## The IT Security Situation in Germany in 2011

Federal Office for Information Security
www.bsi.bund.de

### Contents

- Preface
- Overview
- 1 Security Vulnerabilities
- 2 Drive-By Exploits
- 3 Botnets
- 4 Spam
- 5 Identity Theft and Identity Fraud
- 6 Malware
- 7 Stuxnet
- 8 Domain Name System and Routing
- 9 Mobile Communication
- 10 Cloud Computing
- 11 Smart Grid / Smart Meter
- Conclusion
- BSI – Focusing on IT Security
- Bibliography
- List of Illustrations

### Preface

The opportunities offered by present-day IT in both our private and professional lives are many and varied. Just as many and varied, however, are the risks we face as we increasingly shift our business transactions and social interaction into the virtual world. For attackers also keep tabs on developments and are constantly working out sophisticated ways of staying one step ahead of their potential victims.

Authors of malware are using ever more diverse technical measures to make their programs harder to detect or analyze. For example, there is malware out there that can scan its target system to pick up on features of an analysis environment. If it detects any, it will stop trying to infect the system. This makes it harder for specialists to analyze the program. It also increases the demands on users; it is becoming more crucial for them to play an active role than ever before. There is a need to be every bit as alert and curious in our online lives as there is in the offline world.

Internet criminals have long since created a market for their services which helps to increase their “earning potential”. A botnet consisting of 10,000 bot PCs, for example, can be rented for around US$ 200 a day. And as botnets can consist of several millions of PCs, the financial potential of such attacks is something we can only guess at.

But we will not allow this to discourage us: on the upside there have been plenty of successes.
Like the dismantling of large-scale botnets, for example. Often this is achieved through the joint efforts of many companies, IT security organizations and investigators all over the world. This worldwide network is constantly expanding. April 1 saw the opening of the National Cyber Defense Center, a joint venture of German federal security departments operating under the auspices of the BSI, tasked with defending critical federal government and industrial IT infrastructures against electronic attacks.

My employees and I are doing our bit to make the online world safer for all of us. And this is something we are fully committed to.

Bonn, May 2011

Michael Hange
President of the Federal Office for Information Security

### Overview

Countless processes and tasks in the public and private sectors are supported by IT nowadays. Even in our private lives, it is hard for most Germans to imagine doing without their PC and cell phone. Business and industry, the public sector and private individuals are therefore all highly dependent on properly functioning information technology and secure information infrastructures.

Organized criminals, but also intelligence services, are carrying out highly professional IT attacks on companies, authorities and even private individuals. The methods the attackers are using are becoming ever more sophisticated, making them increasingly expensive and complicated to defend against. A recent example was the Stuxnet Trojan horse which targeted industrial process control systems. Its programming was highly complex and was done by people who were experts in their field.

There have always been attacks on IT systems, but their intensity and nature have changed. Alongside mass attacks, we are also beginning to see a new quality of specifically targeted attack. Mass attacks mainly exploit standard vulnerabilities like banner ads, whereas targeted cyber attacks use secret or as yet undiscovered weak points.
The attackers do not “waste” their knowledge; their methods have become ever more devious since we published our last report in 2009. Besides vulnerabilities in operating systems, attackers exploit weak spots in third-party applications and software components. Targeted attacks geared towards specific individuals that use highly sophisticated social engineering to disguise themselves are also on the increase.

The number of new malicious programs is also continuing to rise dramatically. But malware is no longer being spread randomly across the internet in massive waves. A malware program will often only infect a small number of computers worldwide, making it extremely difficult to detect.

“Conventional” phishing is much less common these days. But that does not mean that identity theft no longer poses a threat: in fact, quite the opposite. A criminal field of activity has developed in this area which has all the hallmarks of highly professionalized structures.

As far as spam is concerned, attackers are seemingly opting for a much less random approach nowadays. The volume of spam e-mail may have reduced, but it is becoming increasingly targeted, so the risk potential remains just as high.

Security experts involved in malicious code analysis are finding their work turning increasingly into a race against the attackers. One positive outcome of this is that cooperation between manufacturers, providers and security experts is constantly improving. For example, some dangerous botnets have been disabled as a result of joint initiatives. An international network has also been set up for CERTs: the Forum of Incident Response and Security Teams (FIRST). There is now a general realization that working together can benefit everyone concerned – but we will all need to continue to up our game in order to keep the overall situation under control.

The rapid expansion of smartphones, netbooks and tablet PCs also presents a growing challenge, as it significantly increases the number of potential vulnerabilities open to cyber criminals. Assuming that internet attacks can potentially be financially rewarding and that the risk of being caught is relatively low, it is likely that they will continue to increase.

The much-talked-about topic of Cloud Computing is set to become ever more widespread in view of its potential for cost-cutting and increasing availability. Ensuring information security will therefore take on a new international dimension as data leave the jurisdiction of the Federal Republic of Germany. Stronger international cooperation is becoming increasingly necessary. Just as with the omnipresence of IT systems in our everyday lives – and with the imminent introduction of the Smart Grid/Smart Meter – IT managers are facing growing organizational challenges in areas such as risk management.

##### Risk trends

[Table: trend per threat, columns 2009, 2011 and Forecast. Threats listed: DDoS attacks; Unsolicited e-mails (spam); Botnets; Identity theft; Security vulnerabilities; Drive-By Exploits; Malware.]

_Source: BSI_
_Fig. 1: Development of IT threats as assessed by BSI [7]_

##### Risk potential of attack opportunities in selected applications and technologies

[Table: trend per technology/application, columns 2009, 2011 and Forecast. Rows listed: Mobile communication; SCADA; DNS and BGP; Interfaces and storage media.]

_Source: BSI_
_Fig. 2: Risk potential of attack opportunities in selected applications and technologies as assessed by BSI [7]_

##### Risk profile of innovative applications and technologies

[Table: trend per technology/application, columns 2009, 2011 and Forecast. Rows listed: Cloud Computing; Smart Grid/Smart Meter.]

_Source: BSI_
_Fig. 3: Risk profile of innovative applications and technologies as assessed by BSI [7]_

Legend: rising, falling, unchanged.

### 1 Security Vulnerabilities

The number of published security vulnerabilities was once again at a high level in 2010. It remains to be seen whether this trend will continue through 2011. It is difficult to establish exact numbers, as we do not know how many cases of vulnerabilities go unreported. What is more, some manufacturers fix vulnerabilities on the quiet with so-called Silent Fixes which are not counted in the statistics.

##### Software vulnerabilities on the rise

As far as the typical end-user PC is concerned, the ratio between the number of vulnerabilities in the operating system and in third-party software is changing. While vulnerabilities in operating systems such as Microsoft Windows are becoming less and less attractive to attackers, the number of security weaknesses in third-party software rose significantly in 2010.[1] This is particularly critical given the high prevalence of many applications. For example, Adobe Flash Player is found on more than 99% of all PCs in Europe, according to the manufacturers, and CVE reports that it was affected by 60 vulnerabilities in 2010, 53 of which were able to be exploited for running malcode. Mozilla Firefox now has the biggest web browser market share in Europe.[2] According to CVE it had 107 vulnerabilities in 2010, 60 of which enabled malcode to be executed. The potential scope for attacks therefore increases with every application that is used.

The BSI's alert and information service, Bürger-CERT, is issuing increasing numbers of alerts about time-critical vulnerabilities. In the 2010 special edition of its newsletter, for example, it published 13 alerts – more than in previous years. Since 2008 there has also been a constant rise in the number of technical alerts issued by Bürger-CERT.

##### Security vulnerabilities reported

[Charts: yearly counts for 2008, 2009 and 2010]

_Source: BSI_
_Fig. 4: Number of time-critical security vulnerabilities reported by Bürger-CERT and Technical Warnings issued by CERT-Bund [7]_

Software manufacturers have acknowledged the fact that they share responsibility for IT security and are working actively on improving their products. So it is no longer only third parties who are discovering vulnerabilities: the manufacturers themselves are also reporting them. But time is and remains a critical factor. Zero-day attacks, in which vulnerabilities are exploited on the day they are discovered, are now the rule. At the same time, so many vulnerabilities are being discovered all the time that manufacturers risk not being able to keep pace with this development, potentially resulting in vulnerabilities remaining in place over long periods of time. According to CVE, for example, on February 15 this year more than 20 vulnerabilities in various Microsoft products (Windows, Office, Internet Explorer) were known about, 16 of which enabled malcode to be run. Many of these had been described several weeks earlier.

##### Central patches help

Against this backdrop, users must call for effective update mechanisms to eliminate security vulnerabilities effectively and fast. Automatic update functions have proved very helpful in this regard. They enable a user to keep their software up to date without any involvement on their part; security-relevant updates are simply downloaded and installed as soon as they become available. Most common applications have these functions nowadays. But this system is also not without its problems. Because there are no central update functionalities, applications typically have their own specific update mechanisms and cycles. And there can even be big differences between an individual manufacturer's products.
In addition, some manufacturers do not provide their updates as they develop them but have set patch days on which they publish their patches. In the worst-case scenario, vulnerabilities can then exist for anything between one month (Microsoft's current patch cycle) and three months (Adobe's current cycle). So manufacturers are increasingly being forced to respond to critical vulnerabilities with workarounds – temporary measures which involve additional effort on the part of the user and the administrator. However, patch releases are sometimes brought forward when a particularly critical vulnerability is discovered.

The BSI is therefore in constant contact with the major software manufacturers with a view to driving forward the development of central update mechanisms and ensuring that updates are made available promptly. The aim going forward is to have updates downloaded fully automatically as soon as they are available so as to keep pace with the security threat caused by the discovery of new vulnerabilities. In administered environments, these mechanisms need to be put in place by the administrators.

### 2 Drive-by Exploits

How vital it is to fix vulnerabilities in software straight away is illustrated by the fact that you can infect your own computer simply by "surfing" to a website containing one of these drive-bys. In the past, similar malware was predominantly spread through shady websites. In another variant, attackers would set up specially crafted websites and lure users to visit them by sending out spam e-mail containing links to these websites. Today, malware distribution via drive-by exploits almost exclusively happens using compromised legitimate websites.

Every day, attackers manipulate several thousand websites across the world and inject malicious code which leads to drive-by exploits.
These websites are usually compromised using stolen FTP login credentials for the web servers that have been previously harvested by malware on the website operators' computers. Analysts investigating attackers' servers regularly come across lists with 30,000 or more stolen login credentials for FTP servers. Additionally, security vulnerabilities in content management systems and other server software are often used by attackers for manipulating websites.

##### Infected without clicking

CERT-Bund, the German Governmental Computer Emergency Response Team, currently receives reports from various sources on more than 20 German websites per week that have been manipulated by attackers and lead to drive-by exploits. But this is just the tip of the iceberg, as the BSI is not actively looking out for compromised websites. CERT-Bund asks the operators of the websites concerned to remove the injected malicious code and fix the vulnerabilities being exploited by the attackers.

A user’s PC can also be infected through specially manipulated banner ads on reputable websites. Attackers regularly compromise marketing service providers' server applications to get them to deliver a malicious payload that leads to drive-by exploits. And the user does not even have to click on the banner ad to activate the payload. Simply having a manipulated banner displayed on a website is enough to trigger automatic exploitation of vulnerabilities on the user's PC. In 2010, CERT-Bund notified more than 100 operators of banner ad servers in Germany of these kinds of manipulations. Some of the infected banners were displayed on the websites of well-known companies, popular online magazines and TV/radio stations.

##### Exploit kits: malicious software packages

Malicious code injected by attackers into compromised websites usually does not target only one single vulnerability. Instead, it leads to a so-called exploit kit.
An exploit kit (or exploit pack) is a software package that automates the exploitation of vulnerabilities on users’ PCs using drive-by exploits, subsequently infecting them with malware. Besides a collection of exploits for various vulnerabilities (typically more than 10), an exploit kit usually also contains a web-based management interface that allows for easy configuration and generation of statistics. Exploit kits are traded by cyber criminals for between US$ 400 and US$ 2,000, depending on the number and up-to-dateness of the exploits they contain. In-depth technical expertise is not usually needed to install and operate an exploit kit.

Over the past few months, attackers have focused their attention primarily on weaknesses in older versions of the widely used software products Adobe Reader and Flash and in the Java Runtime Environment. However, exploit kits are also still successful at exploiting vulnerabilities in Internet Explorer and the Windows Operating System, many of which have been around for years, since many users have not yet installed the security updates that fix these vulnerabilities.

It gets particularly critical when the attackers use zero-day exploits that target vulnerable software for which the vendor has not yet issued a security update.

### 3 Botnets

The threat presented by botnets has continued to rise dramatically over the past two years, partly as a result of the risk of infection by drive-by exploits. Botnets are now also being rented out professionally, and their “customers” use them to take revenge, gain competitive advantages and for criminal purposes like extortion. Attacks may also be politically or religiously motivated. Another trend began to emerge in 2010: “hacktivism”. This is a mixture of hacking and activism, in which internet users voluntarily make their PCs available for attacks like DDoS on companies. A botnet can also be formed in this way.

Botnet operators can potentially infect an increasing number of PCs, because more and more users have broadband internet access and leave their computers connected to the internet 24/7. As a result, the intensity of cyber-attacks is also on the rise: according to BSI estimates, it already exceeds individual providers' service bandwidths, which can lead to network outages.

Users do not usually notice that their PC is part of a botnet, as the malcode runs in the background. This is confirmed by a security firm that analyzed 100 million compromised IP addresses worldwide. They discovered that 80 per cent of IP addresses of infected PCs appeared in the statistics for more than a month, and 50 per cent for at least 300 days.[3] One of the reasons for this is that some bot software deactivates antivirus software to prevent itself from being discovered. Computers without antivirus software or running outdated versions simply exacerbate the problem. Often the infection is only discovered when the user is informed about it by their provider.

The number of multiple bot software infections has also risen. This is confirmed by an analysis in which multiple infection was observed in 35 per cent of cases.[4]

##### Intensity of DDoS attacks

[Chart: attack bandwidth in GBps (axis 0 to 100), 2005 to 2010]

_Source: Arbor Networks_
_Fig. 5: Bandwidth increase in DDoS attacks [9]_

##### Anti-botnet initiative permanently knocks the bottom out of infections

_According to BSI analyses, in 2010 Germany was among the top 5 source countries for botnets that send out spam e-mail. The BSI is therefore supporting the Anti-Botnet Advisory Center set up by eco-Association of the German Internet Industry. This initiative is being financed with start-up funding from the Federal Ministry of the Interior’s IT Investment Program and aims to help rid computers of bot infections. This initiative, which was officially unveiled on September 15, 2010, is intended to make life more secure for the end user and knock the bottom out of botnets operating in or out of Germany for good wherever possible._

_The first step in the initiative is to identify infected computers. This is done by the Internet Service Provider (ISP) using honeypots and spam traps. Honeypot systems reside in the provider's network area and are attacked by the infected computers. The spam traps receive the spam e-mail sent from there. Then the ISPs inform the identified users that their PCs are infected. To eliminate the infection, they can obtain help in the form of information and tools from the central website, www.botfrei.de. Users who need additional help are pointed by their ISP towards the Anti-Botnet Advisory Service telephone advice hotline._

_Between September 15, 2010, when the project was launched, and April 30 this year, more than 994,000 visitors used the website. During this time, the DE Cleaners – special tools designed to remove bot software from computers – were used more than 522,000 times. The ISPs involved alerted more than 200,000 customers about infections on their computers._

### 4 Spam

The number of unsolicited e-mails (spam) has fallen compared with the record year 2008. However, spam still accounts for an extremely high proportion of all e-mail: 96.1% in 2010. Spam also seems to have been targeted more precisely of late. For example, the proportion of German-language spam e-mails sent specifically to German e-mail recipients by international botnets is growing.

##### Development of spam in Germany

_Source: BSI_
_Fig. 6: Development of spam volume in Germany since January 2010 [7]_

The vast majority of spam e-mails are sent by botnets. In a single hour, the BSI observed individual spam waves with over 100,000 different sources (sender systems with unique IP addresses).
The Rustock botnet has been found to be the most prolific sender of this spam. As can be seen in the graphic below, the volume of spam in Germany dropped dramatically by nearly 75 per cent in Rustock’s two-week silent period at the end of 2010 and when its command and control servers in the USA were taken down in mid-March.

##### Sending spam via private PCs

Spamming shows regularities both on a day-to-day and a week-to-week basis. It is also particularly interesting to look at the sources by country.

The following diagram shows a weekly pattern, accumulated over several months, of spam and solicited e-mail sent from Germany at different times of the day, measured against the BSI's e-mail early warning system. According to BSI findings, most of the spam sent in Germany originates from compromised private PCs. These are probably being used by schoolchildren in the afternoon, but mostly by adults in the evening after work. Fewer of the infected PCs are being used on Friday and Saturday evenings as people are more likely to have other plans at these times. In an international comparison, it is striking that there are countries in which the daily maximum falls within the working hours for that time zone and with a much lower volume at evenings and weekends. In these countries, spam is obviously being sent predominantly from workplace PCs.

In the league table of spam-sending countries, Germany was in fourth place in 2010 with 5.77%, behind the USA (9.32%), Brazil (8.36%) and India (7.28%). The German share drops during the course of the year. The data refer to the distribution of spam in the Federal Republic of Germany. The BSI expects Germany to be overtaken by some countries as a source of spam in 2011.

[Chart: Weekly spam volume, Monday to Sunday; series: Cumulative weekly volume of spam, Solicited e-mails]

_Source: BSI_
_Fig. 7: Cumulative weekly volume of spam and solicited e-mails sent from Germany [7]_

##### Spam distribution by country

| Country of origin | Share |
| --- | --- |
| USA | 9.32 % |
| Brazil | 8.36 % |
| India | 7.28 % |
| Germany | 5.77 % |
| Vietnam | 5.30 % |
| Russia | 4.38 % |
| UK | 4.06 % |
| Poland | 3.23 % |
| Romania | 3.20 % |
| France | 2.92 % |
| South Korea | 2.76 % |
| Ukraine | 2.69 % |
| Italy | 2.52 % |
| Indonesia | 2.01 % |
| Spain | 1.91 % |
| Saudi Arabia | 1.85 % |
| China | 1.57 % |
| Colombia | 1.47 % |
| Argentina | 1.45 % |
| Israel | 1.28 % |
| Rest | 26.68 % |

_Source: BSI_
_Fig. 8: Spam distribution in Germany in 2010 by country of origin [7]_

##### German-language casino spam waves from thousands of sources

One of the most distinctive and long-lasting spam campaigns is German-language casino advertising. The BSI has been monitoring it since May 2009. It occurs roughly in hourly waves and increases the volume of spam by more than 100 per cent. Several thousand sources per hour from almost all countries in the world have been identified as the senders – mainly in Brazil, followed by Vietnam, India, Indonesia, China and Germany. They are most likely part of the Maazben botnet. From the variations in time, it can be concluded that large parts of this botnet concentrate simultaneously on one country domain and its language.

##### Casino spam

[Chart series: Spam (total), Casino spam]

_Source: BSI_
_Fig. 9: Casino waves and total spam volume over a typical day [7]_

##### Internet users being recruited for criminal purposes

Since March 2010, a spam wave has been observed which recruits “manpower”. These “money mules” or “agents” are then used to forward illegally acquired goods or money. To increase the credibility of this offering, the spam often lists the German Federal Employment Agency (Bundesagentur für Arbeit, BA) as the supplier of the addresses.
Several thousand sources per hour from almost all countries in the world have been detected as the senders of this spam – mainly in Brazil, followed by India, South Korea, Germany and Poland.

For this spam variant, the attackers started by performing a small-scale and obviously highly successful test in mid-March 2010. From the end of April to the end of August 2010 this form of e-mail was a firm fixture in the German spam landscape. Thereafter, the messages stopped mentioning the Federal Employment Agency. Another wave appeared at the end of the year. In the opening sentence it made it perfectly clear that people were being recruited for criminal purposes: “A job for someone who is quite clear that if anything goes wrong they can at best expect a suspended sentence, and at worst…” This example shows that the attackers are not afraid to involve large swathes of the population in criminal acts. Immediately after being alerted by the BSI, the Federal Employment Agency issued a series of press releases on this subject.

### 5 Identity Theft and Identity Fraud

Identity theft and identity fraud are not new crimes: they were happening long before we started using electronic media. In the past, the perpetrator and the victim would nearly always be in close geographical proximity to one another, and there would usually only be a few people involved. But as internet usage has increased, the situation has changed radically: nowadays there is usually no geographical link between perpetrator and victim whatsoever. What is more, a perpetrator can obtain data from hundreds or thousands of victims with very little effort using malware, as analyses of datasets captured from perpetrators have shown.

##### Malware steals personal data

Identity theft takes place using malware which transfers the stolen data to “drop zones”, servers controlled by the perpetrators. Once there they can be deployed for identity fraud purposes.
Occasionally data being transferred by malware to drop zones can be intercepted. When this happens, the owners of the stolen identities are usually protected by the operators of the internet services concerned, such as by preventatively changing their password or temporarily deactivating access.

##### Drop zone datasets

[Chart: drop zone datasets per month, from January 2010; axis 0 to 50,000]

_Source: BSI_

In 2010 data from approximately 200 drop zones were analyzed. Of particular interest to the BSI are datasets that relate directly to Germany, such as with a domain name ending in “.de”, for example.

##### Particularly common on webmail and online marketplaces

Analyses of examples of drop zone datasets from 2010 show that the perpetrators were particularly successful in gaining login credentials for German webmail service providers and widely used online marketplaces. When subsequently deployed for identity fraud, they may not be able to be turned directly into money but they nonetheless harbor considerable potential for damage. For many users, the e-mail account represents the central trust anchor for a range of other online activities, making it easy for the perpetrators to get hold of other login credentials. Stolen identities for online marketplaces provide the perfect basis for fraudulent buying and selling transactions.

Online banking data, on the other hand, can be exploited directly. In 2010 around 86,000 identities were found in the drop zones investigated. These login credentials do not lead directly to a transaction on their own. But as the malware on the target systems is usually still active, the attackers can often overcome the banks’ other protective mechanisms such as transaction codes.

##### Trojan horses scour private PCs

These days, perpetrators almost always use Trojan horses that cover their tracks on their victims’ computers very effectively. They use them to track the owners’ login or transaction keystroke combinations or to search their files for particular keywords. The data are then transferred to the drop zones. Conventional phishing, on the other hand – luring unsuspecting users to fraudulent bank websites and asking them to enter their credentials, for example – is now relatively rare. But the increasing use of powerful Trojan horses has meant that the number of cases – and therefore the levels of losses – are once again on the rise compared with previous years.

Today’s perpetrators divide up their tasks in a highly orchestrated way. First one group will produce the malware – a Trojan horse, for example. The next group will distribute it across the internet and use it, and a third group will collect the mined data from the drop zones and prepare it for the next stage, identity fraud. The next set of perpetrators will then use the data for criminal purposes.

As banks and service providers have tightened up security on money transfers abroad, financial agents with accounts in the home country are used. Recruitment and maintenance of these agents is also organized in a sophisticated way, including by sending out spam (see Chapter 4).

**Drop zone datasets**

[Chart, continued: drop zone datasets per month, August to December 2010, and total for 2010 (1,107,371); categories: Webmailers, Online marketplaces, Online stores, Social networks, Online banking, Internet providers, Travel portals, Other]

### 6 Malware

In our 2009 status report we observed that the number of malicious programs was rising constantly, they were becoming easier to produce and the attacks were increasingly being targeted at specific victims. These trends have intensified since then.

##### Malware much harder to detect

The number of new malicious programs is continuing to rise dramatically. A new one is launched every one or two seconds. However, they are no longer being spread randomly in large waves across the internet. Whereas in the past one single malicious program could have several thousands or even hundreds of thousands of victims, today as few as 20 computers worldwide will be affected. Sometimes people visiting a manipulated website infected with a drive-by download may even pick up an individual malicious code. Particularly problematic are malware programs that can only run on the computer they first infected, as these are completely undetectable in an analysis. Previously, a malicious program would be used actively over several months. These days they will be used for just a few days before being replaced by a new variant that cannot be traced by antivirus software.

A direct consequence of these trends is that it is becoming increasingly difficult to detect malware in the usual way based on signatures and checksums. Manufacturers of antivirus programs have severe problems localizing the large numbers of different malware and producing detection signatures.

There are two main causes for the spate of new malware. Firstly, exploit kits and virus construction kits are widely available. They can be expanded to accommodate newly published vulnerabilities and attack methods in just a few days, and they are easy for semi-professional attackers to use. Secondly, highly efficient techniques exist for automatically producing a thousand new variants of an individual malware with only very minor differences and different checksums.

##### Malware spread mainly by drive-by downloads

Distribution of malware via e-mail is dwindling. The BSI assumes that most malware is now distributed via drive-by downloads. More and more malicious programs that have infected a computer via the internet are being spread on USB sticks or internal networks.
Manipulated Microsoft Office or Adobe PDF documents are increasingly being used. In addition, malware for mobile devices is on the advance: it is no longer a technical problem for malware to move between PCs and mobile devices during data transmission, although such cases are rarely observed at present. One reason for the decline in e-mail-based attacks is the constant improvement in spam filters which stop infected e-mails being delivered.

##### Infected e-mails on government network

The total number of infected e-mails on the government network is falling. But at the same time the BSI is discovering increasing numbers of harmful e-mails that are not being picked up by virus scanners. The BSI currently detects about four or five targeted attacks per day.[2]

In 2004 more than 100,000 infected e-mails per month – many containing the same malware – were blocked by a standard virus scanner. On average there were 1.6 million harmful e-mails per month in 2004. Over the past five years there have only been six months in which more than 100,000 infected e-mails were detected. In relative terms, the number of harmful e-mails detected by the virus scanner has fallen even further, as around four times as many e-mails were received in 2010 as in 2004.

The all-clear? Sadly not. Whereas infected e-mails were relatively easy to detect with antivirus software in 2004, the BSI is discovering more and more harmful e-mails with its own detection systems which were not picked up by the virus scanner. These numbers illustrate the benefits of central protective measures in the government network. The entire federal administration is therefore profiting from the high levels of technological expertise and manpower used by the BSI to protect the government network.

##### Room for improvement

The race between the authors of malware and the manufacturers of protection programs is hotting up, and this is not without consequences.
An internal BSI analysis has shown that the rate at which virus scanners detect documents with embedded malicious functions needs to be improved dramatically. On average, less than 50 per cent of malicious documents were identified in on-demand mode (i.e. without executing the file). Only a combination of at least three different virus scanners was able to identify more than 90 per cent of the infected documents. On-access virus scanners, which use additional detection processes when a file is opened, deliver better results. Antivirus programs on desktop PCs are therefore far superior to those on gateways which only work in on-demand mode – provided all behavior-based and heuristic detection processes are active.

Besides the use of antivirus programs, which offer inadequate security in many scenarios, what measures help? Virtualization techniques can protect against drive-by downloads collected during surfing. These encapsulate the browser in a virtual environment so that it is effectively separated off from the rest of the computer and the intranet, at least providing effective protection against data loss or sabotage actions by malware. Protection against the spread of malware via USB sticks is increasingly taking the form of programs that control computer interfaces, although their use can go hand in hand with considerable loss of convenience and function. To protect against malware in e-mails, there are virtually no measures one can take other than using several different antivirus programs. E-mails are such an integral part of typical work processes that it is not possible to virtualize e-mail clients. The IT security industry has responded to this situation and offers managed security services such as a central e-mail scan or spam defense. For many companies, but also for private individuals, security services provided by specialist firms or providers will in future be an attractive alternative to doing it yourself with protection software.

The ever expanding use of mobile devices for processing and storing confidential information continues to present problems. Mobile devices are often poorly protected. Closer cooperation between manufacturers of mobile devices, operating systems and protection software is therefore urgently needed.

[2] The BSI refers to a “targeted” attack when the attacker tailors it individually to a particular person and uses a high degree of social engineering to disguise themselves. The malicious programs they use are changed repeatedly until current antivirus programs no longer recognize them.

-----

### 7 Stuxnet

IT attacks on process control systems have long been the subject of discussion in specialist circles. But now Stuxnet has impressively demonstrated the real threat. This malware features some outstanding infection mechanisms and, unlike most Trojan horses, does not target “normal” PCs but industrial process control systems. These are the brains and nerve centers of many processes: they monitor, control, and regulate complex systems as diverse as refineries, pipelines, electricity grids, industrial bakeries, and assembly lines. With the speculation surrounding potential attack targets in the nuclear industry, the subject of Stuxnet has been raised and discussed in many media.

Under the surface, Stuxnet is in fact less alarming as a piece of actual malware; rather, its relevance lies in the fact that it clearly demonstrates the potential of attacks of this quality. It proves that there are people out there who will spare neither expense nor effort to attack what they perceive to be key targets and sabotage them unnoticed. Whereas attacks on critical infrastructure and their process control systems have often been accepted as a residual risk in the past because of their presumed unlikelihood, this risk now has to be reevaluated.
##### Separating process control systems from other networks

Stuxnet was programmed for a particular purpose and geared specifically towards it. A similarly high-quality attack on another target would require the same level of programming expense and effort. And yet there is a significant risk that Stuxnet is just the tip of the iceberg and that similar attacks could follow. It cannot be ruled out that comparable malware may already be being programmed and used both for the process control systems of other operators and manufacturers and for other critical information infrastructures with as yet unknown infection channels and highly complex malicious functions.

Besides such highly specialized and targeted attacks, there is also the risk of free-riders who could attempt to damage process control systems with a lot less expense and effort. It is therefore important to isolate these systems from other networks as strictly as possible and protect and monitor any key interfaces as effectively as possible. In some cases the BSI has proved that process control systems are directly visible and accessible via the internet. And if something can be seen, it can be attacked.

-----

### 8 Domain Name System and Routing

### Domain Name System

The protocol used for communication between DNS servers for exchanging data has design flaws. Attacks on the protocol can result in DNS information on the internet being manipulated by third parties. In 2010 this problem continued unabated, and there were several incidents of data being corrupted. For example, some traffic to popular websites like YouTube, Twitter and Facebook was diverted to servers in China. To improve the underlying protocol, the Internet Engineering Task Force (IETF) specified the DNSSEC (Domain Name System Security Extension) protocol extension to enable both digital signing and validation of domain data.
##### Operators responding

To implement the improvements introduced with DNSSEC, however, it is necessary to roll out this extension actively throughout the whole DNS infrastructure. While both the domain registrars and the ISPs are still hesitant when it comes to implementing DNSSEC, last year some fundamental changes were made to the underlying basic infrastructures. For example, since July 15, 2010 DNSSEC has been supported by the Domain Name System root zone. Acceptance by top level domains has also risen strongly over the past two years. Between early 2009 and May 2011, the number of top level domains accepting the DNSSEC extensions rose from five to 72 out of 310. Fortunately, apart from China (.cn), the ten largest top level domains have already implemented DNSSEC. These include the German top level domain, .de, whose operators DENIC eG introduced DNSSEC on May 31, 2011.

##### Top Level Domains

| Top level domain | Number of second level domains | DNSSEC support |
|---|---|---|
| .com | 95,006,677 | yes |
| .de | 14,369,495 | yes |
| .net | 14,003,416 | yes |
| .org | 9,639,660 | yes |
| .uk | 9,373,754 | yes |
| .info | 8,200,168 | yes |
| .nl | 4,442,413 | yes |
| .cn | 3,379,441 (on 28/02/2011) | no |
| .eu | 3,341,775 | yes |
| .biz | 2,254,683 | yes |

_Source: BSI_

_Fig. 11: The ten biggest top level domains [7]_

-----

### Routing

##### Attack on internet infrastructure availability

Another opportunity to use internet structures for attacks is in routing between connected systems. The structure of the internet is based on different providers’ networks interconnecting with one another. Information on how the connected systems can be reached using networks and lines (routing) is exchanged via the Border Gateway Protocol (BGP). There are very few control mechanisms in existence that enable reliable verification of the information being exchanged. So anyone with access to the BGP infrastructure can manipulate the routing information being transmitted.
A potential consequence of a manipulation of this kind could be that a network is no longer accessible. There have often been disruptions in internet routing in the past. The last major incident, which affected as many as 37,000 networks, happened on April 8, 2010. Some of the data packets addressed to these networks were diverted to China.

-----

### 9 Mobile Communication

As the use of mobile devices for reading, using and transmitting important business data on the move increases, the BSI anticipates a rise in the number of attacks on these devices in the future. Around 10 million people in Germany regularly use their cell phone to go online.[5] The number of apps downloaded onto cell phones had reached the 900 million mark by the end of 2010.[6]

##### Mobile Apps

[Figure: mobile app downloads in Germany, 425 million in 2009 and 900 million in 2010 (+112%); mobile app sales in Germany in euros, 190 million in 2009 and 357 million in 2010 (+88%)]

_Source: Bitkom_

_Fig. 12: Development of downloads and sales of mobile apps for smartphones in Germany [6]_

Not all smartphone users are aware of the risks of using mobile operating systems. According to a survey of smartphone users by the BSI, around 60 per cent know that their mobile devices have the same security requirements in terms of security updates and protection software as a PC. But 47 per cent of users have never downloaded security updates onto their cell phones, only 20 per cent do so at least once a week, and 11 per cent at least once a month.[7]

##### Risks at the mobile interface

GSM STANDARD

_Originally named after the Groupe Spéciale Mobile, today GSM stands for Global System for Mobile Communications and is the world’s most widespread digital mobile network standard. A GSM network consists of four subsystems: the Mobile Station (MS), the Base Station Subsystem (BSS), the Operations and Support System (OSS) and the Network Switching Subsystem (NSS). The Mobile Station integrates into the GSM network by setting up a communication connection with a BSS via the air interface, i.e. via the wireless interface between the Mobile Equipment (ME) and a Base Transceiver Station (BTS) on the GSM mobile network (Um interface)._

The insecurity of the GSM interface is a particularly significant threat to the use of smartphones. Users who are inadequately protected need to be aware that their connection data (telephone numbers and call times) and usage data (e.g. call data, e-mails and text messages) can be intercepted or that an attacker can find out their whereabouts and their movement profile.

All usage data crossing the GSM air interface are encoded according to the GSM standard. But this code is no longer up to date, and tools for intercepting GSM communication have been available for some time.

[Figure: GSM mobile network showing the MS, BSS, OSS and NSS subsystems]

_Source: BSI_

_Fig. 13: Simplified diagram of a GSM mobile network [7]_

Thus a data thief can work out the GSM code if they manage to intercept data communication on the GSM air interface. Once they have this code, they can then decode GSM call data and sometimes even text messages. Data connections via UMTS (Universal Mobile Telecommunications System), GPRS (General Packet Radio Service) and EDGE (Enhanced Data Rates for GSM Evolution) and calls via UMTS are unaffected.

Other security risks in the use of mobile devices are:

» Back-end eavesdropping: the attacker captures the call data on a cable that transmits the calls unencrypted.
» Loading and installation of malware from the internet and manipulability of mobile devices by Trojan software.
Malware can render a smartphone unusable and use it to infect IT systems that are networked with the phone. Mobile phones infected with a Trojan horse can even be used as a phone tap that is operated remotely via the mobile interface. Finally, user data can be mined and sent to the data thief.
» If a cell phone user’s itemized bill shows evidence of additional or even missing calls, this may also be an indication of an attack, e.g. by a Trojan horse.
» Man-in-the-Middle attack: in this case, the attacker mimics a GSM base station. This is relatively easy to do, as no authentication to the mobile device is required. The attacker assumes a position between the mobile device and the mobile network and deactivates the GSM encryption.

_provide better protection when using mobile devices, the_

-----

### 10/11 Issues of the Future

-----

### 10 Cloud Computing

The subject of Cloud Computing is very topical in the world of IT at the moment and has been gaining in significance worldwide in recent years. In Germany too, market researchers expect expenditure on cloud services to grow rapidly over the next few years. It is estimated that sales of cloud services in Germany will rise from €1.14 billion in 2010 to as much as €8.2 billion by 2015. This corresponds to an average annual growth in sales of 48 per cent.[8]

There are many reasons why interest in Cloud Computing and the use of Cloud Services are on the rise. Cloud Computing offers enormous flexibility in terms of booking, using and shutting down computer center capacity in line with actual demand. There is also massive potential for savings on IT systems that would otherwise have to be operated and maintained locally and replaced regularly. Another advantage is the ubiquitous availability of business applications regardless of the user's geographical location.

##### Opportunities versus risks

These potential benefits are offset by a series of risks associated with storing data and applications in a Public Cloud, including the following:

» Data and applications are kept off site and are therefore no longer accessible directly to in-house IT.
» Applicable guidelines and regulations such as data protection requirements could potentially be infringed if sensitive data is stored in a Public Cloud.
» Large numbers of unknown users share a joint infrastructure. This increases the risk of infringing the fundamental values of information security.
» Data and applications are accessed via the internet, so they cannot be accessed if the internet connection fails.
» If the interfaces provided by a cloud provider are insecure, vulnerabilities can be exploited to gain unauthorized access to data.
» Because of the extremely high complexity of Cloud Computing platforms, numerous security problems can arise such as data loss, unauthorized access to information, impairment of availability or even loss of services.

The BSI believes that the concept of Cloud Computing will gain a foothold in the market because of its technical and economic potential, provided the issue of reasonable information security is resolved. For as it becomes more widespread, the concept will become more attractive to attackers as resources are concentrated in central locations. Cloud Computing platforms are already being used to set up botnets, deposit malware, send spam or carry out brute force attacks on passwords. In addition, some cases have emerged of Cloud Computing platforms being targeted by DDoS attacks.

Summary:

_The risk potential is expected to increase. For this reason, there is an urgent need to draw up and establish internationally recognized standards on the basis of which Cloud Computing platforms can be used and operated more securely and can be monitored and certified._
-----

### 11 Smart Grid / Smart Meter

The worldwide market volume for Smart Grid technologies could potentially be 100 times bigger than the internet, according to estimates by the US company Cisco Systems. The increasing complexity of electricity networks furthermore calls for new forms of whole-system protection against outages. These mechanisms are supposed to use networked IT systems, which in parts still need additional development and implementation work.

As energy and water supply systems are indispensable, the current very high level of security of supply will need to be maintained during this work. Supplies must not be put at risk by outages, faults or attacks on the IT infrastructures being implemented – and must be sufficiently robust even in crisis situations. Specific risks may also arise in future due to the fact that certain parts of the infrastructures will be networked in a complex way between different operators. This applies in particular if this networking takes place via information infrastructures that are used for very different applications with a large number of communication participants, or if the information is exchanged via the public internet.

##### Smart meters

Given the above, designing and setting up networks that can be controlled flexibly is the order of the day. We still have a long way to go before we see the introduction of integrated, intelligent supply systems: there is still a lot of fundamental development work to do in the sectors concerned. But the first steps are already being taken in the supply infrastructures, where various technologies are already being designed, built and even implemented. The BSI provides support for the development of the fundamental principles of intelligent electricity supply systems, thus ensuring that the most important aspects of IT security are taken into account. The introduction of smart meters will be a key element of supply infrastructure improvement. Because the smart meter processes and forwards personal consumption data and due to potential negative repercussions for the energy supply, there are high requirements for data protection and data security.

Summary:

_Recent known hacking attacks on smart meters in the USA and hazards like Stuxnet have shown that urgent action needs to be taken in Germany to ensure that smart metering solutions are secure. The BSI will therefore be working with industry associations and relevant authorities such as the German Federal Network Agency (BNetzA) and the Physikalisch-Technische Bundesanstalt (the National Metrology Institute Providing Scientific and Technical Services – PTB) to bring together the security requirements for smart meters in a special protection profile with a view to ensuring that all market participants meet compulsory data protection and security requirements. The intention is to publish a BSI-certified version of the protection profile by September 2011. The BSI will also be publishing a Technical Guideline which will set out the requirements for smart meter interoperability._

-----

### Conclusion

As IT penetrates into all areas of our lives and networks become ever more interconnected, we depend on it operating flawlessly. The BSI and other security agencies believe that the new hazards arising in parallel to this development, such as cyber attacks, attacks on mobile devices and attacks extending beyond conventional IT, represent a new, joint challenge to politics, industry and society in general. Offers that provide reactive help to the federal administration, industry and private individuals are necessary and fulfill an important role. In order to effectively combat the threat potential, we will need to focus even more strongly on prevention going forward.
In order to ensure a basic level of IT security and anticipate risks in advance as far as possible, it is becoming increasingly important to formulate security requirements for products and services and make these transparent to the general public. The BSI pursues this approach by formulating minimum standards, such as for Cloud Computing. This will create the technical basis for trusting secure IT and benefiting from its potential. Furthermore, manufacturer and service provider responsibility is increasingly in the spotlight.

Improving IT security is a goal that can only be achieved by working together effectively. Success in this area depends on cooperation between manufacturers, providers, security experts, security officers and, not least, users, whose awareness plays an important role in implementing widespread security measures.

-----

### BSI – Focusing on IT Security

With the coalition agreement and the BSI Act of August 2009, the German federal government has responded to the demands of IT security and has assigned the BSI a stronger role as a designer and provider of IT security services. The coalition agreement also emphasizes the BSI's duty to promote self protection and encourage the use of secure IT products.

**Education and Awareness Raising**

The BSI has been active in Education and Awareness Raising for many years. For example, it operates the BSI Information Portal for the general public: the website www.bsi-fuer-buerger.de is still the BSI's most important source of information for private users. Since February 2011, the public has had access to a revised and improved offering which provides detailed and easy to understand information on IT security and makes it easier for people to protect their computers.

**Working Together**

Education and awareness raising on the subject of IT security has many different faces. Exchanging information and ideas and cooperating with partners and disseminators are therefore particularly significant.
For this reason, the BSI is represented on the advisory board of Deutschland sicher im Netz e.V. and supports the Anti-Botnet Advisory Center run by the eco-Association of the German Internet Industry, which opened in the fall of 2010. At the international level, the BSI is a member of the Awareness Raising Community of ENISA (European Network and Information Security Agency), and takes part in the European Union's annual Safer Internet Day with awareness-raising campaigns.

**IT Security Provider to the German Federal Government**

As the central IT Security service provider to the German federal government, the BSI is improving the level of IT security within the federal administration. In particular in the event of IT crises of national significance, it is vital to ensure that the federal government can continue to operate and take decisions by providing prepared information and competent analyses. With this in mind, several steps have been taken: an IT Crisis Response Center for the federal government has been set up at the BSI, the amendment to the BSI Act has established the BSI as a central reporting point for IT security incidents, and an IT crisis management department has been set up for the federal administration. So the administration now has an early warning system in place which enables assessments to be made and crisis response processes to be defined and practiced in accordance with crisis management principles.

**Working Together in IT Crises**

A targeted and complex attack like Stuxnet has long since been the subject of theoretical discussion. But now, for the first time, there is actual proof of the fact that with the right financial input and technical preparation, protective mechanisms can be evaded and circumvented. We need to be able to respond to this new quality of attack, since attack mechanisms as used by Stuxnet are not oriented towards the conventional task-sharing of German authorities.
Stuxnet proves that even closer coordination between authorities and more intensive collaboration with business and industry is needed. For this reason, in 2011 the federal government adopted the Cyber Security Strategy, which provides for the establishment of a Cyber Defense Center headed by the BSI and with the direct participation of the Federal Office for the Protection of the Constitution and the Federal Office of Civil Protection and Disaster Assistance, along with other authorities. There are also plans to expand cooperation with business and industry.

**Trusting the Security of Technology**

People will only use the possibilities and potential offered by IT and the internet if they trust the security of the technology concerned. Quality marks from authoritative sources and established IT security standards form the basis for this trust. With IT security standards in mind, the BSI is taking part in forward-looking projects like smart meters (intelligent energy supply meters) and Cloud Computing. For smart meters, the BSI is working with industry and data and consumer protection organizations to develop a joint protection profile. The aim of this profile is to achieve a reasonable level of security which adequately takes account of functionality as well as data protection and IT security. It is also working with manufacturers to produce minimum security standards for Cloud Computing. In addition to this, BSI certification ensures that compulsory safety standards for products are guaranteed and implemented.

Two important projects in which the BSI played a key role on the technical implementation side and which represent a step forward in terms of secure online communication and interaction are the new German ID card and De-Mail. De-Mail enables legally binding documents and messages to be sent confidentially via the internet. It increases the security of electronic communication compared with conventional methods.
The main security goals of confidentiality, integrity and authenticity in De-Mail communication are guaranteed with defined security measures. De-Mail enables the identity of the communication partners and the delivery of the De-Mail to be proved. The content of a De-Mail cannot be intercepted or changed on its journey through the ether.

In the new ID card introduced in November 2010, German citizens have more than just a new credit-card format identity document. This card also has various electronic functions which greatly improve security on the internet. These include the eID, electronic ID which people can use to prove their identity beyond doubt. A radio frequency chip (RF chip) integrated into the card contains all the information that is also displayed visually on the document. In addition, the QES (Qualified Electronic Signature) function enables the user to sign documents and declarations of intent online in a legally binding way.

**Critical Infrastructures (KRITIS)**

A particular focus of our collaboration with industry concerns the protection of critical infrastructures – a responsibility shared by the operators and the state. The BSI and operators of critical infrastructures in Germany have been working closely together since 2007 within the framework of the KRITIS Implementation Plan to discuss new threats and strategies and implement new measures. Exercises are held regularly to prepare for incidents. One of the most important exercise formats is the LÜKEX (National Crisis Management Exercise). The KRITIS companies will be working intensively on this in 2011, as an exercise on the loss of major IT systems and crisis management in this emergency situation is due to take place this year.
-----

### Bibliography

[1] Secunia Yearly Report 2010
[2] http://gs.statcounter.com/press/firefox-overtakes-internet-explorer-in-europe-in-browser-wars
[3] Trend Micro, September 16, 2009, http://blog.trendmicro.com/the-internet-infestation-how-bad-is-it-really/
[4] Damballa, 14 February 2011, http://www.damballa.com/knowledge/Feb2011report.php
[5] BITKOM press release, August 15, 2010
[6] BITKOM press release, February 14, 2011
[7] BSI surveys
[8] BITKOM press release, October 6, 2010
[9] Arbor Worldwide Infrastructure Security Report 2010

-----

### List of illustrations

Fig. 1: Development of IT threats as assessed by BSI [7]
Fig. 2: Risk potential of attack opportunities in selected applications and technologies as assessed by BSI [7]
Fig. 3: Risk profile of innovative applications and technologies as assessed by BSI [7]
Fig. 4: Number of time-critical security vulnerabilities reported by Bürger-CERT and Technical Warnings issued by CERT-Bund [7]
Fig. 5: Bandwidth increase in DDoS attacks [9]
Fig. 6: Development of spam volume in Germany since January 2010 [7]
Fig. 7: Cumulative weekly volume of spam and solicited e-mails sent from Germany [7]
Fig. 8: Spam distribution in Germany in 2010 by country of origin [7]
Fig. 9: Casino waves and total spam volume over a typical day [7]
Fig. 10: Drop zone datasets in 2010 from approx. 200 drop zones with direct link to .de domains [7]
Fig. 11: The ten biggest top level domains [7]
Fig. 12: Development of downloads and use of mobile apps for smartphones in Germany [6]
Fig. 13: Simplified diagram of a GSM mobile network [7]

-----

**Published by**
Federal Office for Information Security – BSI
53175 Bonn, Germany

**Text and Editorial Staff**
Federal Office for Information Security
DauthKaun Public Relations

**Layout and Design**
DauthKaun Werbeagentur

**Printed by**
Druckpartner Moser, Rheinbach, Germany

**Date**
May 2011

**Article Number**
BSI-LB11502e

**Distribution Office**
Federal Office for Information Security – BSI
Godesberger Allee 185 – 189, 53175 Bonn, Germany
Section 321, Information and Communication, Public Relations
Tel.: +49 228 99 9582-0, E-mail: publikationen@bsi.bund.de
internet: www.bsi.bund.de

This brochure is part of the public relations work of the German Government. It is distributed free of charge and is not intended to be sold.

-----