Bundestag Hack: Possible Backgrounds and Defense Methods

Bundestag Hack

Here at Univention, we are of course also concerned by the attack on the German parliament’s IT infrastructure, better known as the “Bundestag hack”. To recap: It appears that there were some bogus e-mails there including links to malware. A number of the Windows PCs in the Bundestag’s “Parlakom” network were or may still be infected with the malware, which is alleged to have searched for and copied certain confidential Word documents. According to a report in the Tagesspiegel (German) newspaper, this allowed the hackers to gain “administration rights for the infrastructure”. The attack was conducted as an “advanced persistent threat” or “APT attack” for short: in other words, a complex, multi-phase attack on the German parliament’s “Parlakom” IT network.

How IT systems can be taken over

There are a whole host of “classic” approaches for taking over IT systems, such as the exploitation of security vulnerabilities in the software, the interception or guessing of passwords (brute force attacks) and the cracking of password hashes. These methods are well known and it is comparatively simple to reduce the risk of such attacks’ being successful. The requisite measures are: regular, comprehensive and rapid installation of updates, encryption of sensitive data and network communication using state-of-the-art encryption standards, the use of sufficiently long passwords, logging of failed login attempts and blocking of user accounts with too many failed attempts, the use of salted password hashes (the salt converts two identical passwords into different hashes), iteration of the hash functions (rounds) and changing passwords regularly.

1 Year Univention North America: The Move across The Pond

140826_Kevin_Dominik_KorteWhen I started at Univention’s Professional Services in Germany, one of the questions I was asked was “Where do you see yourself in 5 years?”. Being prepared for the interview, my answer was a mixture of showing my idea of working with customers, my understanding of the technologies of UCS as well as my personal goals and dreams. Looking back to my answers in our HR folder, I have to admit that life has taken many turns that I didn’t plan for. Today, I’m no longer working in Professional Services. For a bit over a year, I’ve been Univention’s North American Operations dealing not only with technical projects but also with Sales, PR and Management as a whole.

What better chance is there to look back at the challenges and opportunities our move to the US has presented to us at Univention. I will look at the problems we could solve for our customers, the technical challenges UCS has mastered and how it changes us as a company when striving for perfection. For this reason, I’m happy to introduce this short series of blog posts looking back at the past and giving an outlook into the future:

Make money with Open Source software

Even today, the general consensus still stubbornly persists that Open Source software is developed by ponytailed computer geeks as a hobby in the middle of the night. It’s admittedly a very romantic notion, but one which only reflects the reality to a certain extent.

The Linux Foundation recently published a very interesting document on who actually contributes to the Linux kernel. Since 2005, some 11,800 individual developers from around 1,200 different companies have contributed to the Linux kernel. The fact that recently at least 88.2% of the improvements came from people who are also paid for this work – a growing trend – is proof that more and more IT professionals are also working on Linux.

First UCS Training in the United States

Blue skies, red sunset and a training room overlooking lake Washington. In this setting, the first UCS Training in the United States ended in Kirkland, WA, a Seattle suburb. Despite the initial challenge of offering training courses around the world, Univention North America welcomed the first participants to learn about the finer details of operating a domain based on Univention Corporate Server.

Problems of connecting to the various Amazon Cloud images were quickly solved and soon the participants and me, as their trainer, went into discussing the various questions from either the training or their production sides.

The advanced level of the participants quickly allowed for an in-depth look at more advanced topics such as Samba debugging and changing UMC templates, allowing both the participants and us as Univention to take home new insides into UCS as a product and the skills needed to run bigger domains.

Vijay Sankar, ForeTell Technologies Limited:

“Thanks again for your excellent class and for patiently answering all
sorts of questions.”

German “Gründlichkeit” (Thoroughness)

What’s the difference between us Germans and, let’s say Americans, if our spying or security agencies instruct the industry to provide them with all relevant data needed to “spy on friends”?

In keeping with tradition, we don’t do things informally. We document procedures in a proper contract that obliges all parties to confirm in writing that all information within the document is accurate and complete. What can we do, we are bureaucrats.

In the “Agency Contract ‘Transit'”, which has just been published, it is revealed that the German foreign intelligence service BND has been buying available “telecommunication” information from the Deutsche Telekom for a bargain of 6,800 EUR per month. That gives plenty of room for speculation about
the real reward.

Community-developed Open Source solutions in a corporate environment

Enterprise Open Source solutions
To deliver a value, every infrastructure needs applications. If you review the Open Source business solutions market, community-developed Open Source solutions are often among the very best solutions. Examples are Redmine (project and process management), WordPress (publishing and blogging), DokuWiki (wiki), Subversion & Git (version control), Discourse (forum) and many more. Also, some renown companies like SugarCRM, NetSuite, and Suse have grown out of community-developed Open Source projects.

A large community ensures ongoing enhancements and the solution usually has numerous, helpful plug-ins and themes, so that it can be used for multiple business requirements. Furthermore, the speed with which new features are released is often impressive. From a functional point of view, the result is usually just great.