SRC invites you to the webinar “Security of mobile applications”

SRC invites you to the free webinar “Mobile Application Security” on 10 June 2021. The four-hour event will focus on potential targets, attack strategies and the defence against attacks on applications on mobile devices.

Due to the flexible use of mobile applications, smartphones store and process a large amount of sensitive data. This makes them an increasingly attractive target for attackers. Malware such as banking Trojans and ransomware is already being used specifically against mobile applications. Along with this, the need for security of mobile applications is also increasing in order to effectively protect the data of their users.

SRC Security Research & Consulting GmbH offers a half-day webinar on the topic of mobile application security. The aim of the webinar is to understand the approach of attackers when analysing mobile applications, to be able to identify risks and to harden the applications accordingly already during development.

Lutz Weimann, SRC expert for mobile security, is a computer scientist with a focus on complex software systems. In his work, he has dealt intensively with fuzzing, software and network security and penetration tests. Lutz Weimann gives software architects and developers an insight into the procedural model of attackers. How are mobile applications analysed? How are risks identified and assessed? How can applications be hardened during development?

Register for the webinar // Mobile Application Security! Places are limited.

IT security in the health sector: Regulation is necessary and overdue

Open interfaces, outdated technology and different interests: IT security in the health sector is a complex topic, after all it is about the needs and safety of the patient. A major problem is the lack of regulation on the part of authorities such as the Federal Institute for Drugs and Medical Technology and the Federal Office for Information Security — currently there are only recommendations but no binding guidelines.

The Federal Office for Information Security (BSI), the Federal Institute for Drugs and Medical Devices (BfArM) and gematik are the competent authorities for IT security of medical devices in Germany. It must be ensured that unauthorised persons cannot use the IT in medical devices and systems against the patient and that components and systems are only open to authorised persons. Companies specialising in IT security, such as SRC Security Research & Consulting GmbH from Bonn, can help here. Regulation is necessary to create security standards, although a sense of proportion is needed here, because over-regulation can also cause damage.

Under the title “IT Security in the Healthcare Sector: Regulation is necessary and overdue” (German), the magazine “all about security” gave Randolf-Heiko Skerka, Head of IS Management at SRC Security Research & Consulting GmbH, the opportunity to comment comprehensively.

If you are interested, we would be pleased to hear from you.

BSI publishes CC certifi­cates of connectors in the healthcare sector

Within the framework of the gematik telematics infrastructure, a connector coordinates and encrypts the communication between the client system, eGK, HBA/SMC and the central telematics infrastructure. It thus represents the link between these components on the decentralised service provider side and the central telematics infrastructure.

A connector fulfils security requirements that have been laid down in corresponding protection profiles.

The connector in product type version 3 comprises the following components:

  • the network connector,
  • the application connector including a signature application,
  • the specialised modules “Versichertenstammdatenmanagement” (VSDM), “Notfalldatenmanagement” (NFDM) and “Arzneimitteltherapiesicherheit/elektr. Medikationsplan” (AMTS/eMP).

SRC has successfully evaluated the network and application connector in product type version 3 of the company Research Industrial Systems Engineering (RISE) Forschungs-, Entwicklungs- und Großprojektberatung GmbH. The certificates BSI-DSZ-CC-1052-V3-2021 and BSI-DSZ-CC-1132-2021 have been published by the BSI.

In addition, SRC has successfully evaluated the network and application connector in product type version 3 of the company secunet Security Networks AG. The certificates BSI-DSZ-CC-1044-V3-2020 and BSI-DSZ-CC-1135-2020 have been published by the BSI.

For questions about Common Criteria or other evaluations, please contact us.

Certification of fiskaly Cloud Crypto Service Provider

Among other things, the Tax Code provides for a combination of technical and organisational measures to effectively prevent manipulation of digital basic records. The core of these measures is a certified technical security device (TSE for short). The TSE is the central technical component for securing the basic records against subsequent manipulation. The certification aims to ensure a uniform minimum level of trust and security in the TSE as well as compliance with necessary interoperability requirements.

Cash register systems keep digital basic records in the above sense. Therefore, the Cash Register Security Ordinance of the Federal Ministry of Finance specifies requirements for the certification of TSEs, which have been implemented accordingly by the BSI. These include detailed requirements for the security module, the storage medium, the digital interface and the electronic storage, which have been published in the form of several technical guidelines and protection profiles.

The central security component of a TSE is a so-called Cryptographic Service Provider (CSP). This is the component that performs the cryptographic signature operations and securely manages essential components such as cryptographic keys and other parameters.

The BSI has certified fiskaly’s CSP Light based on the evaluation results of SRC. This CSP Light is implemented as a cloud service to enable integration into networks.

In contrast, CSPs can also be realised in the form of smart cards for stand-alone systems. Such products have also already been evaluated by SRC.

PCI DSS v4.0 release delayed

The publication of a new, fundamentally revised version of the payment transaction standard PCI DSS has been announced since 2019. We are eagerly awaiting the changes that the new version will bring.

After PCI DSS v4.0 had already undergone two RFC phases in 2019 and 2020, the PCI Security Standards Council has now decided to also initiate an RFC phase for supporting documents in June 2021, in particular for

  • the template for the Report on Compliance (ROC),
  • the template for the Attestation of Compliance (AOC), and
  • the self-assessment questionnaires (SAQs).

However, this will also delay the publication of PCI DSS v4.0.

Instead of the announced release period in Q2 2021, the target period for finalization is now Q4 2021. The actual release date has not yet been specified.

We must therefore be patient a little longer before we can properly plan the migration. With the shift of the publication date, the planned transition periods from PCI DSS v3.2.1 to v4.0 have also been postponed. We are therefore also postponing our PCI DSS v4.0 webinars to 2022.

How cryptocurrencies create new market opportunities for banks and financial services providers

“The importance of cryptocurrencies is growing ever faster. Banks can use their expertise in implementing regulatory issues to gain a good starting position in the market for cryptocurrency services such as key custody. Through their existing competences in dealing with cryptographic procedures, e.g. in authorisation, online banking or PIN protection, banks already bring along a large part of the technical prerequisites for entering this business field.” SRC expert Dagmar Schoppe explains the opportunities for banks and financial service providers with regard to the development of cryptocurrencies in an article just published on the specialist platform “it-daily.net”.

Are there dependencies on the digital euro?

The increasing interest in cryptocurrencies — in addition to the rapid rise in the euro equivalent of a bitcoin observed in recent days — should also be seen in connection with the discussion about the introduction of a digital euro. The digital euro — according to the perception in the German banking industry (DK) — is assessed as a forward-looking means of payment in a digital economy that coherently complements the existing and proven systems and structures. In this context, the greatest possible synergies should be sought with existing payment transaction solutions so that access to digital central bank money can be secured for end consumers.

New opportunities in the digitalisation of business processes

Institutions face the challenge of increasing their visibility in this new market segment in order to then be able to respond to requests from customers, retailers as well as service providers. In the medium term, the generally growing interest in cryptocurrencies can also result in opportunities for institutions that, for example, offer their corporate customers self-issued cryptocurrencies to support them in the digitalisation of their business processes.

The SRC experts follow the exciting developments in the field of cryptocurrency and the digital euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the opportunities to get involved in this innovative sector.

SRC joins the German IT Security Association (TeleTrusT)

SRC joined the German IT Security Association (TeleTrusT) at the beginning of the year.

The Bundesverband IT-Sicherheit e.V. (TeleTrusT) is a competence network comprising domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations.

Due to the permanently changing requirements in the field of IT security, it is important for SRC that its experts regularly inform themselves about and exchange information on new necessities, techniques, processes and regulations.

TeleTrusT offers particularly good conditions for this, since in addition to the exchange of experts from the business world, contact is also established with politics and science.

SRC will contribute its wide-ranging expertise to the various working groups of TeleTrusT and thus give further significance to the status of IT security in Germany and Europe.

Operational Resilience — Cyber resilience requirements for institutions

Current key topics: Operational Resilience and Cybersecurity

Attacks on the financial system can have serious consequences — not only for the affected company, but also for the entire public. Experts at the Bundesbank and security experts at BaFin and the ECB also cite cyber attacks and a lack of resilience to such attacks as the greatest threat posed by increasing digitization in the financial sector. This is one of the reasons why more legal and regulatory frameworks are being created in order to establish uniform standards across the entire financial sector and increase “operational resilience”.

For both the ECB and BaFin, the focus in 2020 was on “operational resilience” and “cybersecurity”. In addition, the TIBER-EU program was launched at European level, which the Bundesbank implemented as TIBER-DE in September 2020. Alongside this, the EU published its requirements for operational resilience and cybersecurity in October 2020 as part of the Digital Finance Package in the form of DORA (Digital Operational Resilience Act).

The question for those responsible is how these various activities interact and — even more relevant — how efficiently they contribute to the achievement of the objectives.

Revision of MaRisk and BAIT — Operational IT Security

Domestically, BaFin published its approaches to addressing operational IT risks in October with the amendment of MaRisk and BAIT. The importance of the topic is evident in the expansion of the BAIT requirements in a new chapter. Implementing the specific requirements formulated there is likely to pose major challenges for smaller and medium-sized institutions, as they call for operating a security information and event management system (SIEM), setting up and operating a security operations center (SOC), as well as regular internal deviation analyses, vulnerability scans, penetration tests and the simulation of attacks (“red teaming”). In practical terms, this requires the establishment of a professional cyber security department as well as independent internal information security structures. This alone will pose major challenges for the institutions concerned, due to the required expertise and the limited resources on the labor market. Emergency management, also in a separate new chapter in the BAIT, is addressed as a further focal point.

The TIBER Program of the ECB and the Bundesbank

Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) program. TIBER-EU serves as a framework for threat-led penetration testing that financial institutions can use to put their own resilience to cyberattacks to the test. The goal here is to create a “gold standard” of penetration testing. The clear reluctance to participate in TIBER-DE can be explained on the one hand by the complex scope of the project and the significant risks, and on the other hand by the “voluntary nature” of participation. Of course, especially in 2020, many internal forces are tied up elsewhere, also due to the Covid pandemic. The question arises as to whether the institutions subjectively perceive the risk of a cyber attack as critical.

Digital Operational Resilience Act (DORA) of the EU

With the publication of the Digital Finance Package, the EU regulatory framework on digital operational resilience contains a comprehensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Up to now, national regulations for operational resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmentation also carries the risk of inconsistencies and is associated with additional high expenses for institutions operating across Europe.

It is therefore highly desirable to strive for uniform regulations with DORA, in particular for risk management, testing, outsourcing, and emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a significant reduction in administrative effort for the institutions will certainly also be achieved.

Increasing Cyber Resilience together

The SRC experts will gladly discuss the new developments and their impact on the legal and regulatory level with you. Together we analyze your need for action and support you in the implementation. We evaluate the amendment of MaRisk and BAIT for your institution, support you in the preparation, execution and analysis of TIBER tests and analyze the planned requirements of DORA. You can draw on our experience from countless penetration tests, banking compliance and information security management projects.

Cryptocurrencies — When and how will the Digital Euro emerge?

The European Central Bank’s (ECB) public consultation on the Digital Euro concluded on January 12, 2021. Based on the statements received, a fundamental decision on the continuation of this major project is expected in the summer of 2021. In this context, the developments of the private sector cryptocurrencies Bitcoin and Diem (formerly Libra) are also considered. Other central banks’ activities, e.g. in Sweden regarding the “E-Krona” as well as in China, will certainly have an impact in this regard as well.

Statement of the German Banking Industry Committee

In its statement on the Digital Euro, the German Banking Industry Committee expressed its support for the ECB’s activities and pledged its assistance with the design and project planning.

“For the German Banking Industry Committee, the introduction of a Digital Euro by the Eurosystem has the potential to strengthen Europe’s competitiveness, depending on how it is designed. However, it also carries the risk of fundamentally changing the geometry of the European banking system. Banks in Germany and Europe play a key role in the economic cycle and make an indispensable contribution to the efficient supply of financial resources to companies and consumers. That alone is why it is important to involve the banking industry in the considerations of a digital currency at an early stage.”

Karl-Peter Schackmann-Fallis, Executive Member of the Board of the German Savings Banks Association.

Predominantly positive tenor

The tenor of the German Banking Industry Committee statement is mostly positive. The Digital Euro is considered to be a pioneering payment method in a digital economy, which coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment transaction solutions in order to ensure access to digital central bank money for end consumers. There is consensus that digitization is changing payment transactions and that the ECB needs to carefully design the Digital Euro to ensure financial stability. To implement the targeted activities, high investments are inevitable for both institutions and the economy. But the use of modern tokenization solutions, e.g. through Distributed Ledger Technology (DLT), enables the implementation of innovative payment solutions. In this context, the use of smart contracts and micropayments, services such as “Blockchain as a Service”, “Smart Contracts as a Service” or payment offers in the Internet of Things (IoT) are conceivable.

Need for clarification

It is considered critical that the proven two-tier banking system with central bank and commercial banks could be called into question. According to the German Banking Industry Committee, this constellation is essential for money market stability, the supply of loans to companies and private individuals, and the acceptance of and trust in the payment methods issued. The established banking system is seen as a crucial component for ongoing economic growth.

Another open question is to what extent a Digital Euro is to be regarded as a crypto-asset in the sense of MiCA (Proposal for a regulation on Markets in Crypto-assets) and what implications this might have. The German Banking Industry Committee has also issued a statement on the ECB’s proposed regulation.

There is a need for further clarification with regard to some regulatory issues. In this context, the German Banking Industry Committee proposes an orientation towards existing standards. All parties involved should at least comply with the requirements of

From the German Banking Industry Committee’s point of view, legal certainty, uniform specifications for a token-based fiat money and an appropriate regulatory standard are the basic prerequisites for consumer acceptance and trust in the Digital Euro.

Courses of action for payment institutions

The discussion on the Digital Euro has to be seen in the context of the general increase in the importance of cryptocurrencies. Many companies have long since recognized that Distributed Ledger Technology can help to efficiently digitize complex supply relationships. It is therefore a logical consequence that there is also growing interest in using this new technology to process payments as well. In the future, it will certainly not only be central bank-issued cryptocurrencies that will be used. For payment institutions, the generally growing interest in cryptocurrencies increasingly results in the need to offer their own customers storage of and trading in cryptocurrencies. In addition, opportunities may also arise for institutions that offer their corporate customers self-issued cryptocurrencies to support them in the digitalization of their business processes.

The SRC experts will keep an eye on the exciting developments in the field of cryptocurrency and the Digital Euro for you and support you in the realization of your crypto storage service. We will gladly inform you about the options to get involved in this innovative sector.

BSI publishes study results on the security of medical products and care products

The thought of unsafe medical or care products is disconcerting. Especially in a sensitive area such as the health care sector, the affected person trusts in the best possible help. But especially with the advancing digitalisation in the healthcare sector, vulnerabilities are increasingly appearing in networked medical, IoT and elderly care products. If such vulnerabilities are discovered or even exploited, this often poses a major problem for users and manufacturers of these products.

The Federal Office for Information Security (BSI) therefore initiated the projects “ManiMed — Manipulation of Medical Devices” and “eCare — Digitisation in Care” in order to be able to assess the IT security of selected products.

The studies now published by the BSI enable manufacturers to improve the IT security features of their products. In addition, users of medical devices are informed about which IT security features could be critical. Improved IT security features strengthen the confidence of patients and doctors in the security of networked medical devices. In the study, a total of six products from different categories were examined in terms of IT security.

SRC played a major role in the preparation of the eCare study. The study focused on networked products (both medical and IoT products) that are used in the field of care for the elderly or sick. These include, for example, devices for measuring vital data or a tablet for senior citizens. A total of six products from different categories were examined from an IT security perspective. The results of the study can be found on the BSI website for download.

In summary, the IT security level of the products examined can be rated as poor to very poor. The results lead us to believe that none of the products examined, including their interfaces, apps, etc., have been subjected to a professional security evaluation, an independent penetration test or similar.