Saturday 6 July 2013

PRISM: EU warns of serious consequences for cloud computing vendors in the wake of spy scandal

European Parliament
Neelie Kroes has warned of "multi-billion euro consequences" for cloud service providers if customers can no longer trust their security measures in the wake of the PRISM hacking scandal.
"If businesses or governments think they might be spied on, they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out," said Kroes, the vice president of the European Commission (EC) who speaks regularly on digital issues.
She said that customers who allow their cloud suppliers to hold sensitive information will find themselves in a difficult position: "Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes?" she asked.
Customers would see sense and look elsewhere, according to Kroes, with US vendors bearing the brunt of the damage: "Front or back door - it doesn't matter - any smart person doesn't want the information shared at all," she said. "Customers will act rationally, and providers will miss out on a great opportunity.
"In this case it is often American providers that will miss out, because they are often the leaders in cloud services."
But she said that while privacy is a "fundamental right", it should not be entirely down to policy makers to produce legislation for cloud providers to put stronger security measures in place. Instead, she said in the interest of an open and competitive market, cloud vendors should put their own security measures in place as they see fit, saying "privacy is not only a fundamental right, it can also be a competitive advantage."
"Companies focused on privacy need to start coming forward into the light... 2013 is the year," she concluded.
This week, allegations emegered suggesting EU buildings were bugged and EU computer equipment was hacked, with the EC labelling the incidents "deeply disturbing".

Google unmoved by ICO £500,000 fine threat over privacy policy changes

google logo search engine seo
Google appears unmoved by the threat of a potential fine of up to £500,000 from the Information Commissioner's Office (ICO) after it was told that it needs to update its privacy policies.
Google pushed ahead with a number of major policy changes last year, causing uproar at the time, and the Information Commissioner’s Office (ICO) vowed to investigate.

Now, in an update on its work, the data watchdog said it believes Google’s policies are not in line with UK law and should be updated. 

“We have today written to Google to confirm our findings relating to the update of the company’s privacy policy,” an ICO spokesperson said in a statement. “In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.”
However, in response, Google issued a vague statement claiming it does adhere to UK laws, but it made no direct comment about the ICO's letter or its contents, or an intention to make any changes.

The statement said: “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we’ll continue to do so going forward."

The ICO said that its main issues with Google's changes related to the clarity of the policies in place.

“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products,” they said.

As a result, it must update the policies or face a potential fine from the watchdog. “Google must now amend their privacy policy to make it more informative for individual service users,” the ICO said.
“Failure to take the necessary action to improve the policy's compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”
While the ICO's stance is likely to be welcome by privacy campaigners and shows the regulator baring its teeth, the threat of a £500,000 fine is unlikely to have executives at the firm worried, although the reputational damage from such an outcome could be more of an issue.
Chris Watson, head of Communication, Media and Technology at law firm CMS underlined this point by saying the breadth of Google's offerings and reach into all markets made it hard for regulators to keep the company in check.
“Google's business model and multi-faceted strategy means that its power is spread across several pillars," he said.
"This will make it difficult for the ICO, and indeed the European Commission, to find an appropriate remedy that will act as a deterrent. Fining alone is not enough, there will have to be a mixture of fines and prohibitions."
The move is the second time in recent weeks that the ICO has taken action against Google. It has already told the organisation it must delete Street View WiFi data by the 25 of July.

MoD reveals cyber defence plans including alliances with industry giants to combat hacker threats

uk parliament
The UK government has reaffirmed its plans to ally with industry to combat cyber threats, announcing a new partnership to protect British supply chains from rising cyber attacks as it continues to make cyber defence a key part of its future strategy.
Minister for Defence Equipment, Support and Technology, Philip Dunne announced the partnerships, confirming nine of the country's largest contractors have already signed up.
"I am pleased to be able to announce that we have established a partnership with industry that will strengthen our defences throughout the supply chain. The defence cyber protection partnership brings together nine of our largest contractors to get those basics right," he said.
Confirmed partners include BAE Systems, British Telecom, EADS, Hewlett Packard, Lockheed Martin, Logica (CGI), Rolls Royce, Selex ES and Thales. Dunne said further contractors are expected to sign up soon.
Dunne said the partnership is designed to offer similar services to the government's Cyber Security Information Sharing Partnership (CISP), facilitating the sharing of cyber attack information between the public and private sector, letting companies and agencies get a more holistic view of the threats facing them.
"They have committed to: raising awareness of cyber security as an issue, both internally and amongst their sub-contracting supply chain; exchanging information on threats and vulnerabilities; and working with us to drive up the standards of cyber security throughout the supply chain," he said.
"That also means being frank about how mature and effective our arrangements are, and learning from each other's experiences. It is a vital part of our strategy to secure the Defence supply chain."
The UK MP said the move will help increase cyber education within the country. "This is not just about structures and resources. It is fundamentally about changing behaviour. Many of the threats to our cyber security can be mitigated by changes in behaviour, getting the basics right through instilling a culture of ‘cyber hygiene'," he said.

Education has been a key concern for both the public and private sector, with numerous bodies warning the UK is on the brink of a crippling cyber skills shortage. Earlier this year the National Audit Office (NAO) estimated the skills gap will last 20 years costing nation £27bn a year. More recently Sophos director of technology, James Lyne listed a lack of education as a key reason small business websites have overtaken porn and gambling sites as cyber criminals' malware distribution tools of choice.
Despite the education push, Dunne indicated the majority of the newly announced government cyber funding will go towards military and technical projects. "As part of this commitment we are extending our National Cyber Security Programme by a further year, investing an additional £210 million on top of the £650 million provided in the Strategic Defence and Security Review in 2010," he said.
"Staying ahead of the curve on cyber technology is essential to preserving the operational advantage of our armed forces, so the MOD continues to invest in cyber research and development.
"On top of the money allocated to the MOD from this fund in 2010, we have also allocated a further £70m over the next four years from within our own budget for improving our cyber defence capabilities."
The strategy is a marked move away from the UK Cyber Strategy's positive focus on education. Prior to it the strategy has seen the creation of several higher education cyber security research centres. Most recently the UK government pledged to pledged to invest £7.5m to create two new higher education centres at Oxford University and Royal Holloway University London.

EU approves stricter laws for punishing cyber crooks and botnet creators


european-parliament
The European Parliament has voted in a new directive designed to increase the maximum sentences hackers can receive.
The legislation focuses on attacks designed to harm areas of critical national infrastructure or hijack company computer systems. Under the draft reform attacks on areas of critical infrastructure can now carry a maximum sentence of five years, while attempts to illegally access information systems can accrue a two year sentence in all European Union member states.
The directive also address Europe's growing Botnet problem. "When a significant number of information systems have been affected through the use of a tool (eg botnets) there is a maximum penalty of at least three years," reads the Commission's report on the legislation.
Botnets have been a massive issue across the world for many years now. The operations enslave computers using various malwares, letting hackers steal control of them and use them for a variety of nefarious schemes, including denial of service attacks and phishing scams.
Numerous technology firms, including Microsoft, have mounted joint operations with law enforcement to take down the zombie networks command and control servers. Most recently Microsoft teamed up with the FBI to take down the Citadel botnet. At its peak the botnet is believed to have controlled millions of infected PCs and stolen more than $500m in bank fraud.
Interestingly the move will allow nation states to take action against businesses selling botnet and hacking tools as well as those using them. It will also grant law enforcement the power to punish firm's paying or hackers to use the tools to steal information for them.
The Parliament in Strasbourg approved the legislation with a final vote count of 541 to 91 with nine abstentions on the proposal by the European Commission. Only Denmark has chosen to opt out of the rules preferring to keep its current cyber legislation. Other participating governments will now have two years to translate the decision into national law.
The news has been welcomed by European Commission, with Commissioner for Home Affairs, Cecilia Malmström said the move is a key step in the European Commission and Parliament's ongoing efforts to bolster the region's cyber defences.
"This is an important step to boost Europe's defences against cyber-attacks [...] The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions. Member States will also have to quickly respond to urgent requests for help in the case of cyber-attacks, hence improving European justice and police cooperation," she said.
However, in the private sector many security companies have been less positive. Alienvault research team engineer, Conrad Constantine said the legislation will cause more harm than good as the people creating it do not understand cyber threats.

"Cybercrime is an oxymoron - we already have a word for it - 'Crime' - the reason 'cyber crimes' are criminal acts, is because they were criminal acts before computers were involved. Every time law tries to encode some particular use of technology into law, the result is inevitably fair poorly for civilians," he said.
"This is not to say that there are not edge cases that require some extension - determining how to prosecute a botnet operator may be difficult under current law, but not impossible, since whatever (existing) crimes the botnet is being used for, the botnet operator is complicit in. Having said that, more laws do not capture more criminals, they only turn more people into criminals."

PRISM spy storm could see UK and US cloud computing customers flee overseas

Dark storm clouds and lightning broken by the sun shining down onto a calm sea
Almost a month ago, allegations of widespread NSA surveillance sent shockwaves around the world. Cautious web users started thinking a little more carefully about what they do online, with social networks such as Facebook coming under fire for allegedly providing ‘backdoor' access for security services. Even the EU had to begin considering holding meetings in the Brussels sunshine as "disturbing" claims emerged accusing the NSA of bugging EU offices and hacking EU computers.
One of the other lasting consequences could be a dwindling trust in secure cloud providers. Neelie Kroes' EU speech warning of multi-billion euro consequences for cloud providers highlighted a very interesting point. In the wake of this scandal, there is an enormous opportunity for IT vendors to sell beefed-up secure servers to clients who hold sensitive information.
Kroes' extensive work on the EU's Digital Agenda puts her right up there as one of the most respected technology speakers in Europe, and her words on the cost of the scandal carry a lot of weight. "If businesses or governments think they might be spied on, they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out," she said. "In this case it is often American providers that will miss out, because they are often the leaders in cloud services."
Indeed, European corporations have always eyed US-based cloud companies with a little suspicion; taking all of your data and outsourcing it to a huge cloud corporation does rather take away control, something many CIOs do not enjoy.
But it's not just providers across the pond who are going to suffer. In a discussions in the House of Commons last week, former shadow home secretary David Davis alluded to the fact that countries with more stringent privacy laws, such as Germany, would see a benefit when it comes to data hosting, while countries the UK, where data spying concerns now exist, would see interest disappear. He also made very clear that he thinks current UK law was "completely useless" for UK citizens.
Countries outside of the EU also reportedly benefit from this. Switzerland, for example is well-known for its offshore-style private banking system, and this attitude is reflected in the IT sector. Outside of the EU, pan-European agreements for data sharing do not apply, with data only accessible after liability or guilt is proven.
Simply, in the same way anonymous search engines such as DuckDuckGo are rapidly gaining popularity, cloud solutions based in countries with better privacy laws seem to be gathering momentum.
One such company benefitting from a heightened level of paranoia is Artmotion, which touts itself as Switzerland's biggest offshore cloud provider. The company saw a 45 percent rise in demand for secure cloud services in the wake of the PRISM scandal, and while correlation does not mean causation, it certainly made for interesting reading.
With companies ranging from tobacco to tech, from oil to security firms, security and data privacy sit right at the top of their priorities list. Mateo Meier, the company's chief executive isn't surprised by the rise in demand for secure cloud systems outside of the EU.
"We have many clients saying they don't know what the government is doing, and those companies usually pay very little attention to the details of privacy," he explained. A staggering 80 percent of companies who host with Artmotion turned to them after a security breach, so turning to secure solutions seems to be much more like damage control than an initial priority.
In particular, Meier is noticing a large influx of UK-based companies requesting his services; he estimates in recent weeks that roughly 25 percent of calls have come from UK numbers.
"We fight for protection and honest business, and I think that's going to continue for the next few years," explains Meier. "Privacy is important but it will be more so in five or ten years. Money is replaceable but data is not."
The only problem with this is that just because laws exist doesn't mean they won't be broken. If proven true, the spying and wiretapping allegations from the last month are very close to the edge of the law, if not rather over it. The fact that strict privacy laws exist in Germany and Switzerland does not mean that government teams won't give it a go; it's just that the diplomatic consequences would be rather stronger with these laws in place.
If the revelations of unabated data access continue, it's entirely feasible that cloud vendors in countries without strict data laws could see their customer base dented. It just depends on how many more nasty surprises there are to come

South Korean MoD bans smartphone use following DarkSeoul attacks

south-korea-from-an-arial-veiw-south-korea-south-korea-1152-12960989902-tpfil02aw-1927
The South Korean Defense Ministry has banned agents and workers from using the camera and internet functions on their smartphones, following a wave of cyber attacks targeting the nation.
The local Yonhap News Agency reported the reworked device policy will take effect from 15 July. The policy will force workers to install a custom application designed to forcibly deactivate all major functions like, the devices internet connectivity and camera while in ministry buildings. At the time of publishing the Defense Ministry had not responded to V3's request for comment on the report.
Yonhap reported the ministry created the policy fearing hackers would use rooted phones to steal sensitive information, following widespread cyber attacks on the country's networks. The South Korean cyber pandemic began earlier this year, when hackers operating under the DarkSeoul alias claimed responsibility for a wave of attacks on several of the nation's banks and broadcasters.
The attackers returned later this year on the anniversary of the Korean War. The attacks have seen hackers target numerous South Korean government agencies with denial of service attacks. The DarkSeoul hackers are also believed to be responsible for a data breach allegedly revealing the names and personal details of 40,000 active US servicemen.
The move follows widespread reports hackers are increasingly using mobile devices as an access point into companies' and government networks. The attacks are generally believed to target the Android ecosystem, using Trojanised applications and nefarious phishing messages.
However, security firm Bluebox recently reported this trend could soon end, claiming it has discovered an "Android Master Key" that could be used by hackers to infect 99 percent of all Google smartphones and tablets.

PRISM: France accused of running its own surveillance network

Hacker's hands on keyboard
The government of France is reportedly operating its own PRISM-like data retention facility.
A report from the French publication La Monde claims that intelligence officials with the country's DGSE agency maintain a massive database at the agency's Paris headquarters. Officials have yet to provide any formal acknowledgment or denial of the report.
Much like the US PRISM database, the French system is said to include logs of user activity from popular internet services including those run by Microsoft, Apple, Yahoo, Facebook and Twitter. The archive is also said to hold metadata on content, allowing intelligence agencies to spot larger trends in activity.
If true, the revelation will add to the public outcry and backlash against government intelligence agencies in the wake of the US PRISM discovery. Leaked by whistleblower-turned-fugitive Edward Snowden, the PRISM system was said to have been compiled by the US National Security Agency (NSA) without the knowledge of internet service providers who contributed much of its contents.
In addition to the NSA, the UK GCHQ is said to have accessed the PRISM database for help in numerous investigations.
While government officials have defended the programme and denied listening in on specific conversations without first obtaining a warrant from a judge, many groups have demanded Congress launch a full investigation to learn the true scope of the surveillance.
The incident has also inspired companies such as Google to demand greater transparency and more freedom to communicate with users on how the company works with government agencies and handles requests for user data.

Microsoft readies six critical security updates for Patch Tuesday


New Microsoft logo
Microsoft is advising users and administrators to prepare for a July Patch Tuesday release which will include a half-dozen critical security fixes.
The company said that the monthly release would include six patches rated as 'critical,' the most severe of its security levels often designated for high-priority deployments. The critical fixes will affect all supported versions of Windows ranging form XP to Windows 8 and Windows RT as well as supported versions of Windows Server.
All six of the critical flaws will address remote code execution vulnerabilities while a seventh patch, rated as 'important' will fix an elevation of privilege flaw in the Microsoft Security Software package.
Often targeted by attackers to perform drive-by malware download attacks, remote code execution flaws allow an attacker to crash an application and launch malware payloads often without any sort of notification or interaction form the user. Such flaws are widely regarded and the most dangerous for end users and are often singled out as top priorities for deployments.
Among the six critical fixes Microsoft is planning for the July release are updates to remote code execution flaws in the .Net Framework and Silverlight. Other platforms which will receive critical fixes include Office, Internet Explorer, Lync Visual Studio and the Windows platform itself.
While Microsoft did not state specific details on the vulnerabilities themselves, the company noted that the critical Internet Explorer flaw was considered a lower risk for Windows Server systems, while at least one of the critical Windows vulnerabilities was not applicable to ARM-based Windows RT tablet systems.
The company is planning to release the update on 9 July with updates usually arriving in the late afternoon to early evening UK time.

Where did the Cojones go? Edward Snowden needs refuge

First things first - why do people get chased all over the world for simply leaking information that is already known by the most of the people? PRISM is not something that should have shocked the world - why did it shock you? have you never heard about FinSpy or BlueCoat? Did you seriously believe in the fact that you are Anonymous after spending the most of your lifetime on the internet?

Then tell me why all countries have lost their Cojones

Russia declined, China declined, The Netherlands declined and the list goes on. Why is it so hard to provide Snowden a place to stay? He may have stolen information but that was because he was made capable to obtain that information. It is not only Snowden that did not follow protocol. No personal USB sticks means that the devices and data need to be hardened.

Do we want to see the pain that Manning experienced to happen again?

Whistleblowers are seen like terrorists by many states - Bradley Manning has been tortured because he released classified information about the fact that the government was shooting down innocent people. Edward Snowden released information about the fact that the government is actually spying on you. What will happen to him? Are we waiting to see him get tortured?

China and Russia do not see him as a value

China and Russia denied to hand him over - that means that Snowden has no information that other countries are interested in. Face it - he has successfully leaked information and as each government or company - they need to face the fact that they got owned and they need to make sure that it does not happen again.

If Snowden did it - how are the paid spies doing it?

BAM - if Snowden can get his hands on classified information - then it should be easy for each spy to gain classified information. How are they being dealt with?

'Rude Russians' spying on the Netherlands

Espionage is being carried out by multiple countries but the Russians are the boldest. These are the words of the deputy head of the the Dutch secret service Marc Kuipers.

Espionage is relatively simple 

According to Kuipers Netherlands is an attractive and easy target. Governments and companies do not realize that they have valuable information in their hands and that people are interested in obtaining that information.

Not the government that is being targeted

The deputy head stressed that many countries does not involve state secrets. It is vital information from a company, municipality or joint venture. Therefore, many municipalities are also affected.

Danger the relationship

He argues that the Russian secret services are willing to upset relations between the Netherlands and Russia in the game to set up because the yield is many times greater than the risks.
Read the post by the AIVD here.

Anna Chapman ​Russian (ex?) Spy

Russian spy anna chapman

Snowden revelations imperil cyber hacking talks with China

Revelations of U.S. spying on Chinese universities and businesses risk undermining cybersecurity talks with China scheduled for next week.
The Obama administration had hoped to press China on the issue during the fifth round of the U.S.-China Strategic & Economic Dialogue. Instead, it finds itself on the defensive amid former contractor Edward Snowden's allegations that the National Security Agency has been spying not only on the Chinese government but on universities, students and businesses as well.
“The U.S. in the cyber arena is trying to draw a bright red line,” said Kenneth Lieberthal, a former senior director for Asia at the White House who's now with the Brookings China Center. “I think the Snowden revelations clearly give China an increased opportunity to muddy the waters.”
President Obama put newly elected Chinese leader Xi Jinping on notice when he hosted him at Sunnylands in California last month that the United States wants an end to Chinese hacking. Next week's summit was expected to be an opportunity for officials from the State and Treasury departments to make concrete progress on that front.
“Effectively the U.S. position is, everyone conducts espionage. We don't object to Chinese espionage, they shouldn't object to ours,” Lieberthal said in a call with reporters previewing next week's meeting. “But the U.S. does not do commercial espionage to benefit our own firms' competitive position; the Chinese side does, and we insist that they stop.
“Part of Snowden's revelations that are most damaging in our discussion of cybersecurity with China is his making it clear that we have gone well beyond penetrating China's government and military networks; we've gotten into their universities, their research centers and presumably into major enterprises, too. I think the distinction that we want to draw is still a valid distinction, which is that none of that is done to increase the competitiveness of American firms … while the Chinese are using their commercial knowledge for direct competitive advantage.”
The administration has sought to minimize the damage since Snowden first made his revelations to Hong Kong media last month by distinguishing between U.S. and Chinese practices. The Chinese view, Chairman of the Joint Chiefs of Staff Martin Dempsey told a Brookings conference last week, “is there are no rules of the road in cyber, there are no laws they are breaking, there’s no standards of behavior.”
Secretary of State John Kerry told CNN that NSA operations in China had “nothing to do with hacking.”
“Nothing to do with illegality. Nothing to do with stealing. Everything to do with national security,” he said. “In fact, their national security is at risk and at stake in the very same way.”
And the top Democrat on the House intelligence panel said U.S. spying was done to monitor that country's cyber hackers.
“We're not stealing information, business records, patents and everything else,” Rep. Dutch Ruppersberger (D-Md.) told The Hill. “Every country has security, every country has intelligence.
But when you start stealing private information, that's a different story.”
Some experts, however, suggest it's too late to draw that distinction.
Fiona Hill, director of the Center on the United States and Europe at Brookings, in a recent interview with The Hill called the Snowden revelations a “wonderful opportunity that has fallen into their laps to turn back against the U.S. all the accusations the U.S. has been making against China and Russia about massive surveillance and cyber espionage and hacking and violations of this, violations of that.”

UK ICO Mandate Google to change privacy policy

United Kingdom  Information Commissioner’s Office (ICO) ordered Google to change privacy policy  it introduced in March 2012 to make it more informative for users.
We have today written to Google to confirm our findings relating to the update of the company’s privacy policy. In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.(ICO spokesperson).
In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.
“Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policies compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.
If Google does not change its policy to comply with the U.K. Data Protection Act by Sept. 20, it could face formal enforcement action, ICO can issue monetary penalties of up to £500,000 (US$752,000) for serious breaches of the Data Protection Act.

Cyber war between Afgan Taliban and intelligence agencies

Ramadan in 2013 will start on Tuesday, the 9th of July and will continue for 30 days until Wednesday, the 7th of August.
The Afghan Taliban promised on Friday to continue attacks over Ramadan, rejecting as a fake an insurgent email promising a halt in violence over the coming Muslim holy month and saying it was the work of government intelligence.
Taliban spokesman Zabihullah Mujahid said the message sent in his name promising a temporary cessation of violence with next week's start of Ramadan was the latest incident in a simmering cyber war between intelligence agencies and the insurgents.
"In that mail the enemy losers have tried to influence attacks by mujahideen fighters," Mujahid said. "We strongly reject sending any such email on a stoppage of operations."
Afghan spy agency the National Directorate of Security has increasingly targeted the Taliban's sophisticated messaging network, which includes websites and email accounts, social media and spokesmen using noms de guerre.
The Taliban use Afghanistan's improving phone network to distribute anti-government messages and use Twitter to claim largely improbable successes as most foreign combat troops look to leave the country by 2014.
The Taliban, who ruled Afghanistan with an iron fist from 1996 to 2001, are seeking to overthrow the U.S.-backed government and end foreign occupation.
While Ramadan is usually a relatively quiet month for insurgent attacks marked mainly by the use of roadside bombs rather than direct assaults by armed fighters, Zabihullah said the month also carried extra religious significance for insurgents.
"During the holy month of Ramadan, jihad has major rewards. And mujahideen will continue to employ all their fighting techniques to mount attacks on the enemy," he said.
Taliban fighters in 2011 used car bombs to attack a British government cultural center in the Afghan capital over the Ramadan period, killing almost a dozen people.
This year the militants have stepped up attacks ahead of the Afghan summer months. Insurgents including a suicide bomber attacked a foreign logistics and supply company last week in Kabul, the latest in a string of daring assaults in the capital.
Kabul's police chief General Mohammad Ayoub Salangi said on Friday that security forces had arrested three people in a night raid and seized five suicide bomb vests.