Archive for Cyber Security
- EC proposes €3m Cybercrime Centre
- Destroying experiment participant information
- Cyber-security and the vexed question of global rules
- Five more councils breach Data Protection Act
- UK Police launch more cyber e-crime hubs
- Creating a Common Operating Picture in Cyberspace
- Mikko Hypponen on the three types of online attacker
- NATO cyber defence and the New Strategic Concept
- Knowledge Sharing and Investment Decisions in Information Security
- Cyber attacks could run rings around London Olympics
EC proposes €3m Cybercrime Centre
Around one million people are victims of computer crime every day. The perpetrators are unseen, and often go unpunished.
The EU plans to tackle this with a new European Cybercrime Centre, which would warn EU countries of major threats and alert them to weaknesses in their online defences. It would also identify criminal networks and prominent offenders, and provide support during investigations.
The centre will use information from the public domain, industry, the police and academia to assist cybercrime investigators, prosecutors and judges.
Anyone can be a victim of cybercrime – it includes:
- online identity theft
- computer fraud
- credit card scams
- sexual exploitation of children
- hijacking of web accounts
- attacks on public or private IT systems
And this type of crime is increasing. Around 600,000 Facebook accounts need blocking every day after hacking attempts. In Belgium alone, internet fraud rose from just over 4,000 cases in 2008 to over 7,000 in 2010. And in the UK, bank account takeovers shot up by 207% between 2008 and 2009.
A crackdown on cybercrime will help to increase confidence in e-banking and online booking, and will save millions of euros – a 2011 study put the global cost of cybercrime at €85-291bn. Unfortunately, very few of the perpetrators are currently caught.
The pan-EU nature of the centre would ensure that threats are passed on quickly to other EU countries. If someone in Lithuania reports that their bank account has been accessed illegally, it could be linked quickly to similar incidents anywhere from Greece to Ireland, allowing the centre to immediately alert all EU countries to the threat.
The centre would also respond to technical and forensic questions from investigators, prosecutors and judges. The European Commission (EC) is to propose the establishment of the Cybercrime Centre to tackle rising levels of online crime within member states. It said the centre will be established to help EU member states’ investigations into cyber crime and to map organised crime online. It will also be responsible for training national experts on cyber crime and will form part of the EU police agency Europol, based at Europol’s headquarters in The Hague, which must first approve the proposal.
The centre, which the EC first mentioned in its 2010 Internal Security Strategy, is due to open in 2013 and is the latest EU move to combat cyber crime.
Speaking at a press announcement, Cecilia Malmström, member of the EC in charge of home affairs, highlighted the low costs of credentials and said that cyber crime creates fear “of putting things online, of using social networks, a fear of our ordinary internet lives”.
She said e-commerce only equates to four per cent of the EC’s economy, so there needs to be a strengthening of confidence among consumers, particularly in light of the current euro crisis. Asking what can be done, she said: “Let’s put the best people together, the best brains to identify the main cyber criminal networks and the main threats in cyberspace.
“That is why the commission is proposing today to put together a centre that will bring together some of the best brains in the field of cyber crime, under the flag of Europol in The Hague.”
Malmström added: “This will not target individual file-sharers, this is about severe organised cyber crime across the European Union.” She also said the centre will be a hub to defend an internet that is free, open and safe. Its proposed budget is around €3.6m.
Jeremy Nicholls, European channel director EMEA at Arbor Networks, said: “We believe that the EU’s move towards creating this centre is a step in the right direction, but there needs to be a co-ordinated effort across the industry to really make this work.”
Joseph Souren, vice-president and general manager of Wave Systems EMEA, said: “The announcement shows a serious intent to fight back against the torrent of cyber crime that has affected organisations worldwide for too long. We see thousands of new forms of malicious software code being launched against all types of organisation each month. Co-ordinated efforts, led by units such as the EU Cybercrime Centre, can not only help to map the extent of online criminal activity, but also advocate more robust IT defences.”
Ron Gula, CEO of Tenable Network Security, said: “Cybercrime is often perpetrated by individuals working together from different countries so I’m in favour of any law enforcement initiatives that allow for easier sharing of cyber crimes, the techniques used and any data that may have been stolen. The introduction of a new European Cybercrime Centre will enhance cyber-crime coordination across the EU. At the moment, each EU country has different laws which affect user privacy and stipulate varying corporate penalties for losing data.
“Coordinating cyber crime offenders at the EU level will not only better leverage crime fighting resources in each EU country, but it will also provide a consistent response. It is also important to remember that while the new EU cyber crime centre will focus on eCommerce and protection of internet users’ privacy, if and when there is a cyber-terror event, the culture and practices of sharing cyber-criminal investigations will ultimately enable the EU to respond quickly and effectively.”
Destroying experiment participant information
BERT image and robot facial expressions
For an experiment into human perception of robot facial expressions I collected Personally Identifiable Information (PII) to record participant consent and contact information. This consent was recorded separately (hard copy) from a more detailed questionnaire about lifestyle (hard and soft copy), but linked via a participantID.
After the award of the masters degree, publication of a science paper and waiting a sufficient delay for any queries or reasons to contact experiment participants, there is no longer any suitable reason to retain the contact information or the hard copy of the questionnaire. All digital information has been burned to a DVD as the participants agreed that the anonymised data can be stored and used in future research.
While my research focus has moved into a different domain, I am still interested in the perception of humanoid robots and their use in EEG and psychology experiments.
PII destruction notification
Google didn’t bring up a PII destruction notification template so I actually had to write a letter (below for those who want to copy and paste).
Dear Participant
Thank you for participating in my experiment back in 2010. This experiment was part of an investigation into the human perception of robot facial expression and emotion recognition.
Personally Identifiable Information (PII) was collected to record your consent to participate in the experiment, and a questionnaire was completed to provide information about your background.
I am writing to inform you that all hard copy paper records that contain any personally identifiable and personal information have now been destroyed. As indicated on the consent form, the digital copy of the anonymised questionnaire linked to the electroencephalogram (EEG) data has been stored and may be used for future research.
I would like to thank you again for your participation. The research produced a science paper that was accepted for publication at the HUMANOIDS 2010 conference in Texas, USA.
If you have any questions or would like to discuss anything further please feel free to email me at any time.
Kind Regards
Richard Craig
Five more councils breach Data Protection Act
The Information Commissioner’s Office has found that five local authorities have breached the Data Protection Act by failing to protect personal information about citizens.
Basingstoke and Deane borough council breached the Data Protection Act four times over two months in 2011. In one incident, which occurred in May, an individual was mistakenly sent information relating to 29 people who were living in supported housing. The council has since signed an undertaking committing it to improving its handling of private information.
In July last year a member of staff at Brighton and Hove council emailed personal details about another council employee to 2,821 council workers. The ICO said that in the previous year a “third party” had informed it about the theft of an unencrypted laptop belonging to the council from the home of a temporary employee.
Brighton and Hove has now given a commitment to ensure that the personal information they process is secure, including making sure that all portable devices used to store personal data are encrypted.
According to the ICO, similar undertakings have also been signed by Dacorum borough council, Bolton council and Craven district council. It has also issued an enforcement notice to Staffordshire county council over its mishandling of a subject access request.
“At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty,” said Information Commissioner Christopher Graham. “We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the government to ask for them to extend my compulsory audit powers.”
UK Police launch more cyber e-crime hubs
The UK police capability to tackle the growing threat of cyber crime was strengthened today with the announcement of three regional policing e-crime hubs.
The new hubs, in Yorkshire and the Humber, the Northwest and the East Midlands, were launched at the ACPO e-crime conference in Sheffield. Cyber crime has been identified in the National Security Risk Assessment as a ‘tier one’ threat alongside international terrorism, an international military crisis, and a major accident or natural hazard requiring a national response.
To meet the threat, the government has granted £30m over four years to improve national capability to investigate and combat cyber crime. It seems that this £30m is part of the £650m package announced as part of the 2009 UK cyber strategy.
The three new units will work alongside the Metropolitan Police’s Police Central e-crime Unit (PCeU), which was established in October 2008 as part of the National e-Crime Programme.
ACPO lead on e-crime Deputy Assistant Commissioner Janet Williams said: “The Government has acknowledged a need to collaborate and provide a structured response to the cyber security of the UK and these three additional policing units are going to play a critical role in our ability to combat the threat. It is anticipated the hubs will make a significant contribution to the national harm reduction target of £504m. In the first six months of the new funding period alone we have already been able to show a reduction of £140m with our existing capability. While a training period is required before the hubs are fully functional they will undoubtedly provide an enhanced ability to investigate this fast growing area of crime and provide an improved internet investigation capability.”
James Brokenshire, Minister for Crime and Security, said: “Cyber crime is a threat locally and nationally, and every police force in the country has to deal with its impact on people and businesses in their area. As well as leading the fight in their regions, these units mark a significant step forward in developing a national response to cyber crime, which will be driven by the new National Crime Agency. The government has committed £650 million in the fight against e-crime.”
Regional e-crime co-ordinator, East Midlands Deputy Chief Constable Peter Goodman said: “There is no doubt that the proliferation of the internet has brought significant benefits to all across society, but unfortunately that also includes those who have criminal intent. We know that increasingly criminal networks are seeking to exploit cyber space for profit and we have a duty as police leaders to respond to protect individuals and communities.”
Within the first 18 months of activity, the central unit conducted seven operations across England, Wales and the Northern UK which resulted in an overall harm prevention figure of £83m; a 1:21 saving on funding.
PCeU Northwest, PCeU East Midlands and PCeU Yorkshire and the Humber will initially each comprise three staff members (a detective sergeant and two detective constables), and will operate not only by generating their own investigations, but in a supporting capacity to the Met’s PCeU.
Creating a Common Operating Picture in Cyberspace
Successful cyberspace investigations require an ability to piece together disparate technical and contextual data sources to develop a comprehensive picture of an adversary and their methods of attack. This session will highlight six key challenges of cyber security, and how Palantir can be used to build a common operating picture for cyberspace enabled organisations.
Mikko Hypponen on the three types of online attacker
A great introduction on the behaviour of the East German state, which required a sample page from each typewriter so that it could trace which one was used to produce any article critical of the state (see the film The Lives of Others). The same thing is happening with laser printers today, allowing governments to use technology against citizens.
Mikko Hypponen divides attackers into the following groups
- Criminals – Motivations are easy to understand; they want to make money and have made their fortunes online. In the future the majority of crime will occur online.
- Protesters – Activists, motivated by beliefs.
- Nation states – Totalitarian states hack companies (Diginotar) or individuals (Germany) for surveillance.
While many will state “I have nothing to hide why should I worry?”, the argument is never about personal privacy vs national security, but about Freedom vs Control. Loss of privacy IS loss of freedom. We must remember that any right that is given away will never be returned. The moral right of a government is derived solely from the consent of the people whom the government represents.
“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” – Benjamin Franklin
“My criticism of the West, especially of liberals, is that they take freedom for granted.” – Ayaan Hirsi Ali
How about if the government set up video cameras and microphones in every room of your house, would that be ok? No, because you would have lost your freedom to be a private individual – privacy is necessary for healthy psychological function in modern societies. Governments watching what you do on your computer is the same as having CCTV in your home. Now imagine giving governments the power to watch your every move without you even knowing it. How could you fight such a government if it became repressive? You couldn’t because those liberties would have been lost.
Another good comment after the video:
Tyrannical governments are not going to spy on everyone in order to find out who hates them because they already know that the majority of the population hates them and because they cannot incarcerate the majority of the population. All they want to know is who is brave enough to oppose the government. I know this fact because I was a dissident in communist Poland and I learned it from the secret police and from other dissidents. In North Korea, not crying hard enough at the funeral of Kim Jong-il was interpreted as anti-government demonstration, punishable by incarceration. German Nazis had blockleiters (block leaders) who spied on the people living in the same building. Soviet Union had the same kind of spies, called dvorniki (house-men). The purpose of these spies was terrorizing the population. It did not matter who was arrested, as long as a few people were arrested every year.
Even if ordinary people manage to create a guerrilla army, they cannot overthrow tyrannical governments, e.g., the governments of Adolf Hitler, Joseph Stalin, Hafez al-Assad (Hama massacre), and the North Korean government because the governments have better weapons and their soldiers have better training. All historical examples of guerrilla victories are victories against weak, non-tyrannical governments. The American war of independence (revolution) was won by the French navy. Egyptian military leaders told Hosni Mubarak that if he did not step down voluntarily the army would force him out. Muammar Gaddafi was overthrown by Western air-force aided by militia armed and trained by the West. Taliban and Haqqani Network exist because they receive support from Pakistani ISI. Any tyrannical government can enslave its population because we, the people, do not have modern air force and we cannot defeat the government air-force with rifles and RPGs. Any tyrannical government that possesses nuclear weapons and is willing to defend itself with genocidal attacks is invincible.
Privacy was a problem for companies and governments to solve, and technology has allowed people to meet the challenge.
NATO cyber defence and the New Strategic Concept
Despite the launch of NATO’s New Strategic Concept in Lisbon, there remain many unanswered questions regarding the Alliance’s mission in cyberspace. Experts have attempted to decipher the position of cyber threats within the context of NATO’s grand strategic debate, both nationally and internationally. So where does the task of countering these threats fit among the Alliance’s core commitments? And what challenges do they present to security and defence policies?
Behind this backdrop of uncertainty, a NATO-funded workshop will bring together 40 experts from NATO and partner countries, including Russia, to proffer answers and provide an analytical context for a clearer understanding of what NATO’s cyber security strategy should be.
Taking place from 10 to 11 October 2011 in Cambridge in the United Kingdom, this workshop will attempt to steer the perception of cyber threats from a constant annoyance punctuated by embarrassing security breaches, to the economic and security impacts they can pose to both the public and private sectors. Despite this reality, talk of a ‘cyber 9/11’ remains at a theoretical level even though intellectual property as well as corporate and government secrets are constantly compromised by anonymous actors.
Key speakers at this workshop will discuss topics such as:
- Emerging security threats in cyberspace;
- Command and control in cyberspace;
- A history of internet security failures;
- Cyber risks and preparedness in the private sector;
- Securing the next generation internet; and
- Governing cyberspace – law, international cooperation and treaty
It is becoming increasingly apparent that many security analysts recognise the importance of cyber defence and view the security of the ‘e-domain’ as being on par with NATO’s more traditional concerns. Cyber attacks offer anonymity and deniability as well as vastly favourable cost-benefit ratios in comparison to conventional military options. It is increasingly probable that a cyber attack on a NATO country will precede, or even replace a physical assault, moving cyber issues to the forefront of security concerns. This requires new strategic thinking to mitigate this very real threat of tomorrow.
Participants from Microsoft, Facebook (UK), the Massachusetts Institute of Technology and Cambridge University will contribute to what promises to be a dynamic exchange of views on a facet of the modern security environment.
This workshop is funded through NATO’s Science for Peace and Security Programme.
Knowledge Sharing and Investment Decisions in Information Security
Dengpan Liu, Yonghua Ji, and Vijay Mookerjee (2011), “Knowledge Sharing and Investment Decisions in Information Security,” Decision Support Systems, in press.
Abstract: We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners’ Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an “arms race” where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.
Cyber attacks could run rings around London Olympics
McAfee announced survey results which show a worrying lack of awareness amongst MPs, business leaders and journalists about the extent of the cyber threat facing the London 2012 Olympic Games.
The report states that a recent survey of MPs, business leaders and journalists (a narrow pool of participants) shows that only two percent think that a cyber attack poses the greatest threat to the 2012 Olympic Games. You might think that a terrorist attack or infrastructure failure would top the list, but a ‘lack of interest from the British public’ tops the poll (carried out between 17th June and 12th July 2011).
The findings suggest that there is a continuing failure to grasp the importance of the cyber threat despite the government categorising the possibility of cyber-attack a tier one threat in the National Security Strategy and warnings from the London Organising Committee of the London Games (LOCOG) that attacks are “inevitable”.
Atos Origin, LOCOG’s IT partner, have said that 14 million malware events were recorded per day during the Beijing Olympics, 400 of which had the potential to impact on the games. McAfee’s own research, released in August 2011, has shown that the International Olympic Committee (IOC) has already been the subject of cyber-attacks along with the networks of 72 organisations, although this has not been confirmed by the IOC. [See Operation Shady RAT.]
In the first three months of 2011, McAfee identified more than six million examples of malicious software, which far exceeds any records for a similar time period. There has also been a 76% increase in attacks on Android phones. At the current rate of growth McAfee expects samples to reach 75 million by the year end.
The survey showed:
- 52% of business leaders, 64% of politicians and 62% of journalists feel it is unlikely that there will be a large scale cyber-attack during London 2012
- 74% of business people, 79% of politicians and 80% of journalists believe that if an attack took place it would not compromise the Games
- 41% of respondents rated transport as the greatest threat to the success of the Games followed by 38% who rated terror attack as the biggest potential threat
- Only 2% considered cyber-attack the largest threat, fewer than those who thought lack of interest from the British public posed a greater problem.
However:
- 89% of business leaders, 79% of MPs and 83% of journalists felt that the risk of cyber-attack will grow in the future
David Blunkett, former Home Secretary and Chair of the International Cyber Security Protection Alliance (ICSPA), has called for an education campaign targeted at all parts of society. “At a time when cyber attacks on organisations like the International Monetary Fund (IMF) are hitting the headlines, it is important that our lawmakers and opinion formers understand the importance of the work being done to protect the London Olympic Games and use it as a springboard for a national campaign of online vigilance.”