Cyber Crimes Unit

A top EU data privacy advocate has criticised the European Union’s plans to combat cybercrime, saying they don’t provide enough protection for personal data.

In the same statement, the European Data Protection Supervisor (EDPS) Peter Hustinx suggested that too little attention has been paid to existing regulations and agencies, and that it would be useful to have tighter definitions of what exactly the European Commission means by “cybercrime” and related terms.

The statement comes as an official “opinion” document [PDF] responding to the EU’s Cybersecurity Strategy [PDF] plan.

The strategy was issued in February alongside proposals for a set of unified network and information security rules, referred to as the “NIS Directive [PDF]“.

The strategy document got a lukewarm reception at the time, with general approval that the EC was heading in the right direction but worries that the proposals were too vague and open-ended. The opinions from the EDPS seem to echo this, welcoming the existence of the strategy but pointing out some potential problems.

The main thing the EDPS finds “regrettable” (a term repeated many times in the opinion document) is that the strategy does not adequately emphasize privacy as a key part of any planned dealing with personal data.

While acknowledging that privacy issues are covered in some parts of the strategy, there is little mention of them in the sections covering cybercrime, where privacy is pivotal.

Most cybercrime involves theft or abuse of personal data in some way, and any effort to tackle it must inevitably involve the collection and sharing of private data, by police and other bodies.

Data shared may include information on victims, suspects and innocent bystanders, so ensuring that this gathering and sharing is done within well-defined and regulated boundaries is a prime concern.

These worries tie in with another point regretted by the EDPS – the lack of mention, or indeed apparent awareness, of existing parallel plans and bodies in the field of digital data protection.

These include a proposed General Data Protection Regulation from last year, and also cover existing national Data Protection Authorities, such as the UK’s Information Commissioner’s Office.

The EDPS believes these bodies should be playing a major role in ensuring plans to combat cybercrime do not infringe on privacy, but they are omitted from the strategy document. Many of the same criticisms are also leveled at the NIS Directive.

Another point of criticism is the rather broad definition of cybercrime given in a footnote to the strategy:

Cybercrime commonly refers to a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target.

Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g. attacks against information systems, denial of service and malware).

The EDPS points out that cybercrime and related terms “are used as a justification for certain special measures which could cause interference with fundamental rights, including the rights to privacy and data protection.”

It is clearly more than a little worrying that the EU might be granting police and other bodies special powers in cases where a “cybercrime” may have occurred, if a “cybercrime” is defined as any of an unlimited “broad range” of generally bad things with some sort of association with computers.

It would seem more sensible in this case to have a very restrictive definition of “cybercrime” as only crimes of a type which could only occur digitally, and to treat “normal” crimes – theft, fraud, porn or hatred offences etc – as mere variations on their “real-world” equivalent, which just happen to take place online.

The other option would be to stick with the vague definition, but not allow it to be used as the basis of any special legal powers.

If the investigation of any crime or other issue involves the gathering, processing or sharing of private information, then there should be comprehensive and strongly-enforced rules on what data can be dealt with, how, and by whom. This should apply regardless of whether it relates to a “cybercrime” or any other kind of incident.

Despite the raised profile of data protection issues lately, there does seem to be some way to go to ensuring that those in political circles pay enough attention to data privacy. It’s good to hear someone out there is pushing the right agenda.

Follow @VirusBtn
Follow @NakedSecurity

Image of EU fingerprint and handcuff on keyboard courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZCJVyVqw9qU/

Apple, like its giant internet company comrades, has already denied having the foggiest notion of what PRISM is.

When the “they’re spying on everybody and everything” PRISM story broke two weeks ago, Apple told The Wall Street Journal in a statement that:

“We have never heard of PRISM. We do not provide any government agency with direct access to our servers.”

On the morning of June 17, Apple went beyond that terse statement to make a rare public statement insisting that customer privacy data is a priority for the company.

Apple says that it first heard of the government’s PRISM program when news organizations asked the company about it on June 6.

Apple, Google, Microsoft and Facebook well may never heard of PRISM because that moniker, in fact, turned out to be the name of the computer system that runs the surveillance program.

Nobody can pronounce nor wants to type out its real name – Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act – so we’re all still calling it PRISM.

At any rate, Apple is now clarifying, as Google and Facebook have done, that it doesn’t provide direct access to its servers, nor to any government agency requesting customer content, unless the request comes with a court order:

Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it.

Google, Facebook, Microsoft, and Twitter have all beseeched the government to loosen the gag orders that prevent them from being transparent about the number of information requests they get and comply with, along with how many users and accounts are affected.

Apple’s with them in the desire for more transparency. In fact, it requested, and received, authorization to reveal that from December 1, 2012 to May 31, 2013, it received between 4,000 and 5,000 requests from US law enforcement for customer data.

Those data demands specified between 9,000 and 10,000 accounts or devices. The requests came from federal, state and local authorities and included both criminal investigations and national security matter.

In fact, the most common form of request Apple received in that time period came from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide, the company said.

In a somewhat indignant, “who do you think we are, Google or something?” tone, Apple went on to say that it doesn’t “collect or maintain a mountain of personal details about our customers in the first place.”

Apple says:

There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it.

That means conversations on iMessage and FaceTime, which are protected by end-to-end encryption so no one but the sender and receiver can see or read messages, Apple says.

Apple can’t decrypt that data, it says. And it doesn’t store data related to customers’ location, Map searches or Siri requests “in any identifiable form.”

What do you think?

Did the media overreact over PRISM? Or was it a welcome spotlight to shed light on a surveillance-happy age?

Follow @LisaVaas
Follow @NakedSecurity

Image of prism courtesy of Shutterstock and image of Apple logo courtesy of skyme / Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vfX26X65ljI/

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

General interest

• Dozing bank clerk turns €64 into €22 million – and teaches us all a security lesson!

• Google files patent to let you unlock your phone by grimacing at it

• PRISM, UK Surveillance, Sweden vs. Google, Blackberry Z10 – 60 Sec Security [VIDEO]

• Naked Security’s Graham Cluley and Carole Theriault say goodbye

Law and order

• Hacker who helped to expose Steubenville attack could face more prison time than rapists

• EU to vote on harsher penalties for hackers

Malware and exploits

• Was Microsoft’s takedown of Citadel effective?

• Guntior bootkit up to new tricks

Social networks

• Facebook gets #hashtags, which does #WTF to your #privacy?

OS and software

• Get ready! Oracle to fix 40 holes in Java on Tuesday, 18 June 2013

• Blackberry releases first security fixes for new Z10 smartphone

• Patch Tuesday June 2013 – Office, Windows and Flash

Privacy and online safety

• UK political bigwigs demand return of snoopers’ charter. Seriously? Today?

• “Nej till Google!” – Sweden tells a local council that Google’s cloud is a no-go area

• Internet giants call for transparency in government surveillance requests

• PRISM – not as bad as you thought? (And don’t call it PRISM!)

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Follow @NakedSecurity

Days of the week image from Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5Lvw86phRAQ/

The US government in October told the Food and Drug Administration (FDA) to finally start taking medical device security seriously, whether we’re talking about intentional hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

Eight months later, the FDA has complied.

On Thursday, the agency put out a call to medical device manufacturers and health care facilities to start addressing medical devices’ vulnerability to cyberattack, be it by malware or unauthorized access to configuration settings in either the devices themselves or in hospital networks.

Although the FDA hasn’t seen patient injuries or death, it has seen botched security, equipment manufacturers who more or less ignore the concept of updating or patching, and passwords passed around like so many after-dinner mints.

Here’s a list of the cybersecurity vulnerabilities and incidents to which the FDA says it’s been made aware:

• Malware infection or outright disabling of network-connected/configured medical devices;
• Malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices [for example, defibrillators];
• Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models;
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.

The FDA suggested various means of limiting unauthorized device access that manufacturers should consider, particularly if their products are life-sustaining or could be directly connected to hospital networks:

• User authentication such as user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
• Timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code.
• Design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
• Methods for retention and recovery after an incident where security has been compromised.
• Incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

The FDA also gave suggestions for securing hospital systems:

• Restrict unauthorized access to the network and networked medical devices.
• Keep anti-virus software and firewalls up-to-date.
• Monitor network activity for unauthorized use.
• Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
• Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
• Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Medical device hacking can be hard to take seriously in lieu of patient death and injury.

But it’s not just terrorism or other homicidal deeds – such as the Tylenol poisonings of the 1980s – we’ve got to worry about.

Also at play, for example, as the FDA made clear, is conventional malware that’s been described as “rampant” in hospital medical devices that use unpatched operating systems.

The MIT Technology Review in October reported on potential consequences of real-life medical device security as recounted at the National Institute of Standards and Technology Information Security Privacy Advisory Board, in Washington, DC.

One such incident involved malware that slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive care wards.

Experts point to issues in a wide variety of devices, including compounders, which prepare intravenous drugs and intravenous nutrition; picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging (MRI) devices; insulin pumps; defibrillators; blood gas analyzers; radiology equipment; and nuclear-medical delivery systems.

It’s way past the time when the FDA should have been taking these matters seriously.

Now, it’s up to device manufacturers and those responsible for securing hospital systems to take up the FDA’s call to secure these overlooked technologies.

Follow @LisaVaas
Follow @NakedSecurity

Image of emergency sign and medical equipment courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/i8pGsSbSPkk/

US law enforcers are demanding a kill switch on our smartphones that would theoretically brick them after they’re stolen.

New York’s top prosecutor, State Attorney General Eric Schneiderman, together with San Francisco District Attorney George Gascón, put out a statement on Thursday about the launch of an initiative devoted to drying up the secondary market on which stolen devices are sold.

The initiative, dubbed Secure Our Smartphones (SOS), is a coalition of law enforcers from across the country: state attorneys general, district attorneys, major city police chiefs, state and city comptrollers, as well as public safety activists and consumer advocates.

The announcement came on the same day that Gascón and Schneiderman co-hosted a “Smartphone Summit” with representatives from smartphone makers Apple, Samsung, Google and Microsoft.

Schneiderman said in the statement that about 113 smartphones are stolen or lost every minute in the US, with many of the thefts turning violent.

Here’s how the SOS coalition describes this “epidemic”:

In 2012, 1.6 million Americans were victimized for their smartphones. This is a growing epidemic
affecting all corners of our nation and accounting for a majority of the robberies in our cities.

Last year, 50 percent of the robberies in San Francisco involved a stolen mobile communications
device.

Washington D.C Police report smartphone theft accounting for 38 percent of their
robberies, with Philadelphia Police reporting this type of theft accounting for 33 percent of all
robberies.

In New York City, 20 percent of all robberies involved the theft of a smartphone; a 40
percent increase in the past year.

These crimes have led to severe injuries and the loss of life. The trend indicates that the problem will only get worse if manufacturers and carriers do not take immediate action.

The coalition aims to curb the problem of mobile phone theft by focusing on five things:

• Analyzing patterns, causes and trends behind device theft;
• Investigating the capability of manufacturers to develop technology that would deter theft, including a kill switch that would brick stolen devices permanently, eliminating the economic incentives for would-be thieves;
• Understanding how the economics of device theft have affected decision-making by the smartphone industry;
• Working with device manufacturers to make a kill switch, or equally effective deterrent technology, a standard feature of their products; and
• Investigating impropriety on the part of manufacturers, raising public and shareholder awareness about industry practices in this area, and using all available tools to press for safety-oriented innovation and responsible corporate citizenship.

The concept of a kill switch plays nicely with Apple’s just-announced mobile operating system, iOS 7, which features exactly that: an activation lock.

Apple previously did have a Find My iPhone feature, but the new activation lock takes it a step further by not only tracking the lost phone but also enabling users to remotely nuke it.

(And, of course, Sophos has a free Mobile Security app for Android that lets you remote-lock or remote-wipe your phone.)

Samsung has reportedly promised a similar feature, while Google and Microsoft apparently talked about the concept at the Smartphone Summit.

Would this type of kill switch actually work?

The Register’s Bill Ray, for one, thinks that it might have less impact than you’d imagine.

Ray notes that, at least as far as the UK goes, while most muggers do steal mobile phones, it’s not so much the phone they’re after as a delay in the time when muggees can call the police – a delay that gives crooks more time to turn stolen credit cards into cash.

Not that stolen phones can’t be sold, if a thief manages to change a handset’s International Mobile Station Equipment Identity (IMEI) number – a unique 15 digit code assigned at production to GSM and other phones.

That’s illegal in the UK, Ray points out, but it’s still possible to do on most handsets. A quick online search will reveal how easy it is.

Most mobile networks subscribe to a system – the Central Equipment Identity Register (CEIR) – that blocks stolen IMEI numbers from their networks. But given a changed IMEI on a handset, all bets are off that its original owner can track it down.

That means that once a thief has changed a handset’s IMEI, the phone can be used anywhere.

A kill switch, in short, might be a good addition to the tools already in existence to protect our smartphones.

If we do see manufacturers install kill switches on all smartphones, I’d still suggest that it’s a ton of fun to install an app that lets you snap photos of people trying to unlock your phone.

Wait until you’ve snapped a photo of a suspect – like this one! – I say, before you brick the thing.

Follow @LisaVaas
Follow @NakedSecurity

Image of red button and mobile phone thief courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fN2ME43yJOU/