Newsletter GCSEC May 2012

May 2012 – year 2, issue 5

events

International Cyber Security 2012
Date: 29-31 May, 2012
Location: Brussels, Belgium
http://www.cyber-securityevent.com/Event.aspx?id=677612
Entering into its third year, International Cyber Security 2012 strikes a unique chord by focusing on network defence for key areas of national security. Our senior panel of international speakers, drawn from government, military and private firms critical to national security, will be speaking about their primary concerns for their networks over the next 12-18 months and what steps they are taking to secure their systems against the next generation of cyber attacks.

IEEE TRUSTCOM-12: IEEE International Conference on Trust, Security and Privacy in Computing and Communications
Date: 25-27 June, 2012
Location: Liverpool, UK
http://www.scim.brad.ac.uk/~hmibrahi/TrustCom2012/
IEEE TrustCom-2012 is an international conference for presenting and discussing emerging ideas and trends in trusted computing and communications in computer systems and networks from both the research community as well as the industry.

Digital Government Institute Cyber Security Conference
Date: 31 May 2012
Location: Washington, DC
http://www.issa-dc.org/
Digital Government Institute's annual Cyber Security Conference - which is free for government professionals to attend - will explore today's cyber threats and offer an opportunity for those supporting government security initiatives to collaborate on how to detect, protect, and respond to these challenges.

Annual AT&T Cyber Security Conference
Date: 6 June 2012
Location: New York City, USA
www.corp.att.com/securityconference/
The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP network and the innovation of AT&T Labs, AT&T is giving businesses some of the most powerful weapons available today in their battle against cyber security attacks. The conference showcases AT&T's leadership in helping businesses, large and small, manage the increasingly complex and critically important security of their IT networks and assets.

editorial

Dear Reader,

April and May have been very intense! GCSEC joined many international workshops. On May 14th we joined the 3rd Russian Internet Governance Forum: experts and operators in Russia share the same concerns as many other countries. The Minister of Communications proposed to agree on “rules of road” for the Internet, starting from those principles that we all already share. Simple to understand, but complex to achieve, at least considering the very slow progress on international cyber security cooperation. The London Cyber conference, which GCSEC joined in November 2011, started what they called the London process: but without the proper support, we may end up in Bulgaria in fall 2012 talking again about the need for international cooperation (and we will all agree!). It is time to act! GCSEC is working with various international organizations (IGF, ITU, OECD, EU) to support the international dialogue and to progress on the definition of basic principles. On the 16th of May GCSEC gave a speech at the European Parliament thanks to the European Internet Foundation (www.eifonline.org). We raised the awareness of MEPs on the need for a new framework for Digital Identities, including the need for more flexible tools (signature and authentication) that could be easily implemented in the EU.

Andrea Rigoni

in this number

“Digital inheritance” by Igor Nai Fovino - PhD – GCSEC
Even if it might seem a rather peculiar last Will, in a digital society such as the one in which we live today, similar needs will become more and more common in the near future. According to a survey, 10% of people in the UK include digital belongings in their wills. The study indeed highlighted that more than a quarter of people in the UK have hundreds of pounds worth of music and films stored online that they wish to pass on to loved ones.

“How my personal information became bits. A look at Digital Identity management systems” by Marco Caselli – GCSEC
In our daily life we are used to presenting personal IDs in public offices or banks to access numerous services. This simple gesture assures people that we are who we claim to be and confirms the personal information we provide. Considering the multiplicity of services that have already migrated to the Internet, we are now facing the challenge of virtually sharing this information in the same simple way. Lately, interest in this topic is increasing and the concept of a digital identity (DI), intended as a sort of virtual document, is clearly beginning to take shape.

“Preparing for cyber war… EU-USA joint exercises” by Maria Luisa Papagni – AlmavivA/GCSEC
National and international cyber security is one of the main objectives toward which national and international policies tend. It could not be otherwise, since the number of cyber attacks is increasing and the targets are often Community institutions.

news

Hackers break into bitcoin exchange, steal $90,000 in bitcoins
http://www.csoonline.com/article/706418/hackers-break-into-bitcoin-exchange-steal-90-000-in-bitcoins
Hackers stole 18,547 bitcoins, worth about US$90,000, and the Bitcoin exchange site “Bitcoinica” temporarily suspended its operations. The user database was probably compromised.

MoD to warn of E-bomb attack
http://www.csoonline.com/article/706417/mod-to-warn-of-e-bomb-attack
The UK needs to defend itself against an electromagnetic pulse-based 'E-bomb' that would explode in the upper atmosphere and knock out all electronic communication and power, the defence secretary will say today.

CISPA passes House of Representatives vote
http://www.theregister.co.uk/2012/04/28/cispa_passes_representatives/
The House of Representatives has approved the Cyber Intelligence Sharing and Protection Act (CISPA) with a vote count of 248-168, despite the threat of a possible veto by the president.

McAfee, Intel collaborate on protecting energy infrastructure
http://www.homelandsecuritynewswire.com/dr20120516-mcafee-intel-collaborate-on-protecting-energy-infrastructure
McAfee and Intel will collaborate on improving the protection of the world’s energy utilities, including generation, transmission, and distribution, from increased cyber attacks; the two companies have provided a blueprint for a comprehensive solution of multiple products which create layers of security and operate together without great complexity and without impacting availability.

“Digital inheritance”
By Igor Nai Fovino - GCSEC

I would like to insert in my Testament my iTunes account, am I crazy?

“Life is beautiful, but, as everything in this world, nothing lasts forever, and sooner or later we’ll be obliged to leave all our belongings. I’ve invested thousands of euros in iTunes downloads, and I would like to leave them to my son… am I crazy?”

Even if it might seem a rather peculiar last Will, in a digital society such as the one in which we live today, similar needs will become more and more common in the near future. According to a survey by Goldsmiths at the University of London, 10% of people in the UK include digital belongings in their wills. The study, promoted by Rackspace, a cloud computing company, indeed highlighted that more than a quarter of people in the UK have hundreds of pounds worth of music and films stored online that they wish to pass on to loved ones.

Inheritance… this is the reason why everybody should write a Last Will and Testament, to describe how we would like our possessions and assets to be distributed after passing away. The Will is the intention of a testator to bequeath. Considering that we spend a huge part of our life collecting goodwill, fortune and, generally speaking, assets, it is obvious that a Will generally deals with the concept of property and, more precisely, with Movable and Immovable property. By Immovable property we mean houses, estates, land, plants, allowances and so on, including also peculiar things such as the “right to use an object” or the “right of passage”. In other words, everything attached to the earth falls into this category. Immovable properties have been the subject of Wills and Testaments since the early ages of human society (we can find, for example, references to Testaments and the transmission of physical properties in Roman law).

Things tend to become more complicated with the so-called Movable properties. Traditionally this class includes cars, furniture and jewels, i.e. material things that an executor can redistribute among the heirs. However, the class of movable properties is in continuous evolution. For example, at a certain point this category started to include Intellectual Property rights, copyrights and everything that is the creation of the human intellect. So music, literature, discoveries, inventions, phrases etc. started to be considered as something that can and, sometimes, must be willed and bequeathed. This is, indeed, not surprising. Since these intangible properties have a not negligible value, it was natural to consider them as something that everybody would like to leave to their relatives.

Now, making a little step forward and speaking of value, let us ask ourselves: does my personal email account have a value? Well, let's take me as an example: I started to have an email address 25 years ago. At that time I managed to register my private email account with an email provider that today is very famous and prestigious. My surname being NAI, my email was a three-letter email, [email protected]. Obtaining a three-letter account from this operator (or from other operators) today would be almost impossible; moreover, having used my family name as the account, I could consider this email address as something I would like my son to inherit. The value in this case is sentimental, as in the case of Facebook accounts, Flickr accounts, Twitter, Dropbox etc., but traditional testaments are indeed full of dispositions with a merely sentimental value, so why not take these aspects into consideration too when defining a Will?

Things become more evident in situations in which an economic value is involved. Let's consider, for example, web domains: the trade market of web domains is still appealing, i.e. they can have a remarkable value in terms of money. If the owner dies and no one pays the annual fee, they return to the market, causing a loss to the potential heirs of the original owner. Making again a little step forward, as the owner of a well-established blog, read by thousands of people per week, I might have stipulated contracts with some vendors for putting banners on my blog. In that case the blog is actively producing income and, as in the case of “real companies”, I might consider leaving it to my relatives.

The previous examples are, however, only the tip of the iceberg. PayPal accounts, online bank accounts, digital trusts, account balances, online credits, iTunes accounts (again), digital identities, are what we can define as Digital Inheritance or Digital Estate. From a legal point of view, even if things might be slightly different in different countries, the tendency is that digital inheritance requires that digital data form part of the decedent's estate. If the digital data are “physically” stored on a medium that was in the possession of the testator, they can be considered directly as movable properties and everything goes smoothly. The legal and practical problems arise when the testator does not physically possess the digital assets, e.g. when the digital asset is stored on a third party server. This is the case, for example, of cloud-based services. If I do not physically possess an object, how can I leave it as an inheritance? Again, experience and good sense come to help. In these cases the orientation of the majority of legislations seems to give extreme relevance to the concept of password. In other words, if the digital asset, hosted by a service provider, was accessed by the testator using a password, this password will assume the role of the classic safe box key, creating possession in a legal sense and falling in this way within the traditional concept of estate. Even if things might seem simple described in this way, it is indeed true that the matter is still under development and there exist huge differences among the different legislations in the world.

Apart from the legislative problem, a real obstacle to digital inheritance is that, the asset being so immaterial, the heir must know that it exists in order to inherit it, and this is not always easy. So, from a pragmatic point of view, if you would like to leave to your relatives what we have called here digital assets, there are only four pieces of advice I can give you:

(1) Keep track of all your relevant and valuable digital assets: email accounts, PayPal accounts, Dropbox shares etc.
(2) Keep track of the “digital keys” that give access to these assets.
(3) Store and maintain them in a secure digital repository.
(4) Mention the digital assets in your Will and establish, with the help of your lawyer, a suitable method for making the digital key-ring available after your departure.

After that… enjoy your life!

news

Self-adapting computer network that actively defends itself against hackers
http://www.homelandsecuritynewswire.com/dr20120515-selfadapting-computer-network-that-actively-defends-itself-against-hackers
Researchers are looking into the feasibility of building a computer network that could protect itself against online attackers by automatically changing its setup and configuration; the researchers will examine whether this type of adaptive cybersecurity, called moving-target defense, can be effective – and cost-effective.

White House’s cybersecurity official retiring
http://www.washingtonpost.com/world/national-security/white-houses-cybersecurity-official-retiring/2012/05/16/gIQAX6fmUU_story.html
The White House’s cybersecurity coordinator Howard Schmidt said Thursday that he is stepping down at the end of this month. Schmidt leaves at a time when the administration still has much work to do to ensure the protection of the computer systems of companies that provide electricity and other critical services.

EU to impose compulsory cyber defence rules
http://www.euractiv.com/infosociety/eu-impose-compulsory-cyber-defence-rules-news-512739
The European Commission is planning to force energy, transport and financial companies to invest more in their cyber security and to report on breaches suffered, two EU officials said.

EU cyber-security legislation on the horizon
http://euobserver.com/22/116239
The European Commission will propose binding EU legislation before the end of the year to help member states plug huge gaps in their cyber-security defences.

BAE warns UK government on cyber security
http://www.ft.com/intl/cms/s/0/f16bb2cc-9f2d-11e1-a455-00144feabdc0.html
Research by BAE Systems Detica shows that British business is pessimistic about security in general. Europe’s biggest defence contractor says the government is not doing enough to help businesses protect themselves from the growing threat of cyberattacks.


“How my personal information became bits. A look at Digital Identity management systems”
by Marco Caselli - GCSEC

In our daily life we are used to presenting personal IDs in public offices or banks to access numerous services. This simple gesture assures people that we are who we claim to be and confirms the personal information we provide. Considering the multiplicity of services that have already migrated to the Internet, we are now facing the challenge of virtually sharing this information in the same simple way. Lately, interest in this topic is increasing and the concept of a digital identity (DI), intended as a sort of virtual document, is clearly beginning to take shape. There is still no common definition, but we can basically regard a digital identity as a set of information a user decides to share with an IT system in order to access services on the Web. It seems easy, but nowadays we are forced to deal with lots of DIs at the same time. Let's think for just a second about how many web services we use every day.

Accesses to mail providers, bank accounts, e-commerce portals and social networks are just some of the operations that require a user to log in and provide personal information, each time with different rules and security levels. Moreover, a person is usually asked to insert the very same data (name, surname, date of birth, etc.). These few elements already lead us to a main general issue: is it possible to manage these accounts coherently and securely, and avoid the spread of duplicated information? The current need for a digital identity management system is pushing developers to design secure but usable solutions capable of filling this slice of the IT market.

There are several models of infrastructure for identity management systems. One of the most used in the past was the so-called Silo-Model, in which each service provider arranged to store users' information on its own. As the data associated with each identity increased, the need arose to separate the management of such information from the services. In the Centralised-Model a DI provider stores all the information and gives data to service providers simply on demand. In a different manner, within a Federation-Model there is a Provider of Identities that manages the distribution of users' information among service providers but without storing anything on its own. In this case, the data stays again on the service providers' side but, unlike in the Silo-Model, it can be freely used or moved among the federated participants. Lately, a quite different schema called User-Centric is gaining consensus among users. In this model, a user is always in control of his/her own information and, formally, he/she always stays at the center of every data transaction. In other words, it will not be possible for any other actor in the system to exchange information without the owner being clearly informed.

There are at least three interesting User-Centric solutions that could become very common and largely used in the near future. OpenID was probably the first real attempt to take advantage of this logical schema. This infrastructure, designed in 2005, proposes a way to authenticate users in a decentralized manner. The key idea is that a user can freely choose an OpenID provider to store personal information and that the latter assigns to him/her a specific identifier (for example a URL) to access it. Through this identifier the user can use any OpenID-compliant web service, delegating authentication and information sharing to the provider and avoiding multiple usernames or passwords. The solution is widely deployed on the Internet, but people have sometimes asked for a more user-friendly identifier. In fact, linking our identity to a generic URL may sound strange, and more recent solutions are trying to eliminate this ambiguity.

This is the case of BrowserID. The solution, proposed by Mozilla, uses email addresses instead of generic identifiers and, compared to OpenID, focuses more on privacy issues. In the previously described OpenID communication protocol, DI repositories and web services directly share the user's information. This means that the former know everything a user does with his or her information. Since this is an obvious privacy concern, BrowserID radically changes the way of communicating personal information by demanding more work from the user. The BrowserID authentication process consists of sharing a signed digital certificate in which the identity provider asserts that some information really belongs to the user. This certificate is stored by the user's browser and provided to any BrowserID-compliant web service to perform the login. No other communications are needed, and users are assured of being the only ones to keep track of which services they use. The idea could be successful, but the infrastructure implementation is still at an embryonic phase.

 

OneID tries to go even further by proposing a schema that allows the user to be the only one to know the whole information set stored in the repository. The concept behind OneID is simple but innovative: we can encrypt information before sending it to DI providers and decrypt the data locally when we need it. As with BrowserID, we are always in control of the communication flows, but no one except web services has to know anything about us. Another important characteristic of OneID is that a DI is no longer linked to an identifier but to as many devices as we want. PCs, mobile phones and tablets become the key to our digital information. When we log in to our DI repository, the infrastructure will recognize our device, automatically sending the DI's data to it. Even if it is convenient from a privacy perspective, OneID always depends on having our devices available, and this can be awkward sometimes.

It is important to notice that none of the above is “the” solution. Each of them proposes a way to securely manage information, concentrating on different authentication and data-sharing processes. As already said, users want to be the only ones to read personal information, but web services may want more assurance about the data they receive. This guarantee may come from speaking directly with identity repositories that, for their part, have every interest in monitoring what users are doing. There is still no concrete answer, but things move quickly. Today we wonder whether or not to enter our phone number on the Internet, but probably tomorrow we will consider DI management systems safe enough to entrust all our deepest secrets to them.

“Preparing for cyber war… EU-USA joint exercises”
by Maria Luisa Papagni – AlmavivA/GCSEC

National and international cyber security is one of the main objectives toward which national and international policies tend. It could not be otherwise, since the number of cyber attacks is increasing and the targets are often Community institutions. Just think of the repeated fraudulent attacks suffered in the past year by the Emission Trading System (EU ETS) of the European Union. They caused a cumulative theft of about 2 million permits (more or less equal to 30 million euros) from the national registers of various EU countries, and the subsequent decision of the European Commission to temporarily suspend trading. Besides this example, we must also take into consideration the increasing alarm linked to international terrorism. As a direct consequence, critical information infrastructure protection (CIIP) has become a matter of crucial attention.

“The Commission invites Member States to organise regular exercises for large scale networks security incident response and disaster recovery”. With this communication (1) the European Commission urges Member States to evaluate, and possibly improve, the protection of Critical Information Infrastructures for defending Europe from large scale cyber-attacks and disruptions. Also during the Ministerial Conference in Tallinn of April 2009 it was highlighted that: “A joint EU exercise on Critical Information Infrastructure Protection should be organised and staged by 2010, in line with the Commission’s action plan”. So, one of the most pressing issues that the cyber community is seen to face is improving preparedness and response capabilities for national and international attacks or incidents. This is the context for the work of the European Network and Information Security Agency (ENISA), which, to this end, wants to develop principles and guidelines for Internet resilience, leading pan-European exercises on large-scale incidents and preparing a framework and a roadmap for European participation in global exercises.

Cyber Europe 2010

The first exercise, "Cyber Europe 2010", was conducted on November 4, 2010. The main objective was to stimulate and test the cooperation between EU countries in case of attacks on a large scale. Other objectives of this initiative were to consolidate the trust among member states, to raise awareness about security issues, and to share around a joint table the cyber community's approach to the issue of cyber security by promoting the exchange of information. About 70 cyber security experts faced more than 300 attacks (virtual, of course) whose intent was to paralyze communication between institutions, corporations and private citizens throughout Europe. During the exercise, loss of Internet connection among the countries was simulated. One after the other, member states were subjected to increasing problems of access to the network that led to the progressive failure of all links, as shown in the figure below:

Fig. 1 – Maps showing gradual loss of Internet connectivity (2)

This situation required international cooperation to prevent a total collapse of the virtual network. According to the evaluation report of “Cyber Europe 2010”, multi-level cooperation is necessary to address the threats of global cyber attacks. Also fundamental are the harmonization of standard operating procedures in emergency situations and the definition of known contact points. The recommendations contained in the document highlight the need to continuously:

• Conduct joint exercises for the protection of critical infrastructure such as energy, defense and public administration (according to 86% of participants),
• Have the support and the help of the private sector,
• Ensure a continuous transfer of knowledge and information among participants and
• Determine as soon as possible a road map to pan-European exercises with scenarios based on more realistic conditions.

Cyber Atlantic 2011

The transatlantic response was the first joint exercise on cyber security between the European Union and the United States. It was held on November 3rd, 2011, focusing on the hacking of SCADA systems and on Advanced Persistent Threats (APT). The exercise lasted one day and took the name of Cyber Atlantic 2011. The objectives were mainly to:

• Evaluate the degree of cooperation between the EU Member States and the United States in the management of a cyber-crisis,
• Identify the criticalities of cyber-crisis management at international level,
• Exchange good practices on how to tackle cyber crises worldwide.

The exercise involved 20 EU member states, 16 of them with an active role, building on the lessons learned from the previous year's first European exercise, Cyber Europe 2010. The exercise began with the simulation of crisis scenarios to analyze how the EU and the U.S. would communicate and work collaboratively in case of attacks on their critical infrastructures. In particular, the joint activity between ENISA and the Department of Homeland Security of the United States tested two problems that beset security worldwide: stealing secret information and blocking the productivity of a real-world critical infrastructure such as electric power generation. The scenarios evoked famous attacks suffered in the same year by Sony PlayStation and the EU Emissions Trading Scheme (described above). So, the first scenario simulated an APT attack, with the theft of sensitive data from the national security agencies of EU countries. The second simulated an attack on the SCADA (Supervisory Control and Data Acquisition) systems of U.S. production facilities used in energy production in Europe. The evaluation report on Cyber Atlantic 2011 has not yet been published.

In the near future...

“Cyber exercises are an important element of a coherent strategy for cyber incident contingency planning and recovery both at the national and European level. […] Such a plan should provide the baseline mechanisms and procedure for communications between Member States and, last but not least, support the scoping and organization of future pan-European exercises. ENISA will work with Member States on the development of such a European cyber incident contingency plan by 2012. In the same timeframe, all Member States should develop regular national contingency plans and response and recovery exercises.” (3)

Member States shall therefore prepare to organize other exercises. The next pan-European exercise on CIIP will be conducted this year. It will be more extensive and sophisticated, and was designed on the basis of the experiences and recommendations of Cyber Europe 2010. ENISA considers these exercises a great opportunity to evaluate and especially improve cooperation between the different Member States in the event of a large-scale crisis. These exercises are also a priority throughout Europe, and this need is formulated in the “Digital Agenda for Europe”. Moreover, the first results, as noted above in the report on Cyber Europe 2010, have highlighted the need for more exercises, more cooperation between Member States and the importance of the private sector in ensuring information security. In this context, ENISA will take stock of efforts in the “First International Conference on Cooperation crisis Cyber - Cyber Exercises”. So expect new results and further food for thought!

Notes

1. "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", COM(2009) 149 of 30 March 2009, ENISA
2. “Cyber Europe 2010 – Evaluation Report”, ENISA; http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/cyber-europe/ce2010/ce2010report
3. “Achievements and next steps: towards global cyber-security”, COM(2011) 163 of 30 March 2011, ENISA; http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0163:FIN:EN:PDF

GCSEC - Global Cyber Security Center
Viale Europa, 175 - 00144 Rome - Italy
www.gcsec.org