Last week, a good 50 developers, software architects and consultants from Zühlke met in Eschborn near Frankfurt for a two-day information security seminar. Our goal was to get the best possible protection for our customers and projects.
Strong IT security is central these days. Many of our customer projects involve handling sensitive customer data and source code. Their protection is paramount. Since IT security cannot be added at the end of a project, but has to be taken into consideration from the very beginning, we organised a two-day IT security seminar, the Zühlke Security Days. At our German headquarters in Eschborn, we exchanged information and trained each other across national borders. During the two days, various hacking workshops as well as technical and business-oriented talks on cyber and information security took place.
Andre Mueller from Zühlke UK, for example, explained how to protect Docker containers. Donat Hauser from Zühlke Switzerland carried out Wi-Fi attacks with the help of a Pineapple Access Point. How do you hack the firmware of all common devices? Answers were provided by Alexander Leupold from Zühlke Germany. And the author of this blog post? I explained why today’s web infrastructure is completely broken and why the innovative solution of the Certification Authority (CA) Let’s Encrypt will be successful.
Hacking against vulnerabilities
The opening keynote was given by Sebastian Schreiber. The famous security expert is the head of SySS GmbH, which checks the security of IT systems with penetration tests and security analyses. The range of these tests extends from simple attacks on web servers to hacking of alarm systems and circumventing virus scanners.
“If you don’t know about hacking, you won’t be able to secure your system,” said Schreiber, summarizing the mission of his company. In his talk, the security specialist explained some of the classic hacking procedures. He started off with a denial-of-service attack on a public web server, which he knocked out in front of the audience in Eschborn with a flood of requests.
Wireless security risk
Wireless keyboards are a popular gateway for hackers. Schreiber showed how the encrypted connection of a wireless keyboard by a German manufacturer can be breached. A USB dongle, which is available at a price of 18 dollars, and the corresponding software are sufficient for this purpose. The keyboard entries cannot be read directly in plain text, but the system used is vulnerable to replay attacks. The attacker can therefore record and resubmit keystrokes to gain access to a system. Once in, it’s easy to get passwords.
A much greater danger is the option of introducing a trojan via the wireless keyboard; Schreiber also demonstrated such an attack. Similar attacks can be carried out using wireless mice or presenters like Logitech’s – the latter doesn’t even have encryption, making it easy for intruders.
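Why an encrypted link can still be open to replay, and what the receiving side has to check to prevent it, shown as an added example that is not from the talk or from any vendor's protocol. The frame layout, key and byte values are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-pairing-key"  # constructed demo key shared by keyboard and dongle
TAG_LEN = 8


def make_frame(counter: int, ciphertext: bytes, key: bytes = KEY) -> bytes:
    """Toy frame: 4-byte counter | opaque encrypted keystroke | truncated HMAC."""
    body = struct.pack(">I", counter) + ciphertext
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def authentic(frame: bytes, key: bytes = KEY) -> bool:
    if len(frame) <= 4 + TAG_LEN:
        return False
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


class NaiveReceiver:
    """Accepts any authentic frame, so a recorded frame stays valid forever."""
    def accept(self, frame: bytes) -> bool:
        return authentic(frame)


class FreshnessReceiver:
    """Also requires a strictly increasing counter (must persist across power cycles)."""
    def __init__(self) -> None:
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        if not authentic(frame):
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        if counter <= self.last_counter:
            return False  # replayed or reordered frame
        self.last_counter = counter
        return True


def replay_demo() -> tuple:
    frames = [make_frame(i, bytes([0xA0 + i, 0x5C])) for i in range(3)]  # constructed
    naive, fresh = NaiveReceiver(), FreshnessReceiver()
    for f in frames:  # legitimate session
        assert naive.accept(f) and fresh.accept(f)
    recorded = frames[1]  # a frame observed earlier is resubmitted
    return naive.accept(recorded), fresh.accept(recorded)
```

The naive receiver accepts the resubmitted frame even though its content was never readable; the counter check is what rejects it.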
More security for Zühlke
When Schreiber’s company finds weak points in systems, it informs the manufacturers. Not all respond gratefully: in the case of the wireless keyboard, for example, the manufacturer threatened to sue if the bug was made public. However, after the bug was disclosed publicly, nothing happened. Instead, the manufacturer removed the “AES Security” label on the keyboard without fixing the bug and simply lowered the price of the product.
In other demos, Schreiber showed how text messages can be sent with a spoofed sender, how virus scanners can be tricked with comparatively simple means, or how a smartwatch can be used to disable a burglar alarm. The capabilities of Schreiber and SySS will soon provide more security at Zühlke as well. We recently started a collaboration with the company.
Our central concern for the Zühlke Security Days was to bring our developers from the various locations together at one table. The exchange is essential to ensure secure design and development in our customer projects. Only those who promote exchange, including the latest research results and experience from numerous customer projects, can survive in the market and create solutions that offer long-term security for all parties involved.
A solid and holistic security concept is a decisive competitive advantage. Those who do not invest in securing their solutions on a sustainable basis will experience attacks and may lose their credibility in the market. That’s why we are investing heavily in meeting the growing demands of digitalisation and offering our customers and employees the best possible protection.