Information security: "A residual risk remains"

Peter Vahrenhorst is chief detective in the "Cybercrime Competence Centre" of the NRW State Criminal Police Office. In the //next interview, the investigator outlines the most common current attack methods and warns of typical vulnerabilities in the IT systems of companies, consumers and self-driving cars.

As a cyber investigator, Peter Vahrenhorst is a sought-after speaker on security topics, here he is speaking at the summer festival of the Herford Furniture Associations in 2018.

Mr. Vahrenhorst, as a Criminal Investigator in the "Cybercrime Competence Centre" you have exciting insights into the subject area of "cybersecurity". How did you come to this unit - and what are your tasks there?

Well, I've been a police officer for 41 years - but I came to my new unit rather by chance: I was able to change careers through my studies in 1998 and initially had to deal with spied-out access data. In retrospect, that was in a way the start of my career as a cyber investigator. Over time, this has developed further. The police established a separate police department for this future field, for which I then conducted investigations for ten years. Then the topic of "prevention" came up - here in North Rhine-Westphalia, a "Cyber Crime Competence Centre" was set up for this purpose in the State Criminal Police Office in 2011. Since then, I have been responsible for the topic of "awareness", i.e. education and prevention for companies. In other words: I give companies, their employees and especially the management tips on how to make their digitalisation more secure. The so-called "lessons learned" from our investigations provide important impulses: Why should companies take which steps at all costs to avoid falling into similar traps as those who have already been harmed?

What happened to those companies? Do you have any current examples of typical threats?  

Currently, we are mainly concerned with the topic of "ransomware": Hackers penetrate the system, encrypt sensitive data and deny access to legitimate users. Only after paying a ransom - ransomware - do they get the key to use their data again. Unfortunately, this is currently one of the major phenomena of our time! Vulnerabilities in systems make it easy for the perpetrators. Companies are then often willing to pay because they need their data. This happens to both small and larger companies. That's why we have to put so much emphasis on protecting functionalities! On the other hand, there are also perpetrators who target private individuals. For example, online banking is also cracked again and again in order to withdraw money. Perpetrators are always active where there is money to be taken. Globalisation and digitalisation also play a role here: the perpetrators can be located anywhere in the world - whether in China, Russia, North Korea, America or here in Germany. The victim does not know his counterpart. Often they are not even aware of their vulnerabilities before the crime. Only after the crime do they realise how important IT security would have been ... 

Let's stay with private households: What has changed for them through the use of smart gadgets? For example, I use a robot hoover. Does that also harbour dangers?

Generally speaking, if you use smart technology in your home, please do so consciously and with security in mind! Many attacks are directed at online banking via notebook: As recommended, this is often done with 2-factor authentication. But for the sake of convenience, many use a certificate that is permanently installed on the computer. And if you leave your laptop for a moment and come back, 25,000 euros are missing from your account. How can that be? No one else was in the house, no one broke in - and yet the money is missing? The bank says, "It was your device, your 2-factor authentication: You did it!" But the technical analysis shows: The notebook was connected via the same WLAN as all the other devices. And in the refrigerator, which also has a WLAN component, there was a weak spot in the software. A hacker used this to penetrate the home network and also had access to the notebook. Through the permanently installed certificate, he was then able to debit the money without entering a password. This risk can be minimised by changing the settings for 2-factor authentication (more on this topic here on //next)! Otherwise, you have the option of setting up two Wi-Fi networks at home: one for TVs, dishwashers, Alexa, light bulbs and vacuum robots - and the other for banking and home office. In addition, we are generally very careless with our data! We reveal our identity in every competition, post on social media like Facebook and Instagram. Of course, this allows conclusions to be drawn about our person. That doesn't have to be bad, but it can be critical in a sensitive area ...

What do you think of the smart home concept in general? Do smart water sensors, home cameras & Co. pose more risks than they bring advantages?

Basically, I am very open to such technologies. I now own three Alexas, a vacuum cleaner robot and many digital lights. But: If I treat myself to such gadgets, then I absolutely have to set them up consciously and safely! I have to think about that in advance. An example: If my neighbour hangs a WLAN camera in his garden and it is also displayed in my network, he has done something wrong. The point is to use the opportunities offered by technology - but always consciously and in a secure environment.

And what is your opinion on the "robo-driver" and the vulnerability of self-driving cars? Is this already an issue for the police?

That's a fair question, because we're often not even aware of what our cars can already do today. For us as police, this was a very exciting topic, because of course the idea was to integrate a police computer into the cars. However, we first checked in which environment we would build it. In the process, we discovered that today's cars are all networked and have an enormous amount of technology: Lane departure warning, automatic braking and many other systems work via sensors. This means that the car manufacturers know pretty much exactly where we are and how we are driving, because telemetry data is constantly being exchanged.

In America, Uber's robo-drivers are already driving themselves in real life. In Germany, we are not quite there yet. However, we are also looking into the future and have a science lab at the police in NRW. The "Patrol Car 2027" is already being developed there, which will intervene precisely in these structural systems - because the city and the flow of traffic will also become digital at some point. But one of the basic principles must be that we trust the software. If it has a weak point - and that is still the case in many cases - then I also have concerns because I then have no influence on the car. That's why the software has to be built very securely. Otherwise, I'm sitting in the car - but I'm not the master of it. In the best case, a hacker drives me to another place, but in the worst case, he causes damage. Especially when human lives are on the other side, it's a fine line: safe autonomous driving always means safe software and safe infrastructure. We still have to work on this with various players. Otherwise I wouldn't get into such a car.

Apart from that, intelligent traffic control is of course a huge topic. In the current situation, however, it could amount to all traffic lights being switched to red in the event of a hacker attack. That would lead to a complete traffic standstill, and emergency ambulances would no longer be able to get to their patients. Then we're talking about human lives again. This is always a chain of reactions. We are all challenged here and must think about the possible risks and effects. Also from very different roles, because we are networking the world right now. We have to get much more into a big whole, otherwise it won't work.

And what consequences does all this have for the police? How has your job changed - and is the police well equipped for future threats?

I think the opportunities for the police are not even that we as police now have access to data that we wouldn't have otherwise. It's always great on US TV shows: their officers access cameras and tap their data - you have access to virtually everything. That's science fiction, of course! It's not about creating a surveillance state. But of course it's about seeing the possibilities here too - but I mean the possibilities to protect oneself. To go more into the advisory function. In our daily work, we have to know how technologies work, why hackers were able to penetrate a company network, for example. Of course, these are things that you have to be able to understand as a law enforcement officer. And here too, the hacker no longer physically comes to the door, but attacks online. This also changes the behaviour of the perpetrator. In the past, you had to say "You're an idiot" to the person's face, now I do it - often even anonymously - via social media. The inhibition threshold to become a perpetrator is completely different. The technical challenges and possibilities are not easy for us as police either, we also have to invest in the future. In personnel, in training and also in technology, in order to map certain things and to stay on the ball.

So that one doesn't have to call in the police in the first place: How can I best protect myself privately against cyber threats? What might also need to happen in the background for this, keyword: insurance and protection software?

Everyone needs a certain level of protection. After all, I don't think you would leave your front door open either. I have to build exactly this level of protection into IT as well - however, to do so I first have to understand how the respective technologies work. One important level of protection, for example, is deliberately separating the home Wi-Fi network, as discussed at the beginning. With this level of protection I have then achieved a large part, but not 100 percent. A residual risk remains. To mitigate this, insurance can, in my opinion, be a good idea. In other words: cyber insurance can be a very good supplement for limiting damage for private individuals and also companies - but it should never stand alone.

Finally, would you please have a few tips for us on where we can get to grips with security in more detail?

A good platform for you as private individuals is certainly the BSI for Citizens. This is a large authority that provides a lot of information. They also deal a lot with the trends around the smart home and offer a lot of security advice. You don't need to study computer science, but you can get easy tips that are easy to implement. In addition, the consumer centres are quite well positioned, for example, in the direction of data economy or questions such as "Do I have to give my data everywhere?" For the corporate sector, there are various initiatives, also from the BSI Alliance for Cyber Security.

Interview: Alina Gedde
