Siemens Worldwide

Pictures of the Future


Contact Sebastian Webel
Mr. Sebastian Webel


Tel: +49 (89) 636-32221

Fax: +49 89 636-35292

Werner-von-Siemens-Straße 1
80333 Munich

Pictures of the Future
The Magazine for Research and Innovation

IT Security

Software that Outsmarts Cyber Criminals

Professor Claudia Eckert is Director of the Fraunhofer Institute for Applied and Integrated Security (AISEC) in Munich and Chair for IT Security in the Computer Science Department of the Technical University of Munich. Image: Leibniz Supercomputing Centre (LRZ) of the Bavarian Academy of Sciences and Humanities in Garching, Munich.

IT security expert Professor Claudia Eckert discusses the growth and dangers of cyber crime. She also addresses how security consciousness and some high-tech companies are helping to minimize risks from the Internet.

Professor Eckert, as information and network technologies continue to spread, they are simplifying our personal lives and increasing the competitiveness of companies. But security threats from cyber attacks are increasing too. Can we still trust the Internet and our communication media?

Prof. Dr. Claudia Eckert: It’s true that cyber attacks are increasing at a tremendous rate in aggregate terms. And that’s not all; their focus is changing as well. Instead of being relatively indiscriminate in their targeting, they’re now more focused on individual companies or even individuals. According to an analysis conducted by the German Engineering Association (VDMA), the damages incurred by companies whose know-how was siphoned off or whose products were copied, for example — amounts to more than eight billion euros per year for German engineering firms alone. Other studies estimate the damage from cyber attacks, such as identity theft, theft of information, manipulation, etc., to be at least 575 billion dollars worldwide, with the number of unreported cases believed to be very large. Cyber crime is now thought to be more profitable than the international narcotics trade.

How do cyber criminals generally operate, and what is their objective?*

Eckert: In addition to pilfering information, cyber intruders from the sphere of organized crime often try to blackmail their victims. For example, the purpose of an attack may be to encrypt local, internal company databases, and the key to decrypt them will only be given in exchange for a ransom. Another common type of attack is an “advanced persistent threat” or APT. An APT is malware that is specifically tailored to the system it attacks. It generally contains complex malware features and embeds itself deep inside the compromised system. An APT usually uses a known vulnerability as its point of entry and penetrates deeper from that point. It typically conceals its presence from known methods of detection. An APT can therefore often be active in a system for very long periods of time, for months or even years, before the malicious code is uncovered. Advanced persistent threats usually scout out data and send it to special servers, but they can also deliberately manipulate systems. In addition, there is identity theft, i.e., stealing passwords or other credentials. Another common problem is that the level of security consciousness among company staff and the general public is low or nonexistent.

"Cyber crime is now thought to be more profitable than the international narcotics trade."

What can companies do to maximize protection of their data?

Eckert: A comprehensive system of security management should be part of every company’s strategy. For example, data in the cloud can now be protected by a service provider in the framework of a contractually defined relationship of trust supplemented by technical measures, with auditing also available. In the case of security-critical applications in network-connected production facilities, it could be helpful to implement techniques for reliable identification of components, services, and of course persons, along with restrictions regarding permitted actions. Other helpful measures include isolation techniques to limit the possible extent of damage, as well as the use of secure, hardware-based authentication techniques. When using encryption, companies should also give due regard to the generation, distribution, and storage of the key. For example, an unprotected key store – a repository of security certificates –could be read from the hard disc by a Trojan virus. Network-connected systems are subject to a highly dynamic environment, so their security status must be constantly monitored. These systems require advanced monitoring and control processes that are integrated into the security architecture in such a way that they can’t be circumvented. They need to be able to monitor security conditions autonomously and initiate countermeasures early on, such as by automatically reconfiguring themselves as needed, if there are signs of a possible attack. There are already individual solutions available for scenarios such as these, but not for a system with thousands or even millions of components communicating with one another.

Heartbleed, a flaw in SSL Internet access technology for Web sites, which was previously thought to be secure, has shown how vulnerable the Web can be with regard to security. How might it be possible to create secure software?

Eckert: First of all, there will never be a piece of software or a solution that provides 100-percent protection against cyber crime, and the Heartbleed case illustrated ” that. But we’re doing everything we can to minimize these risks. At the Fraunhofer Institute for Applied and Integrated Security (AISEC), for example, we’re developing automatic software-inspection programs that test codes for potential security vulnerabilities. To try to ensure that the software itself doesn’t have vulnerabilities, software developers need tools that can tell them right away, while they are programming, whether their code is violating any security guidelines. This is especially important for programmers working in industry, who are increasingly called on to develop software for embedded systems, i.e., the Internet of Things. AISEC also develops special tools and processes so that security is taken into account from start to finish in the development and implementation of digital business processes. This way, security is integrated into systems and business processes from the beginning, fulfilling the demand for security by design.

"Just as a person can be uniquely identified with biometric features such as fingerprints, there is also a sort of biometrics for objects."

What research objectives still have to be met in order to provide the best possible assurance of security, including for an Internet of intelligent systems?

Eckert: One important pillar of security is reliable identification and authentication of the entities involved, whether they are persons, objects, or services, for instance. A challenge with the Internet of Things is supplying practical and scalable identification processes that allow the untold thousands of network-connected objects in the Internet of Things to unambiguously identify one another, without having to exchange and store key material among themselves beforehand, since that is not feasible in many scenarios of the Internet of Things. At AISEC, we’re pursuing research on techniques for deriving object identities from characteristic physical properties of the materials making up the objects to be identified. Just as a person can be uniquely identified with biometric features such as fingerprints, there is also a sort of biometrics for objects. We’re looking into the development of what are called “physical unclonable functions” or PUFs, in which an identity is characterized based on physical, non-reproducible properties. We make a PUF, for example, by building special circuits with conductor paths whose signal transit times are determined randomly as a result of the production process.

When a voltage is applied — we call that the “challenge” — the signal will pass through the conductor paths and reach the output terminal slightly faster or slower. So there is always a unique identity. Another important property of a PUF is the ability to derive a cryptographic key from the material itself. There is then no need for a key store, because the material itself represents the key, so the key can’t be stolen. We’ve already built PUF prototypes for various applications, and in particular we’ve developed a new type of protective film for objects which is based on PUF properties. We hope to have that ready for commercial use in two or three years. In addition to that, researchers are also working on new encryption processes that are resistant to attacks by quantum computers.

Professor Claudia Eckert is the director of the Fraunhofer Institute for Applied and Integrated Security (AISEC) in Munich. She also a holds the Chair in IT Security in the faculty of computer science at the Technical University of Munich.  

As a member of various national and international industrial and scientific advisory committees she advises companies, trade associations and public authorities on all aspects of IT security. As a member of a number of expert committees, she is involved in shaping Germany’s technical and scientific environment and in the design of scientific programs on the EU level.

Interview by Harald Hassenmüller
Picture credits: all pictures: Astrid Eckert / TU München