News articles

Information Security...

...sounds tiring. It is. But we have to get throug it.

(published on 28.04.2021 by Marianne Rudigier)

All of us.

Even when we think we can do without "smart" products[1]. Because that is almost impossible. For example, if I were to decide to do without all of these products, my everyday life would still be characterized by a "smart" or rather computerized environment. I do my work on a computer and I communicate regularly (and especially in the home office) via my smartphone. So, if I wanted to do without these products, I would have to take up a new profession. I enter my fitness center with a smart card that knows which services I'm allowed to use, and many stores I visit have sensors that can follow the movements of customers, among other things. There are cities that install "smart" sensors in streets, lanterns and sidewalks, and use "smart" power grids and traffic routes to identify peak times to better direct traffic flows. So I would have to be very cut off to avoid this "smartification."

In 2017, 8.4 billion devices were connected to the Internet. By 2021, there should have been around 35 billion devices[2]. The Internet is also increasingly becoming a component of cheaper devices (keyword: Internet of Things). On the one hand, because the cost of these technologies is steadily falling and, on the other, because manufacturers hope this will give them a competitive edge. And because it is possible.

In its entirety, a complex system is created in which everything is interconnected. Bruce Schneier (a renowned IT security specialist from the USA, whose book "Click here to kill everybody" is the main source of this article) uses the term "Internet+" for this, consisting of the Internet, the "smart" products and us humans. The Internet of Things is not particularly "smart" at present, but it will become continuously smarter. With all-encompassing interconnectivity, the Internet+ is not only becoming more powerful, but unfortunately also more vulnerable. During the development of the Internet, security was not given much attention[3]. Many of the original Internet protocols are still in use today. Since computer systems can be expanded almost at will, the problem of inadequate security grows along with the number of systems. In a "system of systems", the participating systems interact with each other. Weaknesses in one system can spread to others. This results in security vulnerabilities that no one anticipated during development. In 2017, for example, hackers penetrated a casino's network via an aquarium connected to the Internet and gained access to sensitive data (fascinating, isn't it?).

On top of that, attack technologies are also constantly improving. Attacks are becoming faster, cheaper and easier. What is only theoretically possible today will be put into practice tomorrow. And because our information systems will remain in use much longer than originally planned, we already have to think about the attackers who will use the technologies of the future when it comes to current developments. At the same time, however, security is often "forgotten" when software is created. High-quality software is not rewarded to the same extent as early completion or under-budgeting, which in turn leads to security vulnerabilities that - if found - must be patched promptly. However, many users do not know what "patching" means (and you can't blame them for not knowing).

As bad as such vulnerabilities are, however, the most common way hackers penetrate networks is by tricking the authentication process. They steal passwords, set up so-called man-in-the-middle attacks to abuse legitimate logins, or impersonate authorized users. However, hackers do not necessarily need security vulnerabilities in software to steal user data; in fact, a successful phishing campaign usually leads to the goal more easily and quickly.

80% of successful attacks are due to the misuse of access data. From mid-2016 to mid-2017, Google studied the behavior of Gmail users and found that 12 million (!) phishing attacks had been successfully carried out every week (!) during this period. The majority of passwords used are also of poor quality (123456 or qwertz are still extremely popular), making it easy for hackers to figure them out. 

What's more, in exchange for supposedly free services, we give up control over our data and resources. Google, Microsoft, Amazon, Facebook and Apple (and Elon Musk and Bytedance, etc.) have astonishingly far-reaching control over what we can look at and what we can do and when. With the Internet+, the amount of data and companies collecting it will increase even more. Not enough, there is also an increasing risk that attacks will place a greater emphasis on altering or manipulating data (such as imagery, manipulating messages, and the like) to compromise its integrity (i.e., its accuracy and reliability). This is to influence decision-making in order to weaken trust in existing (political) systems or to cause physical damage.[4]

Reasons enough to take a closer look at the topic of information security, don't you think?

What can we do as TU Wien and in general as users of "smart" devices to protect ourselves and our data from these threats?

On the one hand, systems should be developed from the beginning in such a way that it is less likely that they will be successfully attacked (keyword: privacy by design and default...). For another, we should be much more conscious of our data, producing less data in the first place, disclosing it, deleting it, and, above all, protecting it with strong, unique passwords and, preferably, a second factor.

As a university, we have a great influence on the former in that we can instill an awareness of the concept of "privacy by design and default" in future developers of technology. This concept should not only be considered from the beginning of research projects. Information security and data protection should also be included in projects in the administration departments right from the start of the project.

Each and every one of us is called upon to deal consciously with data. On the one hand, we can protect our data by using secure passwords (and a unique one for each application! Please!), by encrypting our end devices, by storing data not locally on the computer but in centrally provided file systems (for private purposes, we recommend backing up data on an external, encrypted hard drive), and by considering whether using a service that is supposedly provided free of charge is really worth giving up privacy.

You can learn more about information security in our regular training sessions.

[1] Note: "smart" products are those that can collect and share data during the manufacturing and use phases.

[2] See: findstack.com/de/internet-of-things-statistics/, opens an external URL in a new window, opens an external URL in a new window (last accessed 04/26/2022).

[3] Note: The Internet was developed in a closed and trusted environment in academia and the military. Network security, while important, was nowhere near as complex as it is today, where it extends to business environments, around the world, to private homes, and to open wireless communications.

[4] Cf. to here. B. Schneier, Click here to kill everybody. Internet security risk and corporate and government responsibility. New York 2018.