Is Mobile Telephony via GSM still Secure enough?

As all of you have most probably heard, on 28 December 2009 a German computer engineer announced at the CCC in Berlin that he had cracked the A5/1 cipher used in GSM communication. This would mean that someone could eavesdrop on confidential information exchanged via a cell phone.

I have asked my Cryptography Competence Center around Prof. B. Esslinger to analyze the risk and to provide a security report with further details and recommendations, which you can find below. More information about the work of Prof. Esslinger and the open source crypto community can be found on the project page at http://www.cryptool.org/index.php/en.html
 
Currently, we still see the risk as acceptable, and from a technical point of view the situation is under control. However, this might change very soon, and therefore this risk area must be continuously monitored.
 
NOTE: In general, phones, especially cell phones and cordless phones, shall not be considered as secure communication devices. For business areas with high confidentiality requirements, the usage of encrypted mobile phones is strongly recommended.

I really like the report and therefore I wanted to share it with all of you, as you may have the same questions or requirements in your area of responsibility.

Cheers
-Andreas


Happy New Year and all the best for 2010!

Now that 2009 is over, I want to give you a quick summary of what happened and how we as the ITRiskSpace.com team see the future. I want to thank you all for the support and commitment we have received from all of you. Please join us in the future as well.

 

Enjoy

-Andreas


What I Look for When Hiring IT Security Staff

As most of you already know, I have taken on a new role since October 1st. I have switched from the Pharmaceutical to the Financial world, and many people have asked me why I am doing this at a point in time when the financial world is under big pressure. One special request I received came from the Microsoft TechNet team. They asked me to write down for them what I'm looking for when I hire a new IT Security staff member. TechNet has gone live with the article in the meantime, and as I received very positive feedback I want to publish it here as well. Link
