IBLS Speaker's Corner : online security

Europe Fights Mobile Malware

Maricelle Ruiz — Wed, 27 Jun 2007 12:10:00 GMT

Just when we thought our computer antivirus would protect us from anything out there…the mobile virus made its grand entrance into Europe. Police started to investigate and recently detained a prolific, mobile-virus creator. Information on the modus operandi of mobile hackers and tips to avoid their traps has been released to nip this challenge in the bud. Although they concur that this criminal activity is still not widespread, experts also agree that it shouldn’t be underestimated.

“Viruses are not harmless pranks; they cause real harm disrupting business and personal communications as well as destroying and stealing sensitive data,” says Graham Cluley, senior technology consultant for Sophos, an IT security firm. “The computer crime authorities around the globe are becoming more experienced at tracking down hackers and virus writers, and malware authors should be asking themselves whether it’s really worth taking the risk.”

After an investigation spanning half a year, Spanish police have detained a 28-year-old man accused of creating more than twenty “Leslie” viruses, reportedly affecting the high-end devices of more than 100,000 people. Millions of dollars could have been lost as a result of the viruses, reportedly named after the suspect’s fiancée. Police have seized computers, mobiles and other high-tech devices to build up their case.

The “Leslie” viruses resembled malware affecting the mobiles of hundreds of people attending the 2005 IAAF World Championships in Athletics in Helsinki, Finland, and devices in Northern Spain. The ‘Leslies’ spread through Bluetooth, manipulating infected devices to send multimedia messages to contacts in the phone agenda as well as in the call and incoming messages lists.

This particular malware came with pornography, ring tones, sports news, chat applications and even antiviruses, and manipulated devices to transmit costly phone messages or caused phones to run out of battery. However, experts report that malware may also come with pictures and video clips; replace system applications; and make screen text unreadable, among other criminal activity.

To protect mobiles, telecom and technology companies recommend that users equip mobiles with antivirus protection and firewalls; or run applications to revamp already affected devices. These programs are available online or at an operator. Companies also advise users to accept ONLY content from a known source, through Bluetooth or Beam infrared technology. Users should deactivate the technology when it is not in use to keep phones from receiving messages containing malware.

Internet security firms also report a fight against multilingual mobile spam within the continent.

ASK THE EXPERT: Does My Company Have The Right To Read My Email?

IBLS Editor — Tue, 26 Jun 2007 14:18:00 GMT

Wendy Garcia from The Philippines (Quezon City) asks:

I work for a large corporation in the finance department. In connection with the investigation of suspected embezzlement, my employer looked at my saved e-mail at work. Then, from some forwarded messages, discovered my home e-mail address, and convinced the Internet service provider to allow the company access to that e-mail as well. Does the company have the right to read e-mail at work? What about my private e-mail at home? pls answer my question asap thanks

Another Cyber Attack Hits Europe

Maricelle Ruiz — Wed, 13 Jun 2007 12:15:00 GMT

When Estonia suffered a series of cyber attacks in recent months, US official John Negroponte told the Financial Times: “We need to prepare ourselves because this is likely only to become more of an issue in the future.” Well, the future is here. And the wave of cyber attacks has moved from Eastern to Western Europe. It has recently been disclosed that around the time Estonia was under cyber attack, an important Spanish domain-registration company was also waging a battle against unknown cyber pirates. The Cyber Terrorism Division of the Spanish Police is investigating the incident. If identified, the hackers involved could be prosecuted for blackmailing a company to prevent the disclosure of confidential information.

There seems to be a disagreement regarding the severity of the situation. While some reports claim that the private data of hundreds of thousands of Internet users is in the hands of criminals, the leading Spanish company in the domain registration and web hosting business, Arsys, has issued a statement denying this information. Executives concede the company has experienced what they describe as “a security incident, compromising some client data.” However, they say, none of the data in question involves email, bank account or credit card passwords and therefore, they claim there’s no risk of illegal access into bank or email accounts.

According to Arsys, hackers reportedly stole FTP codes, enabling them to insert a link to an external server containing malicious code, in the web pages of some clients. As soon as the company detected the incident, executives say it eliminated the link from the web pages, notified affected clients and boosted security measures across the board. To comply with legal requirements, executives add the company has reported the incident to the Cyber Terrorism Division of the Spanish Police. They confirm the incident is under investigation and may end up in court.

The attackers reportedly used servers located in the United States and Russia. According to the latest Symantec Internet Security Threat Report, the United States is the top country for malicious threat activity, accounting for 31% of the worldwide total, followed by China (10%), Germany (7%), France (4%), United Kingdom (4%), South Korea (4%), Canada (3%), Spain (3%), Taiwan (3%) and Italy (3%). Meanwhile, law enforcement authorities have detained a Russian teenager suspected of involvement in the Estonian cyber attacks. The youth reportedly called for massive cyber attacks against Estonian servers in Internet forums.

Expert Input Sought on Belarusian Information Law

Maricelle Ruiz — Wed, 06 Jun 2007 12:26:00 GMT

The Government of Belarus is in the process of adopting a law on information, informatization and protection of information in that Eastern European country. Belarus intends to combine national and self-regulation to guarantee the right to receive and exchange information, including governmental data, while protecting individual privacy and national security. Think tank E-Belarus is seeking expert advice on the matter to measure the impact of the law; identify positive or negative aspects of it; and determine whether any provisions are missing from the text. Please post an expert comment on the proposed law on this blog. Your input is most appreciated by the parties working on this initiative.

The proposed Law of the Republic Of Belarus “On Information, Informatization and Protection of Information” designates the powers of public officials in this area; guarantees the right to information as long as it isn’t abused; establishes the types of information available, including public and confidential information; and sets the parameters regarding the use of personal and professional data and state secrets. It also regulates the provision and distribution of information, including data held by state bodies posted online; and demands the prompt distribution of public information upon electronic request. Furthermore, the proposed law sets the legal requirements of owners and users of data and systems, including the rights and responsibilities of parties regarding data protection.

Under the proposed law, the President and the Council of Ministers will define and implement the country’s information and privacy policies. The State Center on Informational Security and the National Academy of Sciences will come up with technical measures to protect information and keep a registry of the providers of said data. The Ministry of Communication and Informatization will regulate the sector and ensure the implementation of international treaties and the upgrading of technology. State organizations will guarantee the understanding of information technologies and resources and the timely receipt of public information.

Information may not be used to overthrow the Government, threaten the Country’s territorial integrity, or promote social, religious or racial hostility, according to the proposed legislation. The distribution of individual data should be limited to ensure personal privacy; maintain state and professional secrets; and guarantee the integrity of ongoing court cases. Holders of personal information must take measures to protect the data and seek subject authorization to distribute it. The distribution of data infringing upon the honor, dignity and business reputation of an individual or corporation is prohibited. Individuals or corporations have the right to take legal action to prevent the disclosure of their private information.

Furthermore, the planned standard states that information distributed in Belarus must clearly identify its owner and distributor, who in turn must comply with users’ right to refuse this data. Public data should be made available via email upon request promptly unless the information may harm national security or private interests. It should also be provided on the Internet. Websites of state organizations must include contact information, organizational structure, appointment times for citizens and the laws regulating said organizations. They may not contain political propaganda or ads. Both public and private sites must take adequate measures to protect personal data. A state registry on informational systems should be in place.

In addition, the proposed law establishes that international informational networks accessible from Belarus should respect national legislation. Belarusian email recipients have the right to verify senders of these communications. There are no limitations to the international exchange of information within Belarus as long as Legislation of the Republic of Belarus on Provision of Information and Protection of Intellectual Property is observed. The rights of the owner of the information contained within a database are also protected. The Government of Belarus, meanwhile, may limit or suspend the international exchange of information if deemed necessary.

Finally, it states that the users of information have the right to access personal data and use informational systems as long as they don’t abuse this right or the rights of others using these systems. Agreements should be in place to regulate the rights of owners of the information and the distributors. Agreements should also outline legal responsibility for the misuse of information. Physical protection of informational systems; cryptography; and data access controls should be in place. Violation of any of the provisions of this proposed law, slated to go into effect six months after official publication, will lead to disciplinary, civil, administrative or criminal responsibilities.

To view the full draft of the law in English, please visit:

http://www.e-belarus.org/docs/informationlawdraft.html

An Explosion in Cyber crime Sets Off Alarms in Europe

Maricelle Ruiz — Tue, 29 May 2007 02:15:00 GMT

A video circulates on the Internet linking several individuals accused of the largest terrorist attack in Europe, the 2004 Madrid train bombings, to the incident. It is attributed to Iraqi-based, terrorist organization Ansar el Islam. The video shows pictures of an alleged planner and several of the suspected executers of the attack. It also shows graphic images of the attack and its aftermath as well as maps of the Madrid train system and of Al-Andalus, the area of the Iberian Peninsula governed by Muslims centuries ago. This video and similar websites are said to be used by terrorists to recruit supporters for their cause.

The European Union wants Member States, third countries and the private sector to join forces to put an end to the use of cyberspace for criminal purposes, including the incitement to terrorism. To that end, it has released the Communication “Towards a General Policy on the Fight against Cyber Crime;” scheduled conferences on public and private cooperation; and is considering the adoption of targeted legislation. Besides dealing with cyber terrorism, the European Union wants to tackle skyrocketing online child pornography and financial fraud, particularly identity theft for the fraudulent use of credit cards, as well as cyber attacks.

The European Union urges countries to adopt the Council of Europe’s Convention on Cybercrime of 23 November 2001 and the EU’s Council Framework Decision 2005/222/JHA of 24 February 2005 on Attacks against Information Systems.

The European Union is in the process of collecting regional statistics on the magnitude and cost of cyber crime, which officials predict to be enormous, judging by the following data. The UK-based Internet Watch Foundation reports a 1,500 percent rise in child pornography sites accessible from this country in an eight-year period. In Norway, 7,000 people are said to be looking at child pornography on the Internet every day. Cyber crime losses in the United States, meanwhile, account for up to $400 billion per year. In the United Kingdom, 89 percent of businesses have been attacked in a year. Estonia was recently subjected to weeks of cyber attacks forcing the shut down of key public and private sites. The UK Financial Services Authority reports an 8,000 percent increase in bank fraud within a two-year period.

Should We Go To War Over A Massive Cyber-Attack?

Maricelle Ruiz — Mon, 21 May 2007 10:23:00 GMT

Estonia is doing it again. The tiny Eastern European nation – holder of the first Internet election – is pushing the boundaries to set another legal precedent. But this time around, a change in the law could entail serious international consequences.

It all started a few weeks ago. Weary of Russian attempts to reportedly meddle in its internal affairs, the former Soviet satellite state decided to relocate a Soviet war memorial from the center of its capital Tallinn to a cemetery. The action angered Russians living in Estonia and beyond. Among the actions taken against Estonia was a massive cyber-attack, lasting weeks, which Estonian public officials and business executives claim originated at the top levels of the Russian government.

Estonia may be small in territorial size, but when it comes to its former handlers, it’s ready to display a big attitude. The country’s top public officials went straight to the European Union and the North Atlantic Treaty Organization (NATO) to report the attacks, which disabled the sites of ministries and political parties, as well as of some of the largest newspapers, banks and businesses in the country.

“Attacking one member state means an attack against the entire European Union,” Estonian Prime Minister Andrus Ansip alleged. “We have turned to the European Union and we ask them to take immediate action.”

Prime Minister Ansip and other Estonian public officials alluded to Article V of the NATO Treaty, which states that an attack on one of its members shall be considered an attack against all and enables these nations to exercise the right of self-defense recognized by Article 51 of the Charter of the United Nations. Most EU member states – including Estonia – also belong to NATO.

Estonian Defense Minister Jaak Aaviksoo, meanwhile, discussed the situation with NATO officials and later stated the following during an interview with British newspaper The Guardian: “At present, NATO does not define cyber-attacks as a clear military action. This means that the provisions of Article V of the North Atlantic Treaty, or, in other words collective self-defense, will not automatically be extended to the attacked country. Not a single NATO defense minister would define a cyber-attack as a clear military action at present. However, this matter needs to be resolved in the near future.”

NATO cyber-terrorism experts have traveled to the country to assist Estonians in determining the source of the attack and boosting the country’s electronic defenses. The attack has been described as a distributed denial of service attack. A denial of service attack is defined as an attack against a computer or network that attempts to limit access to the Internet by flooding it with requests for a webpage or emails. A more sophisticated variant of this attack is said to be the distributed denial of service attack, where hackers rely on viruses to take over multiple computers to engage in the attack, thus increasing the amount of malicious traffic and decreasing the ability of the owners of the victim machine or network to defend themselves. In the Estonian case, the IT experts prevented foreign Internet addresses from accessing the sites under attack until the situation was under control.

The President of the European Council, German Chancellor Angela Merkel and Commission President José Manuel Barroso, meanwhile, were scheduled to discuss the cyber-attack issue during a recent EU summit with Russia, which judging by their grave faces during the final press conference, did not seem to yield positive results. In the past, Russia and China have been linked to electronic espionage. Now, it may be wise to admit that governments must evaluate measures to effectively handle countries that decide to engage in this novel type of warfare.