Category: Cyber security

CIA´s circumvention methods on Wikileaks

10. March 2017

Tuesday, 7th March on Wikileaks there was a release of around 9,000 pages of documents on the U.S. Central Intelligence Agency hacking methods, called “Year Zero”, which revealed CIA´s hardware and software world´s top technology products circumvention methods (including smartphone operating systems exploitation). These methods are believed to allow agents to circumvent encryption apps.

According to a Reuters report U.S. government contractors are suspected by the law enforcement and U.S. intelligence to have likely handed over the information to Wikileaks.

However, after it has already occurred in government contractor employees´ cases (Harold Thomas Martin´s and Edward Snowden´s), sensitive government information leak nowadays remains no wonder anymore.

Google Director, Apple, Microsoft and Samsung believe that they are continuously and accurately looking into any identified vulnerabilities in order to implement necessary protections.

Even though the authenticity of the leaks still awaits the confirmation, the CIA has expressed its concern about the topic.

Open Whisper Systems confirm that there was no Signal protocol encryption break, even though the New York Times originally reported that the CIA could break the encryption of WhatsApp, Signal and Telegram apps.

Category: Cyber security · Encryption · USA
Tags: ,

CISPE published Code of Conduct

5. October 2016

The Cloud Infrastructure Services Providers in Europe, CISPE, published a Data Protection Code of Conduct for Cloud Infrastructure Service Providers.

CISPE is a relatively new accosiation including more than 20 cloud infrastructure providers that operate within Europe.

The CISPE Code of Conduct focuses on transparency and compliance with EU data protection laws. Therefore, the CISPE Code of Conduct has been designed in such a way that it will be compliant with the GDPR coming into force in May 2018. The CISPE Code of Conduct has been built on internationally recognised state-of-the-art of security measures increasing the data security for cloud customers.

In the press release, Axelle Lemaire, French Minister for Digital Affairs and Innovation, commented that “The CISPE Code of Conduct show that the European cloud computing industry is capable to provide secure and compliant services for all personal and technical data in Europe and improve trust in digital services.”

Apple offers hackers up to $200,000

29. September 2016

Forbes just released an article saying that Apple invited some of the best hackers to its headquarter in Cupertino.

Among them:

  • the 19-year-old teenage prodigy who was the first to jailbreak an iPhone 7, and therefore now being a world-renowned iOS hacker as well as an
  • ex-NSA employee who has repeatedly found security lacks concerning Mac OS X  Luca Todesco.

The meeting should have been secret and kept confidential, but unfortunately some details leaked. So for example that Apple plans to brief them on the launch of its bug bounty program. The hackers will be rewarded with up to $200,000 in case they can provide Apple with information on vulnerabilities about its laptops and phones. Furthermore, the mentioned program is expected to be put into effect before the end of the month due to the fact that this has been promised at the Black Hat security conference in Las Vegas last months. Nevertheless, Apple pursues an invite-only list-strategy in order to get quality over quantity.

NIS Directive has been adopted by the EU Commission

12. July 2016

On the 6th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and Commissioner Günther H. Oettinger announced the approval of the NIS Directive, this is the Directive on Security of Network and Information Systems.

NIS Directive is one of the main legislative proposals in the context of the Cybersecurity Strategy developed by the EU and focuses on the following aspects:

  • The development of a national system to face cybersecurity attacks such as a Computer Security Incident Response (CSIRT) and a competent authority in cybersecurity issues.
  • A strategic cooperation mechanism between Member States and a development of a CSIRT Network in order to share information about risks.
  • To promote a culture of IT-security in all industry sectors, especially those identified as being “operators of essential services”. This also means to adopt adequate incident response plans. The Directive will apply also to digital service providers such as cloud computing, search engines and e-commerce businesses.

The Directive will enter into force in August 2016 and EU Member States will have 21 months to implement it into their national laws.

Agreement on cybersecurity signed between the EU Commission and the industry

7. July 2016

On Wednesday, the EU Commission announced the launch of a public-private partnership with the cybersecurity industry as part of its Digital Single Market strategy. This partnership aims at providing the industry with better equipment and infrastructure to reduce cybersecurity threats.

Recent surveys have revealed that around 80% of European companies have suffered at least one cybersecurity incident during 2015. Worldwide, the number of cybersecurity incidents increased up to 38%. Andrus Ansip, Vice-President for the Digital Single Market, stated that “without trust and security, there can be no Digital Single Market”. Therefore several measures haven been proposed in order to tackle the increasingly sophisticated threats.

The initiative focuses on the following aspects:

  • Reinforcement of cooperation across borders and between all sectors of the cybersecurity branch
  • Support the development of innovative and secure products and services
  • Creation of a possible certification framework for information and communications technology security products
  • Ease access to the cybersecurity market for smaller business
  • Assessment of the capabilities and mandate of European Union Agency for Network and Information Security (ENISA) to achieve its mission to support EU Member States in reinforcing cyber-resilience
  • Evaluation of methods to strengthen cybersecurity cooperation, trainings and education

Both, the EU and the cybersecurity industry actors, represented by the European Cybersecurity Organization (ECSO), will invest around €1.8 billion in this initiative. Members from national, regional and local public administration, as well as research centres and academies will also participate.

The main industry sectors to which this partnership is focused are finance, health, energy and transport.

The EU Digital Single Market strategy also includes the 2013 EU Cybersecurity strategy and the Network and Information Security Directive (NIS Directive), which is expected to be approved within the next weeks.

Verizon publishes Data Breach Investigations Report 2016: Phishing attacks trend upwards

20. June 2016

Verizon, a company that provides communication and technology services, has recently published the 2016 Data Breach Investigations Report (DBIR). The report reveals the trends regarding the sources and reasons for incidents and data breaches. It also provides recommendations on how to prevent or minimize the risk to be victim of a data breach.

The study has been developed by using data from 100.000 occurred data breaches provided by different industries. The study showed that the most affected industries are such as accommodation, finance, retail or the public sector. According to the report, the most common cause for attacks is directly or indirectly financial. Additionally, when it comes to a data disclosure, the attacker is usually an external person, not directly from inside.

The report describes nine main types of vulnerabilities that involve a risk for companies and persons. Phishing attacks have increased considerable in the last year and constitute together with stolen credentials the main cause of data breaches. Phishing attacks aim at tricking the victim by sending an e-mail so that he/she clicks on a link that contains malware in order to obtain certain personal or confidential information.

The report remarks that 30% of the phishing messages were opened and even 12% of people tested clicked on the phishing attachment. Moreover, only 3% reported management about the phishing e-mail. Phishing messages mostly aim at stealing credentials such as ID and password authentication. 63% of the confirmed data breaches involved stolen passwords.

In order to minimize the risk of being victim of a phishing attack, the report gives the following recommendations:

  • Filter your e-mail and test its implementation
  • Rise employee awareness and offer means to report such events
  • Protect your network by segmenting it and implement strong authentication mechanisms between the user and the networks
  • Monitor external connections

McAffee also provides useful recommendations regarding the identification and prevention of phishing attacks and the use of effective passwords.

EU Directive on Cyber Security to be expected in August 2016

19. May 2016

The EU Council adopted this week the Network and Information Security Directive (NIS Directive) at first reading. The NIS Directive is part of the EU cyber security strategy, which main objective is to prevent and respond to disruptions and cyber-attacks in telecommunications systems located in the EU.

The Directive aims at achieving a minimum level of IT security and implementing an effective risk management culture for digital technologies. Furthermore, it also aims at dealing with IT security breaches by imposing the obligation to report significant incidents without delay, especially for business or organizations whose main activity is subject to a higher risk, such as cloud providers or social networks.

The five main goals of the NIS Directive are:

  • To achieve cyber resilience
  • To reduce cybercrime significantly
  • To develop a cyber defense policy at EU level by creating authorities at national level
  • To promote the development of technological resources
  • To implement a solid international cyberspace policy

After the EU Council has adopted the NIS Directive at first reading, the draft must be approved by the EU Parliament at second reading. If the EU Parliament approves the Directive, it might enter into force in August 2016.

Pages: Prev 1 2 3 4 5
1 3 4 5