New European law requires sanctions for IT security deficiencies

The European Union has adopted its first general directive on IT security. With the publication of the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) in the Official Journal of the European Union on 19 July 2016 (L 194/1), a legislative process of more than three years has come to an end. In February 2013 the EU Commission had tabled a proposal to regulate IT and cyber security at the European level. The negotiations between Parliament, Council and Commission have produced a very far-reaching directive, which enters into force on 8 August 2016. The directive provides for measures to improve IT and cyber security on three different levels. Continue reading

The US cyber deal with China – A stop to economic espionage?

A new deal has emerged between the US and China regarding economic espionage. Both countries agreed that neither government “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” An important and, to many analysts, even surprising turn of events: China had long been notorious for not responding to, let alone complying with, similar requests. But things have changed. The agreement came about because of two factors. First, the US kept confronting China publicly with evidence of hostile activity against US companies, notwithstanding Chinese denials of material that was, in legal terms, deniable. Second, Obama seemed willing to take the confrontation to a new level. Nobody, of course, wants an open exchange of hostilities over this. But the White House did announce a series of severe economic sanctions against China as punishment for past cyber espionage. Sanctions would be difficult for China in a number of ways and would send controversial signals around the world, so Beijing agreed to sign the informal agreement to curb economic spying. Continue reading

Tesla goes Crasla – First glimpses of the many problems of autonomous driving cars

Car manufacturers are excited about the new options for autonomous driving. Rightly so: it would be the greatest revolution in this field in decades. Autonomously driving cars are not just good for taking a nap on a boring ride. They enable entirely new business models and new forms of mobility, they combine the relaxed luxury of a train ride with the individual flexibility of the car, and with the parallel evolution of the information layer on top of everything, cars may even turn into robots, doing the groceries all by themselves or picking up the kids without any parents involved. Continue reading

EU invests an additional 450 million euros in research and development for cyber security

On 5 July 2016 EU Commissioner Günther Oettinger launched the European public-private partnership (PPP) for cyber security. The EU Commission's partner is the newly founded European Cyber Security Organisation (ECSO), an association of European companies. The aim of the PPP is close cooperation between the various actors in cyber security, user and IT companies, government and academia, to jointly develop and implement Europe's research and development agenda in this field. Within the activities of the newly founded PPP, the EU Commission is providing additional funding of 450 million euros under the conditions of the Horizon 2020 programme. Through the PPP it expects to leverage three times that amount from private industry. The ECSO and the PPP it manages will in future be the first point of contact for European funding in the field of cyber security. Continue reading

Banana sales strategies in gaming under scrutiny

The software industry is notorious for shipping its products as early as possible, which is quite frequently well before maturity. That is why its products have been likened to bananas: they ripen with the customer. But this annoying practice of debugging a product in the market has now been challenged. In the UK, an amendment to the Consumer Rights Act has been made regarding digital-only purchases of video games. Games are well known for being shipped with buggy code, or sold as offering features demonstrated in trailers but absent from the final product. The game “The Witcher 3” provides a recent example: the graphics in the trailers were superb but obviously not attainable on common gaming PCs, where the game looked far less elegant and rather crude. So consumer protection stepped in. Gamers can now seek refunds or repairs from gaming companies if products are not working properly. The amendment is still criticized for being too vague in its wording. This may be a reaction to the many difficulties in determining the “proper functionality” of software, but it also reflects a reluctance to curb the video games industry too much. A moderate first step seems more sensible, testing the waters for this kind of regulation. The regulation also contains a smart little addendum that closes an obvious route for the gaming industry to dodge the new rules: it gives “consumers [the right] to challenge terms and conditions which are not fair or are hidden in the small print”. Continue reading

The EuGH judgment – A step towards digital self-determination in Europe

The recent EuGH (Court of Justice of the European Union) judgment, rendering the 15-year-old “Safe Harbor” regulation between the EU and the USA invalid, has significant implications for data protection and security, for digital businesses and for societies.

The “Safe Harbor” regulation enabled the free exchange of data between the EU and the US, as long as IT- and Internet companies promised to comply to a minimal set of data protection standards, awarding data of EU citizens an (almost) equal protection level. This regulation, however, was now judged to have been wrong in three ways. First, it went far beyond the authority of the EU, interfering much too strongly with national and regional data protection regulation. Second, it forgot that national security regulations in the US rank higher than self-administered data protection standards of the IT- and Internet industries, rendering it effectively impossible for these companies to make any promises regarding the protection of European data. And third, “Safe Harbor” also forgot that the United States are not a constitutional state for Europeans, rendering any chance for intervention into national security processes in the US impossible, thus depriving European citizens of their basic rights on data protection and legal intervention. Continue reading

Report on Chinese threat actor group “Mofang” emphasizes the human factor in cybersecurity

Fox-IT, a Netherlands-based security company, has recently issued a report on the Mofang group, said to be a closed group using very specific, seldom-seen attack tools. So far, Mofang's various attacks have not been observed running in parallel. The first Mofang attacks occurred in 2012, targeting different government institutions in the USA, Singapore and Myanmar. These attacks also targeted security-related organizations and companies in Canada, Korea and India. Two German companies were also attacked, with recent newspaper reports naming Rheinmetall as one of the German victims. Since early 2015, however, organizations in Myanmar have been the only victims. Continue reading

Top encryption mechanism easily attackable through microphones

Researchers from Tel Aviv have demonstrated a new and surprisingly simple attack on encryption: they listen to it. While a computer performs a decryption it emits a high-frequency sound, not from the processor itself but from the voltage regulation circuitry feeding it, and this sound varies characteristically with the changing electrical current drawn by the computation. By analyzing the sound, the researchers were able to extract a 4,096-bit key. Critics may object that an attacker would first have to get close enough to the computer to listen. That problem was solved elegantly: the researchers simply compromised the computer and took over its microphones. Modern PC microphones are good enough to pick up the current-modulated sound from a distance of about ten meters.
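The principle underneath this attack is that a secret-dependent sequence of operations draws a secret-dependent current, and so produces a secret-dependent signal. The following toy model is an added example, not the Tel Aviv researchers' code or method: an operation log stands in for the acoustic trace, a naive square-and-multiply exponentiation leaks its exponent through that log, and a Montgomery ladder performs the same operations for every key bit so the log no longer depends on the key. All names, the tiny modulus and the four-bit "key" are constructed for illustration.

```python
"""Toy model of a computation-dependent side channel (added example).

An operation log ('S' = squaring, 'M' = multiplication) stands in for the
physical signal an attacker records. The real attack is far more involved;
this only shows why key-dependent computation is the root of the problem.
"""


def square_and_multiply_traced(base: int, exp: int, mod: int):
    """Naive left-to-right modular exponentiation.

    Returns (base**exp mod mod, trace). Every exponent bit costs one squaring
    and, only for a 1 bit, an extra multiplication, so the trace is a direct
    function of the secret exponent.
    """
    result = 1
    trace = []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result, trace


def recover_exponent(trace) -> int:
    """Attacker's view: each 'S' starts a new bit; an 'M' right after it means 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)


def montgomery_ladder_traced(base: int, exp: int, mod: int):
    """Same result, but every bit performs exactly one 'M' followed by one 'S'.

    The operation sequence, and with it this model's signal, no longer depends
    on the key. The register selection below still depends on the bit; real
    constant-time code must make that selection branch-free as well.
    """
    r0, r1 = 1, base % mod  # invariant: r1 == r0 * base (mod mod)
    trace = []
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        trace.extend(["M", "S"])
    return r0, trace


if __name__ == "__main__":
    secret_exponent = 0b1101  # constructed four-bit "key"
    value, leak = square_and_multiply_traced(4, secret_exponent, 497)
    print(value, "".join(leak), "recovered exponent:", recover_exponent(leak))
    value2, quiet = montgomery_ladder_traced(4, secret_exponent, 497)
    print(value2, "".join(quiet))
```

Run as a script, the first line shows the leaked trace `SMSMSSM` and the exponent 13 read straight back out of it; the ladder produces the same result with a trace that is identical for every exponent of the same bit length. The countermeasure actually deployed against this attack class in practice, randomizing (blinding) the ciphertext before exponentiation, is not shown here.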

The UAE is attacking dissidents and journalists with government spyware

The UAE has been known at least since 2012 to have joined the many oppressive nations conducting surveillance on their own citizens, more specifically on political activists and journalists. In that year the UAE appeared on the customer list of the surveillance vendor Hacking Team, which had licensed the country to monitor more than 1,100 devices.

Now a new Citizen Lab report has appeared in which Munk School researchers Bill Marczak and John Scott-Railton analyze the new case of Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, was attacked with spyware delivered in a spear-phishing campaign associated with the UAE surveillance effort. The attack pattern, dubbed “Stealth Falcon” by the Munk School researchers, shares indicators with previous Twitter-based attacks by the UAE on other political opponents. Continue reading

Successful password hacks: providers risk fines and damages

In 2012 the contact portal LinkedIn fell victim to a password hack. Whereas at the time “only” the theft of 6 million user names and passwords was admitted, it has now emerged that more than 100 million passwords from that hack are being traded on the black market. LinkedIn has confirmed the authenticity of the data. Quite apart from LinkedIn's questionable handling of the incident, the sheer number of passwords circulating on the black market points to another problem: the evidently missing or far too weak protection of stored passwords by service providers. LinkedIn had stored them as unsalted SHA-1 hashes, which is why so many could be recovered from the dump. Continue reading
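To make the storage problem concrete, the following added example (not LinkedIn's code, nor anything from the article) puts the weak scheme beside a hardened one. A constructed three-user table of unsalted SHA-1 hashes falls to a single pass over a small word list, because one hash per candidate word covers every account at once; the same accounts stored with a random per-user salt and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library) force the attacker to recompute the KDF for every user and word pair. The `pbkdf2_sha256$iterations$salt$hash` record format, the user names, passwords and word list are all assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# --- Weak scheme: unsalted SHA-1, the form the 2012 LinkedIn dump was in ---

def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed stand-in for a leaked user table (not real data).
LEAKED_DUMP = {
    "alice": sha1_unsalted("linkedin"),
    "bob": sha1_unsalted("123456"),
    "carol": sha1_unsalted("correct horse battery staple"),
}
WORDLIST = ["password", "123456", "linkedin", "letmein"]  # constructed


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """One SHA-1 per candidate word is enough to test every account at once."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# --- Hardened scheme: random per-user salt plus a deliberately slow KDF ---

DEFAULT_ITERATIONS = 600_000  # raise over time as hardware gets faster


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and hash (hypothetical format)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so verification itself does not leak
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """The salt forces one KDF run per (user, word) pair; returns (cracked, kdf_calls)."""
    cracked, calls = {}, 0
    for user, stored in dump.items():
        for word in wordlist:
            calls += 1
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked, calls


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_DUMP, WORDLIST))
    # iterations lowered here only so the demo finishes quickly
    hardened = {u: hash_password(p, iterations=20_000) for u, p in [
        ("alice", "linkedin"), ("bob", "123456"),
        ("carol", "correct horse battery staple")]}
    print("salted:", crack_salted(hardened, WORDLIST))
```

Against the unsalted table four SHA-1 computations crack two of the three accounts; against the salted table the attacker needs nine KDF runs for the same result, each costing the full iteration count, and precomputed tables are useless because every user has a different salt. Only the strong passphrase survives either scheme, which is why slow, salted hashing protects the common weak passwords rather than the rare strong ones.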