Last Tuesday, DigitalEkho hosted their second CIO roundtable dinner in Luxembourg, at the Restaurant Le Sud in Clausen. After focusing on IT transformation last year, with the CIOs of Deutsche Bank and Centrica, the second Luxembourg networking event by DigitalEkho featured Volker Birk, a prominent hacker, and Markus Schumacher, the CEO of Virtual Forge, around the burning topics of data protection and enterprise system security.


DigitalEkho is an international IT consulting company based in Luxembourg, which addresses specialized IT topics with very experienced senior leaders who come from top positions in the corporate world. The firm focuses on helping enterprises with their most challenging projects in IT security and intellectual property protection, IT transformation, ERP implementation, and managed services.


DigitalEkho was founded by Leon Schumacher, a former Group CIO of Novartis and of Mittal Steel, as well as a board member of several leading technology companies throughout the world. "In my 10 years as Group CIO of very large enterprises", Leon Schumacher explained, "I have always enjoyed and benefitted from small informal networking events with CIOs of similar mind-sets, large organizations and interesting challenges. Even though I may have changed to the service side of IT in founding DigitalEkho, I have continued the activities of hosting CIO roundtables with friends of mine as speakers since I started it in 2006 together with the CIO Executive Council in the US".


Big Data and its overall impact

"You must understand", opened Volker Birk, member of the Chaos Computer Club, Europe's largest association of hackers, "that from a hacker's point of view, information is power: the power to know more than the other, and especially the power to know about the other". Since the advent of modern forms of telephony such as ISDN, cellular phone systems, and VoIP, eavesdropping on phone calls has become incredibly cheap and easy, "even when the recordings are stored", thanks to Moore's law applied to the storage industry. "The same goes for video calls. Reading your email and watching all your internet activities is even cheaper, at incredibly low costs. And because it's possible, it's happening everywhere, all the time".


"Of course, organisations are protecting their networks. But are they protecting their information? And what about the communication channels with the partners and customers? What about the increasing use of the Cloud? These issues probably require a change in mind-set", he warned the CIOs attending the conference.


We are privatising this power by granting private companies the pervasive – and, more often than not, abusive – access to information that used to be reserved for public authorities: "Snowden wasn't hired by the NSA, he was employed by a private subcontractor, Booz Allen Hamilton", underlined Volker Birk. Booz Allen Hamilton is one of America's biggest security contractors and a significant part of the constantly revolving door between the US intelligence establishment and the private sector, according to The Guardian (ed. note).


Private actors are indeed increasingly used to provide intelligence services around the world. They have the potential to significantly affect security as well as the protection of human and civil rights. This poses significant challenges to existing regulation, raising the question of how to effectively oversee private security and intelligence companies and hold them accountable under the law. "Business is war today and political power gives a prerogative in the interpretation of the rules. The US and the Five Eyes are privatizing their work. And Europeans already lost this campaign", Volker Birk commented.


"Microsoft, Apple, Facebook, and Twitter are all US companies. Modern software is American because Europe doesn't know how to organise venture capital. And things are getting even worse, as all hardware today is made in China – and hardware-based attacks run below the software layer. So what does an army do if the adversary has an unattainable advantage on the battlefield? It prepares its defences by building fortifications. Luxembourg is right to build fortresses – physical in the past, now for data. But we must not overlook that we have to secure the communications between these fortresses too", concluded Volker Birk.


Why SAP security is becoming increasingly important

Almost every SAP implementation project requires custom code and changes to system configuration settings. Without a cautious approach, such changes add an enormous risk to the business: not only the risk of system failures or degraded system performance, but also of cyber-attacks and fraud. Markus Schumacher is the CEO of Virtual Forge, an independent supplier of security, compliance and quality products for SAP systems and applications, and a partner of DigitalEkho. The company's collection of services and software tools addresses these problems and reduces the risks arising from custom code and individual system settings.


"More than 248,000 companies worldwide are using SAP", recalled Markus Schumacher. "SAP customers transport 1.1 billion passengers per year, produce 65% of all TVs, manufacture 77,000 cars per day, and publish 52% of all movies. 82% of all input processed by custom apps comes via SAP GUI (the platform used for remote access to an SAP server, ed. note), and 17% from RFC (i.e. the call of a function module that runs in a different system from the calling program, ed. note). Consequently, malicious insiders have the highest chance of successfully exploiting weaknesses in SAP applications".


Search engines are the hacker's best friends

SAP systems and their ABAP extensions expose web-enabled content that can be accessed with an ordinary web browser. Some of these services can be misused, making unauthorised access possible, and some critical services are active by default. SAP is taking steps to improve security, and newly discovered vulnerabilities are fixed regularly. But it is crucial to install security patches immediately: attackers are aware of every published vulnerability, and customers often leave them unpatched or patch them late.


Given the high occurrence of security incidents (due to defective authorisation checks, directory traversals, ABAP command injection, …), and the moderate cost of correcting a defect in the early stages of a project compared to the damage caused by an attack, a system crash or a data loss, it is important to make preventive measures, the identification of key risks, and error correction in SAP environments critical parts of your security strategy. To help customers with this topic, DigitalEkho offers interested companies a free scan of their ABAP code as well as subsequent remediation activities.


Solving the data protection equation at ICT Spring Europe

Volker Birk, as a representative of the Chaos Computer Club, will be one of the world-class lecturers present at ICT Spring Europe 2014, taking place at the New Conference Center of Luxembourg Kirchberg on 3rd & 4th July. The exclusive program of seminars and presentations will be delivered by some of the world's biggest names in cybersecurity, data protection and civil liberties including, besides Volker Birk, Viviane Reding, Vice-President of the European Commission, Lt. General Minihan, former Director of the NSA, and Brant Cooper, the author of the New York Times bestseller "The Lean Entrepreneur".


Additional information can be found on DigitalEkho's web site and Leon Schumacher's blog.


Michaël Renotte


Published 20 June 2014