
In search of vulnerabilities – Important discoveries for the securing of information networks

 

As a hot spot for financial investment and service providers using the latest technologies, Luxembourg banks should have a keen interest in using every opportunity to stay up to date on current and emerging vulnerabilities and threats connected with new technologies. From the 28th to the 30th October, Luxembourg hosted the internationally well-respected information security conference hack.lu. The ABBL was among the sponsors, demonstrating a proactive attitude of close cooperation with skilled and experienced IT specialists who seek to stay ahead in information security. Live presentations provided much food for thought, showing how easy it is to access confidential data in poorly secured networks, which network structures are especially vulnerable to attacks, how easily networks can be infiltrated with malware, and which special tools are available to monitor and analyse networks for attacks.

One workshop dealt with the vulnerability of modern IP-based telephone networks. The security expert from the University of Luxembourg, Radu State, and his teammates Humberto Abdelnur and Jorge Lucangeli Obes from the INRIA institute in Nancy, demonstrated how “fuzzing” could be used as an automated method to uncover weaknesses in telephone systems. Detected weaknesses could open the way to spying on the entire telephone network or even crashing the whole system. “People are unaware that modern telephones are more than just a cable coming out of a plug…” Prior to publication, the results of their research were made available to the affected organizations. All hackers follow this code, since it is their aim to anticipate criminal attacks and help organisations protect critical infrastructures.

Another workshop was directed by security experts Sandro Gauci and Joffrey Czarny. Using a common telephone system that they had set up, they demonstrated visibly how it could be exploited by outsiders. Unbeknownst to the user, outsiders could listen in. In an interview, the two specialists pointed out that, especially in organisations, setting up a telephone network should be planned and structured by IT specialists. When dealing with digital technologies, it is crucial to give close consideration to security aspects. When asked about encryption to prevent spying, Gauci says that “The companies we visit usually don’t use encryption.” This suggests that the decision-making personnel involved are often unaware of the vulnerabilities and the resulting dangers. Czarny: “As regards VoIP, you can practically apply the same vulnerabilities and threats as with any email server.” Therefore, even medium-sized organizations need computer science knowledge when planning and maintaining their telephone network.

The popular iPhone also served as the basis for a workshop held by Billy Rios, a security engineer and expert in emerging risks. He demonstrated how wireless internet access over WiFi carries security risks. Unnoticed by the user, outsiders could join the internet connection and misuse vulnerabilities in applications such as Facebook to spy on the iPhone's data transfer. Confidential data could be abused. The speaker assumes that this vulnerability would likely also apply to other iPhone applications. In this context it should be mentioned that the German government is spending considerable money to equip about 350 federal organizations with specially secured smartphones to prevent intrusion.

Jan P. Monsch, a security analyst specialized in assessing security in large environments such as the Swiss banking and insurance industry, presented the open tool project DAVIX. This collective package of open tools (including, for example, GGobi) facilitates the work of security analysts by visualizing suspicious network behaviour, specifying analysis and prioritizing security measures. Monsch commends the Swiss banking industry for taking secure networks very seriously. In the light of the recent incidents regarding possible data leakage with certain VISA and MasterCard credit cards, this subject has also caught the public’s attention. Luxembourg banks took quick action by informing their customers about possible risks and offering new cards to avoid unnecessary damage. According to Jan P. Monsch, proper assessment combined with good communication will help organisations to learn from past incidents and stay continuously up to date on their security.

A talk on security risks in Mozilla Firefox Add-Ons clearly highlighted the urgency of only downloading such Add-Ons from reliable websites. Since these Add-Ons use the same administrator’s rights defined by the user, manipulated Add-Ons could open the way to data theft. This highlights one common message that was repeated several times throughout the hack.lu conference: “Think before you click!” Hackers from over 15 nations agreed that despite all efforts in detecting and removing weaknesses in networks there always remains one main critical weak spot: The User!

This call is especially addressed to organisations, which should also invest in raising awareness amongst their staff and always encourage good security reflexes when using information and communication systems. In close cooperation with the Information Security Platform CASES from the Ministry of the Economy and Foreign Trade, the ABBL takes its responsibility very seriously in leading the way to reinforce the highest security standards in the financial sector. The hack.lu conference, organized once a year by the Luxembourg non-profit organisation Computer Security Research & Response Team, provided valuable know-how and insights from specialists in the fields of Business, Politics, Society and Law. The discoveries and conclusions are surely inspiring to professionals and laymen alike. The implementation of the knowledge gained will result in higher efficiency and security.

(Source: Hack.lu)
 

   