At the end of November 2016, more than 900,000 customers of Deutsche Telekom learned what it means when a network collapses under an attack. They were offline, partly for days. Attacks on users, companies and governments are increasing. The reason: so far, there are no binding standards or seals of quality for IT security.
IT security: Why hackers can paralyze us so easily
First it was just a website – for several days in October barely reachable by the rest of the online world. A few weeks later, many Internet users stared perplexed at their screens: Twitter, Netflix, Amazon and many other popular services were unavailable worldwide.
Attacks are the order of the day on the Internet. At almost any moment, somewhere, someone cracks an email account, a criminal abuses a credit card, organized groups try to steal company secrets.
The first attack in autumn 2016 hit the site of the American IT journalist Brian Krebs. He covers organized crime on the Internet and has therefore been threatened more than once before.
This time someone got serious, presumably a group of online criminals of the kind Krebs regularly reports on. They bombarded the server hosting Krebs's website with massive numbers of requests until it had to give up. For this they used a network of hacked IT devices, a so-called botnet.
Was it revenge? Intimidation? Nobody knows. In any case, the attack ended only when a special service of the search-engine giant Google took over. It was finally able to fend off the so-called DDoS attack.
Then it hit the network service provider Dyn. Again a DDoS, again from a botnet. Massive numbers of tiny data packets pounded the Dyn servers – until central components of the network collapsed under the load and some Dyn customers were unreachable or only barely reachable. Andrew Sullivan, member of the board at Dyn, at a conference:
What was really unusual was that we were attacked on a rather unusual level of the network, and the number of computers that were attacking us was not so immense, but they all took on the same component. Things quickly got out of control.
Both events drew the attention of the specialist press. Both were extraordinary. The data packets came from devices of the so-called “Internet of Things”. This “Internet of Things” consists of devices and objects that are networked via the Internet. These can be traffic lights, cars, heaters, household appliances or whole factories. In the attacks described, webcams, Internet routers, digital TVs and video recorders were taken over and abused.
At the end of November 2016, more than 900,000 customers of Deutsche Telekom learned what it means when a network collapses under an attack. They were offline, partly for days. Internet, telephone, TV – nothing worked.
At 3:30 pm on Sunday, our network management center increasingly recorded failures from our customers’ routers.
reported Telekom CEO Tim Höttges three days after the start of the incident at an IT security conference. What he did not yet know: Telekom and its customers were not the target of the attack at all; they were merely collateral damage.
Ladies and gentlemen, the balance of the past few days, summarized and according to my current knowledge: On Sunday afternoon, there was a worldwide hacker attack on Internet routers. Today we can say that the attackers did not succeed with the routers of Deutsche Telekom customers. If the attack had succeeded, the attackers would have had control over several million routers.
Attack over a long known security gap
The still unknown attackers actually wanted to hijack a few million Internet routers and then feed them into a botnet. To this end, they used a long-known security gap. Fortunately, the Telekom routers were not vulnerable to the gap itself. But because the network let the onslaught of data packets through, the customers' Telekom routers buckled under the load.
Three violent events in less than three months. Attack one was annoying, attack two more dramatic. And the third incident showed nearly one million users what it means to be offline for longer. The German government had not expected this.
The order of magnitude surprised us. That does not mean that this is technically not possible, but the fact that this happened here on this scale surprised us a bit.
Klaus Vitt, State Secretary in the Federal Ministry of the Interior and Federal Government Commissioner for Information Technology.
What surprised us so much was the use of one type of terminal device, in the size or quantity in which it was abused, as it became clear how great the potential is for the attacker to abuse a large number of end devices in order to launch a corresponding attack from them.
Only very limited security guarantees
But what to do about it? The Internet of Things is still at the beginning. Its spread, however, will not be stopped. This multiplies the attack surface for those who want to cause damage. For now, the security of the Internet is in rather poor shape, explains Linus Neumann. The hacker analyzes IT systems on behalf of companies and is an expert to the Bundestag on IT security. In addition, Linus Neumann is one of the speakers of the Chaos Computer Club, CCC.
The entire first idea of IT security, delivering items of reasonable quality, and secondly, adjusting and improving the quality on a regular basis – both are very limited in these Internet-of-Things devices, which blow up in our faces all the time.
But precisely because the development is still at a comparatively early stage, it can still be steered in parts. Arne Schönbohm, President of the German Federal Office for Information Security, BSI:
I think we now have the great chance that others, I say, may react more sensitively and take the issue of information security even more seriously.
For it is high time, says Telekom boss Höttges.
So far, cyber attacks have primarily caused financial damage, but they also have the potential to cause immense physical damage, for example against critical infrastructure such as energy or water supply or traffic management systems, and they can and do cause catastrophes like any other terrorist attack. They even have the potential to destabilize states or societies.
At the same time, we cannot afford to stop digitization because of feared and actual security risks.
Hardware and software manufacturers are called upon
Normally, IT security is expensive for companies and annoying for users. Now the things on the net are out of control. Linus Neumann says that software and hardware manufacturers are responsible for this.
The devices are thrown onto the market without worrying about how to secure them, and above all, we see in the big botnets today that the devices are not only not secured, but also that they are unsecured in the same way a thousand times over, which makes the attackers' work very, very easy: taking over very many devices very quickly.
State Secretary Vitt dares a gloomy forecast.
I’m assuming that will increase because this has now worked.
After the incidents in the USA and at Telekom, calls for politicians to act grew louder. But Vitt says that IT security incidents cannot be prevented by the state. The state is only responsible for the general framework.
“The IT Security Act is, for example, a framework where critical infrastructure operators define minimum standards for IT security and a reporting obligation for serious cyber-security incidents.”
Critical infrastructures are facilities whose failure would severely disrupt public safety, for example energy and water suppliers or telecommunications providers. Until the IT Security Act entered into force in May 2016, such companies did not even have to report when they had been hacked.
The user is also called upon
But who bears responsibility if the software is not up to date? If devices can be hijacked? What is the user's responsibility? What is the manufacturer's? And how much responsibility does the provider bear, who rents terminals such as routers to its customers?
Thomas de Maizière, Federal Minister of the Interior, sees considerable responsibility with the user himself. BSI President Arne Schönbohm also reminds users of their responsibility.
On the net, some users follow the motto: no matter what I'm talking about, if the prince from Zamunda promises me 30 million dollars, then I click on it or give my contact details. It's a good idea to think about it when having a new video surveillance system installed over IP, or about the settings on the TV, on the smart TV.
Linus Neumann of the CCC, on the other hand, is more protective of the user. Of course one has to choose passwords well and renew them regularly. But:
Hundreds of thousands of customers who have purchased an IP camera are now supposed to be to blame? No, it's the fault of the manufacturer who sold this scrap to the customer.
Many devices get one update in their entire product life, sometimes two, often enough none at all, according to Linus Neumann.
This is the responsibility of the companies that earn millions and billions selling us this shit, and as a user I can certainly demand that these devices receive aftercare and that these devices are delivered in a reasonably decent quality. It can only be my responsibility to install the updates that the provider provides for me.
More security through responsible disclosure
Security gaps in software are gateways for attacks. Updates exist to close them. But for some manufacturers this is too laborious, too expensive. One way to force them to act would be to publish the security gaps.
Many IT companies actively encourage security researchers to look for gaps in their products. If someone finds one, the company pays a bounty. In return, the finder stays silent until the security gap is closed. In most cases, companies and researchers then make the case public. In specialist circles the procedure is called Responsible Disclosure. The CCC also proceeds this way.
It is common practice to keep the manufacturer informed: I'll give you six months' time, and whether you fix it or not, after six months I'll make it known. Then you'll have either the bad press and the problems, or you can say, wonderful, we use this tailwind to push the update so as to remove our customers from the risk to which we have exposed them. As a software producer, they can play along with it – or not.
Making this procedure a legal requirement has long been called for in IT circles. So far without success.
In the Telekom case, the security gaps had been known for more than two years. And the group also knew about the danger to its network. But it was only when the routers broke down that the company acted.
Sometimes certain gaps are only closed when a certain pressure is actually there.
says BSI President Arne Schönbohm. A government regulation could provide more pressure. But neither the Federal Office nor the Ministry of the Interior can imagine this.
Because when it comes to publishing security gaps, even if you have a solution, the question, when it comes to an end user or a company, is how quickly does this company or the public close this gap? As long as it has not implemented the solution, there is a higher risk. So, from the point of view of weighing up opportunities and risks, I cannot imagine that we will publish it.
says State Secretary Klaus Vitt. But behind the restraint, Linus Neumann of the Chaos Computer Club also suspects the state's own interests. After all, law enforcement must also find ways to place espionage software like the Bundestrojaner on a suspect's computer.
The state has an inherent incentive not to fix highly critical security gaps, because they could be used somehow, but at the same time it of course ignores the risk that others can use these security gaps as well.
The Ministry of the Interior clearly rejects this. There is no interest in hiding security gaps, State Secretary Vitt says:
First of all, it is our interest to protect citizens and businesses, which means that the security gaps are closed as quickly as possible, and that under certain conditions we want to take appropriate precautions, for example to monitor the communication behavior of organizations where a legal basis exists for us to do so, but we will not install backdoors.
If there are security gaps that are known, it can be that they are used, but that is not in the foreground; the focus for us is on closing the gaps.
The EU Commission is also currently dealing with security gaps. According to the Federal Ministry of Justice, a directive on “digital content” is being worked on; one question is whether and for how long customers would be entitled to security updates.
In addition, whether it is appropriate to extend this reversal of the burden of proof for the sale of digital content.
In that case, the manufacturer would have to prove, even after six months, that he had fulfilled his security duties. Up to now, the customer has to prove that a technical defect existed from the beginning – almost impossible for consumers.
Controversy about liability for hardware and software
A further lever for more IT security would be liability for the manufacturers of hardware and software. Linus Neumann of the CCC says that at the moment manufacturers do not have much to fear.
There is a piece of wisdom that says there are actually only two products that can be sold without liability – and these are drugs on the one hand and software on the other.
This is not the case, according to the Federal Ministry of Justice.
German civil law already provides for liability for damage caused by faulty software and hardware.
A manufacturer is liable if a fault in hardware or software causes injury to life or limb. In the case of product liability, however, the question is who is responsible for the damage. And here it gets tricky. State Secretary Vitt:
Who accepts the product liability – is it the actual product manufacturer, is it the company that sells the product to the end customer, with a promise, perhaps, that there is software on it that needs to be regularly updated? All questions you will not be able to answer so quickly and easily.
Vitt concedes, however, that for all its complexity, product liability is a way to increase the security of IT products.
The Federal Office for Information Security, which belongs to Vitt's ministry, can well warm to the idea of more liability for producers. BSI President Schönbohm:
The more dependent we are on IT, the more infrastructures it permeates – automated driving – the more important it is, of course, that I bear the consequences for my actions or inaction. Liability is always one of the topics that cost money, and therefore one tries to keep the liability as low as possible, and then increases security.
A seal of approval for more security
One idea is shared by both the Ministry of the Interior and its Federal Office: a label for the security standard of software and hardware. Klaus Vitt explains:
We are thinking about perhaps introducing a seal of quality for IT products, especially for the private sector. The seal of quality would mean that this product has a certain standard of IT security, according to certain criteria.
Such a seal would not be mandatory. Only if enough manufacturers decided to have themselves examined would pressure build for the others to follow suit. The hope is that such a seal would become a marketing tool.
The seal of quality and product liability are forerunners of possible future state regulation. Even more intrusive for the IT industry, should incidents such as those in the USA and Germany become more frequent: state-mandated, comprehensive security audits. That's why Dyn board member Sullivan recently warned at a conference of Internet engineers:
The attacks were against sensitive core components of the Internet, and I think this could encourage a whole series of regulations, so before that happens we should do something ourselves, because we understand the technology and what the problems are. We should not wait for someone to come and do it for us.