Prof. Dr. Eric Bodden on IT security
Again and again, citizens and large institutions are targeted by cyber criminals, as at the University of Gießen at the end of 2019. Which vulnerabilities are exploited, and how does malware work? How can you protect your own systems? IT security expert Prof. Dr. Eric Bodden gives insights and tips, explains what measures he expects from politics, and describes the contribution his research and Paderborn's "IT Security Day" aim to make.
Mr. Bodden, at the end of last year the Justus Liebig University in Gießen was the target of an attack by cyber criminals. To prevent the situation from becoming worse, all university servers were shut down and the university was temporarily completely offline. It was thus possible to prevent the malware programs "Emotet" and "Ryuk" from taking effect and encrypting data in bulk. In other cases, however, cyber attacks have already been successful. Which IT vulnerabilities are currently being exploited by criminals?
Eric Bodden: Modern malware is often developed with a division of labor and therefore comes as a kit. There are many variants that exploit the most diverse vulnerabilities in different software systems. The best-known vulnerability that Emotet exploited was in Microsoft's implementation of the SMB protocol. Server Message Block is a network protocol for, among other things, file services in computer networks, and allows access to files and directories located on another computer. Many Windows systems could be exploited via the SMB protocol. This weakness was exploited by "EternalBlue", an exploit developed by the US foreign intelligence service NSA. The exploit was stolen from the NSA and made public in 2017. At that point, Microsoft had already made a patch available, but apparently it was not rolled out quickly enough to a large number of systems, which made things easy for Emotet.
The architecture of a cyber attack: how does malware like "Emotet" and "Ryuk" work?
Bodden: Current malware is relatively perfidious. For example, Emotet reads the e-mail inboxes on infected computers in order to send targeted mails to the contacts found there. These then appear to come directly from the person who owns the infected account. These phishing emails contain, for example, excerpts from emails that were actually sent. The aim of these emails is always to induce recipients to click on certain attachments or links. As a result, the malware then becomes active on the recipient's computer. Newer versions of malware use a whole range of distribution vectors and try, for example, to exploit vulnerabilities directly via a WLAN connection. All it takes to be infected is to be on the wrong network with an unpatched computer.
Whether it is a university, an industrial plant, or a traffic control system: which technical and organizational measures currently protect software-controlled and networked systems best against cyber attacks?
Bodden: As described above, an important weak point is unfortunately the human factor. The first important measure is to educate employees so that they can better recognize phishing emails. With current malware, however, you can no longer immediately recognize the emails as fakes. Another important point is to have security updates that are fast and as automated as possible. There are now sophisticated systems with which thousands of computers can be administered simultaneously. Often, however, there is the problem that certain security updates can only be obtained together with so-called feature updates, and these may be unwanted because they involve a change in the usual workflows. Software manufacturers are therefore asked to separate these updates from one another better.
Current ransomware regularly encrypts the data on infected systems and then demands a ransom, usually in the form of Bitcoin. Such systems can be restored at no cost if current backups exist. It is not only for this reason that a systematic backup solution belongs in corporate IT security today. To prevent ransomware developers from establishing a business model, political action is also required: it is obvious nowadays that cryptocurrencies like Bitcoin primarily serve organized crime. The benefits for private individuals and companies are negligible. Therefore, in my opinion, the legislator should issue a blanket ban on such technologies.
What can you do when a cyber attack occurs?
Bodden: In cases like the one at the University of Gießen, a lot of damage was prevented by shutting down many computers relatively early, after the first attacks were detected. This at least contains the infection. The potentially infected hard drives of the systems can then be cleaned "offline", without having to boot them. Teams of experts should be consulted for this, and fortunately there are now several companies in Germany that specialize in this so-called forensics.
In the "Software Technology" research group you head at the Heinz Nixdorf Institute of the University of Paderborn, and in the "Digital Security" competence area of the SICP - Software Innovation Campus Paderborn, you and your colleagues start at the very beginning, with the development of software systems. What goals are you currently pursuing in your research?
Bodden: Malware has it particularly easy today because there are countless weaknesses in current systems. They arise, for example, from incorrect assumptions regarding cryptographic protocols or the security architecture, but above all from programming errors. To systematically avoid these errors, a well-planned approach to so-called secure software engineering is required. The usual software development process is extended by a series of security touchpoints, at which IT security is considered and improved accordingly using systematic processes or effective tools.
The EU has been funding your "CodeShield" research project since the end of 2019. What are you investigating here?
Bodden: The aim of the project is to establish CodeShield GmbH, a spin-off of the University of Paderborn and the Fraunhofer Institute for Mechatronic Systems Design (IEM), which will initially include three of my former research assistants. The company will develop and sell a software tool that companies can use to secure their software supply chain. This is imperative because today's software systems consist of only around 10 percent self-written program code. Around 90 percent is provided, for example, by integrating open source libraries. But these libraries often have weak points that are well known and therefore quickly exploited. If my system uses a vulnerable library, this can make the system directly vulnerable; in some cases it is enough that the library has simply been linked.
The CodeShield solution enables companies to recognize whether they are using vulnerable components, and also whether those components are being used in such a way that the respective weak point is relevant to the system and an update must therefore be installed. This helps companies secure their systems better and make significant savings. As the first solution on the market, CodeShield will also recognize weaknesses in library code that has been compiled or recompiled.
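The two questions raised in the answer above, "is a vulnerable component installed?" and "is the vulnerable code actually relevant to this system?", can be illustrated with a small reachability check. The following is an added example, not CodeShield's code and not taken from the interview: it matches a lockfile against advisories, then walks a call graph from the application's entry points to see whether the advisory's vulnerable function is reachable, treating advisories whose vulnerable code runs on load as relevant regardless (the "simply linked is enough" case). The package names, versions, advisory IDs, call graph and entry points are all constructed for the example.

```python
"""Dependency vulnerability matching plus call-graph reachability.

Added illustration, not CodeShield's implementation. All package names,
versions, advisory IDs and call-graph edges below are constructed.
"""
import re
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed lockfile in "name==version" form.
LOCKFILE = """\
imagelib==2.3.0
yamlparse==5.1.2
fastjson==1.0.4
"""

# Constructed advisories with hypothetical IDs. "fixed_in" is the first
# non-vulnerable version; "triggered_on_load" marks vulnerabilities that fire
# when the library is merely loaded, so reachability does not matter.
ADVISORIES = [
    {"id": "ADV-0001", "package": "imagelib", "fixed_in": "2.4.1",
     "vulnerable_symbol": "imagelib.decode.parse_header", "triggered_on_load": False},
    {"id": "ADV-0002", "package": "yamlparse", "fixed_in": "5.2.0",
     "vulnerable_symbol": "yamlparse.load", "triggered_on_load": False},
    {"id": "ADV-0003", "package": "fastjson", "fixed_in": "1.1.0",
     "vulnerable_symbol": "fastjson._init_hooks", "triggered_on_load": True},
    {"id": "ADV-0004", "package": "imagelib", "fixed_in": "2.0.0",   # already patched
     "vulnerable_symbol": "imagelib.decode.old_bug", "triggered_on_load": False},
]

# Constructed call graph (caller -> callees) as a static analyser would build it.
CALL_GRAPH: Dict[str, Set[str]] = {
    "app.main": {"app.handle_upload", "app.load_config"},
    "app.handle_upload": {"imagelib.decode.read_image"},
    "imagelib.decode.read_image": {"imagelib.decode.parse_header"},
    "app.load_config": {"yamlparse.safe_load"},
    "yamlparse.load": {"yamlparse._construct_python_object"},  # never called by app
}
ENTRY_POINTS = {"app.main"}


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map lower-cased package name to pinned version; ignore blanks and comments."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        installed[name.strip().lower()] = version.strip()
    return installed


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' (or '1.0.4rc1') into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_is_affected(installed: str, fixed_in: str) -> bool:
    """True if the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def reachable_symbols(graph: Dict[str, Set[str]], entry_points: Iterable[str]) -> Set[str]:
    """Breadth-first closure of everything callable from the entry points."""
    seen = set(entry_points)
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def assess(lockfile_text: str, advisories: List[dict],
           graph: Dict[str, Set[str]], entry_points: Iterable[str]) -> List[dict]:
    """For each advisory hitting an installed, unpatched version, decide relevance."""
    installed = parse_lockfile(lockfile_text)
    reach = reachable_symbols(graph, entry_points)
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"].lower())
        if version is None or not version_is_affected(version, adv["fixed_in"]):
            continue  # not installed, or already at a fixed version
        symbol = adv["vulnerable_symbol"]
        if adv["triggered_on_load"]:
            relevant, reason = True, "vulnerable code runs when the library is loaded"
        elif symbol in reach:
            relevant, reason = True, f"{symbol} is reachable from the entry points"
        else:
            relevant, reason = False, f"{symbol} is not reachable from the entry points"
        findings.append({"id": adv["id"], "package": adv["package"],
                         "installed": version, "relevant": relevant, "reason": reason})
    return sorted(findings, key=lambda f: f["id"])


if __name__ == "__main__":
    for f in assess(LOCKFILE, ADVISORIES, CALL_GRAPH, ENTRY_POINTS):
        flag = "UPDATE NOW" if f["relevant"] else "low priority"
        print(f"{f['id']} {f['package']}=={f['installed']}: {flag} ({f['reason']})")
```

A "not reachable" verdict depends entirely on how complete the call graph is: reflection, dynamic loading, plugins and callbacks registered by string name can all hide real edges, so a practitioner treats it as a prioritisation hint that lowers urgency, not as proof that the update can be skipped.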
Quantum computers and co.: which new IT technologies are particularly promising for security solutions?
Bodden: The practical application of quantum computers, if it becomes possible in a cost-effective way, still seems decades away. And even such computers would possibly cause more problems than solutions in terms of IT security. Encryption algorithms such as RSA would become unusable because quantum computers could easily break them.
However, there are significant advances in many areas of IT security. In my own area, software engineering, great strides have been made in recent years in build and test automation. In this way, we are already enabling companies to build larger software systems faster, in a controlled manner and in compliance with best practices in IT security.
Advances in applied cryptography, for example, allow exciting new ways to reduce the data that has to be collected in the first place. A practical example is the electronic identity card. With it, citizens can prove their age without having to reveal their identity. Data that is never collected in this way cannot be stolen: an important step towards more security by design.
On March 18 and 19, the SICP is organizing the "IT Security Day" for the 15th time. What can interested people expect, and what do you want to achieve with the format of the event?
Bodden: The event is primarily aimed at those responsible for security, alongside interested parties from companies and associations. This year we are again offering an exciting mix of lectures from applied research and practice, with a broad spectrum from technical to legal topics. The workshops then deepen individual topics interactively. We look forward to your participation!
Interested parties can register for "IT Security Day" until March 11: bit.ly/TdITS20.
Interview: Simon Ratmann, Press and Communication Unit