from U.S. Tech Firms
The New York Times
A worrysome but not really surprising push. The Chinese government is asking some tech firms to pledge their commitment to policies that could require them to turn over user data and intellectual property.
White House Urged to Support Encryption
I believe encryption is one of the main ways to keep our data secured also in the future. Unfortunately many governments see it more as a threat. US President Obama reportedly is being urged to support encryption and shun legislation that would force companies to unlock customers’ smartphones and apps when presented with a court order. This raises the question what they then do if they actually don’t hold the encryption keys and cannot unlock them?
This was a disapointing article. Vodafone has admitted that it improperly accessed the phone of a reporter — who was writing an article about the online accessibility of personal information of millions of Vodafone customers — in an effort to find the reporter’s source.
As you can see I like Wired a lot. University researchers in 2010 privately disclosed their ability to hack into a car to the US National Highway Traffic and Safety Administration and also shared their exploit code with General Motors. However, the vulnerability was not patched until 2015. Vulnerabilities will continue existing but the key is to address them swiftly once they are discovered. 5 years is NOT swiftly! Google 90 days disclosure policywith exceptions if it is highly complicated.
Back from vacation I read an article on vice about how a cybercriminal sent a woman pictures of herself that he took with her own webcam. The whole story is available here. Unfortunately it is in many cases trivial to take over a computer (regardless if Mac OS X, iOS or Windows or anything really) and have control over what is stored on it and track what is done with it or turn things on and off. The camera is just one of the many aspects that can be misused if the device is not adequately protected. However, an approach against the camera misuse is so trivial that I briefly wanted to share a 30 second hands-on solution that I am using on my devices.
What you need for it is one of these small screen cleaners that are typically handed out as a gift. They stick to the back of your phone and you can use them to clean the screen of it when needed. However, they are ideal to also cover the camera on your tablet, PC, Mac, phone and also TV if you have one of these smart TVs that have a built-in camera. The approach is simple and you just cut the screen cleaner sticky to a size that fits over the camera that you want to cover up. It can be taken away and re-attached many times and barely adds to the thickness of the device. And as an additional benefit you always have a screen cleaner with you and it is free. A win-win-win situation really.
Below two pictures showing one of these cleaner pads and how it looks on my Surface computer.
I am quite a big fan of Verizon’s data breach investigations reports and am using their analysis regularly in security discussions. Verizon publishes these reports every spring since 2008 and I see them as especially valuable as they are pulling data from 70 contributing organizations covering over 79’000 security incidents, over 2’100 confirmed breaches and from over 60 countries.
The 2015 report was published recently (available here: 2015 Verizon DBIR) and while it isn’t exactly an easy read I agree with Rapid7’s marketing video that credential theft is the biggest takeaway. Patching is another highlight (or rather lowlight) and that detecting breaches still takes much too long (205 days). The latter is something that I can confirm from the experiences of our incedent response and recovery teams and it is very worrying to think what attackers have time to do for such a long time in an ICT infrastructure.
On the patching topic. A colleague of mine – James Kavanagh, the National Security Officer of Microsoft Australia, wrote a good blog post on “If you do only one thing to reduce your cybersecurity risk…” that I recommend to read and further information is then available in the report “Security Patching in Complex Environments”.
Below Rapid7’s video with highlights from the Verizon DBIR
The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.
The announcements made by us and the presence that Microsoft had at the conference was impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:
More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.
The European Union is quite active on security and especially cybersecurity issues but is less present in the media for it than for example the US. To raise awareness on current reports and recommendations that I see as relevent please find some links below. We can now debate if this is too much, just raight or not enough but for that discussion knowing more about what actually exists or is in process is a prerequisite of course.
Joint Supervision Tool for Telecom Security
On 9 April, ENISA published a joint framework to supervise the security of services and personal data processing by telecom providers in the EU in accordance with Article 13a and Article 4. Full report is available here.
Electronic Evidence – a Basic Guide for First Responders
On 25 March, ENISA published a report based on past work done in the field of good practices for CERTs and LEAs in the fight against cybercrime. The main aim of the report is to provide a guide for first responders with a special emphasis in evidence gathering.
National/Governmental CERTs – ENISA’s Recommendations on Baseline Capabilities
On 20 March, ENISA published recommendations on baseline capabilities. The document covers ENISA’s updated considerations for capabilities of so called national / governmental CERTs, thus teams who serve the government of a country to protect critical information infrastructure. The primary target audience of this document are these CERTs and those policy-making bodies in the European Union Member States that are responsible for initiating and planning the establishment and operation of a national / governmental CERT. Still quite an interesting reading.
Standardisation in the Field of Electronic Identities and Trust Service Providers
On 24 March, ENISA published a paper that explains why standards are important for cybersecurity, specifically in the area of electronic identification and trust services providers. Additionally, the paper also discusses concrete standardisation activities associated with electronic IDs and trust service providers, providing an overview of standards developed under the mandate from the European Commission and others, related to eIDAS Regulation. It concludes with a proposal of a standard on cryptographic suites for electronic signatures and infrastructures, put forward by ENISA and related to the ETSI TS 119 312. Full report is available here.
Motion for a European Parliament Resolution on Cybersecurity
On 30 March, Italian MEP Nicola Caputo published a motion for resolution on cybersecurity and calls on the Council and the European Commission to strengthen the EU’s response capability to this global threat, to strengthen network and information security and to support Member States in their research and innovation aimed at promoting public and private digital security. steps on the dossier were not disclosed. Interesting though that the security of IoT (Internet of Things) starts to become also a policy topic. I expect that we will see more to come and hope that it will help in addressing the real challenges that we face.
I recently gave two live webinars as part of a security webinar series of Microsoft Switzerland where I covered aspects of cloud resilience and achieving resilience against modern cyberthreats. The webinars are in German and if you are interested you can get access to the recording below.
Webinar 1: Schutz vor Gefahren aus dem Cyberspace
Die heutigen Gefahren aus dem Cyberspace sind immer grösser, Angriffe werden immer ausgefeilter, die Hacker selbst immer professioneller. Traditionelle Schutzmechanismen, wie beispielsweise Virenschutzprogramme und Firewalls, sind angesichts der neuen Entwicklungen nicht mehr ausreichend. Erfahren Sie in diesem Webinar alles über die Vorteile eines dynamischen Sicherheitskonzepts, das Ihre IT-Landschaft basierend auf den Prinzipien Protect – Detect – Respond effektiv vor modernen Cybergefahren schützen kann und für hohe Resilienz sorgt. Das Webinar ist hier verfügbar.
Webinar 2: Resilienz und Cloud Computing
Cloud Computing verändert und beschleunigt die Arbeitswelt; standardisierte Services aus der «Rechenzentrumswolke» entlasten Unternehmen von Investitionen in eigene, teure Server-Infrastrukturen. Dennoch bestehen grosse Vorbehalte hinsichtlich Verfügbarkeit, Sicherheit und Datenschutz – speziell in einem Umfeld, in dem Gefahren durch kriminelle Aktivitäten lauern und NSA-/PRISM-Aktivitäten für Rechtsunsicherheit sorgen. In diesem Webinar dreht sich daher alles um Fragen wie Resilienz mit der Cloud, Resilienz in der Cloud oder Resilienz trotz der Cloud. Das Webinar ist hier verfügbar
I am quite a fan of Lenovo devices mostly still from the time where they were IBM ThinkPads. However, when the discussion started on the “Superfish” adware they put onto some Lenovo devices I took a mental step back and asked myself how a company that develops and sells plenty of business devices could make such a bad decision.
There are some good descriptions on what “Superfish” does so I will not repeat that in detail. In the end it seems that the adware hijacks encrypted web sessions and it seems that it may make users vulnerable to https man -in-the-middle attacks that are simple for attackers to exploit. If you are interested in knowing more I recommend that you read the Arstechnica article on that topic.
Lenovo was slow to pick-up on this topic although by now they reacted and the Lenovo CTO said in an interview with the Wall Street Journal that “we didn’t do enough” due diligence before installing Superfish, but that the company doesn’t believe laptop owners were harmed by the app”. You can read here the full article on the WSJ blog.
Another interesting question on why Lenovo pre-loads any software and here is his response: “Hortensius: In general, we get pretty good feedback from users on what software we pre-install on computers. What we’re going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers’ computers. The outcome could be a clearer description of what software is on a user’s machine, and why it’s there.” It seems that I am clearly not their targeted audience if they say such things. When I get a new computer the first thing I do is to newly install Windows from scratch and with that get rid of any bloatware and adware that might be on there. Then install the necessary drivers (not many any more – Windows 8.1 or 10 is in the majority of cases (if not all) taking care of that) and apply all updates and the computer is running faster, more stable and the disk has quite some more space in most cases than before.
So what to do now if you have a Lenovo computer and are not sure if Superfish runs on there or you know and want to remove it? One way to address this is to run Microsoft’s security software which will detect and remove the Superfish software from the Lenovo device. If you have Windowws 8 or 8.1 on your computer Windows Defender is installed by default so you only need to let it update itself. If you have an older version of Windows you might already have the Security Essentials installed where the same applies to. And if you are not sure check out the website on our free security software that you can download and that will take care of Superfish.
The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the raise of security incidents and trends which becomes more and more difficult with the increasing professionalism of cyber attacks.
Bank Hackers Steal Millions via Malware
as read in the New York Times
The New York Times writes based on Kaperski information that a group of attackers impersonated bank officers and took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States, and the Netherlands into fake accounts set up in other countries. This brings a new scale to Cybercrime.
Evolution and Adaptation in the Security Jungle
as read in Threatpost
Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job at giving an overview. Active defense is crucial in that aspect and I described that with the protect, detect, response framework also in my whitepaper on achieving resilience against modern cyberthreats.
Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News
It seems that Visa plans to release a new location-based feature that will help cardholders update their location via smartphone. With credit card fraud still on the raise that could be a good way to fight that. I just hope that it will be clear to the user that another service performs location tracking.
PlugX Is RAT of Choice for Nation States
as read in eSecurity Planet
The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed threat adversaries. I don’t think that this is necessarily so clear as in my view many nation states have more customized and elaborate capabilities but it shows how far such tools have come.
One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia
The article writes about a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in number of records that were stolen or lost in 2014. While the absolute number might be even higher the massive increase is something that we observe as well.
Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog
This more on privacy and trust than security although that also plays an important aspect. Microsoft on February 16, 2015, obtained the ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worthwhile reading in my view.
How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security
If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. Something becoming more important after an anonymous website began posting live streams of the world’s unprotected webcams.
I have written the whitepaper “Achieving resilience against modern cyberthreats” and looking at how the intensity of cyberattacks is again on the raise it is getting more important to implement a dynamic security framework.
As our use of mobile computing and social media technologies grows, so does our exposure to risk. On the one hand, the widespread adoption of new mobile, social media, cloud services and big data technologies creates unprecedented opportunities for productivity and flexibility. Yet without the right defenses in place, they can also open us to new kinds of vulnerabilities, as attacks that target devices operating outside the enterprise perimeter are quickly growing in volume and sophistication.
Passive protection is no longer sufficient for ensuring the security of information and IT infrastructures. My new Microsoft white paper, Achieving resilience against modern cyberthreats, explores the ways that governments and enterprises can protect their valuable information by creating a holistic security strategy, built on risk management, to achieve resilience against in an era of constant targeted attacks and determined adversaries.
The paper explores Microsoft’s holistic “Protect, Detect and Respond” approach to security strategy, including key principles for organizations, the importance of trustworthy cloud services, and the steps to take for securing an IT infrastructure in today’s threat landscape. This proactive strategy requires that an organization understand its assets and its exposure, and apply appropriate protection throughout the entire IT ecosystem in a continuous process. It also recognizes that enterprises must manage their inevitable risk – absolute security is not possible, so organizations must go beyond just protecting resources and also establish processes for detecting, responding and recovering from incidents when they occur.
If you are interested see my complet blog post, Achieving resilience against modern cyberthreats at Microsoft on Safety and Defense.