
Federal IT Steering Unit FITSU Federal Intelligence Service FIS

Reporting and Analysis Centre for Information Assurance MELANI www.melani.admin.ch

MELANI – Semi-annual report 2014/I

Information Assurance

Situation in Switzerland and internationally Semi-annual report 2014/I (January – June)

Information Assurance – Situation in Switzerland and internationally

2/44

MELANI – Semi-annual report 2014/I

Contents

1 Focus areas of issue 2014/I .... 3
2 Introduction .... 4
3 Current national ICT infrastructure situation .... 5
3.1 Attempted fraud targeting Swiss businesses .... 5
3.2 Phishing – tailored to Switzerland .... 5
3.3 More C&C servers in Switzerland – a trend? .... 9
3.4 E-mail hacked – Cantonal Councillor affected .... 10
3.5 Modern public alert methods – opportunities and limits .... 11
3.6 Open access to sensitive data .... 12
3.7 Strange windows during e-banking sessions .... 13
4 Current international ICT infrastructure situation .... 14
4.1 Heartbleed in OpenSSL .... 14
4.2 Espionage cases .... 16
4.3 Attack against industrial facilities in the West .... 18
4.4 Conflicts in cyberspace .... 19
4.5 NSA – further publications .... 20
4.6 Scammers' ability to react to current events .... 22
4.7 Disruptions of air traffic control by military exercise? .... 23
4.8 Passwords discovered and stolen .... 24
4.9 New DDoS variants .... 25
4.10 Attacks targeting virtual currencies .... 26
4.11 Successes against scammers .... 26
4.12 Vulnerabilities of cyber-physical systems .... 27
4.13 Routers as a point of attack .... 29
4.14 Data retention violates EU law .... 30
5 Trends/Outlook .... 32
5.1 Social engineering – a multifaceted menace .... 32
5.2 Media and journalists – attractive targets .... 33
5.3 Internet developments after Snowden .... 35
5.4 Two-factor authentication for all services .... 37
5.5 Items of political business .... 38
6 Glossary .... 39


1 Focus areas of issue 2014/I

• Security vulnerability in one of the most important encryption libraries

A vulnerability in OpenSSL – one of the most important encryption libraries – made public on 7 April 2014 affected countless Internet users directly or indirectly. OpenSSL is installed by default on many web servers and Internet services to encrypt communication. With the discovered vulnerability, attackers were able to access part of the memory of an affected server in which the data transmitted by users are stored for a short period of time.

► Current situation internationally: Chapter 4.1

• Social engineering – a multifaceted menace

Social engineering attacks take advantage of people's helpfulness, credulity or uncertainty in order, for example, to gain access to confidential data or to prompt them to perform certain actions. There are many examples of this method, and MELANI has repeatedly referred to them in its semi-annual reports. Over the course of the first six months of 2014, MELANI again received several reports of Swiss companies being targeted by attempted fraud using social engineering methods. Currently, all companies operating in Switzerland are potential targets of attacks using social engineering methods, regardless of their size or field of activity.

► Current situation in Switzerland: Chapter 3.1

► Current situation internationally: Chapter 4.6

► Trends/Outlook: Chapter 5.1

• Phishing attempts – tailored to Switzerland

In the first half of 2014 there were again a striking number of phishing attempts. Alongside e-mails in the first half of 2014 that tended to have an international focus, there were also several phishing e-mails tailored to Switzerland. The criminals were mainly targeting the victims' credit card data.

► Current situation in Switzerland: Chapter 3.2

• Internet developments after Snowden

"Privacy on the Internet" suffered heavily after the first Snowden leaks. Individual users are facing this development rather helplessly. But what Internet developments have changed due to the insights gained from the Snowden affair? This question, which was discussed as a general matter in the last semi-annual report, will be investigated in more depth in this report and illustrated using specific examples.

► Current situation internationally: Chapter 4.5

► Trends/Outlook: Chapter 5.3

• Attack against industrial facilities in the West

At the end of June 2014, an espionage and sabotage (preparation) campaign became public that was directed at industrial facilities and energy suppliers in the West. The group of attackers, named "Dragonfly", "Energetic Bear", and "Crouching Yeti" by security firms, may have been active since 2010 according to reports. The attacks now discovered were perpetrated starting in the spring of 2013 in various phases and via different paths.

► Current situation internationally: Chapter 4.3


2 Introduction

The nineteenth semi-annual report (January – June 2014) of the Reporting and Analysis Centre for Information Assurance (MELANI) presents the most significant trends involving the threats and risks arising from information and communication technologies (ICT). It provides an overview of the events in Switzerland and abroad, illuminates the most important developments in the field of prevention, and summarises the activities of public and private actors. Explanations of jargon and technical terms (in italics) can be found in a Glossary (Chapter 6) at the end of this report. Comments by MELANI are indicated in a shaded box.

Selected topics covered in this semi-annual report are outlined in Chapter 1.

Chapters 3 and 4 discuss breakdowns and failures, attacks, crime and terrorism connected with ICT infrastructures. Selected examples are used to illustrate important events of the first half of 2014. Chapter 3 discusses national topics, Chapter 4 international topics.

Chapter 5 discusses trends and contains an outlook on expected developments.

Chapter 5.5 contains selected parliamentary business items relating to information assurance.


3 Current national ICT infrastructure situation

3.1 Attempted fraud targeting Swiss businesses

Over the course of the first six months of 2014, MELANI received several reports of Swiss companies being targeted by attempted fraud using social engineering methods. Before the attack, information concerning the targeted business is gathered, permitting the scammers to obtain a precise idea of the targeted environment: line of business, key positions, formats used for e-mail addresses. Subsequently, an e-mail purporting to come from a manager, mimicking the manager's real e-mail address, is typically sent to an employee of the accounting department. The accountant is informed that a confidential commercial operation is underway and is put in touch with a "law unit" responsible for supplying payment details. Here again, the scammers pretend to be a real law firm. The authors notably insist on the exceptional nature of the request and the need for discretion, but also on the urgency of the situation. Sometimes, telephone calls are made in parallel with or preceding the attack in order to underpin the created scenario and to prompt the target to make a payment to an account controlled by the scammers.

Likewise using social engineering methods, a specific type of scam also affected the banking sector in Switzerland in 2014. This scam involved one of the possible ways to make use of pirated e-mail accounts, obtained for example through phishing. With that modus operandi, the scammers analyse the e-mail accounts they have been able to access. They specifically research the e-mail communications the account owner may have with his or her bank. The scammers then write to the employees of the bank in question, pretending to be their clients. They ask the employees to carry out a money transfer to a bank account abroad controlled by the scammers.[1]

Faced with these phenomena targeting businesses, the basic rule is to never give out any internal information or carry out any action in response to contacts that appear questionable or unusual. It is strongly recommended to verify the legitimacy of a request or contact by telephone as soon as it appears questionable or unusual. Processes, especially those concerning money transfers, must be clearly defined within the company and followed under all circumstances. MELANI recommends placing particular emphasis on prevention of such phenomena for employees, especially those in key positions.

3.2 Phishing – tailored to Switzerland

In the first half of 2014 there were again a striking number of phishing attempts. Alongside e-mails in the first half of 2014 that tended to have an international focus, there were also several phishing e-mails tailored to Switzerland. The criminals were mainly targeting the victims’ credit card data.

Special offer for chocolate

One attack that was extremely tailored to Switzerland happened in February of this year. In an e-mail sent out to a large number of recipients, it was claimed that the chocolate manufacturer Läderach had a special offer for chocolates. The recipients were told they could pay directly and easily using a credit card on the website. Only a close look at the website showed that this wasn't correct: Instead of laederach.ch, the web address was leaderach.ch. There was also no encryption for the website where the credit card data was supposed to be entered.

[1] http://www.tio.ch/News/Ticino/803356/Pirata-informatico-preleva-un-milione-di-franchi-da-un-conto-luganese/ (as at 1 September 2014).

Figure 1: The phishing site purports to be from the chocolate manufacturer Läderach

The Läderach company immediately put up a notice on its website. MELANI in turn tried to take down the bogus website from the Internet. However, several further attacks of the same type then occurred, before they suddenly stopped. Apparently, too few victims had fallen for the scam for it to have been worthwhile for the scammers to pursue it.

Federal Administration logo misused for phishing

Another phishing wave occurring for the first time in 2014 was considerably more persistent. The scammers repeatedly tried to obtain credit card data of Internet users by e-mail, pretending to be the Federal Office of Energy (SFOE) or swissenergy. The recipients were baited with a supposed rebate of CHF 165.00 to which they were entitled. To make the payment possible, the victims were asked to access the indicated website. The deceptively realistic website requested not only the name and address of the victim, but also the credit card number including the expiration date and verification number.


Figure 2: Phishing page purporting to be from the Federal Office of Energy

Also in this case, the SFOE issued a warning, as did the Cybercrime Coordination Unit (CYCO) and MELANI. Additionally, an attempt was made to deactivate the phishing pages quickly. This attempt was not optimal at first, even though the websites were always located on the same (Czech) servers. As soon as a website was deactivated, the next one was already being published. In the meantime, the deactivation process has been optimised, so that deactivation can be achieved within just a few minutes when incidents arise. Nevertheless, additional phishing waves of this type are regularly observed.

The two examples show how important a swift response is, especially during the first attempts of a new variant. If the first waves can already be nipped in the bud and the attackers' success can be minimised, the attacks quickly come to a halt as a rule. But if this cannot be done, the attack waves become difficult to stop, even if the process of website deactivation is accelerated and the attackers' success can be curtailed significantly.

Phishing attempt disguised as a survey

In the case of one phishing attempt that misused the Swisscom logo, a different approach was used. Here, the victim was baited with a survey. First, ten questions on the products and service quality of the company were asked. At the end of the survey, the victim's name and address were requested, but also credit card data was part of the information required. The attackers' intent was clear: With the ten reasonable questions, the attackers attempted to dispel any doubts the victim might have had. Why would scammers bother to conduct a customer survey?


Figure 3: left: one of the 10 questions; right: a form appeared at the end requesting entry of the victim's credit card data: "This is a required field".

The current phishing attempts show that it is becoming increasingly difficult for e-mail recipients to recognise phishing attempts as such. In the case of e-mails asking for personal data, caution should generally be exercised. If an unsolicited e-mail asks for passwords or credit card data, it is most probably attempted fraud. In its warnings, MELANI regularly points out: "No company would ever ask you for your username, passwords, or credit card data by e-mail."

This statement, which sounds simple at first, does pose certain challenges for companies in the era of electronic customer communication. How should a company communicate with its customers so that they do not think a message is a fraudulent e-mail? And even more importantly: Careless customer communication by a company can also have a negative impact on customer behaviour in regard to fraudulent e-mails.

That this is a topic which must be taken seriously can be seen by supposed phishing messages forwarded by the public that turn out to be from a serious company. The clearest example reported to MELANI in the first half of 2014 is from PayPal. Recipients were asked to update their credit card data. The link to the website was hidden behind a button so that it could not be verified without difficulty or determined which URL the website was associated with. The e-mail was in fact from PayPal.

Figure 4: Reported phishing e-mail that wasn't. This e-mail was in fact from PayPal


In such cases, it is advisable NOT to click on the link in the e-mail anyway, but rather to manually enter the URL of the company in the address bar of the browser and then to navigate to the page in question. In cases of doubt, the company should be contacted directly. Companies should observe the following points when sending out newsletters:

• Where possible, send out e-mails in text format.

• Send out newsletter e-mails as regularly as possible.

• Use links sparingly in the e-mail and only link to own domains.

• Where possible, use links to encrypted pages (https://...) and inform users of this.

• Do not link to websites requesting usernames and passwords or other data.

• On the start page of the website, draw attention to the newsletter.

• Address customers with first and last names if this information is available.

3.3 More C&C servers in Switzerland – a trend?

Most infected computers are monitored and managed by one or more control servers. These servers are referred to as botnet command & control servers (C&Cs) and they control the functions of the associated malware. Reports about such C&Cs located in Switzerland have increased dramatically over the past half-year. MELANI has also been able to identify more C&C servers and render them inoperable. Compared with the two previous years of 2012 and 2013, the number of reported and detected botnet C&C servers in Switzerland has more than doubled.

Figure 5: The number of detected C&C servers in Switzerland


A large number of the detected infrastructures are C&C servers used to control computers infected with e-banking Trojans – such as ZeuS, Citadel, and KINS. In addition to such malware, which usually attacks a broad mass of Internet users, MELANI also became aware of C&C infrastructures used for targeted attacks against government organisations. These attacks are called advanced persistent threats (APTs) in the specialised jargon. In many of these cases, the suspicion arises that they are espionage attempts by foreign actors.

The question arises why Internet criminals, who generally operate from abroad, and other foreign actors are misusing the Swiss Internet location for such actions. Aside from the fact that Switzerland offers high-quality infrastructure that is linked very well to the Internet, it must of course also be taken into account that data protection in Switzerland is well developed. The police and intelligence service must adhere to a strict legislative framework when they operate on the Internet. In light of the Snowden affair, this is a (location) advantage that attracts both companies and private individuals who are sensitised to data protection and privacy. Moreover, these circumstances also make the Swiss Internet location attractive for foreign citizens and organisations that want to escape the strict Internet controls that may exist in their home countries. Unfortunately, however, Internet criminals also know how to exploit this for their own purposes.

Certain foreign hosting providers have also become aware of the favourable situation in Switzerland, and they have recently expanded their products to Switzerland and are trying to attract customers with "offshore hosting with Swiss quality". Often, these hosting providers will turn a blind eye to dubious content and infrastructure hosted on servers in Switzerland.

MELANI investigates reports by citizens and partners concerning criminal infrastructures of this sort and, where necessary, involves the relevant bodies at the federal and cantonal level.

3.4 E-mail hacked – Cantonal Councillor affected

E-mails claiming that a person is stuck in a foreign country and has lost all of his or her money have been known for several years now. In this scam, stolen login data is used to access the sender's e-mail account. E-mail messages are then sent to all or some of the contacts for that account. Usually, these e-mails are bogus calls for help, claiming that the sender is stuck somewhere abroad and that his or her mobile phone, money, and passport have been stolen. Finally, the sender asks the recipient to transfer money. MELANI still occasionally receives reports of this kind of scam. Even politicians are not immune. Two years ago, Cantonal Councillor Josef Brägger was affected,[2] and in April 2014, FDP Cantonal Councillor Rosmarie Heiniger, who is also the Mayor of Gänsbrunnen, was targeted.[3] In her name, the hackers sent an e-mail to all of her contacts, saying that she had had an emergency while on holiday in South Africa and urgently needed financial help. In a case like this, it can be helpful to inform all potential addressees in the target's address book that they may be receiving fraudulent e-mails. This is best done using an alternative e-mail address or by telephone or text message. However, the scammers are meanwhile aware that this measure may be taken and that it might significantly reduce their chances of success, so they quickly delete the address book and all e-mails. Apart from all the inconvenience and the responses from the recipients, this means that the target loses all of his or her contacts and e-mail correspondence.

[2] http://www.tagblatt.ch/ostschweiz/thurgau/kantonthurgau/tz-tg/Kantonsrat-von-Unbekannten-gehackt;art123841,2977642 (as at 1 September 2014).

[3] http://www.oltnertagblatt.ch/solothurn/thal-gaeu-niederamt/kantonsraetin-rosmarie-heiniger-wird-opfer-eines-hacker-angriffs-127848961 (as at 1 September 2014).

Since most e-mails nowadays are no longer downloaded to a computer and stored there but rather are processed using webmail and in a cloud, users often believe backups are unnecessary. Most users often unconsciously delegate this task to the e-mail provider. They believe that the provider will ensure that backups are made. While it is true that the provider makes a backup in the event of technical problems (such as server crashes), the backup is of limited help if someone maliciously accesses an account and deletes data using a process that is normally controlled by the user. This means it is urgently recommended that users regularly make their own backups of contacts and e-mails.

Scammers generally use phishing to obtain the data. Many phishing attempts meanwhile target e-mail login data directly or indirectly. One variant that has been circulating for quite some time claims that the user has received a confidential document. To download the document, the user is asked to click on a link. The user is then asked to select the e-mail provider and enter username and password. This information is then sent to the scammers.

Figure 6: Phishing site for obtaining e-mail login data

3.5 Modern public alert methods – opportunities and limits

Every year, the alarm sirens in Switzerland are tested, most recently on 5 February 2014. The information during such tests is administered by local authorities and the national radio stations. In the case of a real catastrophe, crisis communication would be administered over the same channels. The national radio stations (of the SRG/SSR) are specially protected against breakdowns (see MELANI Semi-annual report 2010/2).[4] However, more and more people also obtain information from the Internet, such as from the website of the Swiss Federal Office for Civil Protection (FOCP). But precisely that website was temporarily unavailable at the time of the test on 5 February 2014, and the error message "Service Unavailable" appeared. The site was unable to handle the large volume of traffic.

An incident like this raises the question under what conditions modern communication technologies can be used for public alerts in the digital age. The resilience of the FOCP website was greatly increased after this year's alarm siren test. Additionally, various projects to apply new communication technologies in this area are being run for this purpose. For instance, the inhabitants of the Mattequartier neighbourhood in Bern are already additionally alerted to flood threats by text message from the Bernese professional fire brigade. In Basel, an SMS service has been run since 2012 for people who are unable to hear the alarm siren.[5] The FOCP is likewise considering the introduction of a text message alert system. Specifically, the FOCP is aiming to employ text message alerts as part of a "cell broadcasting" system in future. Using this system, a message is sent to all the mobile phones that have activated the service and are located in the vicinity of the same cell of the mobile network. None of these projects aim to replace the existing public alert system, but rather are meant to supplement it. This approach responds to new needs of the population, and it also further optimises the scope of the alert system. The FOCP is also considering the use of additional communication channels for public alerts and information, such as existing information systems in public transport or social networks.

[4] MELANI Semi-annual report 2010/2, Chapter 3.7: http://www.melani.admin.ch/dokumentation/00123/00124/01122/index.html?lang=en (as at 1 September 2014).

Modern ICT systems continuously give rise to new desires, also in domains where safety is the top priority. One example is the use of GPS for air traffic control.[6] In many cases, this is about using systems that are cheaper to operate. This efficiency should not be purchased with the loss of safety, however. But ICT systems may still be a valuable complement to older and more stable safety systems, as the example of text messages in the event of disasters shows.

3.6 Open access to sensitive data

According to a report in the Neue Zürcher Zeitung on 31 March 2014, documents relating to appointment procedures at the University of Basel had for a considerable amount of time been stored without any special protection on servers that were connected directly with the Internet and could be located with a search engine.[7]

In total, more than 1,500 documents were freely accessible. They included application letters, transcripts, recommendation letters, and diplomas. Application materials in particular may contain a great deal of information that one does not want to make available to everyone, especially not one's current employer.

The University of Basel was informed by an affected person. The data leak was immediately closed and the victims informed. The reason for this mishap was apparently an error during the migration of servers to updated software. The access privileges for folders were not transferred correctly during the migration. Documents that previously had been in encrypted directories became visible to anyone. The university currently assumes that the data was accessible from 27 February 2014 to 15 March 2014.

Once the mistake became known, access to the affected directories was shut down immediately. Additionally, a request was sent to Google for each individual document to be deleted from the Google cache as well. This burdensome process is necessary, because deleting the documents on the server alone is not enough. Published documents are cached by search engines for a certain time period.

[5] http://www.polizei.bs.ch/aktuell/gehoerlose-hoerbehinderte.html (as at 1 September 2014).

[6] MELANI Semi-annual report 2011/1, Chapter 5.4: http://www.melani.admin.ch/dokumentation/00123/00124/01128/index.html?lang=en (as at 1 September 2014).

[7] http://www.nzz.ch/aktuell/startseite/heikles-datenleck-an-der-universitaet-basel-1.18273869 (as at 1 September 2014).


Mistaken publications like these happen again and again[8] and can never be avoided entirely. Nevertheless, there are certain rules of thumb that MELANI has advocated for years to avoid such mishaps. When securing data, much emphasis is placed on technical measures. But this is not enough. Information assurance to a large extent also consists of organisational measures. For this purpose, a certain relevance must be assigned to each file. Depending on the relevance, it must be stored and protected differently. In this case, the question must therefore be asked why data like this was stored on a server that could be accessed via the Internet. The incorrect assignment of access privileges can lead to significant problems in this way.

3.7 Strange windows during e-banking sessions

In the first half of 2014, several incidents were reported to MELANI in which a window containing a survey was opened during an e-banking session. This survey consisted of simple questions such as gender, age, and tastes. Users were then led to believe that they had won an iPad or iPhone. The desired gift could be selected and clicked on immediately. Users were then redirected to a website called "Bogabids", which apparently is operated by Flamingo Intervest and also includes the "Ziinga" company. Ziinga has already been mentioned in connection with a similar, earlier incident.[9] It seems that these are supposed free offers that in fact turn out to require a subscription fee. The small print states that the gift can be collected only if a membership fee is paid for at least one month. Depending on the type of subscription, this fee may be up to 100 dollars. In this case, there was no evidence of a connection with e-banking or of dissemination of malware using these sites.

Figure 7: Pop-up appearing during an e-banking session

The Swiss flag on the website (figure 7) suggests that it originates in Switzerland, which is supposed to inspire confidence. A closer analysis of the website showed, however, that the flags of a total of 19 countries are stored and can be displayed, depending on the target of the attack. This list ranges from Australia, Belgium, Brazil and Finland to the United States. The attacks are therefore not directed at Switzerland, but rather at a wide range of countries. The display of the company text and the web address to the left of the flag (www.test.ch) also varies. The text can be generated arbitrarily by changing a variable in the web address. The displays are likely to be generated by adware found on the user's computer. These programs are often bundled with free programs, free drivers or video codecs and manipulate the computer so that it displays advertising when the user browses the Internet.

[8] MELANI Semi-annual report 2008/1, Chapter 4.1: http://www.melani.admin.ch/dokumentation/00123/00124/01065/index.html?lang=en (as at 1 September 2014).

[9] MELANI Semi-annual report 2012/2, Chapter 3.7: http://www.melani.admin.ch/dokumentation/00123/00124/01535/index.html?lang=en (as at 1 September 2014).

4 Current international ICT infrastructure situation

4.1 Heartbleed in OpenSSL

A vulnerability in OpenSSL – one of the most important encryption libraries – made public on 7 April 2014 affected countless Internet users directly or indirectly. OpenSSL is installed by default on many web servers and Internet services to encrypt communication. An analysis by the IT service provider Netcraft shows that 17.5% of all SSL sites using the certificates of a (trustworthy) certificate issuer had implemented the vulnerable function.10

The cause was a security vulnerability in the "heartbeat" function. This function is supposed to ensure that a secure connection is maintained for a certain time period and does not have to be initialised over and over again. Using the vulnerability, attackers were able to access part of the main memory of an affected server – namely the last 64 kilobytes – in which the data transmitted by users are stored for a short period of time. In this way, they were able to steal passwords, transaction data, but also server data such as private keys.

This vulnerability affected not only e-mail providers and financial institutions, but in general web services offering encrypted logins with vulnerable software. But also non-web-based Internet services such as smartphone apps, chat services, cloud storage, streaming services, e-mail services and VPN access were affected by the weakness.

While it was rather difficult to extract a complete dataset, it was entirely possible that key material and access data fell into the hands of the attackers and will be used only at a later time. For this reason, the affected providers were forced to install new certificates in addition to fixing the security vulnerability.

MELANI informed all operators of critical information infrastructures as well as the public of the necessary measures to be taken.11 Overall, implementation in Switzerland was swift and efficient. However, difficulties were identified in regard to ordering of certificates. The volume of new certificates that had to be issued took the certificate issuers to the limits of their capacities, and sometimes it took several days until a new certificate could be delivered.

Technical aspects and lessons learned

Because of the security vulnerability in OpenSSL, the use of perfect forward secrecy (PFS) has again come up for discussion more frequently. The background is that while attackers who have recorded an encrypted data stream may not be able to decrypt it right away, there is a risk that they can do so anyway if the key falls into their hands at some later time. Heartbleed is the textbook example of how attackers can obtain keys and certificates at a later time.

10 http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html (as at 1 September 2014).
11 http://www.melani.admin.ch/dienstleistungen/archiv/01564/index.html?lang=en (as at 1 September 2014).

This is precisely where perfect forward secrecy comes in: Normally, session keys are used that must be renegotiated at frequent intervals. It is therefore not possible for an attacker to decrypt all the data traffic, but rather only part of it. Without PFS, these short-term keys are derived from a single long-term key. If the long-term key is stolen, it is subsequently possible to obtain all session keys and use them to decrypt all the data traffic. When PFS is used, knowledge of the long-term key is not enough to generate short-term keys after the fact. This is achieved by using the long-term key only for the purpose of signing short-term keys. The short-term keys are then used to negotiate a session key by way of a Diffie-Hellman key exchange. If a server is compromised, the attacker gains knowledge only of the long-term keys and the session keys of currently active connections. The session keys of older connections have already been deleted and can no longer be reconstructed.12
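The difference between the two cases, as an added example that is not part of the MELANI report: a simplified handshake in Python using finite-field Diffie-Hellman over the 1024-bit MODP prime from RFC 2409 (group 2), where an HMAC keyed with the long-term secret stands in for the server's RSA/ECDSA signature. The long-term key is "stolen" only after both sessions have ended, and the attacker then tries to recover each session key from the recorded handshake.

```python
"""Forward secrecy demo (added example, not MELANI's code).
Static DH: the server's long-term key is its DH exponent, so a recorded
handshake plus a later-stolen key yields the old session key.
Ephemeral DH: the long-term key only signs a fresh DH value; the exponent
that produced the session key is discarded, so nothing stolen later helps.
Simplifications: HMAC stands in for a real signature, the client is not
authenticated, and real deployments use larger groups or elliptic curves."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (RFC 2409, group 2) with generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_private() -> int:
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def session_key(peer_public: int, priv: int) -> bytes:
    """Hash of the shared DH secret g^(ab) mod p."""
    shared = pow(peer_public, priv, P)
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def sign(long_term_key: int, message: int) -> bytes:
    """Stand-in for a signature: proves the server holds the long-term key."""
    return hmac.new(long_term_key.to_bytes(P_BYTES, "big"),
                    message.to_bytes(P_BYTES, "big"), hashlib.sha256).digest()


def handshake_static(server_long_term: int):
    """No forward secrecy: the long-term key takes part in key agreement."""
    client_priv = dh_private()
    client_pub = dh_public(client_priv)
    server_pub = dh_public(server_long_term)
    key = session_key(server_pub, client_priv)
    transcript = {"client_pub": client_pub, "server_pub": server_pub}  # what an eavesdropper records
    return key, transcript


def handshake_ephemeral(server_long_term: int):
    """Forward secrecy: fresh exponent per session, long-term key only signs."""
    client_priv = dh_private()
    client_pub = dh_public(client_priv)
    server_eph_priv = dh_private()
    server_eph_pub = dh_public(server_eph_priv)
    signature = sign(server_long_term, server_eph_pub)
    key = session_key(client_pub, server_eph_priv)
    transcript = {"client_pub": client_pub, "server_eph_pub": server_eph_pub,
                  "signature": signature}
    # server_eph_priv is dropped here; nothing remains to be stolen later.
    return key, transcript


def recover_later(transcript: dict, stolen_long_term: int) -> bytes:
    """Attacker's only option: use the stolen long-term key as the server's
    DH exponent against the recorded client value."""
    return session_key(transcript["client_pub"], stolen_long_term)


def demo() -> dict:
    server_long_term = dh_private()
    static_key, static_tr = handshake_static(server_long_term)
    eph_key, eph_tr = handshake_ephemeral(server_long_term)
    # Heartbleed-style event: the long-term key leaks after both sessions ended.
    return {
        "static_recovered": recover_later(static_tr, server_long_term) == static_key,
        "ephemeral_recovered": recover_later(eph_tr, server_long_term) == eph_key,
        # The stolen key still verifies the signature, i.e. it lets the attacker
        # impersonate the server from now on, which is why certificates had to be replaced.
        "ephemeral_signature_valid": hmac.compare_digest(
            sign(server_long_term, eph_tr["server_eph_pub"]), eph_tr["signature"]),
    }


if __name__ == "__main__":
    print(demo())
```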

As a consequence of the OpenSSL issues, attention has increasingly turned to several alternative SSL libraries that try to solve the problems of the OpenSSL library (a historically grown code base with many functions that are only rarely used). The following table lists the various open source SSL libraries:

Library: OpenSSL
Description: The library still used most often.
Comments: OpenSSL is currently undergoing an intensive code review. The goal is to discover and remedy additional errors.

Library: LibreSSL
Description: A further development of OpenSSL that eliminates obsolete functions and tries to stay as close to OpenSSL as possible and keep migrations simple.
Comments: From the developers of OpenBSD, which has an excellent reputation in the field of secure software.

Library: PolarSSL
Description: PolarSSL was developed because OpenSSL was too big and complex; it focuses on the functions required for TLS connections.
Comments: PolarSSL is dual-licensed, both as GPL v2 and as a commercial licence.

Library: GnuTLS
Description: GnuTLS is similarly comprehensive in terms of functionality as OpenSSL. Security vulnerabilities are frequent.
Comments: GnuTLS has been developed for quite some time as an alternative to OpenSSL and is part of the GNU Project.

MELANI generally recommends configuring cryptographic connections so that the highest possible level of security is achieved.13

In regard to SSL/TLS this means:

• Use only secure ciphers such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• Enable perfect forward secrecy so that any recorded data traffic cannot be decrypted at a later time if a private key is compromised. This is achieved using the cipher suites mentioned above.

12 http://en.wikipedia.org/wiki/Perfect_Forward_Secrecy (as at 1 September 2014).
13 http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report/at_download/fullReport (as at 1 September 2014).

• Nevertheless, the private keys have to be stored as securely as possible, ideally on a hardware security module (HSM).

• Use HSTS (HTTP Strict Transport Security). Using HSTS, the server tells the browser how to deal with encrypted connections. This ensures that the browser communicates with the server only with encryption and valid certificates.

• Avoid mixed content (part of the content transmitted with encryption, part of it without). When encrypted and unencrypted content is mixed, attackers may for instance be able to manipulate session information using the unencrypted part of the content.

• Use a trustworthy certificate authority (CA). In general, and specifically when an incident occurs, there are advantages if the CA is located in the same area of jurisdiction. Depending on the company and the threat situation, attention should be paid that the CA used is based in Switzerland.
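A checker for the SSL/TLS points above, as an added example that is neither MELANI's nor ENISA's tooling: it takes the cipher suites a server offers (IANA names), the HTTP response headers it sends and a sample of its HTML, all constructed here, and reports suites without forward secrecy, missing or weak HSTS and mixed content.

```python
"""Audit of a server configuration against the SSL/TLS recommendations
(added example, not MELANI's code). Inputs are constructed; header names
are assumed to be in canonical case; the one-year HSTS threshold is this
checker's own choice."""
from __future__ import annotations
import re

# The two suites the recommendation names: ECDHE key exchange with AES-256-GCM.
RECOMMENDED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
ONE_YEAR = 365 * 24 * 3600


def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange; anonymous suites are rejected too."""
    kx = suite.split("_WITH_")[0]
    if "anon" in kx.lower():
        return False
    return kx.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def hsts_findings(headers: dict[str, str]) -> list[str]:
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["no HSTS header: a browser may still be sent to the plain-HTTP site"]
    findings = []
    age = re.search(r"max-age=(\d+)", value)
    if age is None:
        findings.append("HSTS header lacks max-age and is ignored by browsers")
    elif int(age.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age={age.group(1)} is below the one-year threshold")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS without includeSubDomains: subdomains may be reached unencrypted")
    return findings


def mixed_content(html: str) -> list[str]:
    """Resources an https page loads over plain http (scripts, images, frames)."""
    return re.findall(r'\bsrc=["\'](http://[^"\']+)', html, flags=re.IGNORECASE)


def audit(suites: list[str], headers: dict[str, str], html: str = "") -> list[str]:
    findings = []
    weak = [s for s in suites if not has_forward_secrecy(s)]
    if weak:
        findings.append("suites without forward secrecy offered: " + ", ".join(weak))
    if not RECOMMENDED_SUITES & set(suites):
        findings.append("none of the recommended ECDHE AES-256-GCM suites offered")
    findings += hsts_findings(headers)
    findings += ["mixed content: " + url for url in mixed_content(html)]
    return findings


# Constructed: a typical pre-2014 setup beside a hardened one.
WEAK_SERVER = dict(
    suites=["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
    headers={"Server": "demo"},
    html='<script src="http://static.example.test/app.js"></script>',
)
HARDENED_SERVER = dict(
    suites=sorted(RECOMMENDED_SUITES),
    headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    html='<script src="https://static.example.test/app.js"></script>',
)

if __name__ == "__main__":
    for name, server in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, audit(**server))
```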

From the perspective of architecture, Heartbleed has shown that it is worthwhile to have a central entry point for all SSL connections that can be monitored accordingly and, if a security vulnerability occurs, can be patched very quickly.

4.2 Espionage cases

Several espionage cases again made the headlines in the first half of 2014. On 10 February 2014, for instance, the Russian ICT security firm Kaspersky publicised an espionage case with the Spanish name "Careto", or in English, "The Mask".14

Careto/The Mask

The Careto operation is said to have begun in 2007, but it remained undiscovered for more than six years. This espionage campaign is characterised by its universality and adaptability. Not only is the malware able to infect different operating systems such as Windows, Mac, Linux, etc., but Kaspersky also suspects there is a version for smartphones. The infection took place via spear phishing e-mails. These e-mails contained links to websites supplying various exploits tailored to the victim. The exploits were hidden in subfolders of websites, so that they could be reached only via the direct link, not by browsing the website. To make the links look legitimate, the attackers used URLs that imitated the domains of the most important daily newspapers in Spain, but also of international papers such as the Guardian and the Washington Post.

As soon as the malware is installed, it attacks various communication channels, such as Skype, and tries to collect as many different documents of a wide range of types as possible. Kaspersky identified more than 380 victims in 31 countries, including Switzerland. The malware affected all kinds of services in the public sector (governments, diplomatic missions) and the private sector (energy, research, finance). When attacks are this complex, the perpetrator is assumed to be a state actor. But in this case, it is rather surprising that the text contained in the malware was in Spanish, indicating that it was authored in the Spanish-speaking world. But of course, this might also be a deliberate deception.

14 http://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/ (as at 1 September 2014).

Uroburos/Turla/Snake/Epic

In the first half of 2014, various security service providers published reports15 about an espionage network referred to as "Epic", "Turla", "Uroburos", and "Snake". The German ICT security service provider G-Data16 published a report on the Uroburos spy software in March 2014. This complex malware offers peer-to-peer functionality. This means that dissemination and communication also function in an internal network where not all computers are necessarily connected to the Internet. The targets mentioned include state facilities, intelligence services, and major companies. G-Data believes the campaign began in 2011, because the oldest identified drivers were compiled at that time. A report by BAE Systems Applied Intelligence, however, believes the malware was already developed back in 2005.17 The Uroburos spy software is also said to have been used in the espionage attack against the Belgian foreign ministry disclosed in May; this was reported by the Belgian daily newspaper De Standaard, citing a trustworthy source.18 In this case, it seems that the attackers were mainly targeting documents, analyses, and reports on the Ukraine crisis.

Operation Newscaster

A targeted spear phishing attack was carried out by an Iranian hacker group that was able to infect more than 2,000 computers over a period of three years.19 For the operation dubbed "Newscaster", the group created dozens of bogus profiles on all major social networks. The persons behind these profiles pretended to be working in journalism, armaments, or government. All of this was done with the purpose of convincing as many victims as possible to accept the attackers' friend requests. Even a bogus news site at which the supposed journalists were working was developed for the operation: "Newsonair.org" copied content from other news portals and published it under its own name. In a first step, only harmless e-mails with simple correspondence were sent. The purpose was primarily to create trust among the specially selected victims. Once trust had been established, e-mails prepared with malware were sent. Target persons included mainly military and political officials in the United States and Israel.

Symbolic operation against alleged Chinese spies?

The US Department of Justice filed charges against five members of the Chinese military on grounds of cyber espionage.20 The attacks are alleged to have occurred between 2006 and 2014.21 The accused persons are members of the Chinese People's Liberation Army. Since these persons will probably never enter the United States or countries with an extradition agreement, the charges are largely of a symbolic nature.

Targeted espionage attacks have long ceased to be isolated incidents. There is ongoing interest in sensitive data and accordingly constant pressure on it. Switzerland is not immune in this regard, since a very large number of leading companies are domiciled here that have expertise and information of great value.

15 http://securelist.com/analysis/publications/65545/the-epic-turla-operation/ (as at 1 September 2014).
16 https://blog.gdata.de/artikel/uroburos-hochkomplexe-spionagesoftware-mit-russischen-wurzeln/ (as at 1 September 2014).
17 http://www.baesystems.com/what-we-do-rai/the-snake-campaign? (as at 1 September 2014).
18 http://www.standaard.be/cnt/dmf20140512_01103164 (as at 1 September 2014).
19 http://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/ (as at 1 September 2014).
20 http://www.spiegel.de/netzwelt/netzpolitik/cyberspionage-usa-klagen-chinesische-regierungsbeamte-an-a-970259.html (as at 1 September 2014).
21 MELANI Semi-annual report 2013/1, Chapter 4.2: http://www.melani.admin.ch/dokumentation/00123/00124/01555/index.html?lang=en (as at 1 September 2014).

4.3 Attack against industrial facilities in the West

At the end of June 2014, an espionage and sabotage (preparation) campaign became public that was directed at industrial facilities and energy suppliers in the West. The group of attackers, named "Dragonfly",22 "Energetic Bear",23 and "Crouching Yeti"24 by security firms, may have been active since 2010 according to reports. The attacks now discovered were perpetrated starting in the spring of 2013 in various phases and via different paths. In a first step, e-mails with malware in their attachments were sent to selected employees in the targeted companies (spear phishing). The attackers then infiltrated various websites that dealt thematically with energy supply and placed drive-by infections (watering hole attacks). Finally, the group was also able to replace legitimate software packages on websites of the manufacturers of programmable logic controllers with manipulated versions.

The attackers employed various malware types to achieve their goals:

• Trojan horses (Havex and Sysmain)

• Backdoors (Karagany and Oldrea)

• Other tools depending on the purpose (entrenchment in the network, data theft).

Only security vulnerabilities that were already known were exploited for the attacks. The victims were mainly Western European and US companies.

An interesting aspect is the automatic search for OPC servers locally and on the network. By manipulating OPC servers, the physical processes they control can be disrupted. For this purpose, the malware has the capability of identifying OPC systems with the help of fingerprints, and it transmits information about the identified systems to command & control servers (C&C servers).

The campaign is primarily designed for espionage. However, the goal was also to establish a sustained presence in the target systems and networks and to establish the possibility of later sabotage acts.

Because the manufacturer's software itself had been trojanised, the security measures on the users' side could be bypassed completely: this software must, after all, be installed expressly so that the device or service can be used at all.

This campaign illustrates impressively how attacks against critical infrastructures are carried out: Using focused measures, gateways into operator networks are identified in order to establish a presence in the vicinity of the target systems. Consequently, as much information as possible is collected (reconnaissance). The attackers secure access in order to collect further information at a later time and, as desired, to perform manipulations as well.

22 http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat (as at 1 September 2014).
23 http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf (as at 1 September 2014).
24 http://www.kaspersky.com/about/news/virus/2014/crouching-yeti-an-ongoing-spying-campaign-with-2800-highly-valuable-targets-worldwide (as at 1 September 2014).

Several approaches exist to secure the OPC interface:

• Introducing and regularly updating ACLs (access control lists) between the OPC clients and servers, taking account of least privilege.

• Sealing off RPC communication in separate networks and with point-to-point connections.

• Tunnelling of such connections.

• Monitoring access (central logging and regular review of access logs).

• If the software is digitally signed, the signatures should also be verified before installation.

As a general matter, MELANI recommends sealing off industrial control systems as strongly as possible from the usual ICT infrastructure and hardening them against direct attacks; see also the MELANI measures for the protection of industrial control systems (ICSs).25
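Two of the measures above in code, as an added example that is not MELANI's own tooling: constructed OPC access-log lines are checked against an allow-list of client/server pairs (the ACL), and a client that reaches many distinct OPC servers within a short window, the footprint of the automated OPC server search described for this campaign, is flagged. Log format, addresses, window and threshold are all assumptions of this example.

```python
"""OPC access-log monitoring (added example, not MELANI's code).
Log format, addresses, ACL and thresholds are constructed for the demo."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed central access log: timestamp, OPC client, OPC server.
SAMPLE_LOG = """\
2014-06-12T08:00:01 client=10.20.1.15 server=10.20.5.10 action=connect
2014-06-12T08:00:30 client=10.20.1.16 server=10.20.5.11 action=connect
2014-06-12T08:05:00 client=10.20.1.77 server=10.20.5.10 action=connect
2014-06-12T08:05:20 client=10.20.1.77 server=10.20.5.11 action=connect
2014-06-12T08:05:45 client=10.20.1.77 server=10.20.5.12 action=connect
2014-06-12T08:06:30 client=10.20.1.77 server=10.20.5.13 action=connect
2014-06-12T09:00:00 client=10.20.1.15 server=10.20.5.12 action=connect
"""

# The ACL: which OPC client may talk to which OPC server (least privilege).
ACL = {
    ("10.20.1.15", "10.20.5.10"),
    ("10.20.1.16", "10.20.5.11"),
}


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Return (time, client, server) per line, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts[1:] if "=" in f)
        try:
            when = datetime.fromisoformat(parts[0])
            events.append((when, fields["client"], fields["server"]))
        except (ValueError, KeyError, IndexError):
            continue
    return sorted(events)


def acl_violations(events, acl=ACL) -> list[tuple[datetime, str, str]]:
    """Every connection whose (client, server) pair is not on the ACL."""
    return [e for e in events if (e[1], e[2]) not in acl]


def opc_scanners(events, window=timedelta(minutes=5), threshold=3) -> dict[str, set[str]]:
    """Clients that reach at least `threshold` distinct OPC servers within `window`.
    Returns the set of servers each flagged client touched in the first such window."""
    by_client: dict[str, list] = defaultdict(list)
    for when, client, server in events:
        by_client[client].append((when, server))
    flagged = {}
    for client, conns in by_client.items():
        for i, (start, _) in enumerate(conns):  # conns are already time-ordered
            seen = {s for t, s in conns[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[client] = seen
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for when, client, server in acl_violations(evts):
        print(f"{when.isoformat()} ACL violation: {client} -> {server}")
    for client, servers in opc_scanners(evts).items():
        print(f"possible OPC scan by {client}: {sorted(servers)}")
```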

4.4 Conflicts in cyberspace

Apart from the conflict in the Middle East, in which Israel is attacked by Arab hacktivists, and the ongoing actions of the Syrian Electronic Army in support of the Assad regime, the Ukraine crisis has now also given rise to operations by various actors in cyberspace. Before and during the incursion of armed troops in Crimea at the end of February 2014, mobile telephone operations and Internet access on the peninsula were disrupted by physical interference with the telecommunication infrastructure and possibly also by cyber attacks. Shortly afterward, websites belonging to the Ukrainian government were likewise temporarily unavailable, and various members of parliament complained that they had trouble using their mobile phones. After the websites of government critics were shut down in Russia at the beginning of March, hacktivists attacked Kremlin websites so that they were temporarily inaccessible. (Other) hacktivists have done the same with NATO websites.

It can only be speculated at this point in time to what extent the attacks against industrial facilities in the West described in the previous chapter can likewise be classified in this way. In the United States, a scenario has been developed for quite some time in which a foreign power might infiltrate the US energy supply in order to turn off energy in the US at will.

As already discussed in previous semi-annual reports, conflicts in the physical world increasingly also result in actions and reactions in cyberspace. Especially if a party to the conflict is hard or impossible to attack using conventional means – whether because a physical attack would lead to an escalation of the situation, because the "enemy" is not within physical range for such an action, or simply because a physical attack would fail because of the asymmetry of the potential use of force – a cyber attack is an obvious way to inflict harm upon the opponent or at least to express displeasure.

States whose economy and/or critical infrastructure depend heavily on the smooth functioning of ICT and are therefore vulnerable in that respect can suffer massive damage due to cyber attacks even by smaller groups of persons or individual perpetrators.

Finally, the aspect of spreading information (propaganda) by the involved parties and other stakeholders must be taken into account when actions in cyberspace occur: in every conflict, the party that dominates or even controls the information sphere is at an advantage.

25 http://www.melani.admin.ch/dienstleistungen/00132/01557/index.html?lang=en (as at 1 September 2014).

4.5 NSA – further publications

Reporting about Snowden and the NSA affair continued in the first half of 2014, albeit to a lesser degree. Nevertheless, we would like to briefly summarise the most important publications in this regard. The first consequences of the published documents for developments on the Internet are discussed in Chapter 5.3.

United States keeps security vulnerabilities in computer systems secret

One publication from the Snowden findings claimed that the NSA often exploits identified security vulnerabilities in software for its own purposes. An advisor to US President Obama stated in this regard that criteria do in fact exist for whether a security vulnerability is published or not. By exploiting the vulnerability, important information might be gained. Criteria for whether a security vulnerability is used for espionage purposes or not are, for instance, how widespread the software is and whether someone else is able to discover and exploit the weakness. The option also exists to exploit the vulnerability first and then make it public.26

This finding is not new. Already in 2005, an espionage campaign was observed that systematically exploited weaknesses in Microsoft products. The suspected origin at the time was China.27

NSA said to have manipulated US network equipment sent by post

Another report by the journalists and lawyers Glenn Greenwald and Jacob Appelbaum made public that "in some cases" the NSA intercepts network devices and peripheral devices sent by post for the purpose of installing espionage software. Employees of Tailored Access Operations (TAO) are said to install special technology in these devices that provides espionage capabilities. The devices are then repackaged and sent to the recipient. According to Greenwald, routers and servers of Cisco are among the devices manipulated – a US company that manufactures and deploys a large share of the network components used worldwide.28 It is worth mentioning that over the past few years, the United States in particular has declared that the Chinese companies Huawei and ZTE, which also manufacture network components, are not to be trusted.29 Specifically, the alleged threat is that components of the two companies might be employed to spy on US networks.

The US House of Representatives passed a bill in June 2014 that would prohibit the NSA and the CIA from funding security vulnerabilities or backdoors in domestic IT products or services for the purpose of surveillance.30 The draft law would also prohibit the common practice brought to public attention of retroactively searching for US citizens in already collected and received data. The bill must first be debated by the Senate, however.

26 http://www.tagesanzeiger.ch/digital/internet/USA-halten-Sicherheitsluecken-in-Computersystemen-geheim/story/12638578 (as at 1 September 2014).
27 MELANI Semi-annual report 2006/1, Chapter 5.2: http://www.melani.admin.ch/dokumentation/00123/00124/00162/index.html?lang=de (as at 1 September 2014).
28 http://www.droemer-knaur.de/buch/7943698/die-globale-ueberwachung (as at 1 September 2014); http://www.heise.de/newsticker/meldung/NSA-manipuliert-per-Post-versandte-US-Netzwerktechnik-2187858.html (as at 1 September 2014).
29 http://www.spiegel.de/netzwelt/netzpolitik/us-kongress-will-chinas-telekom-firmen-huawei-und-zte-aussperren-a-860014.html (as at 1 September 2014).
30 http://thehill.com/blogs/floor-action/house/210027-house-votes-to-limit-nsa-spying (as at 1 September 2014).

Nationwide recording of telephone data

It was also disclosed that all mobile phone conversations in the Bahamas are being tapped under the code name "Somalget". Phone conversations are also said to be tapped nationwide in at least one other country. "Somalget" is part of the "Mystic" programme, in which information on telephone calls in Mexico, the Philippines, and Kenya is being collected.31 The difference, however, is that in the case of "Mystic", only metadata are recorded, while "Somalget" also records content. Apparently, an agreement between the authorities of the Bahamas and the US Drug Enforcement Administration (DEA), which cooperate in the surveillance of individual telephone connections for the purpose of combating narcotics, was used by the NSA to obtain complete access to the mobile phone network.

Influencing the standard for phone call encryption

In the first half of 2014, documents were published claiming that the Government Communications Headquarters (GCHQ), the British equivalent to the NSA, had pushed through short keys for the mobile communication standard A5/1. While keys with a length of 128 bits were first proposed, the GCHQ had insisted on a 48-bit key in the 1980s. Finally, a compromise was reached, and a 64-bit key was used – but with ten digits always set to zero. According to the report, this means that the A5/1 algorithm was easy to crack from the very beginning.32 The first attacks already became known in 2000.33 The 25-year-old standard is still used and is only slowly being replaced by its successor A5/3.

Last year the "Dual_EC_DRBG" standard made special headlines in this regard – a random number generator developed by the NSA that does not actually generate numbers as random as they should be.

NSA and GCHQ allegedly have access to app user data

It is not news that certain data in smartphone applications ("apps") is forwarded to their operators. Already in the MELANI Semi-annual report 2011/2,34 we pointed out that the rights allocated to apps with or without the knowledge of users often go beyond what would really be necessary for the smooth functioning of the app. According to reports in The New York Times, The Guardian, and ProPublica, however, it is now also being claimed that the NSA and the GCHQ intercept data that smartphone apps collected about their users. In addition to simple data such as age, gender, and location of a user, complex profile data may also be included. The value of such data is so high that the NSA is said to have paid more than one billion US dollars for this programme. In one of the leaked slides, the NSA also refers to the increased use of smartphones as a windfall.

31 https://firstlook.org/theintercept/2014/05/19/data-pirates-caribbean-nsa-recording-every-cell-phone-call-bahamas/ (as at 1 September 2014).
32 http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285.html#.UtFDAvZuTGK (as at 1 September 2014).
33 http://en.wikipedia.org/wiki/A5/1 (as at 1 September 2014).
34 MELANI Semi-annual report 2011/2, Chapter 5.4: http://www.melani.admin.ch/dokumentation/00123/00124/01141/index.html?lang=en (as at 1 September 2014).

WLAN at the airport – Canadian intelligence service allegedly monitors network

In the age of mobile communication, one of the first actions after disembarking from the plane is to turn on one's mobile phone and check e-mails or download other information – preferably using the WLAN made available by the airport. This is precisely what the Canadian intelligence service Communications Security Establishment Canada (CSEC) is alleged to have exploited in order to locate people in the country, namely by using the WLAN at a major Canadian airport. Every time a connection is established with a public network, metadata is transmitted that allows the device to be identified again at a later time. The data obtained at the airport can be used in that way to follow target persons digitally.35

NSA is able to redirect Internet connection

According to publications from the Snowden findings, the NSA is said to be capable, as part of its "Qfire" programme, of interrupting and redirecting any Internet connection at will. When these decentralised attacks on Internet connections are carried out, the NSA is said to be able to intercept and manipulate data as close as possible to the targets.36

NSA also said to have targeted the OSCE

International organisations are especially interesting for espionage attacks. In a small area, employees from many different countries are working, and a wide range of electronic means of communication are used. Already in August 2013, it became public that the headquarters of the United Nations in New York had been bugged by the NSA.37 And now, according to the Austrian newspaper “Die Presse”, the OSCE in Vienna is alleged to have been on the target list of the US intelligence services.38 This claim cited a German journalist who had access to the Snowden files. The document mentioned "foreign policy objectives" and "arms control and trade" in particular.

4.6 Scammers' ability to react to current events

Advance fee scams are a phenomenon that is widely known and documented. In these scams, the swindlers create a scenario in which the target is purported to have the opportunity to benefit from a large sum of money, for instance an inheritance, unclaimed assets, or lottery winnings. If the target responds to the initial contact, payments are demanded on a variety of grounds, but of course the promised sum is never remitted. One of the special features of these scams is their adaptability, whether in regard to the target or the context. One typical example is the way in which the authors use current events to increase the chances of deceiving their victims. This year, the World Cup in Brazil was widely used by scammers, for instance. The scarcity of tickets and the exceptional nature of the event were fertile ground for elaborating scenarios in which the target was promised an exceptional opportunity to participate in the event, of course in exchange for prior payment. Naturally, these were only tricks aimed at obtaining money, but also personal information.

35 http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881 (as at 1 September 2014).
36 http://www.spiegel.de/fotostrecke/qfire-die-vorwaertsverteidigng-der-nsa-fotostrecke-105358.html (as at 1 September 2014).
37 http://www.spiegel.de/politik/ausland/nsa-hoerte-zentrale-der-vereinte-nationen-in-new-york-ab-a-918421.html (as at 1 September 2014).
38 http://diepresse.com/home/politik/aussenpolitik/3809719/NSAAffaere_Obama-laesst-OSZE-ausspionieren (as at 1 September 2014).


The Malaysia Airlines disaster in spring 2014, and especially the confusion that arose after the disappearance of the aircraft, were also a source of inspiration for various types of scam. In particular, links promising access to a video of the discovered plane spread, especially on social networks. Users following those links risked an infection of their computer, because instead of the video they were redirected to a site created to deliver a virus. In some cases, the victim was directed to a phishing page requesting login information in order to access the promised content.

Scammers active on the Internet are often characterised by their great adaptability. In that sense, events with an international resonance offer many opportunities for them. Building on these current events, they develop scenarios aiming to rouse the interest of their targets. Internet users should develop and maintain a prudent and sceptical attitude toward offers they receive spontaneously. Before following a link, opening an attachment, or furnishing information, users should always be certain of the legitimacy of the message and the sender. In case of doubt the e-mail should be deleted.

4.7 Disruptions of air traffic control by military exercise?

On 5 and 10 June 2014, radar contact with civilian aircraft was interrupted in some parts of Central and Eastern Europe for 20 or 25 minutes. The secondary radar was affected, which receives the data transmitted by the aircraft's transponder, such as identification and altitude. The position of the aircraft, on the other hand, remained visible. Radio communication with all aircraft also continued to be ensured.

Shortly thereafter, the suspicion was raised that a military exercise held by NATO in Hungary and Italy was responsible for the failure of the secondary radar. NATO confirmed that it had practised local jamming of certain frequencies, but stated that it was highly unlikely that the disruptions were caused by the NATO exercises, since the frequencies jammed during the exercise differed from those used by civilian aviation. The European Organisation for the Safety of Air Navigation (EUROCONTROL) is investigating the incidents.

According to the present state of knowledge, the probability of a software- or hardware-based malfunction or even a manipulation of the radar devices is low. Otherwise, it would be difficult to explain why the air traffic controls of various countries using different kinds of devices would have observed the same phenomenon. An external disruption is certainly more plausible in this case. Even though a preliminary report of EUROCONTROL assumes that the military and civilian frequencies were sufficiently separated from each other,39 the correlation of the incidents with the exercise in terms of both time and location is striking.

39 http://www.n24.de/n24/Nachrichten/Politik/d/5260064/militaeruebungen-koennten-radar-gestoert-haben.html (as at 1 September 2014).


4.8 Passwords discovered and stolen

German Federal Office for Information Security discovers 34 million stolen passwords

At the end of January 2014, the German Federal Office for Information Security (BSI) announced that during the analysis of a botnet, it had discovered 16 million sets of access data consisting of e-mail addresses and passwords.40 This access data belonged to all kinds of online accounts for which an e-mail address can be used as a username. The access data was apparently obtained via computers infected with malware. Each time an e-mail/password combination is entered using such a compromised computer, the access data is stolen and transmitted to a central server controlled by the criminals.

At the beginning of April 2014, the BSI informed the public about another password find. This time, 18 million sets of user data were affected.41 In addition to the website set up in January 2014,42 where users can check whether their e-mail address is affected, other notification channels were also used this time. For instance, the relevant information was also furnished to e-mail providers such as GMX and Web.de, which then blocked affected e-mail accounts with a notice that data had been stolen. In both incidents, Swiss e-mail accounts were also affected.

Data theft at eBay

In May 2014, eBay published a statement admitting that it had been the victim of an attack that allowed the hackers to access a database containing customer information. The authors of the attack were thus able to access e-mail addresses, (encrypted) passwords, postal addresses, and telephone numbers, but apparently no financial information. The number of compromised records was not disclosed. Even though none of the available information indicates that the criminals were able to decrypt the passwords, eBay recommended that all users change them.

One of the key questions relating to this incident is that of the initial weakness. In this case, as confirmed by eBay, access data of company employees had already been compromised at the beginning of February. With that data, the authors were able to gain access to the company network. How the access data was initially acquired remains, however, unconfirmed. The hypothesis advanced by several experts, according to which an attack was employed that at least in part used social engineering methods, currently appears to be the most probable explanation. Here again, a spear phishing mailing may have been used.

This incident shows that an initial infiltration of a narrow scope may, depending on the case, provide extensive access to a network and everything it contains, specifically databases. For criminals, it is therefore often smart to invest considerable resources to target a few company accounts that give them access to important sources of information. For companies, this means that the number of accounts with extensive privileges should be limited to the extent possible and monitored in order to detect any unusual activity.

40 https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Mailtest_21012014.html (as at 1 September 2014).
41 https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Neuer_Fall_von_Identitaetsdiebstahl_07042014.html (as at 1 September 2014).
42 https://www.sicherheitstest.bsi.de/ (as at 1 September 2014).


4.9 New DDoS variants

Denial-of-service attacks aim to make certain services unreachable for their users or at least to significantly limit their reachability. Such DDoS attacks are widespread and represent a serious threat to many ICT infrastructures. In addition to the well-known DNS amplification/reflection attacks, in which openly accessible DNS servers are misused for the attack, several newer techniques have surfaced in recent months in which other openly accessible services are misused in a similar way. Examples are the Simple Network Management Protocol (SNMP), the Network Time Protocol (NTP), which is used for time synchronisation within a network, and the Character Generator Protocol (Chargen), which is used for testing and debugging. Typical of these attack methods is that a small query generates a response many times larger, which is then directed toward the actual target of the attack. The services are based on the User Datagram Protocol (UDP), which is very popular for DDoS attacks because the protocol is connectionless and does not validate the IP addresses involved in the communication, so that the attacker can enter the victim's address as the source of the query.

The misuse of NTP servers with the help of the "monlist" command was already discussed in MELANI Semi-annual report 2013/2,43 but it continues to be a problem. This command returns a list of the 600 IP addresses that most recently connected to the NTP server. If this command is sent with a falsified source IP address, the responses rain down on the innocent victim whose IP address was falsified. During the largest DDoS attacks in the spring of 2014, bandwidths of more than 400 Gbit/s were measured. SNMP offers a similarly large amplification potential and is already actively being misused.

A new variant of DDoS attacks misuses a function in the widespread blog/CMS software WordPress. WordPress has a function called pingback that notifies a site when another site links to one of its pages. If an attacker misuses this function and submits the address of the victim to a large number of WordPress instances, these instances send the corresponding HTTP requests to the victim's site, which then collapses under the deluge of requests. The original attacker is virtually invisible to the victim, since the victim is attacked by many thousands of legitimate WordPress installations. During one such attack, more than 160,000 different WordPress sites were observed being misused for the DDoS attack.

In general, MELANI recommends protecting the systems so that they cannot be misused for DDoS attacks. There are resources available on the Internet for that purpose, such as those made available by Team Cymru for securing DNS servers and NTP servers.44 Securing WordPress instances is not so easy, given that pingback is in principle a desirable feature of the system. However, there is the option of creating a filter plug-in that turns off the function.

For Internet service providers (ISPs), implementation of BCP 38 (Best Current Practice)45 is a key element for solving the DDoS problem in the medium to long term. BCP 38 defines ingress filtering, i.e. how a network operator discards incoming traffic with bogus or invalid source IP addresses at its edge, so that packets with falsified sender addresses cannot be used for reflection attacks.
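Added example in Python (not code from the MELANI report) showing the two defences named above: BCP 38 ingress filtering on a customer link, and spotting reflected amplifier answers in flow records. The Flow type, addresses, byte counts and the amplification threshold are constructed assumptions of the example.

```python
"""Defender-side checks for UDP reflection/amplification DDoS.

Flow records stand in for NetFlow/IPFIX-style exports. All addresses,
byte counts and thresholds below are constructed for the example."""
import ipaddress
from dataclasses import dataclass

# UDP services the report names as amplifiers, keyed by well-known port
PORT_TO_SERVICE = {53: "dns", 123: "ntp", 161: "snmp", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    octets: int     # total bytes in the flow
    packets: int    # total packets in the flow


def bcp38_permits(flow, assigned_networks):
    """BCP 38 ingress filtering at the customer edge: a packet arriving over a
    customer link is forwarded only if its source address belongs to one of
    the prefixes assigned to that customer. A spoofed source (the DDoS
    victim's address) fails this test and never reaches an amplifier."""
    src = ipaddress.ip_address(flow.src)
    return any(src in net for net in assigned_networks)


def ingress_filter(flows, assigned_prefixes):
    """Split flows seen on a customer link into (forwarded, dropped)."""
    nets = [ipaddress.ip_network(p) for p in assigned_prefixes]
    forwarded, dropped = [], []
    for f in flows:
        (forwarded if bcp38_permits(f, nets) else dropped).append(f)
    return forwarded, dropped


def reflection_report(flows, min_factor=10.0):
    """Pair every answer leaving an amplifier port with the request that
    should have preceded it (reversed 4-tuple). Returns a list of
    (service, amplifier_ip, factor): a factor >= min_factor marks an
    amplified answer; factor None marks an answer with no matching request,
    which is what reflected traffic looks like from the victim's side."""
    requests = {(f.src, f.dst, f.sport, f.dport): f
                for f in flows if f.dport in PORT_TO_SERVICE}
    findings = []
    for f in flows:
        if f.sport not in PORT_TO_SERVICE:
            continue
        service = PORT_TO_SERVICE[f.sport]
        req = requests.get((f.dst, f.src, f.dport, f.sport))
        if req is None:
            findings.append((service, f.src, None))
            continue
        factor = f.octets / req.octets
        if factor >= min_factor:
            findings.append((service, f.src, round(factor, 1)))
    return findings


# --- constructed sample data ------------------------------------------------
CUSTOMER_PREFIXES = ["192.0.2.0/24"]          # prefix assigned to one customer

# Flows entering the provider from that customer's link
CUSTOMER_LINK_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", 40000, 123, 48, 1),    # honest NTP query
    Flow("192.0.2.77", "198.51.100.53", 40001, 53, 60, 1),    # honest DNS query
    Flow("203.0.113.5", "198.51.100.1", 50000, 123, 234, 1),  # source spoofed to victim
]

# Flows exported by a router carrying both the amplifier's and the victim's traffic
TRANSIT_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", 40000, 123, 48, 1),       # honest query ...
    Flow("198.51.100.1", "192.0.2.10", 123, 40000, 48, 1),       # ... and its answer
    Flow("203.0.113.5", "198.51.100.1", 50000, 123, 234, 1),     # spoofed monlist request
    Flow("198.51.100.1", "203.0.113.5", 123, 50000, 48200, 100), # 100 monlist packets to victim
    Flow("198.51.100.7", "203.0.113.5", 19, 50001, 1024, 1),     # chargen answer nobody asked for
]


if __name__ == "__main__":
    forwarded, dropped = ingress_filter(CUSTOMER_LINK_FLOWS, CUSTOMER_PREFIXES)
    print("BCP 38 dropped:", [f.src for f in dropped])   # ['203.0.113.5']
    for service, ip, factor in reflection_report(TRANSIT_FLOWS):
        print(f"{service:8s} {ip:15s} factor={factor}")
    # ntp      198.51.100.1    factor=206.0
    # chargen  198.51.100.7    factor=None
```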

43 MELANI Semi-annual report 2013/2, Chapter 3.10: http://www.melani.admin.ch/dokumentation/00123/00124/01565/index.html?lang=en (as at 1 September 2014).
44 http://www.team-cymru.org/ReadingRoom/Tips/dns.html (as at 1 September 2014).
45 http://tools.ietf.org/html/bcp38


4.10 Attacks targeting virtual currencies

The decentralised digital currency bitcoin was already discussed in a chapter in the last edition of the MELANI semi-annual report.46 The security issues surrounding that currency have already been raised: theft of private keys, attacks targeting exchange platforms, and malware attempting to steal bitcoins from the user or using the user's computing power for purposes of mining.

Bitcoin is still a current topic in 2014, especially in regard to security considerations. Android users, in particular, have been targeted by malware. For this reason, Google had to withdraw several applications from the Google Play Store that contained malware aiming to mine bitcoins and other similar currencies without the knowledge of the smartphone user. In the case of bitcoin, the growing number of users and consequently the increase in the resources necessary to mine currency explain why criminals are trying more and more to gain access to additional computing power, especially through mobile phones. Numerous experts note, however, that this approach is currently not very lucrative, given the time necessary for mining. For the user, this diversion of resources means lower computing efficiency and more rapid battery depletion.

The platforms where users are able to exchange traditional currencies for bitcoins have also continued to come under pressure this year. As mentioned in the last semi-annual report, these exchange platforms are a preferred target. The bankruptcy of Mt. Gox47 testifies to the importance of these exchanges and to their vulnerability. That platform, one of the oldest and most important on the market, halted all transactions on 7 February 2014 before being placed under bankruptcy protection in Japan at the end of that month. Mt. Gox lost 750,000 bitcoins belonging to its clients and 100,000 of its own, with a total value of USD 620 million. One of the causes of that loss may lie in the exploitation of the malleability of transactions (transaction malleability) on the Mt. Gox platform. However, some experts dispute that this is the sole explanation of the loss. Failures in Mt. Gox's internal management and the use by hackers of other methods to gain access to bitcoins are other explanations put forward for the losses.

Bitcoin and virtual currencies continue to be at the centre of attention, especially under the aspect of security questions and the question of their reliability. Their role in the context of current criminal investigations justifies a very particular interest on the part of the authorities in criminal prosecution at the international level, while states are still trying to clarify the legal status. In Switzerland, a recent report by the Federal Council proposes to take stock of the functioning of virtual currencies and the problems associated with them.48

4.11 Successes against scammers

Again in the first half of 2014, some successes were achieved in the fight against scammers and hackers.

46 MELANI Semi-annual report 2013/2, Chapter 5.2: http://www.melani.admin.ch/dokumentation/00123/00124/01565/index.html?lang=en (as at 1 September 2014).
47 http://en.wikipedia.org/wiki/Mt.Gox (as at 1 September 2014).
48 http://www.admin.ch/aktuell/00089/?lang=en&msg-id=53513 (as at 1 September 2014).


Raid against persons in possession of the Blackshades malware

On 20 May 2014, a raid took place against persons in possession of the Blackshades espionage software. During the operation initiated by the Federal Bureau of Investigation (FBI), more than 300 persons alleged to be in possession of this malware in 19 countries were subjected to a house search.49 About 100 people were arrested, including the alleged mastermind, Alex Yucel. With the Blackshades malware, Windows computers can be remote-controlled almost without limits. The users of the software are likely to have employed it for a wide range of purposes. The malware was also discovered among members of the opposition in Syria and Libya.

Game over for GameOver Zeus

On 2 June 2014, the US Department of Justice (DoJ) and the FBI announced the deactivation of the two botnets GameOver Zeus (GOZ) and CryptoLocker.50 GOZ is a further development of the ZeuS/Zbot malware that has been active also in Switzerland for four years and that is one of the few botnets based on peer-to-peer (P2P) technology. The goal of the botnets was to engage in e-banking fraud or to extort computer users (ransomware).

Since July 2013, MELANI has been taking measures against the threat from CryptoLocker together with Swiss Internet providers.

After the deactivation of the CryptoLocker botnet, the IT security service providers FireEye and Fox IT made a service available free of charge that enables victims to retrieve data encrypted by the malware.51

Arrest with Swiss help

At the beginning of March 2014, the Thai police, with Swiss help, arrested the alleged hacker known as Diab10 in Bangkok, one of whose crimes is said to be the circulation of the Zotob computer worm in 2005.52 At that time, Zotob shut down numerous computers. The Moroccan-born man, who holds a Russian passport, was being sought in Switzerland for computer fraud. The arrested person, against whom a Swiss arrest warrant had been issued, is being extradited to Switzerland.

4.12 Vulnerabilities of cyber-physical systems

Malware in a Japanese nuclear power plant

Malware was detected on a computer in the control room of the Japanese nuclear power plant Monju at the beginning of 2014. It is suspected that the computer was infected through an update of free video software performed by an employee. As a consequence, about 42,000 e-mails as well as employee training documents were transferred to or via South Korea. The infection was detected by network monitoring, which recognised connections to an unknown website.

49 http://www.fbi.gov/news/stories/2014/may/international-blackshades-malware-takedown/international-blackshades-malware-takedown (as at 1 September 2014).
50 http://www.abuse.ch/?p=7822 (as at 1 September 2014).
51 http://www.melani.admin.ch/dienstleistungen/archiv/01583/index.html?lang=de (as at 1 September 2014).
52 http://www.nzz.ch/aktuell/panorama/hacker-diab10-in-thailand-verhaftet-1.18265704 (as at 1 September 2014).


The report does not indicate whether the affected computer was used only for administrative purposes or whether it was also intended to control critical processes in the power plant. It is also not clear whether the computer would have had an Internet connection during normal operations of the reactor – the power plant was not operational at the time of the attack – and, if so, how it is separated from the operational systems of the control room. According to the operator, reactor security was at no time endangered by this incident.

The fast breeder reactor already had to be shut down in 1995 due to a fire shortly after it had become operational. In spring 2010, it was started up again in test mode. After a fuelling accident less than four months later, it finally had to be shut down again, probably forever.

Even though this incident was probably not a targeted attack against a nuclear power plant but rather a random infection, it is still alarming that a computer in the control room, where the operation of the reactor is managed, could be infected with malware. Operational and administrative networks should be separated from each other to the extent possible – especially when the processes being controlled have as high a damage potential as nuclear power generation.

Computer-based medical technology and security vulnerabilities

Over the course of two years, the security researcher Scott Erven examined electronic medical devices in American hospitals and found disastrous shortcomings in some cases. These related primarily to embedded web services that allow the devices to communicate with each other and to send data directly to patient files. The problems were found less in the fundamental programming of software than in the implementation of the systems. Often, devices were protected only with weak or non-changeable standard passwords, or they transmitted patient data without encryption through the network or could be disrupted by sending meaningless commands (i.e., commands unknown to the device).

One dare not imagine what might happen if a surgical robot were suddenly to shut down during an operation, if an infusion pump were to dispense too much (or too little) of a drug, or if a cardiac pacemaker were to deliver a shock at the wrong moment. X-ray devices or computer tomography systems might also be manipulated, leading to excessive radiation doses. In addition to direct influence on medical devices, the increasing interlinkage of building automation is also a risk, especially in the hospital environment: if the cooling systems for stored blood or drugs can be regulated remotely, it is possible to destroy the supplies.

As in traditional industrial facilities, cyber-physical systems – devices that control a physical process using software – are also used in the health care field. The underlying administration is often carried out with ordinary computers that are connected to an (at least internal) network. Hospitals, too, must therefore ensure that these systems are effectively shielded from the Internet and cannot be infected with malware, whether deliberately or by chance. In the case of targeted attacks, ordinary computers with Internet access can serve as a gateway to internal networks.


Vulnerability of municipal power supply

The public services of a medium-size German city let a hacker team loose on its facilities to test the security of the power and water supply.53 The attackers tested the full range of infiltration methods. Apart from direct hacking attempts via the Internet, these included physically plugging a hotspot into a relatively easily accessible network socket on the plant site – for instance in the lobby area or in conference rooms – which could be used to gain direct access to the internal network. But here again, the simplest method was to use social engineering to induce an employee to open a prepared e-mail attachment, which installed software that offered the attackers a gateway into the internal network. The hired hackers ultimately succeeded in infiltrating the control software in the control centre of the power supplier to the extent that they could have taken over control and command functions. The security experts' conclusion is that while taking over control is feasible, it is very difficult to sustain because the defender has physical access to all devices and therefore has a crucial advantage over the attacker. Also, in the case of traditional supply systems, many electro-mechanical protective elements and analogue displays continue to be used, which are beyond the control of a cyber attacker. Any induced power outage would thus probably be only brief.

An attacker with strong motivation and a lot of time, i.e., who is sufficiently persistent, can penetrate almost any system. The first step is always to obtain as much information as possible about the company, its employees, and information about the target system that may already be available in the public domain.

Unfortunately, it is virtually impossible to fully secure a system. For that reason, one should monitor one's networks effectively in order to immediately identify incidents, intervene rapidly, and restore the normal state of affairs.

4.13 Routers as a point of attack

As already discussed in the last semi-annual report (2013/2), cybercriminals are increasingly focusing on routers. Again in the current reporting period, various attacks against routers and their weak points were observed:

At the beginning of the year, the manufacturers Cisco, Netgear, and Linksys confirmed a security vulnerability that can be used to read and also manipulate the configuration files of the router.54 Moreover, passwords and certificates for VPNs had been extracted from some devices. The vulnerable service was listening on port 32764 of the affected devices. It was unclear whether the vulnerability could be exploited only from the local network or also from the Internet. It is astonishing that this vulnerability has apparently existed in a variety of products for several years.

53 http://heise.de/-2165153; see also the TV documentary http://www.arte.tv/guide/de/048364-000/netwars-krieg-im-netz (German), http://www.arte.tv/guide/fr/048364-000/netwars-la-guerre-sur-le-net (French) and the interactive webdoc http://netwars-project.com/de/ (German) or http://netwars-project.com (English).
54 http://www.heise.de/security/meldung/Mysterioese-Router-Backdoor-Viele-tausend-Router-in-Deutschland-haben-eine-Hintertuer-jetzt-testen-2080913.html (as at 1 September 2014); http://www.golem.de/news/port-32764-cisco-bestaetigt-backdoor-in-routern-1401-103882.html (as at 1 September 2014); http://www.golem.de/news/dsl-router-netgear-schliesst-endlich-hintertuer-zu-port-32764-1404-105705.html (as at 1 September 2014).


At the beginning of February, it became known that attackers were able to make phone calls and charge them to victims by exploiting security vulnerabilities in the Fritzbox routers of the manufacturer AVM. Initially, stolen passwords were suspected as the cause of this hack, but later a security vulnerability was suspected instead. Nearly all devices, with or without remote access enabled, were affected.55

In March, the manufacturer D-Link warned its users of a security vulnerability in the DSL-321B modem and made an update available.56 By exploiting the security vulnerability, attackers were able to access the device via the Internet. In the observed attacks, DNS server entries were modified.57 For instance, when victims call up a website, they can be redirected to a website defined by the attacker. Criminals can use manipulations of that sort to redirect online banking sessions, for example.

Team Cymru also made public a case involving modified DNS settings at the beginning of March. The security research firm says that it discovered modified DNS settings in about 300,000 routers, particularly devices from D-Link, TP-Link, and Zyxel, with the focus on devices intended for small offices (SOHO, Small Office/Home Office). In these cases, too, weaknesses are said to have made the manipulations possible.

Routers are attacked automatically, manually, and with malware. There are, for instance, various worms that spread by infecting routers: the Moon worm attacks devices of the manufacturers Linksys and Netgear by exploiting a vulnerability.

Attackers are increasingly focusing on routers because they often have insecure configurations or security vulnerabilities. At the same time, users' awareness of router security is not yet very high. Usually, a device is connected and then never maintained or updated for its entire life cycle. Another aggravating factor is that on older devices, updates are not installed automatically.

MELANI recommends limiting access to the maintenance interfaces of routers to the extent possible. Many devices support a restriction to a single IP address from the internal network. If devices are used that are not maintained by the provider, users must regularly check whether updates are available for the router and download any updates themselves. Moreover, any services no longer used should be deactivated.

4.14 Data retention violates EU law

Data retention is the storage of telecommunications data by or for public authorities even though the data is not currently needed. In criminal proceedings, for instance, such data can be used to find out at a later time what person was associated with an IP address used for a crime. For the allocation of information on the Internet to work, every computer connected to the network merely requires a non-personal IP address. Data retention also includes information about telephone calls and text messages as well as location data indicating where a person was located at the time the telephone was used.

55 http://www.heise.de/security/meldung/Hack-gegen-AVM-Router-Fritzbox-Luecke-offengelegt-Millionen-Router-in-Gefahr-2136784.html (as at 1 September 2014).
56 http://www.dlink.com/de/de/press-centre/press-releases/2014/march/10/ma_sicherheitspatch-modem-dsl-321b-revision-z1 (as at 1 September 2014).
57 http://www.heise.de/security/meldung/Akute-Angriffsserie-auf-D-Link-Modems-2135158.html (as at 1 September 2014).


According to the judgment of the European Court of Justice (ECJ) on 8 April 2014, the controversial EU Data Retention Directive violates European law and is invalid. The ECJ examined the compatibility of the EU directive with Articles 7, 8, and 11 of the EU Charter of Fundamental Rights. The ECJ held that data retention constitutes an especially serious interference with the fundamental rights to respect for private life and protection of personal data. According to the ECJ judgment, very precise conclusions can be drawn regarding the private life of the persons, such as habits of daily life, permanent or temporary whereabouts, changes of location that occur daily or at other intervals, work performed, social relationships, and the social environment. This may trigger a constant feeling of surveillance on the part of the citizen.

While the ECJ recognises that the fight against serious crime, especially organised crime and terrorism, is of the utmost importance for guaranteeing public safety and that its effectiveness depends to a large extent on the use of modern investigative techniques, the court at the same time reaches the conclusion that an objective serving the common good, as fundamental as it may be, does not justify the necessity of data retention as specified in European Directive 2006/24 for the purposes of fighting crime. The protection of the fundamental right to respect for private life demands that the exceptions to the protection of personal data and the restrictions thereof must be limited to what is absolutely necessary. On the basis of the formulation of the European directive, however, this leads to interference in the fundamental rights of almost the entire European population, since it extends generally to all persons and all electronic means of communication as well as all traffic data without any differentiation, limitation, or exception. Other arguments were the lack of information provided to users about data retention and the lack of objective criteria that limit the access of national authorities to the data.

It must be emphasised that while the ECJ holds that the data retention set out in the directive is disproportionate, the judgment does not conclude that data retention as such is impossible.

The reactions of the EU Member States varied. Numerous efforts exist to find a solution for constitutionally permissible data retention, but there is no real alternative. The EU Commission does not appear to have the intention to draft a new directive on this issue, so that Member States will probably take back their legislative authority on this point.

The ECJ judgment not only affects the future; as of its entry into effect on 30 June 2014, it also requires the data collected so far to be dealt with, i.e. deleted. Deleting this data poses challenges for providers that are not entirely trivial, given that they must weed through large databases.

The ECJ judgment will presumably result in far-reaching changes to the European approach to data retention. For Switzerland, the ECJ judgment does not have a direct domestic effect. However, the clear rejection of data retention so far will have a negative impact on European and international cooperation in the field of criminal prosecution and for the time being will not contribute to continental European legal certainty in the fight against crime. Whether the ECJ judgment and the associated changes in the EU region will have a signal effect on the upcoming legislative revisions in Switzerland and the efforts to extend the retention of data from six months to one year cannot be gauged at this point in time.

Also likely of importance to the future of data retention in Switzerland will be the further development of the complaint filed by Digitale Gesellschaft – a grouping of persons and organisations interested in Internet policy. By way of a complaint to the Post and Telecommunications Surveillance Service (PTSS), Digitale Gesellschaft has demanded a cessation of data retention with the reasoning that it violates fundamental rights and is disproportionate. In its response dated 30 June 2014, the PTSS rejected the complaint.


Digitale Gesellschaft continues to pursue its complaint, however, appealing the decree to the Federal Administrative Court and if necessary to the European Court of Human Rights in Strasbourg.

5 Trends/Outlook

5.1 Social engineering – a multifaceted menace

Social engineering attacks take advantage of people's helpfulness, credulity or lack of self confidence in order to gain access to confidential data or to prompt them to perform certain actions, for example. To do so, the attacker exploits a human and gains the confidence of the interlocutor by various artifices (impersonation, boldness, intimidation, etc.) to obtain what the attacker wants.58 This definition lumps together a whole range of behaviour, and the examples in which these methods have been implemented are numerous and have often been mentioned by MELANI in its semi-annual reports. Fraud is first of all a domain in which social engineering plays a large role. This is in particular true of the attacks against companies described in Chapter 3.1. Currently, all companies operating in Switzerland are potential targets of attacks using social engineering methods, regardless of their size or field of activity. In these cases, social engineering methods are implemented in order to directly achieve the ultimate objective of the attacks, namely a payment of money, and without the aid of advanced technological means. But it would nevertheless be wrong to limit the phenomenon to that kind of attack. Social engineering in effect has different faces, and it often constitutes only one of the tools used as part of much more complex attacks extending over a long period of time and involving various technological tools. Regardless of the actor and the objective, one of the points common to the most complex attacks is often the method used for the initial infiltration allowing the attacker to establish a foothold in the targeted network. This is the level at which social engineering occurs, because the authors in effect often send a e-mail, sometimes extremely targeted, to an employee of the entity in question (spear phishing). 
They then try to trick the employee into revealing access data, or into clicking on an infected link or opening an infected attachment to infect his computer. In particular, this method often plays a role in complex attacks carried out for purposes of espionage, so-called advanced persistent threats (APTs). In the case of Careto/The Mask (see Chapter 4.2), for instance, links imitating the domain names of well-known newspapers are used to induce the targets to follow the link. Operation "Newscaster" (see Chapter 4.2) is another example of advanced implementation of social engineering, particularly by way of creating numerous false identities. Complex attacks carried out with financial objectives also often use a similar modus operandi for the initial infiltration. The attack against the Target chain stores at the end of last year59 began with the theft of access data from a supplier, with the help of a targeted e-mail containing a malicious attachment. In that case, the criminals first identified a supplier with access to the company network, then addressed a tailored e-mail to one of its employees. The information available online allowed the attackers to prepare their attack. In the case of the data theft affecting eBay this year (see Chapter 4.8), the hypothesis that social engineering was used is likewise very credible. The technological tools at the disposal of criminals are constantly evolving. New weaknesses are discovered, new protocols used, and ever more complex malicious code surfaces. In that environment of constant transformation, one attack vector remains the same: the exploitation by criminals of human weaknesses. Even if the manner in which they are exploited changes, testifying to the inventiveness and adaptability of "social engineers", those engineers always push the same buttons in their targets: curiosity, gullibility, pursuit of profit, goodwill, etc. That phenomenon must thus be considered as a whole and not solely through the prism of a particular type of attack. These methods will continue to be used on a massive scale in future, as long as they allow criminals to gain information, money, or access in ways that technological means alone cannot, or at least not easily. In light of this threat, an absolute priority is thus to raise the awareness of the user. Users must learn to develop a prudent – even suspicious – attitude in general when faced with any interlocutor requesting the user to furnish information, follow a link, or open an attachment. Verifying the legitimacy of every request has to be an imperative and a basic reflex of every user. In companies, the internal processes must be clearly defined and followed at all times, especially when they concern financial flows.

The possibility for attackers to gain access to the entirety of a network simply by compromising a single account must also be questioned, limiting access and privileges in a general manner and granting them only where truly necessary. Finally, the control of information that an entity or individual puts online, on a website or social network for instance, must also be envisaged under the aspect of potential utilisation by a party with bad intent. "Social engineers" in effect know how to use that information to refine their attacks and enhance their chances of success.

58 See also the definition in the reference work by Kevin Mitnick, "The Art of Deception" (2002): "Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."

59 See MELANI Semi-annual report 2013/2, Chapter 4.4: http://www.melani.admin.ch/dokumentation/00123/00124/01565/index.html?lang=en (as at 1 September 2014).

5.2 Media and journalists – attractive targets

Information is the key value that actors carrying out cyber attacks try to attain, mainly across three dimensions: confidentiality, availability, and integrity. In this sense, actors in possession of large quantities of information – as well as those whose jobs consist in the dissemination of information – are consequently interesting targets. Media and journalists are affected by these two cases: their activities cause them to deal with sensitive information, and as disseminators, the information they publish sometimes has a major impact and multiplier effect. Thus, media are often at the front line and are regularly targeted by different types of attack. Not only professional journalists may be targets, but also other information providers ("citizen journalists", bloggers). Numerous sources of information confirm that this trend is rising.

Attacks against the confidentiality of data

A unit dealing with a large volume of information is an interesting target. Different actors, including state actors, may be interested in different types of information held by the media and their employees. One additional aspect is the high mobility of journalists, which increases the potential attack vectors. Mobile devices (smartphones, laptops) are preferred targets for attacks.

The way to gain information depends on the nature and the possibilities of the attacker and the attacker's relationship with the target. In the first case, a state actor may use privileged access to an IT infrastructure allowing the state actor to obtain information. That access – for instance in the case of certain totalitarian states – may allow more or less systematic surveillance based on the takeover of the IT infrastructure and communication systems of their territory. In totalitarian systems, journalists – especially those transmitting an opinion contrary to that of those in power – are a target of choice for such methods. In such cases, the journalist's informer network will also be targeted information.

Actors unable to use that type of privileged access, but with the objective of acquiring information and the means to pursue that objective, will avail themselves of computer network operations (CNO). Examples include campaigns of the APT type, such as those frequently reported on by MELANI, but also attacks of lesser complexity that may also target journalists. These may involve "classical" phishing methods aiming to obtain identification data or spear phishing with the purpose of installing malware on the victim's computer. Some of these attacks have been the subject of sustained public attention, because of statements by victims or the publication of reports by security firms. Examples include the attacks against the e-mail accounts of journalists working at major US media companies (New York Times, Wall Street Journal, Bloomberg, Washington Post), followed by the publication of the APT1 report by Mandiant. Nevertheless, many victims prefer not to make the attacks public.

Attacks against the availability or integrity of data

As information providers – often with a significant multiplier effect depending on their prominence or legitimacy – information sites as well as accounts on the social networks of newspapers or press agencies represent a privileged target for attacks. They are primarily targeted by actors wanting to send out a message of a religious or political nature, trying to enhance their public profile, and sometimes even trying to destabilise public opinion with erroneous information. One actor that has frequently used these methods over the past years is the Syrian Electronic Army (SEA).60 One of the most striking attacks by that actor was without a doubt the hacking of the Twitter account of the Associated Press (AP) and the publication of a tweet announcing an explosion at the White House that had purportedly injured President Obama. This message had a major resonance, due to the large number of followers who relayed the information, and it had a visible impact on the US markets. It was made possible thanks to several thefts of identification data from AP employees during an intense phishing campaign. In addition to attacks against social networks, defacing of information sites is also a possibility that may be used by that type of actor.

The development of the Internet has not only given rise to a multiplication of information providers (classical media, blogs, citizen journalists) but also an increase in the technologies and platforms used (social networks, websites, forums, etc.). For some actors, these developments may also be considered opportunities, in that they multiply the ways to obtain information as well as the possibilities for spreading messages effectively. The pressure on information and its providers continuously grows. This must lead to a higher level of vigilance on the part of those professions. Different elements must be taken into account in the context of a specific risk analysis. First of all, the initial infiltration methods for accessing targeted systems or accounts (spear phishing and more globally social engineering) must be made the object of particular sensitisation. At that level, mobility must also be considered an additional vulnerability factor, in that it increases the potential attack vectors. Another aspect of analysis is the question of surveillance, which may be carried out in certain situations by actors benefitting from privileged access to an infrastructure, and solutions for dealing with it. In that regard, the possibilities available to secure communications must remain the focus of considerations. The choice of Internet service provider, especially for e-mail services or data storage, must also be viewed from the perspective of guarantees in regard to confidentiality of data.

60 See MELANI Semi-annual report 2013/2, Chapter 4.8: http://www.melani.admin.ch/dokumentation/00123/00124/01565/index.html?lang=en (as at 1 September 2014).

5.3 Internet developments after Snowden

"Privacy on the Internet" suffered heavily after the first Snowden leaks. The leaked documents suggested that most data flows are monitored and also that data located at US companies is anything but protected from access by the US government. Individual users are facing this development rather helplessly. Users may change their behaviour to some extent, for instance by selecting their ICT service provider or additional encryption methods. (For instance, the Swiss WhatsApp alternative "Threema" has recently attracted many new users.61) Nevertheless, users are in many cases dependent on standardised hardware and software components. But have Internet developments already been influenced by the insights gained from the Snowden affair? It is certainly too soon to identify any long-term changes. But there are public and private initiatives that are based at least in part on the newest Snowden insights.

Two trends can currently be seen: On the one hand, governments are trying to make certain parts of the Internet more independent from the United States. This includes the construction of their own networks or the use of their own components. On the other hand, US companies are trying to regain trust in the Internet system by employing new encryption techniques and other measures.

Initiatives for more independent networks

Angela Merkel has launched an initiative for inner-European data traffic. The EU Commission has signalled support in this regard.62 Since the beginning of the leaks of the NSA documents, there have been proposals for a network that would permit purely inner-European data traffic. The idea is that data packets between Internet users in the Schengen area would in fact remain within those borders. Today, a data packet looks for the fastest route, which may pass through the United States. It remains to be seen to what extent something like this can actually be implemented. It must also be taken into account that plans like these are also subject to economic policy or national policy.63

Already in the autumn of 2013, Brazilian President Dilma Rousseff announced that Brazil plans to increase the number of independent Internet connections with other countries.64

Also in Switzerland, the published information has had initial consequences. At the beginning of February 2014, the Federal Council decided that critical infrastructures, such as the communication networks of the Federal Administration, should be built within Switzerland where possible and that other orders should also be placed with Swiss companies where possible. This primarily concerns the ICT infrastructures of the federal government that require confidentiality, such as telephones, mobile telephones, computers and networks, and military facilities.65

61 http://www.handelsblatt.com/unternehmen/it-medien/instant-messenger-whatsapp-alternative-threema-waechst-rasant/9519942.html (as at 1 September 2014).

62 http://www.heise.de/newsticker/meldung/Bruessel-unterstuetzt-Merkels-Vorstoss-fuer-Schengen-Netz-2116663.html (as at 1 September 2014).

63 http://www.welt.de/politik/ausland/article126925318/Schengen-Cloud-koennte-zum-Handelskrieg-fuehren.html (as at 1 September 2014).

64 http://www.theguardian.com/world/2013/sep/20/brazil-dilma-rousseff-internet-us-control (as at 1 September 2014).

By September 2015, an international structure is to be developed for the Internet Corporation for Assigned Names and Numbers (ICANN). This development includes the private sector, governments, and the public. ICANN, which is registered as a non-profit organisation, coordinates the allocation of unique names and addresses on the Internet and is subject to the supervision of the US Department of Commerce. The current contract with the US government ends in 2015. Already for quite some time, there have been initiatives to this effect, mainly from Russia and China, but they have not been taken up so far due to pressure from the Internet industry. While any connection with the current Snowden leaks is being denied by the United States, the United States is now willing to give up control of the ICANN Internet administration.66

Investments by US and non-US firms in IT and legal security

Several e-mail providers switched to transport encryption in the first half of 2014. Already in November 2013, Yahoo announced that it intends to enhance user security step-by-step. At the beginning of the year, web traffic was switched to HTTPS by default. At the beginning of April, all traffic between Yahoo services and the data centres was then also encrypted. A new encrypted version of Yahoo Messenger was likewise announced.67 Similarly, the German e-mail providers Freenet, GMX, Web.de, and Deutsche Telekom have only allowed encrypted communication between users and data centres since the end of April.68

The transport encryption mentioned above refers only to the path between the user and the user's e-mail provider, however. The transport of data between providers must be examined separately. If, for instance, the recipient's provider does not accept encrypted data, the e-mail data will continue to be transmitted without encryption. Google has published a first transparency report for this purpose and also lists the providers that do not accept encryption. According to this report, 75% of the messages sent from Gmail are encrypted, while the share of incoming messages is smaller at 57%.69 Both figures have risen over the last half year. In general, encrypted data traffic has increased heavily in recent months, as a study published in May 2014 shows. Encrypted data traffic has doubled within one year, and in Europe it has even tripled.70

One case currently involving Microsoft might have far-reaching consequences for data storage, especially for cloud services. The question is whether client data of US companies stored in Europe must also be delivered to the United States. This legal dispute is being followed with interest worldwide, especially in light of the Snowden leaks. Specifically, a US district court is demanding that Microsoft hand over e-mails belonging to a customer and other data stored in a data centre in Dublin. Microsoft argues that the US justice system does not have the right to demand data stored outside the United States. The symbolic power of this judgment is enormous: not only the long-term trust of customers in US companies is at stake, but also the jurisdiction over data in a cloud.

65 http://www.nzz.ch/wirtschaft/newsticker/chus-geheimdienstaffaere-br-will-mehr-sicherheit-fuer-telekom-und-informatik-1.18236385 (as at 1 September 2014).

66 http://www.faz.net/aktuell/wirtschaft/netzwirtschaft/amerika-gibt-aufsicht-ueber-internet-verwaltung-auf-12849181.html (as at 1 September 2014).

67 http://yahoo.tumblr.com/post/81529518520/status-update-encryption-at-yahoo (as at 1 September 2014).

68 http://www.computerbild.de/artikel/cb-Aktuell-Sicherheit-E-Mail-made-in-Germany-Telekom-GMX-Web.de-Freenet-SSL-8593819.html (as at 1 September 2014).

69 http://www.google.com/transparencyreport/saferemail/ (as at September 2014).

70 https://www.sandvine.com/trends/global-internet-phenomena/ (as at 1 September 2014).

Also in the United States, there are signs that data gathering by the NSA will be regulated more heavily. President Obama has ordered changes to the data gathering practice of the NSA. For instance, the United States no longer intends to spy on communications of heads of state and government of "friends and allies" abroad, as long as there is no compelling national security reason. The plan is also to grant non-US citizens some of the protections that previously have applied only to US citizens.71 However, these statements are not yet very concrete and are very open to interpretation.

5.4 Two-factor authentication for all services

In the current threat situation, passwords and in general authentications that rely only on a single factor do not offer sufficient security anymore. For this reason, MELANI always recommends using a second factor for authentication. In general, the following authentication factors exist:

• Knowledge: "I prove my identity through knowledge", e.g. a password

• Possession: "I prove my identity through possession"; e.g. a smart card

• Inherence: "I prove my identity through a characteristic", e.g. a fingerprint

If two of these factors are combined, it is called two-factor authentication. Very often, knowledge and possession are combined. This has been the standard in e-banking for quite some time, and many applications of major Internet providers are slowly catching up. A frequently used technique is to send a text message containing a code to a previously defined telephone number. Some services require this step only the first time a device is used, and the device is then permanently stored as trustworthy. Others use a one-time password (OTP) procedure based on an app that generates codes valid only for a short time period (e.g. Google Authenticator).

Some providers that support two-factor authentication:

• Google applications (Gmail, Google+, etc.)

• Outlook.com

• Dropbox

• …..

This type of authentication should also be used for the administration of CMS systems and in general for administration interfaces that are accessible from the Internet: the loss of a password in this area can cause especially great damage, also for third parties. Most CMS systems support two-factor authentication, either directly as in the case of Joomla or using plug-ins as in the case of WordPress, which uses the Henrik Schack plug-in.72 The SSH service under Linux, which also makes encrypted data transfer available and is often attacked using brute force, can be secured for instance with the user-friendly Google Authenticator or a private key/public key procedure.

71 http://www.nzz.ch/aktuell/startseite/obama-setzt-geheimdiensten-engere-grenzen-1.18223803 (as at 1 September 2014).

72 https://wordpress.org/plugins/google-authenticator/ (as at September 2014).


For especially sensitive access or for major companies, technologies using certificates on smart cards or isolated one-time password methods should be considered, since the smartphone itself is connected to the Internet and thus can also be attacked.

5.5 Items of political business

Item | Number | Title | Submitted by | Submission date | Council | Office | Deliberation status & link
Ip | 14.3019 | Procurement. ICT projects | Ruedi Noser / Radical Free Democratic Group FDP | 03.03.2014 | NC | FDF | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143019
Fr | 14.5063 | Telephone wiretapping system ISS | Balthasar Glättli | 05.03.2014 | NC | FDJP | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143193
Kt. Iv | 14.305 | Stop anonymous calls for demonstrations and major events without taking responsibility | Canton of Bern | 19.03.2014 | | | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20140305
Ip | 14.3204 | Consensus of Agur 12 working group. Further steps | Felix Gutzwiller | 20.03.2014 | CS | FDJP | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143204
Po | 14.3193 | Improvement of police investigations in social networks | Karl Vogler | 20.03.2014 | NC | FDJP | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143193
Mo | 14.3288 | Identity abuse. An offence per se | Raphaël Comte | 21.03.2014 | CS | FDJP | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143288
Ip | 14.3240 | Global Internet administration. A unique opportunity for international Geneva | Carlo Sommaruga | 21.03.2014 | NC | FDFA | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143240
Mo | 14.3236 | Adjustment of basic provision of broadband Internet | Martin Candinas | 21.03.2014 | NC | DETEC | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143236
Mo | 14.3011 | Cost reduction through electronic customs procedures | Economic Affairs and Taxation Committee of the NC | 24.03.2014 | NC | FDF | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143011
Mo | 14.3293 | Tax on empty data carriers | Economic Affairs and Taxation Committee of the NC | 08.04.2014 | NC | FDJP | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143293
Ip | 14.3379 | Secure Swiss websites using Swiss companies | Derder Fathi | 08.05.2014 | NC | FDF | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143379
Ip | 14.3351 | Personalised medicine. National biobank instead of foreign private databases for Swiss patients | Barbara Schmid-Federer | 08.05.2014 | NC | FDHA | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143351
Ip | 14.3341 | Planned transition of Swisscom from analogue to Internet telephony for all landlines | Balthasar Glättli | 08.05.2014 | NC | DETEC | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143341
Ip | 14.3409 | Minimal right to digital access | Luc Recordon | 05.06.2014 | CS | DETEC | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143409
Mo | 14.3423 | Positioning of Switzerland as an international platform for the Internet | Ruedi Noser / Radical Free Democratic Group FDP | 10.06.2014 | NC | FDFA | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143423
Po | 14.3532 | Stocktaking and outlook for open source in the Federal Administration | Edith Graf-Lischer | 19.06.2014 | NC | FDF | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143532
Po | 14.3658 | Internet platforms for exchanging services between Internet users, especially for accommodation and transport. Report on consequences and measures to be taken | Carlo Sommaruga | 20.06.2014 | NC | FDF | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143658
Ip | 14.3630 | Rules on advertising. Automatic adoption of EU law | Thomas Müller | 20.06.2014 | NC | FDFA | http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143630


6 Glossary

Access control list (ACL) An access control list (ACL) is a software technique used by operating systems and applications to limit access to data and functions.

Address bar By entering the URL in the address bar of the browser, the corresponding website is accessed.

Advanced Persistent Threat (APT)

This threat results in very great damage impacting a single organization or a country. The attacker is willing to invest a large amount of time, money and knowledge in the attack and generally has substantial resources.

Backdoor "Backdoor" refers to a software feature that allows users to circumvent the usual access control of a computer or of a protected function of a computer programme.

Backup "Backup" means the copying of data with the intent of copying them back in the event of data loss.

Bit/byte A byte is a measurement unit for the data volume of digitally stored and transmitted data. One byte consists of 8 bits.

Botnet A collection of computers infected with malicious bots. These can be fully remotely controlled by the attacker (the owner of the botnet). Depending on its size, a botnet may consist of several hundred to millions of compromised computers.

Brute force The brute force method is a solution to problems that relies on trying out all or at least many of the possible cases.

Cache In computer science, a cache is memory that helps avoid repeated access to a slow background medium or costly new calculations.

Certificate A digital certificate is a digital dataset that certifies certain characteristics of persons or objects and whose authenticity and integrity can be verified using cryptographic methods.

Certificate authority

A certificate authority is an organisation issuing a digital certificate. A digital certificate is the cyberspace equivalent of a personal identification card and serves to assign a specific public key to a person or organisation. This assignment is certified by the certificate authority with its own digital signature.


Chat Chat refers to real-time electronic communication, usually via the Internet.

Cloud computing Cloud computing (synonym: cloud IT) is a term used in information technology (IT). The IT landscape is no longer operated/provided by the provider himself, but rather obtained via one or more providers. The applications and data are no longer located on a local computer or corporate computing centres, but rather in a cloud. These remote systems are accessed via a network.

Code review Reviews are used to manually check work results in software development.

Command and Control Server Most bots can be monitored by a botmaster and receive commands via a communication channel. This channel is called command & control server.

Computer network operations (CNO)

In warfare, computer network operations are measures to gain information superiority against an enemy or to limit the enemy's information superiority.

Content Management System (CMS)

A content management system (CMS) is a system that makes possible and organizes the joint preparation and processing of content, consisting of text and multimedia documents, generally for the World Wide Web. An author may operate such a system even without programming or HTML knowledge. The information to be displayed is referred to as "content".

Defacement Unauthorized alteration of websites.

Diffie-Hellman Diffie-Hellman key exchange or Diffie-Hellman-Merkle key exchange is a key exchange protocol. Two communication partners employ it to generate a secret key that only they know.

DNS Domain Name System. With the help of DNS the internet and its services can be utilised in a user-friendly way, because users can utilise names instead of IP addresses (e.g. www.melani.admin.ch).

DNS Amplification/Reflection Attack

A denial of service attack (DoS) that exploits publicly accessible DNS servers and uses these as amplifiers.

DoS attacks

Denial of service attacks. Have the goal of causing a loss of a specific service to users or at least to considerably restrict the accessibility of the service.

Drive-by infection Infection of a computer with malware simply by visiting a website. Often the websites concerned contain reputable offerings and have already been compromised beforehand for the purposes of spreading the malware. The infection occurs mostly by trying out exploits for vulnerabilities not yet patched by the visitor.

Driver software

A device driver, or simply "driver", is a computer programme or software module that controls the interaction with connected devices.

Exploit code (or exploit) A program, a script or a line of code with which vulnerabilities in a computer system can be used to advantage.

Fingerprint In IT, fingerprints are often hash functions for identifying a file.

Hardware security module (HSM)

The term "hardware security module" (HSM) refers to an (internal or external) peripheral device for the efficient and secure execution of cryptographic operations or applications.

HTTP Strict Transport Security HTTP Strict Transport Security (HSTS) is a web server setting that forces an encrypted connection between the web server and the user.

HTTP (HyperText Transfer Protocol) A communication standard for transferring HTML documents (e.g. over the Internet).

HTTPS A protocol for the secure, i.e. encrypted transmission of HTML documents (e.g. via the Internet).

Ingress filtering Generally speaking, ingress filtering is used to protect networks from undesired incoming data traffic.

Internet Service Provider (ISP) Internet Service Provider. Companies that provide different services, mostly against payment, which are necessary for using or operating internet services.

IP address Address to uniquely identify computers on the Internet or on a TCP/IP network (e.g.: 172.16.54.87).

Least privilege The concept of least privilege means that a subject (user, process or component) should not be given access to a component unless absolutely necessary.

Malicious Code

Generic term for software which carries out harmful functions on a computer. This comprises amongst others viruses, worms, Trojan horses.

Metadata

"Metadata" and "meta-information" refer to data containing information about other data.


NTP Network Time Protocol (NTP) is a standard for clock synchronization between computer systems over packet-switched communication networks.

OPC server OLE for Process Control (OPC) was the original name for standardised software interfaces meant to enable data exchange between applications of different manufacturers in automation technology.

OpenSSL OpenSSL, originally SSLeay, is free software implementing Transport Layer Security (TLS), originally Secure Sockets Layer (SSL).

OTP A one-time password is a password for authentication or authorisation. Each one-time password is valid only for a single use and cannot be used a second time.

Patch Software which replaces the faulty part of a programme with a fault-free version. Patches are used to eliminate security holes.

Peer-to-peer (P2P) Network architecture in which the systems involved can carry out similar functions (in contrast to client-server architecture). P2P is often used for exchanging data.

Phishing Fraudsters phish in order to obtain confidential data from unsuspecting Internet users. This may, for example, be account information from online auction sites (e.g. eBay) or access data for Internet banking. The fraudsters take advantage of their victims' good faith and helpfulness by sending them e-mails with forged sender addresses.

Pingback Pingback is a method that allows web authors to request notification as soon as someone links to their documents or pages.

Port A port is part of a network address that allows operating systems to allocate TCP and UDP connections and data packets to server and client programs.

Private key/public key The public key method is an asymmetric, cryptographic method that uses a pair of keys. This cryptographic pair of keys consists of a public and a private key.

Programmable logic controller (PLC) A programmable logic controller (PLC) is a digitally programmed device used to control or regulate a machine or facility. For some years, it has replaced hardwired control elements in most domains.

Ransomware A form of malware used to extort money from the owners of infected computers. Typically, the perpetrator encrypts or deletes data on an infected computer and provides the code needed to recover the data only after a ransom has been paid.

Remote Administration Tool A remote administration tool is used for the remote administration of any number of computers or computing systems.

Remote procedure call (RPC) Remote procedure call (RPC) is a technique for realising inter-process communication. It allows functions to be called within other address spaces.

Router Devices in computer networks, telecommunications or the Internet used to link or separate several networks. Routers are used, for instance, in home networks, establishing the connection between the internal network and the Internet.

Smartphone A smartphone is a mobile phone that offers more computer functionality and connectivity than a standard advanced mobile phone.

SMS Short Message Service. Service to send text messages (160 characters maximum) to mobile phone users.

SNMP The Simple Network Management Protocol (SNMP) is a network protocol developed by IETF to monitor and control network elements (e.g., routers, servers, switches, printers, computers, etc.) from a central station.

Social Engineering Social engineering attacks take advantage of people's helpfulness, credulity or lack of self-confidence in order, for example, to gain access to confidential data or to prompt them to perform certain actions.

Spearphishing Targeted phishing attacks. The victims are made to believe that they are communicating via e-mail with a person they are acquainted with.

SSH Secure Shell. A protocol for encrypted communication. It may be used to log in securely to a computer system via a network (e.g. the Internet).

SSL Secure Sockets Layer. Protocol that provides secure communication on the Internet. SSL is used today, for instance, in online financial transactions.

Streaming service Streaming media refers to the simultaneous transmission and reproduction of video and audio data via a network.

Transport encryption Encryption of data in transit between two systems (e.g. two servers), especially for e-mail services between the user and the e-mail provider.

Trojan horses Trojan horses (often referred to as Trojans) are programs that covertly perform harmful actions while disguised as a useful application or file.

Tunnelling In a network, a tunnel or tunnelling refers to the conversion and transmission of a communication protocol that is embedded in a different communication protocol for the purpose of transport.

URL Uniform Resource Locator. The web address of a document. It consists of the protocol name, server name, path and document name (e.g. http://www.melani.admin.ch/test.html).

User Datagram Protocol (UDP) UDP is a minimal, connectionless network protocol belonging to the transport layer of the Internet protocol family. UDP's job is to assign data transferred via the Internet to the proper application.

Video codec A video codec refers to a pair of algorithms that describes the encoding and decoding of digital video material.

Virus A self-replicating computer program with harmful functions that attaches itself to a host program or host file in order to spread.

VPN Virtual Private Network. Provides secure communication between computers across a public network (e.g. the Internet) by encrypting the data flow.

Watering-Hole Attack Targeted infection with malware using websites preferentially used only by a specific user group.

Webmail Webmail refers to services on the World Wide Web for managing e-mails with a web browser.

WLAN WLAN stands for Wireless Local Area Network.