QuickLinks - Security and encryption

recent items

Issue no. 411 - 3 October 2010

• EU - Commission to boost Europe's defences against cyber-attacks (RADPI)
  The European Commission has unveiled two new measures to ensure that Europe can defend itself from attacks against its key information (IT) systems. A proposal for a Directive to deal with new cyber crimes, such as large-scale cyber attacks, is complemented by a proposal for a Regulation to strengthen and modernise the European Network and Information Security Agency (ENISA). see Proposal for a Directive on attacks against information systems, repealing Framework Decision 2005/222/JHA.

• The Stuxnet outbreak: A worm in the centrifuge (Economist)
  An unusually sophisticated cyber-weapon is mysterious but important.

Issue no. 410 - 6 August 2010

• Saudi Arabia announces BlackBerry ban (CNET)
  Saudi Arabia has ordered the country's cell phone service providers to halt all BlackBerry services, the latest Mideast nation to announce moves to exercise greater control over data sent by the Research In Motion phones. The country's Communications and Information Technology Commission (CITC) asked Saudi Telecom, Mobily, and Zain Saudi Arabia to suspend service to BlackBerry phones. The suspension was being implemented because BlackBerry The suspension was being implemented because BlackBerry service "in its present state does not meet regulatory requirements". "CITC has informed the three mobile telecommunications providers more than a year ago of the need to quickly fulfill with the manufacturer of BlackBerry handsets the required regulatory requirements". The prohibition is expected to impact about 700,000 BlackBerry users in Saudi Arabia. The announcement comes just days after Saudi Arabia's neighbor, the United Arab Emirates, announced it would block e-mail, instant messaging, and Web browsing on BlackBerry devices starting October 11 if it fails to reach an agreement with RIM to bring BlackBerry services in the region in line with UAE telecommunications regulations. The UAE has complained that the security used to encrypt the BlackBerry data violates its regulations and prevents it from monitoring such data in the name of national security.

Issue no. 408 - 25 April 2010

• At Internet Conference, Signs of Agreement Appear Between U.S. and Russia (New York Times)
  For the 140 computer network specialists, law enforcement agents and diplomats from eight countries who met in this German ski resort for a Russian-sponsored conference on Internet security, the biggest challenge was finding a common ground to discuss their differences. The barrier was not the variety of native languages but deep differences in how governments view cyberspace. Americans speak about computer security and cyberwarfare; the Russians have a different emphasis, describing cyberspace in a broader framework they refer to as information security. What has changed, however, is the Obama administration’s decision this year to begin actively discussing these differences with the Russians. The two nations, according to Russian officials, have agreed to renew bilateral discussions that began last November in Washington. But see also Cyber-crime Ne'er the twain (Economist).

Issue no. 407 - 28 March 2010

• EU - Trust in the information Society (INTECO)
  The participants of the Conference "Trust in the information Society" announce the Conclusions of Leon, a document that addresses the European Commission and Member States with the aim to draw the attention to the conclusions for the consideration of them in the development of the future European Digital Agenda. Trust in the Information Society” was divided into five sessions: Digital Life and Trust; Trustworthy networking and computing services; Management of Digital Identities in the Common European Framework; Development of the Legal Framework of the EU with regard to the Protection of Data and Privacy; International Cooperation and e-Trust.

• UK - Trust in the digital age: survey analysis (Guardian)
  Britons online are a discriminating bunch who trust specialist advice sites and their friends' social content more than the views of celebrity bloggers or tweeters, according to a survey conducted by ICM on behalf of the Guardian and first direct. The survey, of a random sample of 752 adults, asked Britons from a nationally representative online panel for their opinions on trust in the digital age. The over-riding conclusion is that we're a cautiously trusting bunch - 56% of respondents thought that "most people can be trusted", whether online or in the real world.

Issue no. 405 - 24 January 2010

• Secret mobile phone codes cracked (BBC)
  A German computer scientist has published details of the secret code used to protect the conversations of more than 4bn mobile phone users. Karsten Nohl, working with other experts, has spent the past five months cracking the algorithm used to encrypt calls using GSM technology. The work could allow anyone - including criminals - to eavesdrop on private phone conversations.

Issue no. 404 - 21 December 2009

• 'Iranian cyber army' hits Twitter (BBC)
  A group claiming to be the Iranian Cyber Army managed to redirect Twitter users to its own site displaying a political message. Twitter said the attack had been carried out by getting at the servers that tell web browsers where to find particular sites. The site said it would start an investigation into what allowed the "unplanned downtime" to take place. see also Twitter hack by 'Iranian Cyber Army' is really just misdirection (Guardian).

Issue no. 401 - 26 July 2009

• AE - BlackBerry maker: UAE partner's update was spyware (Associated Press)
  BlackBerry users in the Mideast business centers of Dubai and Abu Dhabi who were directed by their service provider to upgrade their phones were actually installing spy software that could allow outsiders to peer inside, according to the device's maker. The Abu Dhabi-based mobile service provider Etisalat, which is majority owned by the United Arab Emirates government, earlier sent text messages to BlackBerry customers in the country instructing them to follow a link to update their phones. Etisalat says it has more than 145,000 BlackBerry users in the UAE.

• Have chip, will travel (Economist)
  Why chips in passports and ID cards are a stupid idea.

• US - Twitter hacked by old technique - again (Associated Press)
  For the third time this year, Twitter was the victim of a security breach stemming from a simple end-run around its defenses. In the latest case, a hacker got the password for an employee's personal e-mail account - possibly by guessing, or by correctly answering a security question - and worked from there to steal confidential company documents. see also Twitter/Google Apps hack raises questions about cloud security and Another Security Tip For Twitter: Don't Use "Password" As Your Server Password and The Anatomy Of The Twitter Attack (TechCrunch).

Issue no. 400 - 5 July 2009

• UK - Government sets up two new cyber security bodies (OUT-LAW News)
  The Government will create two new public bodies to help protect Government and citizens from digital security threats. It will set up one strategy body -the Office of Cyber Security (OCS) - and one operations centre to increase the UK's cyber security - the Cyber Security Operations Centre (CSOC). They will be functional by March 2010.

Issue no. 399 - 7 June 2009

• EU - Reding calls for 'Mister Cyber Security' (RAPID)
  In a video posted on her website, Viviane Reding, the European Union's Commissioner for Information Society and Media, called on Member States to act to ensure that Europe's electronic communication networks are well protected. "So far, the EU's 27 Member States have been quite negligent. Europe needs a 'Mister Cyber Security', a security tsar with authority to act immediately if a cyber attack is underway, a Cyber Cop in charge of the coordination of our forces and of developing tactical plans to improve our level of resilience." See text of message. See also website of the EU Ministerial Conference on Critical Information Infrastructure Protection, Tallinn, 27-28 April 2009.

• Pornographic videos flood YouTube (BBC News)
  Video-sharing website YouTube has removed hundreds of pornographic videos which were uploaded in what is believed to be a planned attack. Many started with footage of children's videos before groups of adults performing graphic sex acts appeared on screen. YouTube owner Google said it was aware and addressing the problem.

Issue no. 398 - 13 April 2009

• EU - Commission acts to protect Europe from cyber-attacks and disruptions (RAPID)
  The Commission has released a new Communication on Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience COM (2009)149. The Commission called for action to protect critical information infrastructures by making the EU more prepared for and resistant to cyber attacks and disruptions. At the moment Member States' approaches and capacities differ widely. A low level of preparedness in one country can make others more vulnerable, while a lack of coordination reduces the effectiveness of countermeasures.

Issue no. 397 - 8 March 2009

• Microsoft bounty for worm creator (BBC)
  A reward of $250,000 has been offered by Microsoft to find who is behind the Downadup/Conficker virus. Since it started circulating in October 2008 the Conficker worm has managed to infect millions of computers worldwide. The Conficker worm is a self-replicating program that takes advantage of networks or computers that have not kept up to date with Windows security patches. It can infect machines via a net connection or by hiding on USB memory drives used to ferry data from one computer to another. Once in a computer it digs deep, setting up defences that make it hard to extract.

Issue no. 395 - 27 December 2008

• Facebook users hit by virus (BBC)
  Facebook's 120 million users are being targeted by a virus designed to get hold of sensitive information like credit card details. 'Koobface' spreads by sending a message to people's inboxes, pretending to be from a Facebook friend.

Issue no. 394 - 7 December 2008

• EU - European Commission consults on network and information security (OUT-LAW News)
  The European Commission has launched a consultation on how it can strengthen the European Union's response to computer attacks. The Commission is canvassing views ahead of a debate about an EU-wide co-ordination of computer security.

Issue no. 393 - 9 November 2008

• EU - Commission proposes a new tool to protect critical infrastructure (RAPID)
  The European Commission has proposed legislation on establishing a Critical Infrastructure Warning Information Network (CIWIN) to strengthen information-sharing on critical infrastructure protection between EU Member States. The proposed legislation sets up a secure information technology system managed by the Commission and hosted by the Joint Research Centre in Ispra - CIWIN - with the aim of assisting EU Member States in exchanging good practices and information on shared threats, vulnerabilities and activities to protect critical infrastructure, such as for example in the transport and energy sectors.

Issue no. 392 - 5 October 2008

• UK - Who's to blame for data loss? (Silicon News)
  To prevent the loss of sensitive data, organisations must change their cultures. Safeguarding data for government departments has never been an easy task but the last few weeks could lead to greater regulatory and commercial scrutiny than ever before.

Issue no. 388 - 1 June 2008

• EE - Battling Botnets and Online Mobs - Estonia's Defense Efforts during the Internet War (Georgetown Journal of International Affairs)
  by Gadi Evron. What would happen if tomorrow the Internet ceased to function? To most critics, and particularly state officials and policy makers, the possibility that the Internet could one day suddenly disappear is no more than a mere speculation, a highly improbable concept. On May 2007, the events that took place in Tallinn, the capital of Estonia, proved everyone wrong. On that day, Estonia fell victim to the first-ever, real Internet war. This article delves into the political context that shaped the incident and analyzes some of the key lessons and policy implications that emerged as a consequence.

Issue no. 387 - 12 May 2008

• Thieves set up data supermarkets (BBC News)
  Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price. Speaking at InfoSecurity Europe, security firm Finjan said it had seen thousands of such online services. Experts at the conference said web fraud was skyrocketing and called for police to urgently address the problem. Security guru Bruce Schneier said anti-cyber crime efforts needed to be closely allied to the scale of threats. See also Economist article.

Issue no. 386 - 20 April 2008

• UK - 'Illegal' ad system scrutinised (BBC)
  Technical analysis of the Phorm online advertising system has reinforced an expert's view that it is "illegal". The analysis was done by Dr Richard Clayton, a computer security researcher at the University of Cambridge. What Dr Clayton learned while quizzing Phorm about its system only convinced him that it breaks laws designed to limit unwarranted interception of data.

• UK - People are mugs over identity theft (Silicon News)
  Social network data makes life too easy for fraudsters. Identity theft is rife. Perhaps it's time individuals took a leaf out of business's book and adopted a personal information policy that will make life harder for criminals.

• Paypal to block 'unsafe browsers' (BBC)
  Web payment firm Paypal has said it will block "unsafe browsers" from using its service as part of wider anti-phishing efforts. Customers will first be warned that a browser is unsafe but could then be blocked if they continue using it. Paypal said it was "an alarming fact that there is a significant set of users who use very old and vulnerable browsers such as Internet Explorer 4".

Issue no. 384 - 24 February 2008

• EE - Estonia fines man for 'cyber war' (BBC)
  A 20-year-old ethnic Russian man is the first person to be convicted for taking part in a "cyber war" against Estonia. Dmitri Galushkevich was fined 17,500 kroons (£830) for an attack which blocked the website of the Reform Party of Prime Minister Andrus Ansip. The assault, between 25 April and 4 May 2007, was one of a series by hackers on Estonian institutions and businesses. At the time, Estonia accused the Russian government of orchestrating the attacks. Moscow denied any involvement. Kremlin spokesman Dmitry Peskov told the BBC in May 2007 that the allegations were "completely untrue".

• Hackers Rig Google to Deliver Malware (PC World)
  Hackers loaded up more than 40,000 Web pages with malicious software and thousands of common search terms. They then employed an automated network of malware-infected computers--known as a botnet--to link to those sites in blog-comment spam and other places. The mentions elevated the position of the poisoned sites in search results, often to the first page.

• RU - Russia edges China as top malware source (Techworld.com)
  For the second time in a week, Russia has been named and shamed for its rising profile as a global malware hub. Last week, Sophos ranked Russia as number 2 on its league table of spam-relaying countries, behind the U.S., but well ahead of the usual suspect, China. Now Australian security company PC Tools reckons that Russia has overtaken China again, but this time as a producer of active malware such as viruses, Trojans and spyware.

Issue no. 383 - 27 January 2008

• Web vigilantes attack Scientology website (Times)
  A shadowy internet group has succeeded in taking down a Scientology website after effectively declaring war on the Church and calling for it to be destroyed. The group, which goes by the name of Anonymous, is a disparate collection of hackers and activists. It called for a wave of attacks against Scientology after accusing the Church of "campaigns of misinformation" and "suppression of dissent."

Issue no. 382 - 6 January 2008

• EU - Commission welcome intervention by Dutch regulator OPTA against spyware and malware (RAPID)
  The Dutch Telecom Regulator OPTA has imposed a fine totalling 1 million euro on three Dutch enterprises for illegally installing software - so called spyware and adware - on more than 22 million computers in the Netherlands and elsewhere. The companies fined now by OPTA operated together under the name DollarRevenue, which was considered to be among the 10 largest spyware distributors in the world. They managed to install the software on personal computers via downloads from the Internet and by exploiting security loopholes in computer programmes. The illegally installed software allowed the companies to spy on the consumer's on line behaviour and triggered pop-up windows containing specific advertising material. Unlawful access to a personal computer to stall information such as spyware and adware is prohibited under European law, namely article 5(3) of the EU's ePrivacy Directive of 2002. National regulators are called upon to enforce this prohibition by deterrent measures. Yesterday's decision by OPTA is the first time that a national regulator has resorted to drastic fines against a company acting in violation of the EU ban.

Issue no. 381 - 8 December 2007

• UK - Campaigners hit by decryption law (BBC)
  Animal rights activists are thought to be the first Britons to be asked to hand over to the police keys to data encrypted on their computers. The request for the keys is being made under the controversial Regulation of Investigatory Powers Act (RIPA). Police analysing machines seized during raids on activist's homes carried out in May have asked for the keys. The activists could face jail if they do not comply and snub a further formal request to hand over the keys.

• UK - Law requiring disclosure of decryption keys in force (OUT-LAW)
  Users of encryption technology can no longer refuse to reveal keys to UK authorities after amendments to the powers of the state to intercept communications took effect yesterday. The Regulation of Investigatory Powers Act (RIPA) has had a clause activated which allows a person to be compelled to reveal a decryption key. Refusal can earn someone a five-year jail term. The measure has been criticised by civil liberties activists and security experts who say that the move erodes privacy and could lead a person to be forced to incriminate themselves.

Issue no. 380 - 30 September 2007

• Virtually clean (Economist)
  Hacking used to be done by kids for kicks or bragging rights. Nowadays, it's big business for organised crime, often out of reach of the law, on the far side of the world. Connect an unprotected personal computer to the internet for more than 15 seconds and it will almost certainly be attacked by a virus or worse. That's how ruthlessly effective the army of malicious robots, dispatched by criminals to scour the net for vulnerable computers, has become.

Issue no. 379 - 2 September 2007

• EU - Information security awareness raising activities. (ENISA)
  ENISA presents the 1st European report on current practices on measuring successful awareness raising initiatives in information security across the EU, with responses from 67 European organisations headquartered in 9 different countries. The main areas studied are: The importance of information security awareness, Techniques to raise information security awareness, and Mechanisms to measure the effectiveness of awareness programmes.

• Facebook's code leak raises fears of fraud (Guardian)
  Experts are warning internet users to be more careful with their private information after secret code from the popular social-networking site Facebook was published on the internet. This is the first time that some of the site's secret operational code has been made public. Although it does not allow hackers to access private information directly, it could help criminals close in on personal data, according to one expert.

Issue no. 378 - 5 August 2007

• Net criminals shun virus attacks (BBC)
  Hi-tech criminals have found novel ways to carry out web-based attacks that are much harder to spot and stop, warn security experts. Some cyber criminals have exploited file-sharing networks and popular webpages to attack targets.

• The bounty hunters (Economist)
  Suppose you are a computer hacker and you discover a bug in a piece of software that, if it were known to the bad guys, would enable them to steal money or even a person's identity. How might you sell your discovery for the highest price? A service has been launched intended to make the whole process of selling bugs more transparent while giving greater rewards to hackers who do the right thing.

• US - Identity theft? What identity theft? (Infoworld)
  The GAO reports that identity theft really isn't a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks.

• US - Peer-to-peer networks can pose a "national security threat" (CNET News)
  The US Congress really doesn't get tech. Politicians charged that peer-to-peer networks can pose a "national security threat" because they enable federal employees to share sensitive or classified documents accidentally from their computers.

• Warning of webmail wi-fi hijack (BBC)
  Using public wi-fi hotspots has got much riskier as security experts unveil tools that nab login data over the air. Demonstrated at the Black Hat hacker conference in Las Vegas, the tools make it far easier to steal account details, said Robert Graham of Errata Security. Identifying files called cookies are stolen in the attack which let hackers pose as their victim. This gives attackers access to mail messages or the page someone maintains on sites such as MySpace or Facebook.

Issue no. 377 - 5 July 2007

• ENISA and ITU launching Security Standards Portal (Euroap)
  ENISA, the European Network and Information Security Agency together with the International Telecommunication Union (ITU), is launching a new portal for IT security standards, for the first time giving Europe one, single access point for IT security standards. The project, called 'ICT Security Standards Roadmap', was initiated by the ITU Telecommunication Standardisation Sector (ITU-T). From the beginning of 2007, it became a collaborative effort between ENISA, ITU-T, and the Network and Information Security Steering Group (NISSG). One of the objectives of this security standards portal is to provide a central tracking facility for NIS standards. It facilitates identification of standards and standardization activities, as well as coordination among standardization bodies, reduction of duplicate work and easier identification of existing gaps.

• EU - Evaluation of the European Network and Information Security Agency (ENISA) (Europa)
  A public consultation has started on the future of ENISA, the European Network and Information Security Agency. This public consultation was announced on 1 June in a Commission Communication on the evaluation of ENISA. ENISA was established in order to enhance the capability of the Community, the Member States and consequently the business community to prevent, to address and to respond to major network and information security risks, from 14 March 2004 for an initial period of five years.

• NATO says addressing cyberattacks is urgent (Reuters)
  NATO defense ministers agreed that fast action is needed to tackle the threat of cyberattacks on key Internet sites. Estonia suffered an onslaught of cyberattacks on private and government Internet sites, peaking in May after a decision to move a Soviet-era statue from a square in Tallinn prompted outrage from Russian nationals in Estonia and a diplomatic row with Moscow.

• US - Hacker attack on Pentagon e-mail (BBC)
  A hacker has managed to penetrate one of the Pentagon's e-mail systems, leading officials to take up to 1,500 accounts offline. The e-mail system did not contain classified information relating to military operations, a spokesman said.

Issue no. 376 - 10 June 2007

• Cyberattack in Estonia--what it really means (CNET News)
  On April 27, officials in Estonia relocated a Soviet-era war memorial. The move incited rioting by ethnic Russians and the blockading of the Estonian Embassy in Moscow. The event also marked the beginning of a large and sustained distributed denial-of-service attack on several Estonian national Web sites, including those of government ministries and the prime minister's Reform Party. A distributed denial-of-service, or DDoS, attack occurs when hundreds or thousands of compromised computers are enlisted.

• Google searches web's dark side (BBC)
  One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC. Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis". About 450,000 were capable of launching so-called "drive-by downloads", sites that install malicious code.

• RU - Russia accused of unleashing cyberwar to disable Estonia (Guardian)
  A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.

Issue no. 373 - 11 March 2007

• EU - What role for government, security providers and users? (Europa)
  Viviane Reding, Member of the European Commission responsible for Information Society and Media, Enhanced information security in software and services. European Information Security Awareness Day, Brussels, 27 February 2007.

• New shield foiled Internet backbone attack (CNET News.com)
  An attack in early February on key parts of the backbone of the Internet had little effect, thanks to new protection technology. The distributed denial-of-service attack on the Domain Name System proved the effectiveness of the Anycast load-balancing system, the Internet Corporation for Assigned Names and Numbers(ICANN) said. see also: ICANN has released a factsheet concerning the recent attack on the root server system on 6 February 2007. The factsheet is intended to provide an explanation of the attack for a non-technical audience in the hope of enlarging public understanding surrounding this and related issues. [Ed: it does - very clearly written]

Issue no. 372 - 25 February 2007

• EU - Is a communications collapse possible in Europe? (RAPID)
  The European Commission is seeking feedback on how best to safeguard our electronic networks against disruption from attack or natural hazards. This follows a public presentation of the findings of a study which identifies a range of important issues for ensuring that our future networks are sufficiently protected and resilient. As the services and processes that they support become increasingly interconnected and interdependent, the consequences of the failure of or criminal attack on a single network or sub-system could potentially be propagated more widely and faster than ever before. Protective measures need to be put in place to ensure that critical services and infrastructure are not vulnerable to such failures, and that there can be no 'domino effect' that might otherwise result in a major technological collapse of communications and the many services they support.

more items

QuickLinks consists of

• a free newsletter appearing approximately every two to three weeks. The newsletter is distributed by electronic mail through an "announcement only" mailing list.
• a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.