Editorial / The data disaster
Recent months have seen a major increase in cybercrime. But that’s not the only threat to our private information. Click on the picture to read more ▼
Freedom vs. security
These values may seem contradictory, but in today’s complicated world they both merit respect.
When apps like Telegram or WhatsApp encrypt messages to protect privacy, they are accused of also enabling criminals and terrorists. And when America’s spies and its European counterparts try to intercept encrypted communications, they are said to be trampling on individual liberties. Can free societies reconcile their need for security with the values they cherish?
Patch me if you can
To spread viruses and malware, hackers take advantage of loopholes in IT system. Vulnerability fixes exist, but users download them all too rarely.
As the Windows operating system starts up, a flashing image of a skull appears on the screen, together with a demand for $300 in ransom. This is not a scene from the latest spy movie, but rather an event experienced by thousands who fell prey to the malware GoldenEye (also called NotPetya) in June 2017. A few weeks earlier, another ransomware known as WannaCry infected 300,000 computers in 150 countries. The victims were well-known entities, including the UK’s public-health system, Germany’s railways, Spain’s Telefónica and the US’s FedEx. A complex international investigation will be necessary to identify the culprits. These cyber-attacks all have one thing in common: infection could have been avoided had more attention been paid to regular updating of operating systems. In other words, installing the latest security patches from OS and software providers, which contain additional lines of computer code to protect against flaws in their products. GoldenEye and WannaCry, for instance, exploit a feature in Windows called EternalBlue, a bug fixed by a Microsoft update in March 2017. “GoldenEye acts as a worm,” explains Bogdan Botezatu (@bbotezatu ), an expert in security for the Romanian company Bitdefender. “It is implanted through EternalBlue, which was not patched on many computers, and reproduced using a powerful propagation medium. The administrative tool lets malware hop from one computer connected to the internet to another, without any human help needed.” The attack mechanism is thus much more complex than an ordinary e-mail attachment.
The repercussions of these malware intrusions can be serious. In the case of GoldenEye, it was impossible to take public transport in Ukraine, enter the airport or withdraw money for an entire day. Some gas and heating was also cut-off for three to four days. In the event of data theft, the consequences can be even wider-reaching for companies and public organisations.
One hundred days
If these threats are known and increasingly present, why are companies and public entities not installing patches? “Patch management is often not handled internally,” explains Maxine Holt, main analyst for the Information Security Forum, an independent organisation based in London. “Too often institutions choose to allocate financial and human resources to other areas. A hospital will usually prefer to purchase a new machine rather than patch and conduct IT security evaluations, as this satisifes a more immediate interest.” Another problem is that some structures avoid computer-system downtime to install updates, as machines are running 24/7.
It takes about 100 days for developers to deploy a patch and for a company to apply it, according to Bitdefender. “Many companies have developed tailored applications internally to enable their products and services to work with earlier generations of operating systems,” Holt adds. “Maintaining systems on an earlier version saves money, as reconstructing, adapting, and testing applications could cost a lot. Even when the threat arrives, the IT infrastructure is not yet ready for the patch.”
Mass digitalisation also makes it more difficult to communicate when updates are ready to be installed. “Although updating a computer is fairly easy – a pop-up lets you know that updates need to be installed – this task is more difficult with a connected object which is part of an Internet-of-Things infrastructure,” explains Christian W. Probst, head of the cybersecurity division of the Technical University of Denmark. “How will a system notify me that a patch needs to be installed for my refrigerator and my connected radiator? I will likely have forgotten that the interface to update is on my smartphone or laptop.”
Task force creation
According to Holt, the only solution is widespread introduction of teams dedicated to patch management. “Patch management must become better known within organisations,” she says. “Responsibility must be shared between the IT department, which will fix bugs and functional problems, and the security department, which will ensure that patches become a priority and that structural problems are resolved.”
Botezatu also believes that all organisations should have teams dedicated to IT, which validate updates to their applications. “They must conduct risk-assessment tests to see if their applications will resist malware,” he says. “It is important not to remain stuck in the past when it comes to computer tools.”
Another more radical measure to decrease malware vulnerability is to disconnect vital systems from the internet. “Even with patches, there is no such thing as zero risk. Outside of the network, infection risk will be minimal,” acknowledged Probst. “End users should take a step back and ask if it’s really useful or wise to have access to a database from their smartphones.”
Governments and aviation
To prevent a new wave of WannaCry-type threats, various authorities can now pressure private and public entities to install patches. The first of these is the software publisher, who releases the patch. “The publisher communicates about the patch and how to properly deploy it,” says a Bitdefender employee. Security-service providers must then urge the installation of these patches and perform tests of the protection’s effectiveness. “Following these attack simulations, vulnerabilities are detected and organisations are informed.”
Governments can also sound the alarm. In 2013, the EU created the European Cybercrime Centre (EC3) in The Hague. Together with public and private partners, it has also created the “No More Ransomware” platform, a website that offers prevention advice, decryption tools and a form for reporting violations.
“The EC3 plays an important role in organising the exchange of knowledge, insights, and information among member states and Europol,” says Probst. This European initiative constitutes an interface among different players and includes all aspects of online cybercrime: online fraud, sexual exploitation of children and cybercrime. “It has had significant impact on operations in these areas, so it is clearly a success.”
Even so, additional European and international regulations will be necessary to force software developers and organisations which retain data to maintain up-to-date and secure systems. “Protection is essential in many fields,” says Probst. “Take aviation: manufacturers must be certified to build planes. Aircraft must be verified before sale to an airline company. Following this, they are inspected frequently and there is a safety inspection before every flight. It is thanks to these precautions that relatively few aeroplane accidents occur. We should implement a similar approach for software.”
By Blandine Guignier
Leaders in cybersecurity
Europe is often at the forefront in the fields of digital safety, antivirus protection and encryption. Here are three examples.
It is clearly a field with a bright future: market analysts predict that annual global spending on cybersecurity could reach $200 billion by 2021 as security firms react to growing threats and the world embraces vulnerable new technologies like linked devices and cloud services. Among the winners will be some European companies with cutting-edge technologies and solid business models.
Gemalto, outsourcing security for smaller companies
A global leader in secure software applications, Amsterdam-based Gemalto is also the world’s largest manufacturer of SIM and other smart cards, including e-passports. Since its creation in 2006, the company has spread its operations to 48 countries, earning €3.1 billion last year.
Gemalto has also made a name for itself in the field of secure managed services, which, roughly translated, means providing the online use of secure software platforms as an alternative to managing your own software. Angela Sasse, director of the UK Research Institute in Science of Cyber Security, says such cloud-based services can potentially be of huge use to small- and medium-sized enterprises that struggle with the know-how and practice of managing their IT securely.
“In principle, the practice of outsourcing your security can be very useful if the supplier is competent and trustworthy, as professionals specialised in this area should be able to do a much better job,” she says.
If providers like Gemalto can successfully offer secure cloud services in the face of rising cybercrime, such solutions will help drive the trend towards security as a service. “Previously you would receive a factory-setting connection without a firewall – and it’s up to you to sort it out – but now the entire range of security measures are often taken care of by expert suppliers.”
Kaspersky, leading the antivirus battle
A household name for its antivirus software, Moscow-based Kaspersky also offers an extensive cross- section of cybersecurity products and services. Marking its 20th anniversary, the firm boasts the largest market share for desktop security in Europe, the second highest for mobile use, top ratings from independent testing and, as of 2016, more than 400 million users around the globe.
Like other security providers, Kaspersky’s biggest challenge is keeping up with the rapid speed at which malware is developed, detecting these threats and protecting against them. And although users seem more aware than ever of the risks posed by viruses, Sasse fears that people still overestimate how well they’re protected: “We see people doing things online they really shouldn’t, saying, ‘It doesn’t matter, my antivirus will take care of this’.”
Increasingly on the agenda are questions concerning the responsibilities of cybersecurity companies to their customers in the face of government pressure for intelligence. Kaspersky has been criticised for its proximity to the Russian authorities, primarily by Americans fearful that their privacy could be compromised by “backdoors” built into software for surreptitious access.
Kaspersky has repeatedly denied any government collusion, but the same questions apply to cybersecurity firms everywhere. “As researchers, we believe the needs of consumers and citizens come first,” says Sasse. “Weakening encryption by backdoors, or not patching in the name of national security cannot be endorsed.”
Telegram, encrypting messaging against snooping
Taking advantage of a growing market of people fearing mass surveillance, Telegram is a Berlin-based messaging app, founded in 2013, which last year reported more than 100 million monthly users. Although Facebook-owned WhatsApp tops this with 1.2 billion-plus monthly users, Telegram was quicker to offer end-to-end encryption, with messages never stored on an intermediate server that could be accessed by secret services. The easy creation of anonymous accounts, the timer for destroying messages and the privately developed encryption are further selling points for those wary of Facebook or other US-owned services.
Telegram is used around the world, says Sasse, “often in countries where young people think it offers protection from eavesdropping governments”. The flip-side is that Telegram is criticised for enabling secret communication by terrorists.
Telegram has responded by shutting down channels linked to terrorism, although new ones can be opened quickly as soon as others are shut. Sasse says this highlights an ethical quandary in software development. “Normally you would consider going ahead or not going ahead, depending on whether you believe the negative consequences outweigh the benefits. With security products, you can’t have one without the other.”
Sasse says a bigger issue is the perception of how secure communications with such apps are. “Colleagues of mine have shown that Telegram is relatively easy to break, so if people think it will protect them from governments, it won’t,” she says. “Besides, our studies of Telegram users show that a vast number are actually using the app in unencrypted mode without realising it.” With WhatsApp users now receiving end-to-end encryption across all messaging and governments pushing to undermine secure communications with calls for backdoor access, this misperception may be Telegram’s biggest challenge.
By Joe Dodgshun @JDJourno
The German cloud
The country is getting a lot of attention, thanks to its strict privacy laws. But is it the only option for a data-safe harbour in Europe?
More than $1 trillion are expected to be spent on the shift to cloud computing between 2016 and 2020. But when putting your data and that of your clients in a cloud company, the big question is: whom can you trust? Or perhaps where can you trust? The location of the data servers holding your information is important, as they come under the legal jurisdiction of that country, even if you and your virtual castle do not live there. With nationalism on the rise and some governments undermining privacy in the name of security, Germany, the country with Europe’s strictest data-protection regulations, could be the right choice.
It is perhaps no coincidence that American cloud-service giants like Amazon, Salesforce, IBM and Microsoft have all opened German data-storage centres in the past three years. “Due to our history, we have a constitution with very strict privacy laws,” says Ahmad-Reza Sadeghi, head of the System Security Lab at Technische Universität Darmstadt. He says the core of these privacy laws comes down to one basic principle: personal data can be released only with the owner’s permission. Germany has been a major driver of the EU General Data Protection Regulation that comes into effect in 2018.
PUBLIC and PRIVATE KEYS
Many online processes are secured by RSA encryption – a technology developed 40 years ago.
The “https” code that you see in the address line of your internet browser is directly linked to an encryption system called RSA. Created by three American mathematicians in 1977, it ensures that information exchanged on the internet stays private. One important application is online banking.
Like every encryption system, RSA is based on random numbers. In this case, two random prime numbers (each with between 300 and 600 digits) are multiplied to form what is known as the public key. This public key is saved on a website’s server. The internet browser uses this key to encrypt data before sending it to the server. To decipher the information, you need to know the two prime numbers. In our example, they are saved on the server of the website and known only by the people that have access to it. This is called the private key.
How safe is the technology? The RSA system is based on the principle that the prime factorisation of a very big number is extremely difficult – a supercomputer might take years for this task. In 2012, however, Arjen Lenstra, professor of cryptologic algorithms at the École Poly-technique Fédérale de Lausanne, found that 0.2% of keys were not safe because they were made of a small group of prime numbers. That does not mean the encryption system itself is weak. “If one wants to attack a system, it is in general not a good idea to focus on the part that is, if properly implemented, the strongest,” explains Lenstra. What’s more problematic is the creation of the random prime numbers. If the mechanism is too simple, it can easily be hacked. But given the small percentage of weak keys, RSA encryption may still have plenty of life left.
German Fort Knox
Germany’s cloud-services market jumped from €1.4 billion in 2012 to €9.2 billion in 2015, with 65% of German companies reporting that they used cloud services in 2016. Even so, that is just a fraction of the $209 billion the worldwide market pulled in last year. But Europe is the biggest market after the US, with the UK in the lead and Germany slotting in ahead of France, tipped to show the strongest European growth until 2020.
One flagship of the German Cloud is the offering of Deutsche Telekom’s corporate customer arm, T-Systems, which includes “high-tech Fort Knox” data centres as part of its service. Another is Deutsche Telekom’s partnership with another huge foreign firm, China’s Huawei; together they have rolled out the public Open Telekom Cloud platform. Salesforce and Microsoft alo partems, h oversees all data access in covering privacy requirements. Chief architect for cloud operations and analytics at Huawei’s German Research Centre, Jorge Cardoso explains that Huawei does not supply cloud solutions directly to customers in Europe – unlike in China – but offers joint services.
“For example, on the Open Telekom Cloud we’ll be implementing High Performance Computing (HPC) for big customers that need to carry out heavy simulations,” says Cardoso. Cardoso sees Germany attracting more cloud service providers like Huawei thanks to its role as Europe’s leader in data security. “When the big American companies want to offer data storage in Europe, they’ll build more and more data centres here because, for example, no big German company will trust storing financial data in the US, as nobody knows whether the FBI will be able to access the data or not.”
But there is no guarantee that foreign companies with data servers in the EU will be safe. Microsoft won a case against the US Department of Justice, which wanted to access customer data stored on Irish servers, but Google was recently ordered to hand over e-mails stored outside the US. Google is appealing the decision, but the damage may have been done.
Even so, Sadeghi believes Germany has a cloud jump on the rest of Europe. “The only place where the security awareness is as strong from a research and funding point of view is the UK,” he says. “But how trustworthy is the UK, given that it is a close partner of the US? How could a German company trust its data to a UK cloud company?”
Then there’s Switzerland
Another European country with a longstanding reputation for security and discretion has begun to market itself as a safe bet for cloud storage. Among the arguments of the Vigiswiss Swiss Data Centre Association: “Switzerland is a politically neutral, stable and pragmatic democracy with a culture of confidentiality.” Says Sadeghi: “If Switzerland can keep the money of all kinds of people safe, including dictators, maybe they can do it with data as well.” He adds that Liechtenstein or Luxembourg are also plausible candidates.
Judging by EU guidelines on countries where data can be safely stored, however, Switzerland’s laws are merely “adequate”. The data-safe harbour of the future will be defined first by its laws – and then cemented by technological superiority.
“Even within Europe, everyone knows not only the precision of German tech and engineering but also the nature of the law and the precision of its application,” says Cardoso. “For that reason, Germany is the perfect place for cloud computing or data services.”
By Joe Dodgshun @JDJourno
The next frontier: Quantum cryptography
As familiar encryption systems reach their limits, the strange world of particle physics offers new solutions. The challenge now is to scale the technology for real-world applications.
Encryption underpins every exchange of personal data we make online. From bank details to instant messaging services and medical records, encryption is designed to keep information firmly in the hands of the intended recipients. The current standard, known as RSA, generates keys using algorithms that are easy to compute in one direction (like multiplying two large prime numbers), but virtually impossible in the other (in this instance, factoring that number back into its two component primes). Breaking the system is not impossible, just improbable – like finding a single bookmark among all the books on the planet.
Unfortunately, RSA (from the surnames of its creators, Ron Rivest, Adi Shamir, and Leonard Adleman), is not foolproof. “Since these schemes are based on unproven mathematical complexity assumptions, an unexpected algorithmic innovation could immediately compromise security,” explains Ulrik Lund Andersen of the Technical University of Denmark. Google recently made waves in the cryptography world by breaking the Secure Hash Algorithm 1 (SHA-1), an outdated but once popular formula. Their approach was not exactly run-of-the-mill: “This attack required at least 9,223,372,036,854,775,808 computations,” the team explained. A single CPU would need 6,500 years to crack SHA-1.
In the future, familiar systems may be augmented by and in some instances even replaced with quantum key distribution (QKD). This emerging approach is part of the “second quantum revolution”, which exploits the strange nature of particles at quantum scale to perform tasks that conventional computers can’t come close to. In the case of QKD, that means using photons to create entirely unique, tamper-proof encryption keys.
While these keys are theoretically unbreakable, according to the laws of physics, that does not mean they will always perform perfectly in the real world. “While QKD is unconditionally secure in principle, in practice a determined hacker might crack it,” warns Anthony Laing from Bristol University. “Scientists playing the role of a hacker look for loopholes – not in the protocol, but in its implementation.” As a result, researchers across Europe are working hard to ensure that execution of this new technology delivers on the promise of its theoretical capabilities.
Scaling for cities
Point-to-point quantum encryption equipment is already mature to the point that prototypes are available for purchase. Toshiba’s Cambridge Research Laboratory and University of Geneva spinoff ID Quantique both offer QKD systems capable of key distribution over standard telecom fibre links exceeding 100 km. Andersen notes, however, that building usable commercial networks still poses serious technical challenges. “Sending and decoding encrypted quantum signals requires highly specialised equipment,” he says. “In addition, it’s not yet possible to send quantum signals across distances much larger than a major European city like Copenhagen with a high bit rate.” Andersen’s project is part of a national Quantum Innovation Centre named Qubiz, which could help bypass the current need for highly specialised equipment.
Currently there are two main approaches to QKD – discrete variable and continuous variable. Andersen explains: “With discrete variable QKD, detectors are reliable over long distances, but must be cooled to low temperatures to efficiently count photons. Continuous variable QKD can work at room temperature and, to some extent, with off the shelf detector systems.” Continuous variable QKD is attractive because it is potentially compatible with existing high-rate telecommunication infrastructure. The drawback is that conventional noise can render the system insecure because the receiver cannot distinguish between it and the noise an eavesdropper would create.
Andersen’s team has established a “measurement-device-independent” protocol for continuous variable QKD that rules out attacks on the measurement station – the most obvious target for a nefarious eavesdropper. “Even if the hacker has access to all the measurements made by the mast, it won’t help him or her intercept the key needed to decode the encrypted signals,” Andersen explains. “We are about to implement this protocol over a distance of around 20 km to prove its viability in real-world applications.”
After effective metro-scale networks are established, the next logical step will be to join these networks. That’s part of the plan for the UK’s Quantum Communications Hub (QComm Hub) once test networks in Bristol and Cambridge are operational. The €30 million initiative sees research institutes working in close collaboration with several large private sector players, including BT and Toshiba, to ensure that they develop viable data-security services over the next five years.
Moving beyond metro-scale won’t be easy. The distribution of quantum keys over long distances suffers from photon loss during transmission. “At some point, we’ll need to develop and then install new hardware called quantum repeaters,” explains Bristol’s Laing, who is also a QComm Hub co-investigator. Quantum repeaters are like substations between two distant parties.
Teleportation and the final frontier
The basic idea of a repeater is to divide a quantum channel into shorter segments and distribute entanglement between end nodes. Entanglement is then extended over the entire link by entanglement swapping. For example, if person A’s particle is entangled with person B’s, and person B teleports it to person C, person A’s particle is now entangled with person C’s.
“Another way around the distance challenge is to locate communication stations in space,” says Laing. “Here, the photons need only to pass through a few tens of kilometres of air before they are out of the atmosphere, so loss can be significantly reduced.” This is an area in which China has already made its first breakthrough. As part of the Quantum Experiments at Space Scale project, Chinese physicists led by Pan Jianwei at the University of Science and Technology of China measured entangled photons over a distance of 1,200 km between two ground stations via the Miscius satellite, which used a crystal to produce pairs of entangled photons in orbit.
“Another interesting option is drones,” says Hugo Zbinden, co-founder of ID Quantique. “A network flying at a level of around 15,000 m could prove effective for organisations like governments, especially if they’re already using drones at these altitudes for surveillance and security.” In 2007, ID Quantique’s Cerberus QKD system was used for elections in Switzerland. It was deployed for the 2010 FIFA World Cup in South Africa, and QKD-as-a-Service was launched in 2011, using Cerberus to secure communications in a metropolitan area network with connection distances up to 100 km.
While ID Quantique is Europe’s stand out success story for quantum R&D efforts, it is playing catch-up to China and the US. However, Europe recently decided to excel in quantum communications over the next decade. The European Commission recently launched a 10-year, €1 billion effort to advance the state of commercialised quantum technologies. Quantum networks will be a big part of that picture, and Zbinden is optimistic that work can progress faster than some players in the sector are predicting. “Within the next two years, a testbed European network of trusted nodes will be implemented,” he says. “This will not be commercially viable yet, but in a decade’s time it will be.
UNCERTAINTY at a GLANCE
If two particle receivers test a string of photons, the string of correctly correlated results can be used as a key. The very act of eavesdropping on communication between person A and person B would affect the state of the photons. Person A and person B would know because, in quantum physics, the no-cloning theorem states that it is impossible to create an identical copy of an arbitrary unknown quantum state. There is simply no way for an eavesdropper to intercept quantum-scale information in a way that doesn’t randomly alter its state and alert the sender and receiver. This principle is often described as quantum uncertainty and it underpins all current work in quantum communications.
By Benjamin McCluskey @FreelanceSciWri