Security - Data Networks
Viruses, Worms & Hackers
The convergence of telephony and the Internet is creating major new security challenges. Ultimately, the only protection against attacks by hackers is a comprehensive security architecture and a high level of employee awareness.
Reiner Schmidt* could hardly believe his eyes: "...I would therefore like to thank you for your commitment and outstanding work," the e-mail said. The signature at the bottom: Heinrich v. Pierer. Schmidt was all smiles, happy to know that his work was finally being really appreciatedand from the Siemens CEO in person. Schmidt therefore sent a thank-you e-mail to the Siemens CEO in reply. However, nobody at v, Pierer's office knew what Schmidt's e-mail was referring to, as no such expression of gratitude had ever been sent to him by the CEO.
Today, Dr. Johann Fichtner can only chuckle about this incident, as his Computer Emergency Response Team (CERT) managed to quickly find out who was responsible for the joke. The culpritone of Schmidt's colleagueswas given a warning. In most cases, however, Fichtner's team has to deal with far more serious incidents. Siemens' CERT has been protecting the company's networks around the clock for the past five years. It's a tough job, as the company has 300,000 computers, which are subject to thousands of largely automated hacker attacks each day.
Number of hacker attacks reported to the independent CERT coordination center
Meanwhile, in Pittsburgh, Pennsylvania, an independent CERT Coordination Center that collects information on all attacks worldwide, has registered a dramatic increase in cyber assaults in recent years. Unfortunately, however, only large companies such as Siemens can afford to have their own CERTs.
Security experts and hackers are now involved in a feverish "arms race." On occasion, one of the wrongdoers repents and switches sides. That was the case, for example, with world-famous hacker Kevin Mitnick, who spent nearly five years in American prisons for his attacks. In his book "The Art of Deception," Mitnick explains that you don't have to be a computer wiz to gain access to confidential information. In fact, it is often just a simple case of tricking gullible workers with clever lies. Security experts call this approach "social engineering."
Attacks on U.S. companies & government agencies
"If you call up 100 people at a company and claim to be an employee at the computer center, you'll always find somebody who will give you his password," says Fichtner. His main job is therefore instructing the company's employees. "Awareness helps ensure greater security," says Fichtner in describing his philosophy of making all Siemens employees aware of security risks and encouraging them to protect their e-mails with a public-key encryption system. In addition, the CERT staff uses special algorithms to check the quality of passwords and internally developed software that launches attacks against the company's network in the search for weak points. Information that at first glance might appear inconsequential, such as the type of computer or operating system used, often provides hackers with invaluable clues on how to circumvent security systems.
If everything goes as it should, intrusion detection systems at the interfaces between the Internet and a company's intranet set off an alarm when an attack occurs and temporarily block all data exchanges. One of the tasks of these automated watchdogs is to monitor the server log files that register which data was accessed by whom at what times. If these files show a sudden increase in size, it could indicate an attack. Kevin Mitnick's legendary trick of simply cutting the logging files back down to size would no longer be possible today, as modern intrusion detection systems would immediately notice it. The same system also helps to prevent so-called denial-of-service attacks, which hackers launch by manipulating thousands of computers via the Internet to send millions of data packets to a specific address at the same time, thus causing the recipient's server to collapse. Hartmut Pohl, professor for information security at Bonn-Rhein-Sieg College knows of a company that lost a contract worth billions because it was unable to submit its bid in time due to computer failure. As it later turned out, the breakdown was caused by sabotage.
"We have viruses well under control at Siemens," says Fichtner. The multi-level virus protection system, which also protects against self-replicating programs known as "worms," can be upgraded several times a day if need be. In addition, the computer "fire brigade" prevents Website defacements, in which hackers attempt to replace official websites with alternate ones containing offensive remarks.
Quantifiable losses in 2001 (U.S.A.)
Squeaky Clean Spin-Off. "Keep your Web clean" is the philosophy followed by webwasher.com AG of Paderborn, Germany. Established as a Siemens spin-off three years ago, webwasher offers an integrated security solution for all business processes. The system blocks all virus attacks, prevents employees from accessing sites with pornographic or extremist content, and monitors e-mail correspondence in accordance with legal provisions. Such content security management is a major business segment, and IDC market researchers estimate that global sales of such products will reach $4.2 billion in 2005.
In spite of such security precautions, hackers are hardly a disappearing species. The expansion of Internet telephony (Voice over IP, see Pictures of the Future, Fall 2002, article Building the Unlimited Expressway) will provide them with new opportunities for attacking networks. In conventional telephone networks it is almost impossible to paralyze the infrastructure or deceive service providers by manipulating switching processors via the Internet. In the Internet, however, many services use the same transmission channels. Voice over IP (VoIP) data is, for example, transmitted across network boundaries along with e-mail data packets and router control data.
The war on mobile networks
A WarChalker marks open W-LAN access points
A map of downtown Munich shows many black dots concentrated around the city's biggest park. "They signify open W-LAN access points," says Johann Fichtner from the Siemens Computer Emergency Response Team. At each of these entry points to the increasingly popular wireless local area networks (W-LANs), hackers can access the Internet by simply clicking a mouse. They don't even need to crack a password. It is something so-called WarDrivers and WarChalkers do regularly for fun. In London and other major cities, WarChalkers search for unprotected wireless access points and mark these locations on house exteriors or sidewalks with chalk so that other hackers can go online at the expense of network owners.
At Siemens, the job of ensuring wireless network security is shouldered by mathematician Dirk Kröselberg at Siemens Corporate Technology in Munich. The focus of Kröselberg's work is the future UMTS mobile communications standard. According to Kröselberg, the symbiosis of UMTS and W-LAN poses a particular security risk, as both of the standards will probably exist in parallel in the future (see Pictures of the Future, Spring 2002, article UMTS and More). UMTS users who are accustomed to very high security standards might, for example, want to call up their e-mails risk-free via a W-LAN hotspot at a hotel or an airport or take advantage of the services provided by their UMTS network operators without having to log on more than once. "It's quite a serious issue," says Kröselberg.
And a complicated one as well, due to a tremendous need for teamwork. The trend toward also using Internet protocols in mobile communications is creating new security problems. "Many hacker attacks which today are launched against PCs will soon be directed at cell phones as well," says Kröselberg. Siemens is therefore involved in the Liberty Alliance, an association of several different providers. Their solution to the problem is to have users get an access code from the provider of their choice, which they can then also use to log on to any other network or service provider. Unlike Microsoft's universal electronic ID system Passport, the Liberty Alliance's solution would not require personal data to be centrally stored at a single company.
A particular challenge is posed by mobile ad-hoc network users that do not use a fixed network infrastructure, but can instead access the Internet from the neighbor's laptop on a bus, for example, or from a car that happens to drive by. A third party is therefore needed to administer the key and ensure that every user knows who he or she is interacting with. This problem is usually solved by introducing various certification levels. Each level certifies the one below it, thus verifying the authenticity of the user.
A new approach, which is currently being discussed for UMTS mobile communications networks, involves so-called subscriber certificates. In this system, the network operator issues certificates that can be used to digitally sign sales contracts by verifying the authenticity of the signature. These certificates are only generated via the Internet when needed and expire after one or two days. "Such ad-hoc certificates are cheaper than ones that are valid for many years and that are mostly not even needed," explains Kröselberg.
Conventional firewalls, which are supposed to block suspicious data from entering company networks, are useless in this context because the sound quality of VoIP is dependent on the data packets arriving without delay and in the right order. E-mail transmission times, on the other hand, are not noticeably affected by encryption delays.
Safe Internet Telephony. To help solve this problem, Dr. Wolfgang Klasen and his team from Siemens' Security competence center in Munich are working on comprehensive security architectures that meet the real-time demands of multimedia applications. As a result, Siemens is currently the only manufacturer to make the logs in all of the components in its VoIP products intrusion-proof. Corresponding standards have now been drawn up and other manufacturers are planning to follow suit. "Although hackers will be looking for opportunities to have fun in the future as well," says Klasen, "we will be able to make life difficult for them."
But security solutions that provide perfect protection today offer no insurance against tomorrow's hackers. A case in point is asymmetrical data encryption, which Klasen describes with the help of some sketches on a piece of paper. In his example, Alice and Bob want to send each other confidential information with the help of a private and public key. But what happens when there are many Alices and Bobsfor example, during a videoconference or in a knowledge management workflow? In such cases, all authorized users have to possess the corresponding key, which results in more work and poses additional risks. According to Klasen, security must be integrated in as user-friendly a manner as possible, so that operation and data access are not interfered with.
With the help of so-called DirX solutions products, Siemens has created directory services that assign access authorization for all systems in a simple manner. This allows hundreds of millions of entries to be managed, which is of crucial importance for providing all kinds of personalized Internet services, regardless of whether the provider is a mobile communications network operator, a bank, a power utility or an insurance company.
E-government creates additional challenges, as contracts and documents have to be archived in encrypted form. In addition, they will still have to be readable in 30 years even though it is unlikely that anyone will be using the original system by then.
Mathematical Proofs. According to Volkmar Lotz, a security officer at Siemens CT in Munich, even if an algorithm is considered to be secure, things can still go wrong. As an example, Lotz points to the Needham-Schröder public-key protocol for verifying the identity of correspondents. Seventeen years went by before a mathematical technique helped uncover a security gap in the system. The gap was so well hidden that even hackers had failed to discover it. Lotz uses mathematical systems to check algorithms and their application before software is introduced to the market in a new product. His three-member team is one of not more than 20 such groups worldwide that use mathematical models to evaluate the capabilities of encryption systems and the effects of hacker attacks.
Types of attacks or misuse (in %)
Lotz's field is still in its infancy, however, and increasingly complex Internet protocols are still unmanageable with formal proofs. To help change this, Lotz and his team are now working with a number of European research institutes. His work is not only making the company's networks more secure, it also provides Siemens with a competitive edge.
His team participated, for example, in checking the security of a smartcard processor for Infineon Technologies. The processor was the first piece of hardware to meet the requirements of the initial version of the German Signature Law, which regulates the basic principles of electronic signatures. Although the requirements of the Signature Law have meanwhile been somewhat eased, Infineon is still applying the older, more stringent criteria on a voluntary basis. "Customers are aware of the increase in quality and have great faith in the products," says Lotz. As a result, Infineon is the market leader in high-security certified smartcard processors.
Mathematical systems are particularly difficult to develop for applications that have to get by with little computing power and inexpensive hardware. Examples of such systems are the security algorithms that Lotz's team is developing for the remote checking of electricity meters and for vehicle applications. Electronic keys are increasingly being used to open car doors and start engines. Some of the computing done to authenticate a user takes place in the key, which nevertheless has to be small and inexpensive.
The same applies to electronic trip recorders in trucks, for which Lotz is also developing secure algorithms. All of these applications require special solutions. Says Lotz: "It's always a challenge to maintain high security standards despite the limitations of the hardware."
Bernd Müller