May 2013 – year 3, issue 3

editorial

Dear Reader,

European countries were confused by the UK, which announced it was working to build a National CERT. The confusion arises from the lack of clear definitions and indications on what a National CERT is. Apart from the guidelines published by ENISA, there is no serious plan about CERTs in Europe. How can a country measure the real impact of a CERT? Which are the lessons learned in Europe? Why are they not shared with other member states? An invitation to cyber security experts in Europe: the discussion of the directive will start in a few weeks; get involved through your government, through the many working groups and events organized in Brussels, or through us. There is still a lot of space for improvement!

Andrea Rigoni

in this issue

“Cyber security, next moves of Italy.” by Andrea Rigoni – Director-General GCSEC
“Change the conversation, change the venue and change our future” by Melissa Hathaway – President of Hathaway Global Strategies LLC
“Same ol'... password” by Alessio Coletta – GCSEC
“EU’s proposal of Directive for ensuring high common level of security across the Union” by Alessandra Lonardo – GCSEC

events

International Workshop on Cyber Crime (IWCC 2013)
Date: 24 May, 2013
Location: San Francisco
http://stegano.net/IWCC2013/

Today's societies are becoming more and more dependent on open networks such as the Internet, where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted, secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. This poses new challenges for law enforcement policies and forces the computer societies to utilize digital forensics to combat the increasing number of cybercrimes. Forensic professionals must be fully prepared in order to be able to provide court-admissible evidence. To make these goals achievable, forensic techniques should keep pace with new technologies.

International Conference on CyberCrime and Computer Forensic 2013 – 'One Digital World, Many Digital Crimes'
Date: 25-28 August, 2013
Location: Hong Kong
http://apccf.org/

Technology-related crime is an ever-growing problem with the increased application of mobile technology. The cost of cybercrime is estimated to run into USD 100 billion a year worldwide. The International Conference on Cybercrime and Computer Forensic 2013 (ICCCF2013) aims to bring together researchers and practitioners of cybercrime and computer forensics to exchange and discuss ideas on how to reduce the costs of such crime to society. ICCCF 2013 is a timely platform to discuss these pressing issues on cybercrime and computer forensics. The three-day conference will feature many research/original papers, as well as papers on emerging issues. The conference proceedings will be in electronic media and abstracts will be in printed format.

news

Why the ‘i’ in iPhone Will Stand For ‘Identity’
http://www.cultofmac.com/225352/why-the-i-in-iphone-will-stand-for-identity/

The “i” in the next iPhone will stand for “identity.” When people hear rumors and read about Apple’s patents for NFC, they think: “Oh, good, the iPhone will be a digital wallet.” When they hear rumors about fingerprint scanning and remember that Apple bought the leading maker of such scanners, they think: “Oh, good, the iPhone will be more secure.” But nobody is thinking different about this combination. I believe Apple sees the NFC chip and fingerprint scanner as part of a Grand Strategy: to use the iPhone as the solution to the digital identity problem. NFC plus biometric security plus bullet-proof encryption deployed at iPhone scale adds up to the death of passwords, credit cards, security badges, identity theft and waiting in line. The Boston Consulting Group estimates that the total value created through real digital identity will be $1 trillion by 2020 in Europe alone.

CIOs fail to protect mainframe customer testing data: 20 per cent admit to not masking or protecting their customer data
http://www.csoonline.com/article/733056/cios-fail-to-protect-mainframe-customer-testing-data

IT research agency Vanson Bourne questioned 520 CIOs worldwide on their attitudes to mainframe application testing data on behalf of Compuware. A fifth of CIOs (20 per cent) admit to not masking or protecting their customer data before providing it to outsourcers for mainframe application testing purposes. On the other end of the spectrum, 82 percent of companies that do mask their customer data before providing it to outsourcers describe the process as "being difficult". In addition, 56 percent of those that mask data say that it "negatively impacts the quality of their testing and quality assurance processes". Notably, 30 percent of companies do not provide their outsourcer with customer data at all, despite the fact that test data should reflect production data conditions as closely as possible.

Lesson from the Google office hack: do not trust third parties (many Tridium Niagara systems in use today are left unpatched, and the company acknowledges there's a problem with update deployments)
http://www.csoonline.com/article/733054/lesson-from-the-google-office-hack-do-not-trust-third-parties

The recent hack of the building management system in a Google office demonstrates how organizations should not trust third-party installers to adequately secure the technology. Cylance, a security company focused on industrial control systems, broke into the Tridium-developed Niagara system in one of Google's Australian offices and showed how it could have taken full control of whatever automation systems were attached. Instead, the company notified Google, which took the system off the Internet. Exactly what was accessible is not clear. Google said a hacker would only be able to change the temperature of the air conditioning or turn it off and on. However, the company did not go far enough with the hack to determine exactly what it could control.

Researchers find hundreds of insecure building control systems: Google's office is not the only one in Australia with vulnerable building control software
http://www.csoonline.com/article/733057/researchers-find-hundreds-of-insecure-building-control-systems

Intruders used to creep in through ventilation ducts. Now they break in using the software that controls the ventilation. Hundreds of organizations across Australia are using out-of-date industrial control systems (ICS) to control the lights, heating and cooling, access controls and even the elevators. Using the Internet to manage buildings is convenient, but it may come at a steep price, presenting new opportunities for hackers.

Domain registrar attacked, customer passwords reset: Name.com scrambles after data leak
http://www.theregister.co.uk/2013/05/09/name_dot_com_data_leak/

Reports are emerging that Internet registrar Name.com has suffered a data breach and is resetting all user passwords. The breach has been revealed in an e-mail to customers published by TheNextWeb, stating that compromised information could include usernames, e-mail addresses, passwords and credit card information – the last two of which were, however, encrypted. The company has confirmed the attack, later backing that up with news that it has used RSA 4096-bit encryption, and that the private keys required for the encrypted data were stored in a separate, remote location that wasn't compromised. Similarly, the EPP domain transfer keys were also remotely stored and not accessed.

Malaysian election sparks web blocking/DDoS claims
http://www.theregister.co.uk/2013/05/09/malaysia_fraud_elections_ddos_web_blocking/

Opposition leaders and human rights activists have warned that Malaysia’s recent elections were tarnished with widespread web blocking and DDoS attacks designed to deprive voters of information about the opposition coalition Pakatan Rakyat (PR) before going to the polls. Barisan Nasional (BN) extended its 56-year rule by storming to victory on Sunday, winning 133 parliamentary seats out of a total of 222 while PR managed just 89, even though the result was expected to be much tighter. PR leader Anwar Ibrahim immediately branded the elections a fix, claiming widespread fraud and even that the ruling coalition had flown in tens of thousands of “phantom voters” from Borneo states to help sway the result. Several independent sources have argued that online censorship was also used to disrupt the opposition’s campaign efforts in the run-up to the elections.

Senators introduce bill that would flag countries, products that benefit from espionage
http://www.scmagazine.com/senators-introduce-bill-that-would-flag-countries-products-that-benefit-from-espionage/article/292523/

A group of senators has responded to the widely broadcast threat of foreign cyber espionage with the introduction of new legislation that calls for the creation of a "watch list" of countries believed to be engaging in such acts and the blocking of certain imports. The bipartisan Deter Cyber Theft Act, introduced on Tuesday, charges James Clapper, the director of national intelligence, to prepare a list of nations believed to be participating in economic or industrial espionage against U.S. companies. He also must build a "priority" list of the countries he judges are engaging in the most "egregious" forms of digital spying, according to the proposed legislation (PDF). In addition, he must chronicle the technologies that are being targeted by the espionage, and a list of products that are created as a result of any hijacked information. The proposed law would then require the president to bar the import of products containing this technology or ones that benefited from stolen information.

Stealthy Web server malware spreads further: Eset has found a malware program targeting Apache servers also affects the Lighttpd and Nginx web servers
http://www.csoonline.com/article/732994/stealthy-web-server-malware-spreads-further

A stealthy malicious software program is taking hold in some of the most popular Web servers, and researchers still don't know why. Last week, security companies Eset and Sucuri found Apache servers infected with Linux/Cdorked. If that malware is running on a Web server, victims are redirected to another website that tries to compromise their computer. Marc-Etienne M. Leveille of Eset wrote that the company has found 400 Web servers infected so far, of which 50 are ranked in Web analytics company Alexa's top 100,000 websites.

India introduces Central Monitoring System: phone calls, texts, emails and even social media all now snoopable
http://www.theregister.co.uk/2013/05/08/india_privacy_woes_central_monitoring_system/

Privacy advocates are up in arms after the Indian government began quietly rolling out a Rs.4 billion (£47.8m) Central Monitoring System (CMS) designed to give the authorities sweeping access to citizens’ phone calls and internet communications in the name of national security. The scheme is initially thought to have been conceived as a response to the threat of terrorism, such as the 2008 Mumbai attacks which killed over 150 people and injured hundreds more. However, the CMS will not only be used by law enforcement but also by the tax authorities, and it offers the government a single point of access to “lawfully” intercept voice calls and texts, emails, social media and the geographical location of individuals, the Times of India reported.

Stats confirm that trojans spreading, malware being built at record rates
http://www.scmagazine.com/stats-confirm-that-trojans-spreading-malware-being-built-at-record-rates/article/292188/

Trojans continue to dominate the threat landscape, according to Panda Security's latest quarterly report. The anti-virus maker found that between January and March of this year, more than 6.5 million new malware strains were built, with trojans comprising 75 percent of those. In total, trojans were responsible for 80 percent of global computer infections – a record – far outpacing worms, viruses and adware. Across the globe, researchers discovered that more than 31 percent of PCs have been seeded with malware, with machines in China experiencing the highest infection rates (around 50 percent). In the United States, PandaLabs said 28 percent of computers are infected nationwide, numbers that roughly correspond to previous versions of the report.

“Cyber security, next moves of Italy.” by Andrea Rigoni – Director-General GCSEC

Article originally published on Agendadigitale.eu (Italian language): http://www.agendadigitale.eu/smart-cities-communities/313_cyber-security-le-prossime-mosse-dell-italia.htm

It is important that in the coming months the country starts to work on its strategy, aligning with the requirements defined by the European Union: creating a national authority for cyber security, starting the National CERT and the Public Administration CERT, and developing a draft for information sharing between the public and private sectors.

February and March have been busy months on the topic of cyber security: in a few weeks the European Strategy, the draft European Directive and the Decree of the President of the Council of Ministers in the field of security of cybernetic space have been released. Although the Directive is still under discussion in parliament, it should be noted whether the Italian strategy is in line or not with the principles of Brussels. The Directive requires each Member State to adopt a "National Competent Authority on security of networks and information." Italy does not have an Authority and will not have one in the short term, as the Prime Minister's Decree does not provide for the creation of an Authority, but rather assigns the responsibility for coordination to three different offices, two of which are collegial, the CISR – Inter-Ministerial Committee for the Security of the Republic and the CISR Technical, and one, the Cybernetics Core Security, within the Office of the Military Adviser at the Presidency of the Council of Ministers. Although in the case of European Directives the member States have the opportunity to transpose them with changes that adapt them to the specific national model, in this case the organizational model identified by the PDCM will hardly meet the expectations of Brussels. To complicate the matter there is also the National CERT: again in accordance with the Directive, this should report to the Authority, while in our case it reports to the Ministry of Economic Development. In fact, definitions aside, the Prime Minister's Decree provides that the Operative Core at the office of the Military Advisor performs the typical functions of a CERT: incident management, national crisis management and sharing of information between all relevant bodies.

While there is a potential overlap of roles between the Cybernetics Core Security and the National CERT, on the other side we would be partially aligned with the Directive. This overlap still must be addressed as soon as possible in order to avoid duplication of efforts in a historical moment in which the reduction of costs and increased energy are key principles of the Government's strategy. The second key theme of the Directive is the exchange of information between national authorities and between authorities and national public and private stakeholders. On this theme, the decree is vague and does not provide any indication of the way in which a system of information sharing can be started in Italy. Many countries, including the U.S., Great Britain and the Netherlands, have for years had national projects of information sharing, but to date the real benefits are still to be proven. The exchange systems are still immature, there is no standard for the description of threats, and the human component is still a determining factor in the exchange, slowing the process of sharing and limiting the scalability of the system.

Brussels also does not yet have very clear ideas on information sharing, and demonstrated this when mentioning the use of the S-TESTA network to enable the national authorities to exchange information. S-TESTA is a classified network built at the beginning of the last decade which connects the 27 member states. Each country has at least one S-TESTA node, usually within the Ministry of the Interior. It is a classified network and therefore its access is limited to those organizations and people who have security clearance. Although the use of a classified network is correct for government and military applications, for the private sector it is inhibitory. In the past, the European Commission launched a project for information sharing for critical infrastructure called CIWIN – Critical Infrastructure Warning Information Network. The use of a classified network has been ranked as one of the factors that led to the abandonment of the project: the majority of the member States failed to involve the critical infrastructures because of the limits of the use of a classified system. In Italy, the largest private operators are strongly interested in participating in and supporting a national initiative, as discussed both during the hearings of the control room for the Italian Digital Agenda and during the meeting of December 5, 2012 held at the MISE, which was attended by the big national players and by various world-renowned experts like Melissa Hathaway (former Chief of Cyber Security in the Administrations of G.W. Bush and Obama), John Stewart (Chief Security Officer of Cisco Systems) and Freddie Dezure (Director of CERT-EU). Among other things, it should be mentioned that Italy has developed a successful project on information sharing in the fight against cybercrime: the Postal Police, in collaboration with the British Police and the Romanian Police, has developed an advanced system of information exchange with the banks, named OF2CEN. The project was partially funded by the European Commission and is carried out with the collaboration of the GCSEC Foundation created by Poste Italiane.

It is important that Italy in the coming months starts to work on its strategy, aligning with the requirements defined by the European Union: a) creating a national authority for cyber security; b) initiating the National CERT and the Public Administration CERT; c) developing a project of information sharing between the public and private sectors, building on the achievements already made in Italy by the OF2CEN project.

“Change the conversation, change the venue and change our future” by Melissa Hathaway – President of Hathaway Global Strategies LLC

Article originally published on cigionline.org: http://www.cigionline.org/publications/2013/5/change-conversation-change-venue-and-change-our-future

The Internet, together with the information communications technology (ICT) that underpins it, is a critical national resource for governments, a vital part of national infrastructures and a key driver of economic growth. Over the last 40 years, and particularly since the year 2000, governments and businesses have embraced the Internet, and ICT’s potential to generate income and employment, provide access to businesses and information, enable e-learning and facilitate government activities. In some countries, the Internet contributes up to eight percent of gross domestic product (GDP), [1] and today, businesses around the world tender services and products through the Internet to more than 2.5 billion citizens using secure protocols and electronic payments. Services range from e-government, e-voting, e-banking, e-health and e-learning to next generation power grids, air traffic control and other essential services, all of which depend on a single infrastructure. [2] The Internet is the fuel of the global economy and the backbone of the international financial system. Recent reports suggest that the industrial Internet opportunity (through modernization) represents a 46 percent share of the global economy. [3] No country can afford to put its economy at risk.

Increasingly, though, the availability, integrity and resilience of this core infrastructure are in harm’s way. For example, in March 2013, cyber criminals successfully launched a virus that penetrated the defences of multiple financial institutions in South Korea, including Shinhan Bank, the country’s fourth-largest bank, as well as two other banks — NongHyup and Jeju. The motive was destruction of data using malware similar to that used in the recent incident against Saudi Aramco, which destroyed data and rendered the main operating systems of computers useless. Additionally, a distributed denial of service (DDoS) campaign has been underway for the last year against the United States’ top financial institutions, including JPMorgan Chase, Bank of America, Citigroup, U.S. Bank and PNC. The DDoS attacks are reaching levels at which the telecommunications providers can no longer guarantee quality of service. In both cases, Internet banking services are being degraded or blocked outright, and other e-services disrupted. These and other attacks and disruptions of Internet activity and connectivity have significant implications for global trade and global business continuity.

In addition, many governments now realize that their GDP growth is being eroded by a wide range of nefarious cyber activities. For example, it is estimated that the Group of Twenty (G20) economies have lost 2.5 million jobs to counterfeiting and piracy, and that governments and consumers lose US$125 billion annually, including losses in tax revenue. [4] The United Kingdom estimates that it is losing £27 billion per annum to cybercriminals. [5] Furthermore, research by TNO, an independent research organization in the Netherlands, has shown that cybercrime costs Dutch society at least 10 billion euros per annum, or 1.5 to two percent of its GDP. This loss is equal to the Netherlands’ economic growth in 2010. [6] No nation can afford to lose even one percent of its GDP to illicit cyber activities.

To counteract these risks, some governments and businesses are turning to international venues, seeking mechanisms to drive a path toward international cooperation and increased government intervention to “assert control,” all as part of an effort to manage exposure to cyber insecurity. These diplomatic discussions are emerging in dozens of international bodies, including: the United Nations, the Group of Eight (G8), the Organization for Security and Co-operation in Europe, the North Atlantic Treaty Organization, the European Union, the Council of Europe, the Asia-Pacific Economic Cooperation forum, the Association of Southeast Asian Nations, the Organization of American States, the Organisation for Economic Co-operation and Development (OECD), the International Telecommunications Union (ITU) and the International Organization for Standardization. Unfortunately, these fora are suffering from an operational collision of competing interests — privacy, piracy (for example, intellectual property protection), sovereignty and security (for example, corruption, theft, crime, espionage, war) — that are stifling progress. [7] The cacophony of voices and the lack of a clear action agenda suggest that it is time to change the conversation and establish executive ownership among those who have the most to lose.

Many governments now realize that their GDP growth is being eroded by a wide range of nefarious cyber activities. Why not then place this agenda item on the G20 table? [8] It is time to couple diplomacy with our national interest. The G20 represents 90 percent of global GDP, 80 percent of international trade and 64 percent of the world’s population. The leaders of the G20 could simplify the cybersecurity conversation and focus the world on enabling GDP growth, while limiting GDP erosion. This approach has a built-in advantage in that its membership includes Brazil, Russia, India, China and South Africa (the BRICS) with equal voices at the diplomatic table. In fact, it may be the only international forum that could propagate a simple narrative that communicates why a sustainable cyberspace is linked to GDP growth for every nation.

Currently, Russia is at the helm of the G20 and it has organized the agenda around three overarching priorities aimed at starting the new cycle of economic growth: growth through quality jobs and investment; growth through trust and transparency; and growth through effective regulation. Russia could leave its mark on the world by leading this conversation in the G20 now, and shepherd it forward as it assumes the presidency of the G8 in 2014. It could also lay the foundation for Australia to build upon as it assumes the presidency of the G20 in 2014. [9] Brazil could echo the need for this leadership as it steps on to the world’s stage to host the FIFA World Cup in 2014 and the 2016 Olympic Games.

Practical steps could be taken to add cybersecurity to multiple tracks of the current G20 program, including:

• Building infrastructure and providing inclusive access to basic amenities (such as high-speed broadband communications) to spur economic growth. Agenda item: Development for All.

• Supporting the Financial Stability Board with an information sharing forum/methodology to enable banks to better protect themselves from malicious cyber activities. Agenda item: Strengthening Financial Regulation. Alternatively, this same item could be addressed in the Agenda item: Fighting Corruption. Cybersecurity, fraud and e-crime could fit into the sub-tracks of deepening the engagement of the business community or eradicating corruption in major international events.

• Curbing protectionism and strengthening the development of multilateral trade (by limiting e-crime, especially across borders). Agenda item: Enhancing Multilateral Trade.

The G20 has an opportunity to articulate a vision for shaping the Internet economy for the next five to 10 years. The power of the leadership of this body, combined with its ability to assemble and speak to a simple, positive narrative for cybersecurity anchored in our collective economic well-being (and GDP growth), could be a watershed event. The GDP erosion that all nations are suffering places cybersecurity within the legitimate processes and “architecture” of international economic governance. By changing the conversation to being about the economy and growth, this approach would enable the G20 to de-escalate the militarization and balkanization of the Internet. It has the added benefit of enabling Russia to demonstrate executive ownership of the topic (especially cybercrime), potentially changing the dynamics between the United States and China, and changing the conversation from attack and war to economic well-being and GDP growth. Perhaps we should take a lesson from Sun Tzu, who instructs in The Art of War that “on the ground of intersecting highways, join hands with your allies.” The United States and other global leaders must marshal political will to change the cybersecurity conversation. As the main economic council of wealthy nations, the G20 is the right venue to move forward.

© 2013 Hathaway Global Strategies, LLC

Melissa Hathaway is president of Hathaway Global Strategies LLC and a senior advisor at Harvard Kennedy School’s Belfer Center. She served in two US presidential administrations, where she spearheaded the Cyberspace Policy Review for President Barack Obama and led the Comprehensive National Cybersecurity Initiative for President George W. Bush. Ms. Hathaway is a frequent keynote speaker on cybersecurity matters, and regularly publishes papers and commentary in this field.

Endnotes:

[1] From David Dean et al. (2012). The Digital Manifesto: How Companies and Countries Can Win in the Digital Economy. Boston Consulting Group report. Perspectives, 27 January.

[2] From Peter C. Evans and Marco Annunziata (2012). Industrial Internet: Pushing the Boundaries of Minds and Machines. General Electric report. 26 November. Page 13.

[3] Services and applications include, but are not limited to: e-mail and text messaging; voice-over-IP-based applications; streaming video and real-time video-conferencing; social networking; e-government; e-banking; e-health; e-learning; mapping; search capabilities; e-books; and IPTV over the Internet.

[4] From Frontier Economics London (2011). Estimating the Global Economic and Social Impacts of Counterfeiting and Piracy. A report commissioned by Business Action to Stop Counterfeiting and Piracy. Paris: ICCWBO. Page 47.

[5] From UK Cabinet Office and Detica (2011). Cost of Cyber Crime. A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office. Available at: www.gov.uk/government/uploads/system/uploads/attachment_data/file/60942/....

[6] The research article is available at: www.tno.nl/content.cfmcontext=overtno&content=nieuwsbericht&laag1=37&laag2=69&item_id=2012-04-10%2011:37:10.0&Taal=2.

[7] Another view regarding the ideological disagreements regarding the Internet, by Michael Joseph Gross, can be found at: www.vanityfair.com/culture/2012/05/internet-regulation-war-sopa-pipa-defcon-hacking.

[8] This has the added benefit in that it provides a more focussed international venue in which to bring the cybersecurity conversation, while at the same time complementing other agendas of the ITU, OECD and similar fora.

[9] A schedule of forthcoming G20 meetings is available at: www.uschamber.com/sites/default/files/international/files/G20_RUSSIAN_PR....

“Same ol'... password” by Alessio Coletta – GCSEC

It is an old story and everybody in ICT security keeps warning us: passwords are insecure. To be precise, access control mechanisms that are based exclusively on passwords are neither secure nor desirable. Nevertheless, everybody keeps using password-based authentication, even developers of new services. The main reason to use passwords lies in their simplicity. In the early days of ICT, when a black and green screen with a keyboard was the only way to interact with a computer service, and a user had only a couple of secrets to remember, password-based mechanisms were probably the best way to keep unauthorised people away. Simple and very effective. Nowadays this is not the case any more, because of the bigger spectrum of users, the wider attack surface of web-exposed services, and the ever-growing number of passwords we have to remember. We have already written about this topic in a previous issue of this newsletter, talking about the notorious case of the LinkedIn password compromise in 2012 and the related technical aspects. However, there is a non-technical and crucial reason why passwords are not the best way of securing our data and systems: people choose passwords, which are as strong as they decide, and little can be done to enforce wise choices. This means that there will always be thousands of mothers using their children's birthday as a password, and they will use it for all their accounts. Of course it is possible to improve security awareness, but assuming that a user will use a long and complicated password,

“Same ol'... password” by Alessio Coletta - GCSEC

unique for each service, and that he or she will remember it and change it every six months, sounds just naïve. Hence, every system relying only on passwords is intrinsically insecure and alternative solutions should be found. So why do we still use passwords for identity authentication and access control? Several alternatives already exist. Authentication credentials are generally divided into three categories: something we are (biometrics), something we have (secure tokens, mobile-generated codes), and something we know (passwords and secrets). Combining two of these categories is commonly known as two-factor authentication (2FA). For instance, a service may ask for username and password as usual, and then also for a number generated on the mobile phone. This is how Google hardened its services with Google Authenticator (http://en.wikipedia.org/wiki/Google_Authenticator), and the user experience is still quick and easy, thanks to a proper use of cookies that spares us from picking up the phone every single time we use a Google service. Early this year Google's Vice President of Security Eric Grosse and engineer Mayank Upadhyay disclosed that Google is experimenting with tiny USB keys for logging into Google services; the USB device takes the place of Google Authenticator in generating the one-time code. But in an era when companies monetise the number of their loyal customers, any security measure that bothers a user and discourages sign-up is treated as a hassle and avoided unless strictly necessary. Maybe that is why Facebook does not really encourage two-factor authentication, even though it is offered. Two-factor authentication built on top of a password is only a partial solution. Some security experts argue that 2FA is perceived as more secure while it is not.
The argument is that the server side has to handle and store more information, one piece for each factor, and an attacker who compromises the server may obtain both pieces, with no security improvement at the end of the day. The point is sharpest for mobile-generated codes: a password can be stored as a salted hash, but the seed of a time-based code must be stored in a form the server can use to recompute the code, so a database breach yields working seeds rather than hashes to crack. Moreover, suitable malware on desktops and mobile phones can get around many 2FA mechanisms, for instance by relaying a freshly generated code before the legitimate user has used it. In some cases 2FA is based on hardware devices like fingerprint readers or smart cards, and the limited availability of such devices slows the spread of 2FA solutions. Many experts are keen to replace authentication passwords completely. Possible replacements have always existed, e.g. authentication methods based on SSL client certificates or PGP keys. However, keys and certificates must be stored on external secured devices like smart cards, because plain local encrypted storage is not an option, as it requires a password. These devices can be stolen, and then require another security factor. In order to completely replace passwords, it seems appropriate to use biometric solutions. The disadvantages of biometrics are that some solutions are not mature enough, they are more expensive, and the supporting hardware is usually not widespread. Moreover, sometimes higher security is not worth its cost: in 2005 in Malaysia thieves stole an expensive car fitted with a fingerprint-based ignition system, and they also cut off the owner's index finger (http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm). A creepy but true story that makes us think harder about the consequences of security measures. While we wait for good and feasible replacements for passwords, most computer users can use password managers. Mac OS users can use the one provided by the system and integrated in several core applications. Linux distributions provide similar managers by default as well. Windows users should use third-party open-source software like KeePass (also available for Linux and Mac OS): it manages password databases which are encrypted with a master password and/or a key file that can be kept on an external USB key for extra safety.
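The two points above, how a "number generated by the mobile phone" is actually computed and why the server ends up holding a usable second secret, are easier to see in code. The following is an added example, not code from the article or from Google: it implements RFC 4226 HOTP and RFC 6238 TOTP (the algorithm Google Authenticator uses), the otpauth enrollment URI an authenticator app imports, and a small server-side account record. The account name, issuer string, iteration count and the demo seed are assumptions chosen for the example (the seed is the RFC 6238 test vector, so the codes can be checked against the RFC).

```python
import base64
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); this is what the phone app computes."""
    return hotp(secret, unix_time // step, digits)


def enrollment_uri(secret, account, issuer="ExampleService"):
    """otpauth:// URI (base32 seed) that authenticator apps import from a QR code. Issuer is an assumed name."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s" % (issuer, account, b32, issuer)


def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256 verifier: the server never needs to keep the password itself."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class Account:
    """Server-side record for one user enrolled in password + TOTP."""

    def __init__(self, password, totp_secret):
        self.salt, self.pw_hash = hash_password(password)
        # The TOTP seed cannot be one-way hashed: the server must recompute the same
        # code the phone shows. A database breach therefore yields usable seeds,
        # which is exactly the weakness the article points at.
        self.totp_secret = totp_secret
        self.last_counter = -1  # replay guard: every time step is accepted at most once

    def verify(self, password, code, now, step=30, drift=1):
        _, candidate = hash_password(password, self.salt)
        pw_ok = hmac.compare_digest(candidate, self.pw_hash)
        code_ok, used = False, None
        current = now // step
        # Tolerate +-drift steps of clock skew, but never a step already consumed.
        for c in range(current - drift, current + drift + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                code_ok, used = True, c
                break
        # Both factors are always evaluated, so a bad password does not short-circuit
        # and reveal, through timing, whether the code alone was right.
        if pw_ok and code_ok:
            self.last_counter = used
            return True
        return False


if __name__ == "__main__":
    # Constructed demo seed; it is the RFC 6238 test seed, so totp(seed, 59) == "287082".
    seed = b"12345678901234567890"
    acct = Account("correct horse battery staple", seed)
    print(enrollment_uri(seed, "alice@example.org"))
    print(acct.verify("correct horse battery staple", totp(seed, 59), 59))  # True
    print(acct.verify("correct horse battery staple", totp(seed, 59), 59))  # False: replayed code
```

Note what the record contains: a hash for the password, but the raw seed for the second factor. Encrypting the seed column at rest limits the damage from a dumped database, but a server that can verify codes can always recover the seed, which is why a stolen server-side secret store defeats this kind of 2FA just as the article says.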

This solution should be good enough for most users, until feasible password replacements become available. Expert Linux users can also try different combinations of authentication methods provided by PAM modules. And of course for web applications there are online password managers, like LastPass, that use client-side encryption and are considered secure enough for most people. For people who really want to choose and remember their own passwords, an old but good picture gives some hints. Most readers have already seen it; if you haven't, here it is: http://xkcd.com/936/
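What "encrypted via master password and/or a key file" means in practice, for KeePass-style managers and for the client-side encryption of online managers, is shown by the following added example. It is not KeePass or LastPass code and does not reproduce their file formats or ciphers: the composite-key idea (hash the password, hash the key file, hash the concatenation, then stretch with PBKDF2) follows KeePass's scheme, while the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real vault should use an AEAD such as AES-GCM or ChaCha20-Poly1305. The sample entries, key-file bytes and iteration count are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct


def composite_key(password, key_file=b"", salt=b"", rounds=100_000):
    """KeePass-style composite key: SHA-256(password) || SHA-256(key file) -> SHA-256 -> PBKDF2.
    With a key file in use, the correct password alone still yields the wrong key."""
    material = hashlib.sha256(password.encode()).digest()
    if key_file:
        material += hashlib.sha256(key_file).digest()
    composite = hashlib.sha256(material).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=64)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def lock(entries, password, key_file=b""):
    """Serialise the entries and encrypt-then-MAC them under the composite key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k = composite_key(password, key_file, salt)
    enc_key, mac_key = k[:32], k[32:]
    plain = json.dumps(entries, sort_keys=True).encode()
    cipher = _xor(plain, _keystream(enc_key, nonce, len(plain)))
    tag = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    return salt + nonce + cipher + tag


def unlock(blob, password, key_file=b""):
    """Check the tag before decrypting: wrong password, wrong key file and a modified blob all fail here."""
    salt, nonce, cipher, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k = composite_key(password, key_file, salt)
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or key file, or vault tampered with")
    return json.loads(_xor(cipher, _keystream(enc_key, nonce, len(cipher))).decode())


if __name__ == "__main__":
    # Constructed sample vault and key file (in practice the key file lives on a USB stick).
    key_file = os.urandom(64)
    vault = lock({"mail": "Tr0ub4dor&3", "bank": "correct horse battery staple"},
                 "master-passphrase", key_file)
    print(unlock(vault, "master-passphrase", key_file))
    try:
        unlock(vault, "master-passphrase")  # right password, key file missing
    except ValueError as e:
        print("unlock without key file:", e)
```

The key file is what turns "something you know" into "something you know plus something you have": an attacker who copies the vault and guesses the master password still cannot derive the key without the file, and the salt plus PBKDF2 rounds make each guess cost real work. The same pattern is what an online manager runs inside the browser, so that only the locked blob ever reaches the provider.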

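As an added example of the PAM stacking mentioned above (not from the article and not GCSEC's own configuration), the excerpt below assumes a Debian-style /etc/pam.d/sshd, the open-source Google Authenticator PAM module (pam_google_authenticator.so) installed, and each user having run the google-authenticator tool to create the seed file in their home directory. With it, sshd asks for the account password first and then for the TOTP code from the phone:

```text
# /etc/pam.d/sshd (excerpt)
# first factor: the normal system password stack
@include common-auth
# second factor: TOTP code; "nullok" lets users who have not enrolled yet log in with the password only
auth required pam_google_authenticator.so nullok

# /etc/ssh/sshd_config (the two settings the PAM stack needs)
UsePAM yes
ChallengeResponseAuthentication yes
```

Drop "nullok" once every account is enrolled, otherwise an attacker who deletes a user's seed file is back to password-only login.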
GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy www.gcsec.org

“EU’s proposal of Directive for ensuring high common level of security across the Union” by Alessandra Lonardo - GCSEC

It is well recognised that information systems may have vulnerabilities. Incidents may occur due to human error, natural disasters, technical failures or malicious attacks. The Commission has repeatedly stressed that a lack of Network and Information Security (NIS) can compromise services of extraordinary importance, resulting in significant financial losses for the EU economy, and may adversely affect social welfare. The proposed Directive is a key component of the overall EU strategy and will require all Member States, key internet enablers and critical infrastructure operators - such as e-commerce platforms, social networks, energy operators, transport systems, banking and healthcare services - to ensure a secure and trustworthy digital environment throughout the Union. According to a study conducted by Symantec and the Ponemon Institute, data breaches are relevant threats that can cost a company millions of euros, with equally significant side effects such as reputational damage and loss of customers and market share. The report takes into account a wide range of direct business costs, including forensic experts and outsourced hotline support, and indirect costs such as in-house investigations and communication. A 2012 PwC survey found that 93% of large corporations and 76% of small businesses had suffered a cybersecurity breach in the past year.

The Council of Ministers of the European Union, on the occasion of the Ministerial Conference on the protection of critical information infrastructures (Balatonfüred, April 2011), had already called on Member States to set up national CERTs, to adopt national security strategies and to develop contingency plans for national cyber incidents. The proposed Directive draws directly on these considerations and includes:

a) the adoption by each Member State of a national NIS strategy and a national NIS cooperation plan (Article 5);
b) the designation of a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents (Article 6);
c) the establishment of computer emergency response teams (CERTs), tasked with handling incidents and risks on the basis of a well-defined process;
d) the establishment of a cooperation mechanism between the Member States (through the competent authorities), the Commission and, where relevant, ENISA, serving several purposes, including the exchange of sensitive and confidential information through a secure infrastructure;
e) an early-warning system on risks and serious incidents, together with coordinated response plans in accordance with the Union NIS cooperation plan. The need for all Member States to have a minimum level of capacity is becoming more and more important. Consequently, public administrations and operators of critical information infrastructures will have to implement risk management practices and report major security incidents affecting their core services. This cooperation network can also become the stage for discussions and assessments on issues raised by one or more Member States or by the Commission itself, in terms of the effectiveness of CERTs, national strategies, national cooperation plans, best practices and capabilities. In the same context, the competent authorities may organise exercises at Union level (Articles 9 et seq.);
f) an obligation on Member States to ensure that public administrations and market operators notify the competent authority of incidents that have a significant impact on the security of the core services they provide. The Commission shall be empowered to define, by means of implementing acts, the formats and procedures applicable for this purpose (Article 14).

Member States will have to implement the Directive within 18 months of its adoption by the Council and the European Parliament.