Editor : Martin Simamora, S.IP |Martin Simamora Press
Showing posts with label Cyber Space. Show all posts

Wednesday, 30 November 2011

MALAYSIA TO SET UP 4,000 WIFI VILLAGES BY 2012


osmanlee.com

By the end of 2012, about 4000 WiFi villages will be set up nationwide as part of the Government’s initiative to bring the benefits of broadband to the citizens. According to Information, Communications and Culture Minister, Datuk Seri Dr. Rais Yatim, at present there are only about 1,400 WiFi villages in the country and are mostly found in Perlis, Sabah, and Sarawak. “We are in the process of building electronic towers in Sabah and Sarawak, therefore our big enrolment drive to create Malaysia as an internet community is there now,” he said.
  
The average cost of the project for each village is about RM25,000 (USD 7,800) to RM 32,000 (USD 10,000). The villages would be provided with the normal computerising system with broadband facility which will be free of charge for the first three months, while a minimum of RM10 (USD 3) per month would be charged subsequently. 

The WiFi village project is an important component in helping the Government realise its objective of becoming a high-income and high skilled nation driven by innovation and a knowledgeable society. The Government hopes that recipients of the facility will regard broadband as a necessity in their daily lives, not only as an unlimited resource to obtain useful information and as a means to connect with other people, but also in the conduct of their business and work. 

The Minister added that in order to expand the use of the facility, an educational process in terms of sharing knowledge and experiences by relevant agencies is crucial to further increase the number and performance of online businesses in the country. “What is lacking is the systematic educational system to teach our young and older generation how to do business online in a manner that it is a culture with great returns besides garnering confidence,” he said.

futuregov.asia

Monday, 28 November 2011

Cyber security threats are evolving

Hackers group Lulzsec has intensified its action against cyber security and has even teamed up with group Anonymous to counter foreign government efforts to track them down. LulzSec announced its decision to team up with Anonymous via its Twitter and website: "To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships." - KoreaITTimes

THREATS TO CYBER SECURITY are evolving and businesses need to learn from attacks by Lulzsec and Anonymous, speakers said at a cyber security panel discussion today. At a Westminster eForum, Defence Select Committee member Julian Brazier told the audience that "very few people understand the sheer scale and spectrum of the threat we face". Andy Dancer, CTO at Trend Micro, explained that the nature of cyber threats is changing, and cyber attacks are targeting individuals, rather than an entire company at once.
He said, "Previously threats went out to the targets [attackers] could see. Now it's point of entry and then focus on machines on the inside, impersonate the user if I can't get access to their machine. It's not an outbreak that hits all machines one at a time, it's an individual that slowly takes over."

He added, "From the point of entry to compromise, it happens very quickly. It's very difficult to keep up with patching because you can't apply patches quickly enough. It often takes weeks for patches to be applied but just hours to compromise a system." Mike Hawkes, chair of the Mobile Data Association, said that companies need to learn from attacks by hacktivists such as Anonymous and Lulzsec.

He said, "We are going to be invaded and we need to be prepared to be invaded across all devices." He added that the next big attack "comes through data", pointing to the fact that entire networks have been down because of issues. Hawkes said, "If your only solution is to take down your network then you aren't doing things in the right way."

theinquirer.net | RT

Thursday, 17 November 2011

A U.S.–India Partnership in Cyberspace


The US and India are engaged in an unprecedented level of collaboration and joint innovation in cyberspace. As our two economies grow more intertwined in the information age, so do our vulnerabilities. Today, adversaries in cyberspace no longer have to reach one nation’s shores to strike the other. They can strike computer networks in Hyderabad by penetrating those located in Houston, and vice versa. This means India’s ability to fend off cyber attacks is critical to the US’ economic and national security—just as the US’ ability to protect our information networks is critical to India’s security. 

The threat to both our countries is growing. Last March, a foreign hacker stole 24,000 secret Pentagon files—one of the most damaging cyber attacks against the US to date. And according to India’s Minister of State for Communication and Information Technology Sachin Pilot, 117 Indian government websites were hacked during the first six months of 2011 alone. And the dangers we face will only escalate and diversify in the period ahead.

We already face the daily challenge of identity theft and cyber crime. According to the Norton Cybercrime Report, nearly 30 million people in India fell victim to cyber crime in 2010, resulting in direct financial losses of $4 billion. Our countries must also deal with increasing cyber-espionage, as foreign entities use the Internet to steal state secrets and intellectual property. We face a growing danger posed by viruses and malicious codes, such as the Stuxnet virus which affected networks in the US, India and other nations, in addition to Iran’s nuclear programme. And we face the increasing danger of data manipulation, in which hackers sneak into our networks and falsify critical information by changing words or moving a few decimal points—with potentially disastrous economic results. 

Perhaps the most worrisome threat over the horizon is cyber-terrorism. Both India and the US have experienced catastrophic terrorist attacks in recent years, and policymakers have rightly focused on preventing terrorists from obtaining weapons of mass destruction that could cause even greater damage. But terror networks could also cause unprecedented damage with “weapons of mass disruption” —using cyber attacks to disable our financial systems and other critical infrastructure—causing massive economic shocks and even loss of life.

In recent years, we have seen non-state actors—such as the hacker collective “Anonymous”—launch denial of service attacks against private companies and institutions with a level of sophistication that was once reserved to nation states. If private hackers can develop such advanced cyber attack capabilities, it is only a matter of time before terrorists do as well. India understands homeland security depends on cybersecurity. India is a founding member of the Cyber40—an EastWest Institute (EWI) grouping of the world’s most digitally-advanced nations that are working together to build the legal, policy, and technical capacity to protect our digital infrastructure. 

And next year India will host the third EWI Worldwide Cybersecurity Summit in Delhi—bringing together the world’s top cyber defence officials and business leaders to expand cooperation even further. Everyone knows that their networks are vulnerable, but few want to acknowledge that their networks have been compromised. But the only way to protect our digital infrastructure is to share information about the threats we face, so we can collaborate on ways to defeat them. 

This summer, the US and India took an important step in this direction, when our nations signed a cybersecurity agreement to increase information sharing between our countries on cyber attacks. India has signed similar agreements with Japan and Korea, and is negotiating one with Finland. And the North Atlantic Treaty Organization recently announced its desire to work with India on cybersecurity. 

The more trusted relationships we build, the better we can protect against threats we face in cyberspace. We also need to address the human capital crisis in cybersecurity. There are not enough cybersecurity experts to deal with the dramatic escalation of cyber threats. We need to encourage more young people in both our countries to make careers in cybersecurity. The University of Maryland University College recently became the first US institution of higher learning to establish degree programs in cybersecurity, with more than 3,000 students enrolled. 

We need to encourage other academic institutions in the US to do the same, and to partner with Indian academic institutions so we can educate a new generation of cybersecurity experts who can take on the hackers and cyber terrorists. India can also help train cybersecurity experts in other nations under threat, such as Estonia, where India just established a chair at Tallinn University for cyber studies this past month. India has a young, dynamic, technologically-literate population that—with the right training—can become part of the solution. 

Securing cyberspace is a global challenge that cannot be solved by a single country acting alone. Our economies and our networks are increasingly intertwined—and increasingly vulnerable to the new threats of the information age. That means we need to work together to protect them. And the first step is recognizing that India’s cybersecurity is the US’ cybersecurity. 

William S Cohen and Harry D Raduege. Cohen, a former US defence secretary, is currently chairman and chief executive officer of The Cohen Group, an international business advisory firm. Raduege, a retired US Air Force lieutenant general, was co-chairman of the Commission on Cyber Security for the 44th presidency. He is currently a senior counselor of The Cohen Group.

livemint.com

Tuesday, 15 November 2011

Propaganda & Warfare in Cyber World


wallstreetrun.com

After sea, land and air warfare, traditional arch rivals India and Pakistan are now facing each other in another arena. With the help of Israelis, Indians have launched another war on a new axis against Pakistan – Cyber Warfare. In certain aspects, Cyber warfare is complex, more penetrating and detrimental to the national security than conventional warfare. It is fought on the cyberspace using weapons like Cyber espionage, web vandalism, gathering data, Distributed Denial-of-Service Attacks (DDOS), equipment disruption, attacking critical infrastructure, compromised counterfeit hardware, virus and worm release. Potential targets include:

  • Emergency services 
  • Financial markets and bank systems 
  • Power grids
  • Water and fuel pipelines
  • Strategic Weapons systems
  • Communication networks (Military / Civil)
  • Industrial and Engineering Complexes 
  • E-Government services (internet based utility services, web servers)

The Internet security company McAfee stated in their 2007 annual report that approximately 120 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities. 

Global Cyber Wars

China and US are spearheading cyber war at global level with dozens of cyber attacks on each other’s critical IT infrastructure. Both countries are spending millions every year in order to fight against cyber attacks.

The lethality of cyber warfare becomes palpable from the fact that till April 2009, the Pentagon had spent more than 100 million dollars in just 6 months to fight against cyber attacks on its different systems. Money spent on propaganda operations is apart from this. In October 2010, the US army created its first ever US army Cyber Command headed by a 3 star General.

From Pakistan’s perspective, unlike any other conventional threat, cyber warfare is rather a new battle field. Pakistan is neither geared nor prepared to respond to this latest threat. India has all the reasons and resources to use this as a weapon against Pakistan. Recently Israel has joined hands with India, raising this threat level too significantly to be ignored any longer. Cyber espionage, web vandalism and information gathering are the known cyber weapons and tools to be used against a security establishment and government. Apart from these cyber threats, the cyber world has also been used ruthlessly for propaganda warfare.

As per various media reports one can be sure that Indians and Israelis are taking these known cyber threats to the next level by using money, talent and technology to defame Pakistan and its nuclear program. How eagerly the Indians want to gain an edge in cyber warfare technology is evident from what the Indian Naval Chief Admiral Sureesh Mehta told Start Post:

“The Indian Armed Forces are increasingly investing in networked operations, both singly and in a joint fashion. We cannot afford to be vulnerable to cyber attacks.  Information Technology is our country’s known strength and it would be in our interest to leverage this strength in developing a formidable ‘offensive’ and ‘defensive’ cyber warfare capability. Harnessing the gene pool available in academia, private industry and the younger generation of talented individuals is imperative,”

Statement of the Indian Naval Chief is an endorsement to the media reports that India has offensive cyber warfare plans. Pakistan is the natural target though Indian military establishment and political leadership used Chinese threat as an excuse for introducing this new war theatre in the region. 

Indian Endeavour:
In August 2010 the Indian government decided to recruit and form cyber army of software professionals to spy on the classified data of hostile nations (read Pakistan and China) by hacking into their computer systems. A strategy was drafted for this purpose earlier in a high level security meeting on July 29, 2010, chaired by Indian National Security Advisor Shiv Shankar Menon and attended by the director of Indian Intelligence Bureau (IB) as well as the senior officials of the telecom department, IT ministry and RAW.

According to the strategy drafted in the meeting, India will recruit IT professionals and hackers who will be assigned to be on the offensive or to launch pre-emptive strikes by breaching the security walls of enemy’s computer systems. The most important factor to note is the involvement of the Indian National Technical Research Organization (NTRO) along with the Defence Intelligence Agency (DIA) who will be responsible for creating these cyber-offensive capabilities. It is to be noted that NTRO is a key government agency of India that gathers technical intelligence while DIA is tasked with collating inputs from the Navy, Army and the Air Force.

The Indian Army conducted a war game called the Divine Matrix in March 2009. The most interesting aspect of this exercise was that Indian Military simulated a scenario in which China launches a nuclear attack on India somewhere in 2017. The purpose of the exercise was to describe how China will launch a cyber attack on India before the launch of the actual nuclear strike. Chinese were not amused by this Indian war gaming and simulation.

Their Foreign Ministry’s spokesman Qin Gang expressed his views on the Indian cyber warfare exercise. “We are surprised by the report. Leaders of China and India had already reached at consensus that the two countries will not pose a threat to each other but rather treat each other as partners.” However, recently the Indian Army chief and the ex-chief have clearly threatened that there can be a nuclear war in the region (a veiled threat to both Pakistan and China). 

Indo-Israeli Cyber nexus against Pakistan: 
Though no large scale cyber attack has been reported as yet in Pakistan, yet a number of limited cyber skirmishes have already taken place between the Indian and Pakistani hackers in the recent years. In 2008 a group of Indian hackers defaced a Pakistani website of the Ministry of Oil and Gas.

In a quick and effective retaliation Pakistani hackers attacked and defaced many Indian websites. This year too, many websites were defaced by the hackers on both sides. This is where the interests of both India and Israel converged. According to reports, Israel has recently established a Cyber Task Force for Cyber Warfare against Islam and Pakistan, besides harming the Palestinian cause. A 15 million dollar budget has been allocated to this force to carry out various digital espionage and information gathering operations against Islam and Pakistan. 

Propaganda Warfare and Cyber Space
In a new development, Israel has also setup a huge workforce of writers on the internet and is still increasing its strength. Primary task of this force would also be to wage propaganda war against Pakistan and its nuclear weapons and armed forces. Israelis are waging a net based disinformation and psychological war against Pakistan for quite some time now.

Hebrew websites and magazines have been targeting Pakistan by orchestrating near to impossible scenarios about vulnerability of Pakistani nukes and the “possibility” of their falling into Al-Qaeda hands. Israelnationalnews.com, IsraelNN.com, and Arutz-7’s Hebrew newsmagazine are a few to name among these media outfits where Israelis are spitting and spewing venom against Pakistan. Israeli government first tested these cyber propaganda tools during operation Cast Lead (brutal military operation in Gaza in 2008) when bloggers, surfers and writers were asked by the ministry of foreign affairs of Israel, through www.giyus.org (Give Israel Your United Support), to promote words like “holocaust”, “promised land” and “murder of Jews” on social networking and blogging websites like Facebook, Twitter, MySpace, BlogSpot, WordPress etc.

Israeli government went to the extent of giving written messages to be posted on the aforementioned websites as if they were the personal responses or views of the citizens of other countries. Israeli lobbies have been heavily exploiting their clout in US and UK to wage propaganda war against Pakistan’s nuclear program through satellite news channels (like BBC, FOX, SkyNews) and newspapers (New York Times, Washington Post, etc.).

Disinformation campaign was also launched from US and Western media when operation Rah-e-Rast was initiated in Swat and Malakand regions. Taliban threat was so exaggerated that a perception was created as if Islamabad was about to fall to the Taliban! Indian government also took active part in this campaign.

Indian Prime Minister took this disinformation war to new heights by saying that some of the Pakistani nuclear installations were already under Taliban control! Israeli cyber operations were resolutely and admirably countered by the young Palestinian bloggers by posting thousands of pictures and footages of Israeli brutalities in GAZA over the internet. 

Final Thoughts:
In Pakistan, as compared to the adequate measures being taken for the upkeep of the conventional forces and the safety and security of the strategic assets, it is alarming to see the absence of any serious threat perception in the theatre of cyber warfare.

The government as well as the armed forces seem to have neglected this threat for too long now and are not prepared to readily respond to this new challenge. Pakistan cannot afford any more complacency in this regard and better take immediate steps to respond to this lurking threat on literal war footings. It would need absolute coordination, planning or understanding within various civil and military organizations and intelligence agencies responsible for the Cyber Warfare and perception management through propaganda wars in the cyber space.

The whole existing system and organizations are to be revamped and some restructured to deliver effectively in these times of great crisis and threats in this arena. Reliance on the old fashioned methods of collecting and collating information and processing have to be updated. This should be clearly understood that in the modern world only those nations would have the advantage on the battle field, in both conventional and unconventional wars, which have fought and won the war in the cyber world first.

The entire military equation in a war can be changed dramatically without even firing a shot, by controlling the critical infrastructure and perception of the target population through propaganda war in the cyber world.

Weapons like E-bombs have emerged as a new threat to cripple the military communication infrastructure by producing massive electromagnetic pulse. Pakistan must start work on Transient Electro Magnetic Pulse Emanations Standards, known as TEMPEST in military parlance to counter electromagnetic-pulse bombs that can interrupt wireless signals.

Pakistan has already faced interception of its vital secret data on military operations in FATA by India through its assets in the area. It is, therefore, a must that we should work on TEMPEST and harden it to a degree of zero chances of interception of data transferred by defence agencies. Pakistan urgently needs to create a centralized, aggressive and pro-active Command for Cyber and Information warfare under the Chairman Joint Chiefs of Staff Committee. The unguarded flank of Pakistan defence must be secured at the soonest.

http://paktribune.com

Wednesday, 10 August 2011

ABM Knowledgeware receives E-Government contracts worth Rs. 60.03 crore

For implementing e-Governance software in 231 municipal bodies all over the state of Maharashtra, ABM Knowledgeware has announced that the company has been awarded E-Government contracts worth Rs. 60.03 crore by the Project Management Consultant of Urban Development Department, Government of Maharashtra.
According to the EC-Council, the CyberLympics is a series of ethical hacking games comprised of both offensive and defensive security challenges that will take place across six continents. Teams will vie for regional championships, followed by a global hacking championship round to determine the world’s best cybersecurity team. The EC-Council announced it is sponsoring over $400,000 worth of prizes.

“The Global CyberLympics could help to foster a greater sense of partnership and cooperation between countries on the issue of cybersecurity,” said Mohd Noor Amin, chairman of the International Multilateral Partnership Against Cyber Threats, the cybersecurity executing arm of the United Nations. “By sharing knowledge, training and resources, we can help to improve the level of cybersecurity in many countries and regions around the world.”

The EC-Council hopes that the event will help discover new talents, methods and ideas, bring awareness to the issues of information security and encourage global peace.
“Our purpose with the Global CyberLympics initiative is to help establish true cybersecurity partnerships across borders,” said Jay Bavisi, chairman of the Global CyberLympics Organizing Committee and president of EC-Council. “We are very proud and honored for this initiative to be supported by key players in the information security community, including IMPACT, the world’s first United Nations-backed global alliance for cybersecurity, as well as some of the most reputable events such as GITEX, the largest IT tradeshow in the Middle East region, and Hacktivity, the largest hackers conference in central and eastern Europe.”

The regional championships for the Global CyberLympics in the United States will take place in October at the Hacker Halted USA conference in Miami and in December at the TakeDownCon event in Las Vegas.

EC-Council has selected iSight Partners’ Threatspace platform as the official technology partner of the CyberLympics.

thenewnewinternet.com

Tuesday, 09 August 2011

Don’t Panic Over Looming Cybersecurity Threats

Getty Images, Berlin Germany:
A participant sits with a laptop computer as he attends the annual Chaos Communication Congress of the Chaos Computer Club at the Berlin Congress Center on December 28, 2010 in Berlin, Germany. The Chaos Computer Club is Europe's biggest network of computer hackers and its annual congress draws up to 3,000 participants.
Panic is in the air — at least, that is, the air surrounding the debate over cybersecurity. It has become virtually impossible to read an article about cybersecurity policy, or sit through any congressional hearing on the issue, without hearing prophecies of doom about an impending “Digital Pearl Harbor,” a “cyber Katrina,” or even a “cyber 9/11.”

Let’s be clear: Cybersecurity and cyberwar are serious matters. Real dangers exist to individuals, companies, and our country. And there are steps that both Congress and the Obama administration can and should take to make sure America better secures digital networks and critical information systems from cyberattacks.

Still, that does not excuse the apocalyptic rhetoric so frequently heard in these debates. What’s going on here is what political scientists refer to as “threat inflation.” It refers to the artificial escalation of dangers or harms to society or the economy. Threat inflation is a key ingredient of many technopanics.
The concept of threat inflation has gotten more circulation in the field of foreign policy, where numerous examples of it have been documented. Jane K. Cramer and A. Trevor Thrall, editors of the book American Foreign Policy and the Politics of Fear, define threat inflation as “the attempt by elites to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify.”

Jerry Brito and Tate Watkins of the Mercatus Center at George Mason University have warned of the dangers of threat inflation in cybersecurity policy and the corresponding rise of the “cybersecurity industrial complex,” much like the military-industrial complex of the Cold War era.

They appear to be on to something. Gen. Michael Hayden, who led the National Security Administration and Central Intelligence Agency under president George W. Bush, recently argued that a “digital Blackwater” may be needed to combat the threat of cyberterrorism. Susan Crawford, a former White House senior advisor on technology policy matters, has noted that “cyberwar hysteria aids consultants” and “would certainly create work” for many organizations surrounding the Beltway.

A skeptic might ask: Where’s the harm in using a little inflammatory rhetoric to stir the passions of the public or policymakers? Isn’t a little panic useful if it prompts beneficial action?

In reality, technopanics and threat inflation often backfire or have many unintended consequences.
Panics and threat inflation can create distrust in many institutions, especially the press, and result in a “boy who cried wolf” problem. When panic becomes the norm, it becomes more difficult for the public to take seriously those who propagate such tall tales. “When a threat is inflated,” argue Brito and Watkins, “the marketplace of ideas on which a democracy relies to make sound judgments—in particular, the media and popular debate—can become overwhelmed by fallacious information.”

Apocalyptic rhetoric and prophecies of doom are also inappropriate—even offensive—when comparisons are made to horrific events that are not analogous to cybersecurity attacks. Thousands lost their lives or were injured in the attacks on Pearl Harbor in 1941 and the World Trade Center during 9/11, and Hurricane Katrina also resulted in thousands of deaths and injuries in 2005. To compare cybersecurity attacks to those incidents is to insult the memories of those who lost their lives.

The technopanic mentality is also troubling because it can lead to calls for comprehensive regulation of the Internet or forms of information control.

For example, in his recent book, Cyber War: The Next Threat to National Security and What to Do About It, Richard A. Clarke, a former cybersecurity advisor in the Clinton and Bush Administrations, calls for government to impose a fairly sweeping set of new rules on Internet Service Providers to better secure their networks against potential attacks. Clarke wants ISPs to engage in a great deal more network monitoring for digital dangers (using deep-packet inspection techniques) under threat of legal sanction if things go wrong. He admits there are corresponding costs and privacy concerns, but largely dismisses them in the name of a safer and more secure cyberspace.

Most ISPs already take steps to guard against malware and other types of cyberattacks, however, and they also offer customers free (or cheap) security software. It is certainly true that “more could be done” to better secure networks and critical systems, but it is important to acknowledge that much is already being done to harden systems and educate the public about risks.

That points to the better approach to cybersecurity going forward: education and resiliency.

Recent work by Sean Lawson, an assistant professor in the Department of Communications at the University of Utah, has underscored the importance of resiliency as it pertains to cybersecurity. “Research by historians of technology, military historians, and disaster sociologists has shown consistently that modern technological and social systems are more resilient than military and disaster planners often assume,” he finds. “Just as more resilient technological systems can better respond in the event of failure, so too are strong social systems better able to respond in the event of disaster of any type.”

Education is a crucial part of building resiliency. People and institutions can prepare for potential security problems in a rational fashion if given more information and tools to better secure their digital systems and understand how to cope when problems arise.

Panic, by contrast, is never the right answer.

blogs.forbes.com



Friday, 05 August 2011

Enisa: W3C web standards pose 51 security threats

Emerging web standards have over 50 security design flaws, many of which could allow an attacker to steal information, the EU's security agency has warned.

During year-long research, the European Network Information Security Agency (Enisa) discovered 51 vulnerabilities in 13 upcoming World Wide Web Consortium (W3C) standards and specifications, the agency said in a report on Monday. Among these were issues with the HTML 5 standard, which is being used by Microsoft, Adobe and others in their latest web browsers.
"They're not rootkit-type vulnerabilities, they're more likely to allow an attacker to control a browser context," Giles Hogben, a network security expert at Enisa, told ZDNet UK. "For example, a dodgy page could get information from a legitimate page."
http://radar.oreilly.com/2009/05/google-bets-big-on-html-5.html

Using the flaws, an attacker could trick people into installing malware to give the hacker remote control of their system, he added. Many could allow a criminal to steal information using form submission and cross-domain requests, according to Enisa.

Possible attacks

In HTML 5, one of the serious design vulnerabilities opens the door to form-tampering through HTML injection. In one scenario, a person buying goods online enters a credit card number and other information into a web form. HTML 5 allows buttons, such as a submit button, to exist outside a web form. With the design flaw, an attacker could trick the buyer into sending the financial information to an unintended destination using a malicious button.
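
A site owner can audit rendered pages for the form-tampering pattern described above. The following is an added example, not code from Enisa, the W3C or the original article: it flags submit controls that are bound to a form from outside it (the HTML 5 `form` attribute) or whose `formaction` resolves to another origin. The page URL, the sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (not taken from the Enisa report): a checkout page where
# markup that arrived through a review comment adds a button bound to the form.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form id="pay" action="/charge" method="post">
  <input name="card">
  <button type="submit">Pay now</button>
</form>
<div class="review">Great shop!
  <button form="pay" formaction="https://collect.example/x">Continue</button>
</div>
<button form="pay">Pay (footer)</button>
"""


def _origin(url):
    """Scheme and host[:port] of a URL, used for a same-origin comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def _is_submitter(tag, attrs):
    """True for elements that submit a form when activated."""
    if tag == "button":  # a <button> without a type submits by default
        return (attrs.get("type") or "submit").lower() == "submit"
    if tag == "input":
        return (attrs.get("type") or "text").lower() in ("submit", "image")
    return False


class _FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.open_forms = []  # ids of the <form> elements currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.open_forms.append(attrs.get("id"))
            return
        if not _is_submitter(tag, attrs):
            return
        issues, target = [], None
        owner = attrs.get("form")
        # A form= attribute naming a form the control is not nested in means
        # the control submits that form from elsewhere on the page.
        if owner is not None and owner not in self.open_forms:
            issues.append("detached")
        # formaction overrides the form's own action for this one control.
        if attrs.get("formaction"):
            target = urljoin(self.page_url, attrs["formaction"])
            if _origin(target) != _origin(self.page_url):
                issues.append("cross-origin-formaction")
        if issues:
            high = "cross-origin-formaction" in issues
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "form": owner,
                "target": target,
                "issues": issues,
                "severity": "high" if high else "review",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()


def audit_submit_controls(html, page_url):
    """Return one finding per submit control that is detached from its form
    or that redirects the submission to another origin."""
    parser = _FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_submit_controls(SAMPLE_HTML, PAGE_URL):
        print(f["severity"], "line", f["line"], f["issues"], f["target"])
```

Where a detached control is a deliberate design choice, a Content-Security-Policy `form-action` directive still limits where the browser will submit the form.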

Another possible attack outlined by Enisa turns a browser security feature — a sandbox — into a method of subverting HTML 5 security. Putting websites into a sandbox prevents them from accessing the system via the browser. However, the attack described by Enisa uses the sandbox to disable protection against clickjacking. In clickjacking, a user is fooled into clicking on a seemingly innocuous web object such as a button, which then reveals confidential information.

The HTML 5 specification allows a hacker to put a malicious page inside a sandboxed iframe, disabling top-level navigation, and leaving the user open to clickjacking.
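Because a sandboxed iframe can be denied top-level navigation, a page cannot rely on script that redirects the top window to escape a frame; framing controls sent as response headers are enforced by the browser instead. The added example that follows (not from the Enisa report) classifies a response on that basis. The function names are hypothetical, the inputs used with it are constructed, and the script pattern is only a heuristic.

```python
import re

# Heuristic for common script-based frame-busting idioms such as
# "if (top !== self) top.location = self.location".
FRAMEBUSTER = re.compile(
    r"\b(?:top|parent)\s*(?:\.\s*location|!==?\s*(?:self|window))"
    r"|\bself\s*!==?\s*top",
    re.I,
)

# frame-ancestors sources that let any site embed the page.
OPEN_SOURCES = {"*", "http:", "https:"}


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers, html):
    """Classify how a response defends against being framed.

    Returns "header-enforced", "script-only" or "none". "script-only" is the
    case the sandbox issue affects: the defence runs inside the frame and can
    be switched off by whoever embeds the page.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # An empty list behaves like 'none'. When frame-ancestors is present,
        # the CSP specification says X-Frame-Options is ignored.
        if not OPEN_SOURCES.intersection(sources):
            return "header-enforced"
    else:
        xfo = h.get("x-frame-options", "").strip().upper()
        if xfo in ("DENY", "SAMEORIGIN"):
            return "header-enforced"
    if FRAMEBUSTER.search(html):
        return "script-only"
    return "none"


if __name__ == "__main__":
    # Constructed responses for illustration.
    buster = "<script>if (top !== self) { top.location = self.location; }</script>"
    print(framing_protection({}, buster))
    print(framing_protection({"X-Frame-Options": "DENY"}, buster))
```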

Another flaw highlighted by Enisa, in the Geoloc-Secure-3 cache API specification, lets a hacker retrieve information about the user's location from the cache. In addition, the specification fails to set an upper limit to how long geolocation data is stored in the cache, leaving people open to attacks that give away their movements.


W3C

The W3C has time to change some of the standards, but some may not be reworked to mitigate the flaws completely, according to Hogben. For example, the consortium is unlikely to fully mitigate the HTML 5 form-filling threat through the standard, he said.

"Some of the flaws we don't expect to be [fully] fixed... especially the one about the forms, as the functionality should be in there for a reason," said Hogben. "We don't expect W3C to take the forms functionality out of the spec."

The standards have been developing for varying amounts of time, and Enisa has submitted its report to W3C in time for W3C working groups to consider before specifying the final standards.

"We have worked with Enisa in preparing this review to ensure that it is relevant and timely to the standards work that is going on. What you are seeing here is the security review process functioning as it should: Independent review identifies possible security issues; the relevant Working Groups then analyse and address the issues raised," the W3C said in a statement.

"The relevant W3C working groups will indeed address these vulnerabilities according to the usual W3C process," it added.

zdnet.co.uk

Kamis, 04 Agustus 2011

Massive Global Cyberattack Targeting U.S., U.N. Discovered; Experts Blame China

Courtesy : foxnews.com
The world's most extensive case of cyber-espionage, including attacks on U.S. government and U.N. computers, was revealed Wednesday by online security firm McAfee, and analysts are speculating that China is behind the attacks.
The spying was dubbed "Operation Shady RAT," or "remote access tool" by McAfee -- and it led to a massive loss of information that poses a huge economic threat, wrote vice president of threat

"What is happening to all this data -- by now reaching petabytes as a whole -- is still largely an open question," Alperovitch wrote on a blog detailing the threat. "However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat."

Analysts told The Washington Post that the finger of blame for the infiltration of the 72 networks -- 49 of them in the U.S. -- points firmly in the direction of China.

California-based McAfee would only say it believed there was one "state actor" behind the attacks -- identified from logs tracked to a single server -- against a long list of victims, including the governments of the U.S., Taiwan, India, Canada and others; the International Olympic Committee; the U.N.; and an array of high firms and defense contractors.

Alperovitch admitted he was shocked by the scope of the scam.

"Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators," he wrote in a 14-page report released on Wednesday.

As the threat of cyberwarfare grows, 56 percent of Americans believe the U.S. should be able to authorize cyberattacks when necessary, according to a poll posted on 60Minutes.com.

McAfee researchers discovered a “command and control” server in 2009 while investigating some attacks against defense contractors, Reuters reported. In March of this year, they returned to that computer and found logs revealing all of the attacks, the agency said.

While McAfee investigators can only guess what exactly was stolen, McAfee's Alperovitch said the attacker looked for data that would give it military, diplomatic and economic advantage, Reuters reported.

McAfee found evidence of security breaches as far back as mid-2006, but said that it’s possible the hacking began before that, Reuters reported. Some attacks lasted just a month, while others lasted for more than two years.
The attacks were carried out using spear-phishing emails, which are tainted with malicious software, sent to specific people at the organizations they targeted. When people clicked on an infected link, the intruder was able to jump on to the machine and use it to infiltrate the organization's computer network, Reuters said.

ShadyRAT map of countries hit




The hackers sought out sensitive data on U.S. military systems and satellite communications, with the snooping apparently going on for several years.

Companies in construction, steel, energy, solar power, technology, accounting and media were targeted.


The intrusion into the U.N. computer system in Geneva in 2008 went unnoticed for nearly two years, while the hackers quietly combed through files of secret data, according to McAfee.

The UN said it was aware of the report, and had started an investigation to ascertain if there was an intrusion.

Many of the attacks targeted organizations linked to Taiwan and the IOC in the months leading up to the 2008 Beijing games, which pointed analysts toward China.

"This is the biggest transfer of wealth in terms of intellectual property in history," Alperovitch told Reuters. "The scale at which this is occurring is really, really frightening."


foxnews.com


Kamis, 28 Juli 2011

India proposes nationwide fibre network


India’s Telecom Commission proposal to create a US$4.5 billion National Optical Fibre Network (NOFN) has been approved by the Department of Telecom (DoT), announced Shri Kapil Sibal, Minister of Communication and Information Technology.

This NOFN will extend the country’s existing fibre optic network from the district level to the village level, giving the country of 1.2 billion people services like e-education, e-health, e-banking and also reduce migration of rural population to urban areas, said Sibal.
“In economic terms, the benefits from the scheme are expected through additional employment, e-education, e-health, e-agriculture etc. and reduction in migration of rural population to urban areas,” Sibal said.

“The proposed NOFN will enable effective and faster implementation of various mission mode e-governance projects amounting to approximately 500 billion Indian rupee (US$11.25 billion) initiated by Department of Information Technology as well as delivery of a whole range of electronic services in the above areas by the private sector to citizen in rural areas.”

The US$4.5 billion cost will be funded by the Universal Service Obligation Fund (USOF). Sibal also suggested that the private sector will contribute similar investments to complement the infrastructure and to provide services to users.

futuregov.asia

Kamis, 21 Juli 2011

CyberSecurity clinic to enhance security, safety and info privacy

PILOT STUDY: Husin (top right) speaking to the media after a talk and briefing on the CyberSecurity Scenario in Malaysia at Wisma Bernama here yesterday. He affirmed that the pilot study for the clinic began earlier this year. — Bernama photo
The CyberSecurity Malaysia Clinic, which is expected to be opened by September this year, is aimed at enhancing the security, safety and privacy of information for computer and handphone users.

“The emphasis is on the current public demand and focus to enhance the security, safety and privacy of information, following the recent increase in cyber security risks,” said CyberSecurity Malaysia chief executive officer, Lt Col (R) Datuk Husin Jazri.

Speaking to the media after a talk and briefing on the CyberSecurity Scenario in Malaysia at Wisma Bernama here yesterday, Husin said the pilot study for the clinic began earlier this year.

“Once we understand the real challenges with regards to the service and are ready to manage the risks, we plan to expand the clinic throughout the country,” he added.

On the start-up cost of the investment for the clinic, he said it would not be much as it would operate from the CyberSecurity Malaysia headquarters in Seri Kembangan, Selangor.

“But we will have to look at the operation of the clinic in other parts of the country.

“We need to undertake a talent search, validation for the technicians as well as consider the business plan, for the other places.

“We have also not decided as yet the fees for the services to be provided by the clinic,” he said.


Husin also said the clinic might be called the 1Malaysia CyberSecurity Clinic, but the permission of the Prime Minister would be first sought.

Meanwhile, the talk and media briefing was presented by Husin and Microsoft Malaysia National Technology Officer, Dr Dzahar Mansor.

Dzahar said cyber security risks were becoming more widespread of late, especially via the social networking and online gaming sites due to their popularity.

“Hence, there is a need to improve security and privacy awareness among the people,” he added.

Recently, Microsoft Corp released its Security Intelligence Report Volume 10, which highlighted a worldwide polarisation in terms of cyber criminal behavior and significant increase in the use of “marketing-like” approaches and deception tactics to steal money from consumers.

“As software becomes more secure, cyber criminals are looking at alternative vulnerabilities to exploit,” Dzahar said.

theborneopost.com

India, US ink accord on cyber security

With terrorists increasingly resorting to hacking and using internet for communications, India and the US Tuesday inked an agreement to promote increased collaboration in cyber security.
The memorandum of understanding on cyber security was signed by R. Chandrashekhar, secretary, India Department of Information Technology, and Jane Holl Lute, deputy secretary for the US Department of Homeland Security (DHS). The agreement entails closer cooperation and the timely exchange of information on cyber security.

The pact was signed on a day US Secretary of State Hillary Clinton and External Affairs Minister held the second India-US strategic dialogue that focused on expanding counter-terror cooperation.
"The agreement helps fulfill the joint commitment of both nations to advancing global security and countering terrorism, one of the pillars of the US-India Strategic Dialogue launched on July 20, 2009," a statement from the US embassy said. The accord sets out best practices for the exchange of critical cyber security information and expertise between the two governments through the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, the Ministry of Communications and Information Technology, and DHS' United States Computer Emergency Readiness Team (US-CERT).

The agreement will allow both the US and India governments and broader cyber security communities in the two countries to coordinate on a broad range of technical and operational cyber issues. The cyber security agreement flowed from the first comprehensive bilateral dialogue on homeland security issues between the US and India that was held in May.

deccanherald.com

Kamis, 14 Juli 2011

U.S., Russia Forge Cybersecurity Pact

The United States plans to start regularly sharing cybersecurity information with Russia as part of the Obama administration's efforts to re-establish closer ties to that country and clear up misconceptions surrounding the two nations' cyber policies.

Cybersecurity officials from both countries met last month to discuss policy coordination at a Russian delegation in Washington led by Russian National Security Council Deputy Secretary Nikolay Klimashin, according to a White House blog post by U.S. Cybersecurity Coordinator Howard Schmidt.
"Both the U.S. and Russia are committed to tackling common cybersecurity threats while at the same time reducing the chances a misunderstood incident could negatively affect our relationship," he said.

Misunderstood incidents may include attacks on U.S. government infrastructure and networks by Russian hackers, who have raised their threat profile significantly in the last several years. The recent attacks on networks either owned by or containing information related to the federal government by Anonymous, LulzSec, and AntiSec hacktivist groups have shed new light on this risk.

At the meeting, officials made a pact for collaboration on cybersecurity, including the exchange of military views on cyberspace operations and a regular information exchange between the Computer Emergency Response/Readiness Teams (CERTs) of both countries, according to a joint statement about the meeting by Schmidt and Klimashin.

The two countries also plan to use existing crisis-prevention communications links between the two countries to establish protocols for communicating about cybersecurity, they said.
"While deepening mutual understanding on national security issues in cyberspace, these measures will help our two governments better communicate about small- and large-scale threats to our networks, facilitate better collaboration in responding to those threats, and reduce the prospect of escalation in response to crisis incidents," officials said.

The two countries agreed to implement the cybersecurity measures by the end of the year, they added.

Just as the political relationship historically between the United States and Russia has been strained, so have their ideas about cybersecurity.
In 2009 the two countries famously disagreed over the issue, with Russia favoring an international treaty to secure cyberspace against threats and the United States promoting instead more intimate cooperation among international law-enforcement officials.

Fostering better collaboration with foreign nations on cyberspace policy is a key aspect of President Obama's International Strategy for Cyberspace Policy, which he released in May.

informationweek.com

Rabu, 13 Juli 2011

UK: There should be no 'safe havens' for cybercriminals

Home Office minister James Brokenshire has called for tougher international laws to fight cybercrime.

Image credit: Home Office
The Home Office has called for tougher international laws on cybercrime, saying there should be no "safe havens" for online fraudsters and hackers.

On Tuesday, crime and security minister James Brokenshire called for international treaties, bilateral treaties and common agreements between nations to make sure miscreants active outside their home country can be prosecuted when scams and hacks take place.
"Cybercrime is a truly global problem that demands a global response," Brokenshire said at a launch event in London. Cybercriminals are "not inconvenienced by national boundaries", he added.

Recent cyberattacks across borders include one against defence contractor Lockheed Martin, in which hackers used data stolen from RSA about its SecurID authentication tokens to attempt to access systems. In June, international cyber-policing efforts led to the arrest of Ukrainian suspects in a fraud scheme using a Conficker botnet.

At present, the strongest international treaty is the European Convention on Cybercrime, which the UK ratified in May 2009. However, the 40-plus signatories do not include major powers such as China and Russia, which critics have argued undermines the aims of the convention.

More legislation is necessary to ensure criminals cannot use countries with weak cyber-laws as "safe havens", Brokenshire said. In addition, despite international initiatives, many nations are not collaborating on justice efforts.

"People recognise that we need appropriate legal frameworks in place," he told ZDNet UK. "Partnership is key."

Cybersecurity alliance

Brokenshire was speaking at the launch of International Cyber Security Protection Alliance (Icspa), which seeks to train police forces around the world to deal with high-tech crime and bring closer international co-operation on related issues. The seven founding members of the non-profit organisation include security companies McAfee and Trend Micro, as well as UK online retailer Shop Direct Group.
The organisation, which is supported by the British government, will help co-ordinate response by justice and law enforcement agencies, as well as by the private sector, said prime minister David Cameron.

"The Icspa is forming a network powerful enough and wide enough to face down cybercrime," the prime minister said in a video statement.

Over the past six months, attacks by the LulzSec and Anonymous hacker groups, among others, "have dealt a blow to sceptics" who play down "the potential for attacks to disrupt continuity in business" said former home secretary David Blunkett, who chairs Icspa.

"We need to make sure Britain is best placed to do business online, and that Britain is a leader in understanding the potential and danger of the cyber revolution," said Blunkett.

Icspa funding

In September, Icspa will link up with Europol, a European law enforcement agency, to seek funding from the European Union, according to the organisation's chief executive, John Lyons. A month after that, it plans to apply for funding to the US, and afterwards approach the UK, Canada and Australia. Those countries are all part of the 'Five Eyes' forum, dedicated to collaboration on cyber-issues. However, Icspa does not plan to directly approach New Zealand, the fifth member, Lyons said.

In the UK, Icspa will work with the Cabinet Office and the Office of Cyber Security and Information Assurance (Ocsia) for aid in approaching foreign governments.

"We'll be bringing our members' expertise to the table with Europol and Ocsia to determine the UK government interest in helping set up links with law enforcement and outreach," Lyons told ZDNet UK.

Police training

One focus for Icspa will be training police officers in places associated with mass compromise of computer systems. These include countries in South America, Russia and China, according to Lyons.

Russia, Ukraine, China and Brazil are hotspots of cybercrime activity, according to Trend Micro.
"We put police officers into high-tech crime units and expect them to be able to deal with high-tech crime," said Rik Ferguson, solutions architect at the security company. "It would be great if we can tool up the police."

The UK has well-respected dedicated cyber-police bodies such as the Metropolitan Police Central eCrime Unit (PCeU). Even so, it still sub-contracts for services like digital forensic investigation, according to Ferguson.

McAfee said it will be offering the services of its cybersecurity experts for the police training efforts. "We've been involved for years with the intelligence services," said Jacqueline de Rojas, a vice president at the security company. "By providing resources and expertise, [we] can give a view of the kinds of evolving threat that are coming."

zdnet.co.uk

Jumat, 01 Juli 2011

Cyber Attacks Ranked With Military Threats Under Obama Strategy

An Obama administration policy for tightening global defenses against computer attacks places cybersecurity on equal footing with military and economic threats, according to security analysts.

The International Strategy for Cyberspace, unveiled at a White House event yesterday, calls for the U.S. government to work with other countries on standards to protect intellectual property, prevent theft of private information and ensure cooperation among foreign law enforcement agencies when a cybercrime is being investigated.

“We as a society should not take it as a fact of life living in the era of Internet that people are going to successfully take your identity or your credit card or disable networks,” Howard Schmidt, the top White House cybersecurity official, said in a phone interview yesterday. “We want nation states to be unified behind a vision like this so we can send a clear message to bad actors that there's going to be no place for them to operate in the international sphere.”

The plan recommends setting consequences for countries and groups that don't comply with the standards and strengthens the U.S. position on its response to a cyber attack.

The administration is sending the message that “cyberspace is not some separate world where our usual laws, our usual deterrence does not apply,” said Kristin Lord, vice president and director of studies at the Center for New American Security, an independent security research institution.

The message is meant to “deter attacks and say, ‘Look, we're the United States, we have a full set of tools at our disposal,' ” Lord said in a telephone interview yesterday.

‘All Necessary Means'
The cybersecurity plan states that the U.S. reserves “the right to use all necessary means -- diplomatic, informational, military and economic -- as appropriate and consistent with international law,” to defend itself and its allies.

The strategy calls for the U.S. government, including the State, Defense, Homeland Security, Commerce and Justice departments, to work with their global counterparts, Schmidt said.

“Long-term cybersecurity in cyberspace depends on cooperation” on the plan, which was a result of “more than 18 different departments and agencies” collaborating, Schmidt said at the White House event.

The departments must report back to the president in six months on their progress, which is an important time frame, Dean Garfield, president and chief executive of the Information Technology Industry Council, said in an interview yesterday.

“It has taken a long period of time to get where we are today and the fact that the administration has put some time frame around the next steps are important in making sure that we move forward at a more accelerated pace,” Garfield said.

‘Private Sector'

Federal departments will issue details on their strategies for the plan. In six months, the White House will assess agencies' progress on meeting the plan's policy goals, John Brennan, President Barack Obama's assistant for counterterrorism and homeland security, said at yesterday's event.
“We look forward to partnering with our private sector, with other nations and with others who share the same goal” to support trade and commerce, security, free expression and innovation in cyberspace, Secretary of State Hillary Clinton said at the event.

The strategy also emphasizes that the U.S. will respond to hostile acts in cyberspace “as we would to any other threat to our country,” according to a fact sheet released yesterday by the administration. Possible retaliation will mean the “right to use all necessary means -- diplomatic, informational, military and economic.”

International Norms

The strategy's broader goal is to ensure that current conventions and international norms on self-defense and armed conflict include violations of cyberspace, Schmidt said in the interview.

“The rules are not different in cyberspace,” he said. “It's been difficult over the years because there's a desire to carve that off separately” from the rules governing conventional conflicts. “We need to make sure it's brought up to the 21st century with the understanding that none of us want to see” a conflict, he said.

Schmidt said attributing cyber attacks to specific countries or groups remains difficult and “that's why we need diplomatic ties” to help the U.S. and other countries talk about ongoing investigations.

The strategy also calls for helping small and developing countries build the capability to deal with cybercrime and theft of intellectual property.

Russia and China
The U.S. doesn't want some countries to “become the next generation of cyber victims because the developed countries constantly do a better job of protecting our systems and citizens,” Schmidt said. “We want to make sure we are helping them build theirs as well.”

The Obama administration is consulting with a range of countries, including Russia and China, on developing these norms, Schmidt said.

“It's very important to understand we can't have these discussions without engaging” with both nations, Schmidt said.

The U.S. also is urging countries to sign a 10-year-old treaty called the Cybercrime Convention that calls for cooperation in probing crimes committed via the Internet and other computer networks. These crimes include copyright infringement, fraud, child pornography and violations of network security, according to the treaty website.

The treaty has been ratified by 30 countries, including the U.S. and 29 European nations. Signatories including the U.K., Canada and Turkey have yet to ratify the law, according to the treaty website. China and Russia are among nations that have not signed the treaty.

businessweek.com

Kamis, 23 Juni 2011

Chrome encrypts Gmail whether you want it or not

Google, which has found Gmail to be a target of hacking attempts from China, has modified Chrome so the browser always encrypts connections with the e-mail service.

Google already changed Gmail to use encryption by default, a mode indicated by the "https" at the beginning of a browser address bar that means outsiders sniffing network traffic can't read your e-mail. People could still get to the unencrypted version by typing "http://gmail.com," but no more, for Chrome.

Set your Gmail to "always https"

"As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types 'gmail.com' or 'mail.google.com' into the URL bar without an https:// prefix," Google programmers said on a blog post yesterday. They said that approach defends against sslstrip-type attacks, which can be used to hijack browsing sessions.

The technology used to enforce the encryption is called HSTS, which stands for HTTP Strict Transport Security and which lets a browser specify that a Web site may only be used over a secure HTTP connection. HTTP, or Hypertext Transfer Protocol, is the standard that governs how Web browsers communicate with Web servers to retrieve a Web page.
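The added example below models the decision the article describes: a browser upgrades a typed `http://` address when the host is on a built-in list or has previously sent a valid Strict-Transport-Security header. It is not Chrome's code; `HstsStore`, the `example.test` hosts and the `includeSubDomains` settings given to the preloaded entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    must be ignored (missing or malformed max-age, repeated directive).
    """
    max_age, include_sub, seen = None, False, set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Toy model of a browser's HSTS state: a shipped list plus learned hosts."""

    def __init__(self, preloaded=None):
        self.preloaded = dict(preloaded or {})  # host -> include_subdomains
        self.dynamic = {}                       # host -> (expires_at, include_subdomains)

    def note_header(self, url, header, now):
        """Record a policy seen on a response; returns True if it was accepted."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # a header received over plain HTTP is not trusted
        policy = parse_hsts(header)
        if policy is None:
            return False
        max_age, include_sub = policy
        if max_age == 0:
            self.dynamic.pop(parts.hostname, None)  # max-age=0 removes the entry
        else:
            self.dynamic[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_hsts_host(self, host, now):
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0  # parent domains only count with includeSubDomains
            if candidate in self.preloaded and (exact or self.preloaded[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False

    def navigate(self, typed, now):
        """Return the URL actually requested for what the user typed."""
        url = typed if "://" in typed else "http://" + typed
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname, now):
            netloc = parts.hostname
            if parts.port not in (None, 80):
                netloc = "%s:%d" % (parts.hostname, parts.port)
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore(preloaded={"gmail.com": False, "mail.google.com": False})
    print(store.navigate("gmail.com", now=0))           # upgraded before any request
    print(store.navigate("example.test/login", now=0))  # first visit stays on http
```

The second call shows the gap a built-in list closes: a host that is only learned from a response header is still reachable over plain HTTP on the very first visit.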

The moves dovetail with Google's attempt to make security a prominent selling point of its browser. By improving Chrome's security, the company stands to benefit directly by making its own services less vulnerable and indirectly by making the Web a safer place for people to spend personal and professional time.

Google is a prominent target. It has disclosed attacks on Gmail it said appeared to come from China--some in 2009, and more this year. To try to make attacks harder, it's added two-factor authentication to Gmail, which requires a code from a person's mobile phone as well as the ordinary password.

Most people don't appreciate the measures Google is taking to secure Chrome and its browser-based operating system, Chrome OS, argues Sundar Pichai, Chrome's senior vice president, in an interview at Google I/O, pointing to measures such as running plug-ins such as Flash and a PDF reader in a sandbox, using a verified boot process with Chrome OS, and making Chrome OS's file system encrypted.

Chrome also is the vehicle for other Google ambitions, for example to speed up the Web. Among aspects of that effort are an HTTP improvement called SPDY; a new ability to preload selected search results pages so they display much faster when a person actually clicks on the links; technology called Native Client designed to run Web-app software much faster; and the WebP image format that Google argues is faster than JPEG.

It's not just about making the Web faster and safer, though. When people use Chrome to perform a Google search, the company doesn't have to share any resulting search-ad revenue with other browser makers such as Mozilla.

The HTTPS-only access to Gmail isn't the only security move Google is making.

Google also is trying to ensure that no users of Chrome and Gmail will be vulnerable to a problem that reared its head in March when an affiliate of a New Jersey company called Comodo was hacked, apparently by an Iranian.

Comodo and its affiliate issue digital certificates that browsers use to establish encrypted connections to Web sites, but the attack produced fake encryption certificates for Yahoo, Skype, Google, and Mozilla. The Comodo issue is leading browser makers to rethink certificate technology.

Now, for some sites including Gmail, Chrome accepts only certificates originating from a short list of providers, not from the hundreds available on the global Internet. That list includes Verisign, Google Internet Authority, Equifax, and GeoTrust, according to a blog post by Adam Langley, a Google programmer. He adds that the list is visible in Chrome's source code.

In the longer run, there's another significant security move on the horizon: Google is rebuilding Chrome atop its Native Client technology, gradually making more parts of the browser execute in a more secure "sandbox" whose isolation from other computing resources makes it harder for attackers to take over a computer through a browser-based attack.

That move will begin with Chrome's PDF reader, but it won't be switched on until Google is confident of the technology, Pichai said.

A close cousin of security is privacy, for example in the case where a government might want to see if a dissident has visited a particular Web site. Browser makers are working to extend beyond today's private-browsing modes that don't leave traces on a computer to private-browsing modes that don't leave traces on servers, either.

For example, Chrome, Firefox, and Internet Explorer all are getting a technology to delete local stored objects (LSOs), which in practice means it's harder for Web sites to keep track of users through "evercookies." Standard cookies are text files that can be deleted by browser users, but with Adobe's Flash Player, other plug-ins, and new HTML storage techniques, there are more ways for Web browsers to store that data even when ordinary cookies are deleted.

Evercookies are an overt way to track people. But there are subtler fingerprints a browser leaves behind that can help identify who's using a browser, as the Electronic Frontier Foundation's Peter Eckersley documented last year in his Panopticlick report (PDF).

Chrome is based on the WebKit browser engine project that's also the foundation of Apple's Safari. Now WebKit engineers are evaluating the idea of "tracking-resistant browsing" that reduces that fingerprint.

One example, described in the WebKit documentation of the tracking-resistant browsing, concerns the user-agent string--the text a browser sends a Web server to describe its version number, compatibility, and operating system. Differences between different people's user-agent strings mean that each carries enough information to narrow it down to about one in a thousand randomly selected browsers.

Even a thousandth of the total number of Web browsers is a huge number, of course, but there are plenty of other ways to narrow down a search: time zone, installed plug-ins, fonts, screen resolution, and more.

It's not clear yet how much appetite there is for obscuring these fingerprints, though.

"I'm skeptical that doing these things will provide anything more than window dressing, but I certainly don't want to discourage you from trying," said WebKit programmer Adam Barth in a comment. He requested more information: "I'd like to see us make tracking harder...I'd just like us to understand what we're buying and what we're paying for it."

news.cnet.com


Japan enacts anti-computer virus law

pinewswire.net
The Japanese parliament has passed a law, to take effect in July, which criminalises the creation or distribution of computer viruses.
The new law would punish those accused of creating or distributing a computer virus without reasonable cause for up to three years in jail or a fine not exceeding 500,000 yen (US$6240), even when no harm has been inflicted.
Those who acquire or store a virus will be penalised with a two-year imprisonment or a fine of 300,000 yen (US$3744).

The law describes a computer virus as an “electromagnetic record that would make a computer function against a computer user.”

It also prohibits the sending of pornographic email spam, punishable by imprisonment of up to two years or a fine of up to 2.5 million yen.
The new law will authorise Japanese law enforcement agencies investigating a cybercrime to request internet service providers to preserve communication logs for up to 60 days.

It will also strengthen the Japanese government’s commitment to the international Convention on Cybercrime, which the country joined in 2001 after signing a treaty mandating a crackdown on cybercrime for the 31 member states.

In the past, Japanese authorities depended on copyright-related legislation to tackle cases involving computer viruses.

In more than ten cases, virus creators in the country have been apprehended by the police, but most were prosecuted on charges of violations of the Copyright Law or of destruction of property.

“Hurdles for prosecuting criminal cases have been too high,” said a senior official at the National Police Agency of Japan.

.futuregov.asia

Friday, 17 June 2011

EU ministers seek to ban creation of 'hacking tools'

Justice Ministers across Europe want to make the creation of "hacking tools" a criminal offense, but critics have hit back at the plans, saying that they are unworkable.
spiegel.de

Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include "the production and making available of tools for committing offenses".
This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions "malicious software designed to create botnets or unrightfully obtained computer passwords," but goes no further in attempting to clarify what "tools" might be subject to criminal sanctions. For example, the distinction between a password cracker and a password recovery tool is not specified. Nor is there any mention of legitimate use for testing. Many tools that could be used for hacking in the wrong hands are used by system administrators and security consultants to probe for vulnerabilities in corporate systems.

Illegal access, illegal system interference and illegal data interference as well as instigating, aiding, abetting and attempting to commit offences are already crimes under current E.U. law. However, ministers want to harmonize penalties for illegal interception of computer data, and see the imposition of a minimum two-year sentence for the most serious crimes. They also want to oblige member states to collect basic statistical data on cybercrimes and to respond to urgent requests for information by other member states within eight hours.

The creation of hacking tools is already a criminal offense in the United Kingdom under the Computer Misuse Act and in Germany under the 202C law, and is also cited in the Budapest Cybercrime Convention. But if included in an E.U. directive, all 27 member states would be required to ban production of these so-called "tools" in national law.

The introduction of the laws in Germany in 2007 and the U.K. in 2008 met with fierce criticism. In Germany many legitimate websites shut down or moved over fears that they might be prosecuted.

German PHP security professional Stefan Esser wrote on his blog at the time that the law was not clearly written and allows too much interpretation. "While our government says that they do not want to punish, for example, hired penetration testers, this is not written down in the law," Esser wrote.

The ministers' proposals will now be put to the European Parliament, which must approve the text before it can become law. It is likely that MEPs will question some of the ministers' assumptions and will seek to better define what is meant by "tools".

computerworld.com
