
events

SANS EuroSCADA
Date: 5-11 December, 2012
Location: Barcelona
http://www.sans.org/event/eu-scada-2012

Digital Forensics Training Workshop – “Deep Thought” Software Tool for Cybercrime Experts in Albania
Date: 10-14 December, 2012
Location: Tirana, Albania
http://polis.osce.org/events/details?item_id=4002&lang_tag=EN&qs=
The workshop is intended to help Albanian cybercrime experts deal effectively with the large numbers of computers seized during criminal investigations.

International Workshop on Cyber Crime (IWCC 2013)
Date: 24 May, 2013
Location: San Francisco
http://stegano.net/IWCC2013/
Today's societies are becoming more and more dependent on open networks such as the Internet, where commercial activities, business transactions and government services are carried out. This has led to the rapid development of new cyber threats and numerous information security issues that are exploited by cyber criminals. The inability to provide trusted, secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. This poses new challenges for law enforcement policies and forces the computer community to use digital forensics to combat the increasing number of cybercrimes. Forensic professionals must be fully prepared to provide court-admissible evidence. To make these goals achievable, forensic techniques should keep pace with new technologies.

editorial

Dear Reader,

This winter will be hot in Europe and all around the world. The discussion on the need for a new Internet Governance approach is drawing the attention of policy makers on every continent to an infrastructure that is too often taken for granted. The declarations of a former security expert at the Pentagon on the risks deriving from the supposed supremacy of China over the world's telecommunication networks have made this discussion even more relevant. Meanwhile, in Europe, awareness is growing of the need for new regulations for the cloud world.

We report in this issue the details of the EU COM (2012) 529, “Unleashing the Potential of Cloud Computing in Europe”. As the new year approaches, new technologies (e.g. NFC) are emerging, with the implicit promise of changing the way we will interact with the world. In this context, here at GCSEC we believe that cyber security will move from being a mere technological issue to a matter of collaboration between governments and commitment from C-level managers; the EU-US workshop on Cyber Security and the Grand Conference organised by CPNI.NL, and supported among others by GCSEC, are two clear examples of this need.

Andrea Rigoni

in this number

“Big China is watching you…?” by Maria Luisa Papagni – Almaviva/GCSEC

“Amsterdam: in October capital of Cyber-Security.” by Igor Nai Fovino - GCSEC

“NFC a.k.a. the revolution of payment systems” by Alessio Coletta - GCSEC

Unleashing the Potential of Cloud Computing in Europe – COM (2012) 529. “Where the World Wide Web makes information available everywhere and to anyone, cloud computing makes computing power available everywhere and to anyone”. by Alessandra Lonardo - GCSEC

November 2012 – year 2, issue 9

news

Cyber Pearl Harbour
http://www.f-secure.com/weblog/archives/00002446.html
US Defense Secretary Leon E. Panetta has warned that the United States faces a possible 'Cyber Pearl Harbor' attack by foreign computer hackers.

Variant of Middle East spy virus found
http://www.ft.com/intl/cms/s/0/0a0cdcce-16ee-11e2-8989-00144feabdc0.html#axzz2AnUX6qKM
A variant of the cyber espionage viruses that have infected targets across the Middle East has been discovered, raising fears that researchers have only begun to scratch the surface of cyber warfare being waged in the region. Researchers at Kaspersky Lab said on Monday that the variant, called Mini-Flame, came from the same “cyber-weapon factory” responsible for other malware discovered this year, including the Flame and Gauss platforms, as well as the Stuxnet programme used against Iran’s nuclear facilities in 2010.

Kaspersky Labs preps its own OS to guard vital industry against cyberwarfare.
http://www.engadget.com/2012/10/16/kaspersky-labs-preps-its-own-os-to-guard-industry-against-cyberwarfare/
Kaspersky Labs' namesake Eugene Kaspersky is worried that widely distributed and potentially state-sponsored malware like Flame and Stuxnet pose dire threats to often lightly protected infrastructure like communication and power plants. To minimize future chaos and literally keep the trains running, Kaspersky and his company are expanding their ambitions beyond mere antivirus software to build their own, extra-secure operating system just for large-scale industry.

Four in ten Brits have had to change all their passwords to foil crooks.
http://www.theregister.co.uk/2012/10/22/getsafeonline/
A survey of over 3,000 Brits has discovered that more than half (56 per cent) have been targeted by online criminals, with a successful attack costing, on average, £247 per person. The study, released on Monday to coincide with the start of the annual Get Safe Online awareness week, discovered that almost one in five (17 per cent) victims were too embarrassed to tell anyone or share their experience with others. Almost a third of those surveyed by OnePoll (29 per cent) admitted they didn't know whether or not they were putting themselves at risk when they used the net.

Android apps get SSL wrong, expose personal data.
http://www.theregister.co.uk/2012/10/21/android_app_ssl_vulnerability/
More than 1,000 out of a sample of 13,000 Android applications analysed by German researchers contained serious flaws in their SSL implementations. In a paper, the researchers from Leibniz University in Hannover and Philipps University of Marburg found that 17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle (MITM) attacks.

“Big China is watching you…?” by Maria Luisa Papagni – Almaviva/GCSEC

Political fiction? Maybe... But U.S. security experts are now warning us: China is listening 24 hours a day and it has conquered a large part of the telecommunications market worldwide in order to steal the military and industrial secrets of Western countries! These are not only rumors. The charges were written in a document of the U.S.-China Economic and Security Review Commission, the congressional commission of the United States government responsible for monitoring and investigating national security and trade issues between the United States and the People's Republic of China. Such accusations were reiterated recently by Michael Maloof, a former security expert at the Pentagon: “The Chinese government has pervasive access to some 80 percent of the world’s communications, giving it the ability to undertake remote industrial espionage and even sabotage electronically of critical infrastructures in the United States and in other industrialized countries”. In particular, the Chinese government is gaining access through two Chinese companies, Huawei Technologies Co. Ltd. and ZTE Corporation, which are two of the global providers of telecommunications equipment and mobile phones. Huawei is the second-largest maker of routers, switches and other telecoms equipment after Ericsson; ZTE is the fifth. But the smoking gun that would confirm the hypothesis of the United States government has not been found. After 18 months of investigation of Huawei and ZTE by the US House Intelligence Committee, no evidence has been revealed to confirm that the companies have been involved in espionage activities or that the devices they manufacture and sell are used for espionage. What is certain is that Huawei has developed very sophisticated systems for the analysis of the data passing over their networks and devices. But there is no evidence that they are used as cyber-arms in the service of the Chinese government.

However, that lack of evidence has not discouraged lawmakers from issuing a stern warning to U.S. companies, urging them to pay particular attention to the vendors they do business with. The Chairman and Ranking Member of the House Intelligence Committee, Mike Rogers and Dutch Ruppersberger, released a report that encourages U.S. companies to take into account the long-term risks associated with companies that provide telecommunications infrastructure equipment, and it explicitly recommends that U.S. government systems exclude Huawei or ZTE components. More specifically, “the report includes five recommendations:

1. US government systems and US government contractors, particularly those working on sensitive systems, should exclude any Huawei or ZTE equipment or component parts. Additionally, the Committee on Foreign Investments in the United States (CFIUS) must block acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests.

2. U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects.

3. Unfair trade practices of the Chinese telecommunications sector should be investigated by committees of jurisdiction in U.S. Congress and enforcement agencies in the Executive Branch. Particular attention should be paid to China’s continued financial support of key companies.

4. Chinese companies should quickly become more open and transparent. Huawei, in particular, must become more transparent and responsive to U.S. legal obligations.

5. Committees of jurisdiction in Congress should consider potential legislation to better address the risk posed by telecommunications companies with nation-state ties or otherwise not clearly trusted to build critical infrastructure, including increasing information-sharing among private sector entities and expanding a role for the CFIUS process to include purchasing agreements.”

The accusations made by several parties against these Chinese companies, which conduct their business with a lack of transparency, seem to have led to other serious consequences. For example, recent news reports have shown that Cisco has decided to end its business relationship with ZTE.

It seems that this action by the networking giant is a rather direct consequence of the behavior of the White House in response to potential cyber-espionage.

As reported by Reuters, Cisco ended its partnership after an internal investigation launched following rumors concerning the unauthorized sale of banned U.S. computer equipment by ZTE to Iran's largest telecom firm. The Chinese companies are alleged to have sent more high-tech products made in the USA, including Cisco switches, to a unit of the consortium that controls the telecom firm. These operations prompted detailed investigations in Washington, with criminal probes being launched by the FBI. Huawei and ZTE have obviously reacted by categorically denying the accusations. They affirm that China's government has never made any such request of them, and that if such requests were made the companies would be bound by US law. But it seems that Huawei is ready to take another step forward to regain the trust of consumers: full access to the source code of its software. This is what, according to John Lord, head of the Australian division, Huawei is ready to do to prove that the accusations from the U.S. are false. Lord also said that "all producers should be subject to the same rules" on transparency. Of course the software will remain "proprietary". In fact, the idea is to evaluate the security of the devices with a specific procedure, performed solely by authorized personnel. Meanwhile, the “cold war” of global communication continues!

One year on, SSL servers STILL cower before the BEAST.
http://www.theregister.co.uk/2012/10/18/ssl_security_survey/
The latest monthly survey by the SSL Labs project has discovered that many SSL sites remain vulnerable to the BEAST attack, more than a year after the underlying vulnerability was demonstrated by security researchers. BEAST is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt the encrypted cookies that a targeted website uses to grant access to restricted user accounts.

FBI cybersecurity shift draws skepticism from experts.
http://www.csoonline.com/article/720331/fbi-cybersecurity-shift-draws-skepticism-from-experts
In a recent blog post, the bureau said it would dedicate more resources to "who is conducting the attack or the exploitation and what is their motive." "In order to get to that, we've got to do all the necessary analysis to determine who is at the other end of the keyboard perpetrating these actions," Special Agent Richard McFeely said in describing the bureau's Next Generation Cyber Initiative.

Cyber attacks have changed, but Australia is doing something about it: SANS.
http://www.csoonline.com/article/720272/cyber-attacks-have-changed-but-australia-is-doing-something-about-it-sans
Australia knows how to fix things and is doing something about it, at least when it comes to online security. That is according to SANS Institute research director Alan Paller, after he recently caught up with the Defence Signals Directorate (DSD), an intelligence agency in the Australian Government Department of Defence. Paller said the DSD has shown how to stop the kind of intrusion that China and other nations are using and that most people do not know how to stop.

Hurricane Sandy could cause big mess in cyber space too.
http://www.scmagazine.com/hurricane-sandy-could-cause-big-mess-in-cyber-space-too/article/265773/
With Hurricane Sandy on a collision course with the Northeast, cyber crooks are likely to take advantage of the historic storm to make a quick buck or steal personal information from the unsuspecting. As with most major news events, users should be on the lookout for legitimate-looking scams that will use the hurricane's mainstream allure to dupe them.

They've only gone and HACKED the WEATHER.
http://www.theregister.co.uk/2012/10/19/us_weather_service_hack/
Hackers have lifted potentially sensitive data from the US National Weather Service after exploiting a vulnerability in the weather.gov website. A previously unknown group called Kosova Hacker's Security claimed credit for the hack in a lengthy post on pastebin, containing a stream of data lifted as a result of the hack. Leaked data includes a list of partial login credentials, something that might give other hacking crews a head start in attacking the website, as well as numerous system and network configuration files. The leaked information appears to consist only of system files and the like rather than scientific data.

“Amsterdam: in October capital of Cyber-Security.” by Igor Nai Fovino - GCSEC

October saw Amsterdam at the centre of two interesting events related to cyber-security. On 15 October the city hosted the Joint EU-US Open Workshop on Cyber Security of ICS & Smart Grids. The workshop was part of a set of initiatives started with the EU-US summit of 20 November 2010 held in Lisbon to "tackle new threats to the global networks upon which the security and prosperity of our free societies increasingly depend". The Amsterdam workshop was the first US-EU joint event organized in Europe on the topic of cyber-security of ICS systems, with the objective of facilitating the exchange of information on policies and best practices and with the final aim of initiating a discussion on joint EU-US initiatives on this topic. The workshop was opened by Mr. Adrian Severin, Member of the European Parliament, who strongly underlined the importance of EU-US cooperation and the need for a coordinated global response. More specifically, Mr. Severin indicated the path legislators should follow in the coming years on cyber-security matters:

1. support the development of industry initiatives;

2. cultivate information sharing capabilities;

3. improve the communication between local, state and national public sector agencies;

4. promote voluntary bilateral sharing between industry and government.

After the introduction by Mr. Severin, the workshop developed along three main thematic sections:

• overview of cyber security of Smart Grids and ICS in the EU and US;

• EU Member States' initiatives in cyber security of Smart Grids and ICS;

• the voice of industry: experiences in cyber security of Smart Grids and ICS.

The content of the different presentations provided an overview of national initiatives in the field. Sweden presented its national program for security in industrial control systems, including an initiative for a coordination council for smart grids. The BSI (the German federal office for information security) announced the development of a new facility for testing industrial components.

news

Facebook crimes surge by 7,400 percent.
http://www.csoonline.com/article/646877/facebook-crimes-surge-by-7-400-percent
The number of crimes taking place on Facebook has soared by 7,400 percent in the past three years. Cambridgeshire Police received 1,640 reports of crimes on the site, including cases of bullying, harassment and even grooming this year. That's up on the 22 reports in 2007. The social network was also linked to 255 domestic abuse incidents within Cambridgeshire.

Stratsec critical of cloud security, potential heaven for botnets, study finds.
http://www.theregister.co.uk/2012/10/30/clouds_can_host_botnets/
A study conducted by BAE security subsidiary Stratsec claims that cloud services aren’t doing enough to secure their instances against being used to host attacks. Stratsec says it was able to set up botnets – it refers to them as botClouds – on all five of the cloud services it tested, and that none either raised alerts or placed restrictions on the accounts that were originating malicious traffic. The experiments were conducted by setting up accounts with various cloud providers, setting up ten cloud instances on each account, and using those instances to send malicious traffic at “victim” systems on controlled networks. Common services like HTTP, FTP and SMTP were enabled on the victims.

Embattled Huawei may open its code for testing in Australia.
http://www.scmagazine.com/embattled-huawei-may-open-its-code-for-testing-in-australia/article/265422/
In an effort to separate itself from worries that Huawei poses a cyber espionage threat, executives of the Chinese network equipment company are proposing the implementation of a new Australian center where it would open up its code for testing. Speaking to the National Press Club on Wednesday in Australia, Huawei Australia Chairman John Lord said the center -- to be funded by technology vendors -- would give Australian officials access to the company's software and hardware source code, according to a report in The Australian.

Gartner: How big trends in security, mobile, big data and cloud computing will change IT.
http://www.csoonline.com/article/720271/gartner-how-big-trends-in-security-mobile-big-data-and-cloud-computing-will-change-it
Gartner Symposium/ITxpo in Orlando was attended by some 9,000 executives focused on the changes that security challenges, mobile computing, big data and cloud will be bringing to IT in the near future.

Israeli cops penetrated by army of fake generals with trojans.
http://www.theregister.co.uk/2012/10/30/trojan_hits_israeli_cops/
Israeli police departments were pulled offline following the discovery of a Trojan especially targeted at law enforcement networks in the Jewish state. The malware was distributed using spammed messages, spoofed so that they appeared to come from the head of the Israel Defense Forces, Benny Gantz. Samples of the malware obtained by Trend Micro suggest that the initial target of the attack was systems within the Israeli Customs agency.
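The Stratsec item above reports that none of the tested providers alerted on or restricted accounts whose instances were sending malicious traffic. The following is an added illustration, not Stratsec's tool or any provider's code, of the minimal provider-side egress watch that finding calls for: flow records are aggregated per account (not per instance, since ten small instances look harmless one at a time) and an account is flagged when its instances collectively reach many distinct external hosts on the services the study enabled on its victims. The flow-log format, the sample records and the thresholds are constructed assumptions.

```python
"""Provider-side egress abuse watch over constructed flow records.

Added illustration for the Stratsec "botCloud" finding. Not Stratsec's or any
provider's code; the flow-log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Services the study enabled on the victim systems: HTTP, FTP and SMTP.
WATCHED_PORTS = {80, 21, 25}

# Assumed review thresholds per account and per window (not from the study).
WINDOW_SECONDS = 60
MAX_DISTINCT_TARGETS = 5       # distinct external hosts reached on watched ports
MAX_PACKETS_PER_WINDOW = 1000  # aggregate packets towards watched ports


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds when the flow started
    account: str     # tenant that owns the instance
    instance: str    # cloud instance id
    dst_ip: str
    dst_port: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: 'ts account instance dst_ip dst_port packets'."""
    ts, account, instance, dst_ip, dst_port, packets = line.split()
    return Flow(int(ts), account, instance, dst_ip, int(dst_port), int(packets))


def detect_abusive_accounts(flows: Iterable[Flow]) -> dict:
    """Return {account: summary} for accounts whose instances, taken together,
    exceed a threshold within any one window."""
    windows = defaultdict(list)
    for f in flows:
        if f.dst_port in WATCHED_PORTS:
            windows[(f.account, f.ts // WINDOW_SECONDS)].append(f)
    flagged = {}
    for (account, _window), group in windows.items():
        targets = {f.dst_ip for f in group}
        packets = sum(f.packets for f in group)
        if len(targets) >= MAX_DISTINCT_TARGETS or packets >= MAX_PACKETS_PER_WINDOW:
            flagged[account] = {
                "distinct_targets": len(targets),
                "packets": packets,
                "instances": len({f.instance for f in group}),
                # the response the study found missing: throttle and raise an alert
                "action": "throttle_egress_and_alert",
            }
    return flagged


# Constructed sample: one ordinary tenant and one tenant whose six instances
# hit five victim hosts within the same minute.
SAMPLE_FLOWS = """\
1000 acct-normal i-1 203.0.113.10 443 12
1005 acct-normal i-1 203.0.113.11 80 8
1010 acct-normal i-2 203.0.113.10 443 5
1000 acct-bot i-01 198.51.100.5 80 300
1001 acct-bot i-02 198.51.100.5 21 250
1002 acct-bot i-03 198.51.100.6 25 400
1003 acct-bot i-04 198.51.100.7 80 500
1004 acct-bot i-05 198.51.100.8 80 450
1005 acct-bot i-06 198.51.100.9 21 320
"""


def run_sample() -> dict:
    """Parse the embedded sample and return the flagged accounts."""
    return detect_abusive_accounts(parse_flow(line) for line in SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    for account, summary in run_sample().items():
        print(account, summary)
```

Only `acct-bot` is flagged: its six instances reach five distinct hosts and send 2,220 packets in one window, while the ordinary tenant's single port-80 flow stays far below both thresholds. Real deployments would tune the thresholds per service tier and add an allow-list for tenants with legitimate fan-out (mail relays, crawlers), but the per-account aggregation is the part the study's results show was absent.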

Estonia provided an overview of its CIIP and industrial control systems protection initiatives, underlining that the key words for getting prepared against cyber-threats in the industrial sector should be community building and people, security assessments, legislation, regulations and guidelines. Another interesting initiative presented was the creation in the Netherlands of the European Network for Cyber Security (ENCS), a private, non-profit, independent organization with public partnerships, created in July 2012, with a focus on training programs, intrusion detection, cyber security requirements, end-to-end testing, advanced privacy technology and cyber security research. The workshop also allowed participants to share experiences of national exercises; for example, Spain presented the results of its ICS Cyber Exercise carried out in April-May 2012 and involving the energy, nuclear and transport sectors. In addition to the Member States' experiences, the European Commission, ENISA (European Network and Information Security Agency) and the JRC (Joint Research Centre) provided an overview of the European Cyber Security Strategy, while the US Department of Homeland Security presented its roadmap for energy sector security and cross-sector coordination. What emerged overall from the workshop is that today EU Member States adopt a very heterogeneous set of approaches to the cyber-security of ICS systems, with a huge variety in the maturity of the different initiatives. There is a general need for pan-European activities involving Member States and the private sector in a coordinated and strategically built fashion, to avoid needless overlap and to involve in a comprehensive way all the parties dealing with the cyber-security of ICS systems. The most logical way to achieve this objective is the establishment of efficient, transnational information sharing networks that allow good practices and preparedness measures to be shared and improve co-operation between member states, private companies and stakeholders.

Starting from this consideration, the day after the EU-US Workshop the Grand Conference took place, again in Amsterdam. This conference, supported by TNO, the EU Commission, ENISA, GCSEC, US-DHS, ENCS and BEX, brought together CEOs and their direct advisors from governments, academia and industry. The conference featured some outstanding and world-famous speakers, such as Rod Beckstrom (WEF, former CEO of ICANN), Harry van Dorenmalen (Chair IBM Europe) and Mikko Hypponen (Chief Research Officer, F-Secure), who gave inspiring speeches on the future of our cyber society. The leitmotiv of the conference was ‘from learning by doing to leading by doing’, meaning that the full commitment of the top management of every organization is needed to improve the cyber-security level of our society. This concept was stressed in the closing speech of the conference by European Commission Vice President Mrs. Kroes, who highlighted that cyber security is a top priority needing top political attention. During the conference, three organisations showed their commitment to this topic by signing the cyber resilience principles and guidelines of the World Economic Forum. What I’ve just described were, for those who attended, two very long days, rich in interesting points of inspiration. People exchanged visions, priorities and opinions, agreeing that a more coordinated, top-level commitment is needed to protect our society in the cyber era. The hope is that the vision built in these two days will not remain a nice set of coloured slides. The hope is that “Leading by doing”, at every level, will become the passphrase driving our society toward a better future.

“NFC a.k.a. the revolution of payment systems” by Alessio Coletta - GCSEC

The ICT world always tends to hype some new technology. Now it is the turn of Near Field Communication (NFC). NFC technology enables smartphones and similar devices to exchange data wirelessly. Unlike other wireless solutions (like WiFi and Bluetooth), NFC allows communication only within a range of a few centimeters. In other words, two NFC-enabled devices can communicate only if they almost touch each other. The definition of NFC does not really help in understanding why the ICT industry is so excited about it. The real breakthrough lies in the ways NFC can be used. There are three modes of operation. First, NFC devices can communicate and exchange information in a peer-to-peer fashion. This means that two smartphones can exchange photos, videos, contacts etc. just by touching each other, without any other network infrastructure. This can be useful, but it provides functionality that is already available, e.g. through Bluetooth.

The second mode of operation makes an NFC device act as a reader of other NFC devices or RFID tags. Most passive RFID tags are little stickers (with no battery) containing some information about the objects they are attached to. They can be used in several applications ranging from logistics to security, domotics, and so on. Moreover, an NFC reader can interact with contactless payment cards, i.e. normal smart cards with an antenna, which enable a payment process with no need to insert or swipe the card. Again, nothing really new.

The third mode of operation is surely the most interesting for the ICT industry and the banking bodies. This mode enables a smartphone (or a similar device) to behave like an RFID tag and, more interestingly, like a contactless card. This means that NFC can bridge the smartphone world with the contactless payment one. Mobile phones are probably the only gadget everybody always carries around, and many companies quickly recognized a huge business opportunity around smartphones as cash replacement. Similarly, NFC devices can also be used for public transportation or any kind of loyalty program. The spread of NFC payments is highly linked to the spread of NFC-enabled devices. Some big electronics vendors have already managed to sell several million NFC smartphones. Samsung and other companies seem willing to push NFC technology, with the full support of the Google Android and Microsoft Windows Phone operating systems. On the other hand, and interestingly, Apple's new smartphone, which is expected to represent a big share of the mobiles sold in the coming months, does not support any NFC functionality. The real reasons behind this decision are not clear and are the subject of hypotheses and speculation.

Nevertheless, NFC payments do not strictly need NFC-enabled devices to operate. Indeed, there exist SIM cards and microSD cards with integrated NFC chips and antennas. These solutions are supposed to extend contactless payment functionality to phones that are not equipped with NFC. However, it is not very clear how successful those solutions will be, and the spread of NFC devices is still essential for NFC-based ecosystems. In Italy, Vodafone launched Smart Pass NFC, a contactless payment system based on NFC-enabled smartphones for contactless payments in stores equipped with MasterCard PayPass terminals. Similarly, Poste Italiane has recently announced a new contactless payment system that integrates NFC technology with the Poste Mobile SIM card. The solution combines the mobile operator services of the Poste Italiane group with the banking services of BancoPosta, part of the same group. Customers will be able to pay for all postal services at post offices, without entering the PIN for amounts below 25 euros.

The official announcement was released on October 17th, and the service will start in December. A few days after this announcement, Telecom, Vodafone, Wind, Tre Italia (H3G) and Poste Mobile announced a joint common platform for micro-transactions on which banks, public transportation and other service providers can operate. Details are still missing, though. The race to develop and adopt NFC-based payment solutions has raised the hype around NFC not only in Italy. For example, Google launched Google Wallet, a payment system which can be associated with an existing US-issued credit or debit card and can leverage the NFC technology of smartphones. The service is not new to US customers, but starting from August 2012 Google Wallet can be used in any MasterCard PayPass tap & pay store. In other words, any NFC smartphone with the proper Google Wallet account may behave like a MasterCard contactless card. Contactless micro-transaction payments based on NFC are likely to be widespread in the next months. The main question is how secure these solutions are, and answering it is not that easy. Luckily, NFC payments do not need to build secure solutions from scratch. Indeed, most of the communication is based on the encrypted protocols already used in the usual payment smart cards. These protocols have proved to be adequately secure in practice. However, there are some new aspects that warrant concern. First, tap & pay systems require no PIN, clearly a lower security requirement. Nonetheless, typing a PIN can be avoided only for low amounts of money, sometimes in combination with a daily maximum cap. Thus, criminal organizations would have to exploit many transactions of many customers, which is inconvenient or unfeasible. Second, the range in which NFC communications work is only a few centimeters. It seems hard to perform side-channel attacks, eavesdropping, and information sniffing/spoofing at such a short range.
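The article's point that PIN entry is waived only for low amounts, sometimes combined with a daily cap, can be made concrete with a small simulation of the cardholder-verification decision. The following is an added example and not code from any payment scheme, issuer or operator named above: the 25 euro per-transaction threshold is the one reported for the Poste Italiane service, while the 100 euro daily cap, the counter layout and the reset logic are assumptions chosen for illustration. Running the same sequence of taps with and without the cap shows why the cap matters: without it a card can be drained in many small no-PIN transactions, with it the loss per card per day is bounded.

```python
"""Tap & pay cardholder-verification policy, simulated.

Added example, not any scheme's or issuer's code. The 25 euro no-PIN limit is
the figure the article reports for Poste Italiane; the daily cap and the
per-card counters are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

NO_PIN_LIMIT = Decimal("25.00")   # amounts strictly below this may skip the PIN
DAILY_CAP = Decimal("100.00")     # assumed: cumulative no-PIN spend allowed per card per day


@dataclass
class CardState:
    """Per-card counters an issuer (or the card application itself) would keep."""
    no_pin_spent_today: Decimal = Decimal("0.00")
    day: date = field(default_factory=date.today)


def decide_cvm(state: CardState, amount: Decimal, today: date, daily_cap=DAILY_CAP) -> str:
    """Return 'no_pin' or 'pin_required' for one tap and update the card state.

    daily_cap=None reproduces the weaker configuration that has only the
    per-transaction limit and no cumulative cap.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    if state.day != today:                      # first tap of a new day: counters reset
        state.day = today
        state.no_pin_spent_today = Decimal("0.00")
    under_limit = amount < NO_PIN_LIMIT
    under_cap = daily_cap is None or state.no_pin_spent_today + amount <= daily_cap
    if under_limit and under_cap:
        state.no_pin_spent_today += amount      # only no-PIN spend consumes the cap
        return "no_pin"
    return "pin_required"                       # PIN is verified, cap is left untouched


def simulate(amounts, daily_cap=DAILY_CAP):
    """Run a sequence of same-day taps against one card and return the decisions."""
    today = date(2012, 11, 1)                   # constructed date
    state = CardState(day=today)
    return [decide_cvm(state, Decimal(a), today, daily_cap) for a in amounts]


if __name__ == "__main__":
    taps = ["24.99"] * 5 + ["40.00"]            # constructed: five small taps, then a larger one
    print("limit only:     ", simulate(taps, daily_cap=None))
    print("limit + cap:    ", simulate(taps))
```

With only the per-transaction limit, all five 24.99 euro taps go through without a PIN and only the 40 euro purchase asks for one; with the cap, the fifth small tap already exceeds 100 euro of cumulative no-PIN spend and is pushed to PIN verification. Real EMV contactless implementations keep these counters on the card and at the issuer and apply further checks, but the shape of the decision is the one shown.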
Some attacks are able to extend the NFC range by using a pair of NFC-enabled smartphones that relay the communication through another network, and they have been proven to succeed. However, they are quite impractical for most attackers, mainly because one of the attackers still needs to get physically very close to the victim, close enough to make him/her aware that something wrong is happening. From the technical point of view, it is important to focus on the so-called secure element, i.e. the secure piece of software underlying the encrypted protocols and the storage of the keys used in payments. Until now, the secure element has always been placed inside the smart card chip. A smart card is produced in very secure and trusted environments, and filled with the proper applications and secrets in those environments. On the other hand, some NFC solutions for smartphones are based on downloaded applications simulating the payment card behavior. This can raise the level of risk, because smartphone operating systems are usually considered untrusted, both for legal and technical reasons (among others, the existence of viruses). Assuring the same level of security as smart cards for applications running in smartphone operating systems might be a challenge for systems like Google Wallet. Instead, the solutions based on SIM cards provided by mobile operators might circumvent these security issues, because SIM cards are produced in secure and trusted environments, just like payment cards.

The ICT industry, mobile operators, and banking actors all look at NFC technology as a possible revolution in payment systems, and they are really keen to develop solutions and opportunities for NFC-enabled devices as a replacement for cash and payment cards. The variables are still many, such as the actual spread of NFC devices and crucial security issues. The only option for security researchers is to wait for the market to grow, with eyes wide open on the solutions proposed and adopted.

The European Commission recently endorsed a communication on “Unleashing the Potential of Cloud Computing in Europe”. The document represents a political commitment of the Commission and aims to boost the deployment of cloud technologies among European countries; it addresses key concerns such as trusted certification, interoperability and collaboration among stakeholders in the public and private sectors. Cloud computing has already led to many changes for suppliers of IT services, and this will affect not only the industry and end users, but also the way citizens interact with their computers and mobile devices. The cloud has already become an important commercial reality and appears to be rapidly expanding. The most widely accepted definition of the cloud was given by NIST (National Institute of Standards and Technology) in 2011. This definition is cited in a staff working document (SWD) of the Commission accompanying COM (2012) 529, and states: “Cloud computing is a model for enabling convenient on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

In relation to this purely technical definition, the SWD states that the technological configuration of cloud computing may be less important than the changes it brings. Considering the cloud from a commercial point of view, as a business model, it is necessary to take into account its key business process characteristics, such as:

• Users do not need to invest in their own infrastructure: storage and processing take place in the cloud rather than at the users' premises or on their devices;

• Cloud services can rapidly scale up or down according to demand;

• The cloud virtualises computational power, so that the physical location of users or computing resources is no longer a constraint;

• Computing becomes an operating rather than a capital expenditure item.

The Commission has identified the main areas where it is necessary to intervene:

• fragmentation of the digital single market;

• problems with contracts related to data management;

• jungle of standards.

The strategy is based on three key actions.

Key Action 1 – Cutting through the Jungle of Standards

Target: uniformity of standards, with the aim of promoting greater integration of the various cloud services and facilitating the development of common technical criteria. The Commission undertakes to eliminate the disadvantages caused by the huge number of technical rules in use, so as to enable users to take advantage of cloud interoperability, data portability and reversibility, identifying the necessary standards by the end of 2013. Following a similar push for standardization in the United States, NIST has published a series of documents including a set of definitions that are now widely recognized.

GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy www.gcsec.org

The ETSI (European Telecommunications Standards Institute) has set up a cloud group with the goal of identifying the highest standards of interoperability. The Commission, in a nutshell, intends to:

• promote reliable cloud offerings;

• improve confidence in cloud computing services;

• follow, with the support of ENISA and other competent bodies, the development of EU-wide voluntary cloud certification schemes, drawing up a list of such schemes by 2014;

• address environmental problems that could result from a wider spread of the cloud, agreeing with industry on appropriate measures relating to water and energy consumption as well as carbon emissions (by 2014).

ETSI will coordinate the activities and initiatives related to this pillar.

Key Action 2 – Safe and Fair Contract Terms and Conditions

The Commission envisages the involvement of stakeholders (providers and users) in the definition of standard models of business contracts that meet the innovative features and functionality of the cloud system, with particular attention to the implications for privacy. Current EU legislation protects users of cloud services, but consumers are not always aware of their relevant rights, especially when it comes to contract law questions. It is not yet clear which laws and jurisdictions apply in civil and commercial matters. On this issue, the Commission is committed to achieving the following objectives by the end of 2013:

• develop, with stakeholders, contract models for cloud computing services with the aim of standardizing the terms of the contract, providing conditions better suited to "digital content", in line with the Communication on a Common European Sales Law;

• appoint a group of experts to identify, by the end of 2013, safe and fair contract terms and conditions for consumers and small firms, and, on the basis of a similar optional-instrument approach, for those cloud-related issues that lie beyond the Common European Sales Law;

• facilitate the involvement of Europe in the global growth of cloud computing by calling into question the national protection of personal data, reviewing standard contractual clauses applicable to the transfer of personal data to third countries and adapting them, as needed, to cloud services, and by calling upon national data protection authorities to approve Binding Corporate Rules for cloud providers;

• work with industry to agree on a code of conduct for providers of cloud computing.

Key Action 3 – Promoting Common Public Sector Leadership through a European Cloud Partnership

The Commission recognizes the importance of the cloud for Public Administrations, which are in fact the main buyers of IT services in Europe. We are moving towards the creation of a European partnership that will bring together industry experts and actors in the public sector, with the aim of promoting the delivery of cloud services by the public sector itself. The main objectives of this key action are to:

• leverage the purchasing power of the public sector (20% of all spending in the field of information technology) to shape the European cloud computing market;

• increase the competitiveness of European providers of shared services in the cloud;

• offer better and more affordable services in the field of e-government.

According to the projections set out in the text of the Communication, the development of the cloud could have a cumulative impact on European GDP of 957 billion euro, with 3.8 million new jobs within the next eight years. The strategy also focuses on issues relating to international cooperation, referring in particular to countries with a very high level of technological development such as Japan, the United States, Canada and Australia. The EU will further develop a structured collaboration with international partners, not only to share experiences and to carry out joint technological development projects, but also to create a better and shared regulatory apparatus. These "extended" dialogues will be pursued in multilateral fora such as the WTO and the OECD. Finally, the Commission will investigate how to make full use of its other available instruments, notably research and development support in the Horizon 2020 programme, addressing the long-term challenges specific to cloud computing.