Privacy and Cybersecurity Law 2015-12-10 15:14:18

On Monday, the European Parliament, Council and Commission came to an agreement on the Network and Information Security (NIS) Directive.   

The NIS Directive is the first pan-European set of cyber security rules and aims to ensure a high common level of cyber security across Member States.  Each Member State will be required to designate a national competent authority to ensure compliance with the new Directive and to be responsible for handling and responding to cyber security incidents.  The key changes introduced by the Directive are new security and incident-notification requirements for companies in certain sectors.  These will affect companies that operate "essential services" (e.g. energy suppliers, banks and healthcare providers) and also "digital service providers" (e.g. search engines, cloud computing services, online marketplaces).

So what’s next?  The text will have to be formally approved by the European Parliament and Council.  Once approved, the UK and other Member States will then have 21 months to implement the Directive into national law. 

For further details, please see the Commission's press release.

SHA1 sunset will block millions from encrypted net, Facebook warns


Tens of millions of Internet users will be cut off from encrypted webpages in the coming months unless sites are permitted to continue using SHA1, a cryptographic hashing function that's being retired because it's increasingly vulnerable to real-world forgery attacks, Facebook and Web security company CloudFlare have warned.

Facebook said as many as seven percent of the world's browsers are unable to support the SHA256 function that serves as the new minimum requirement starting at the beginning of 2016. That translates into tens of millions of end users, and a disproportionate number of them are from developing countries still struggling to get online or protect themselves against repressive governments. CloudFlare, meanwhile, estimated that more than 37 million people won't be able to access encrypted sites that rely on certificates signed with the new algorithm.

Both companies went on to unveil a controversial fallback mechanism that uses SHA1-based certificates to deliver HTTPS-encrypted webpages to people who still rely on outdated browsers. The remaining, much larger share of end users with modern browsers would be served HTTPS pages secured with certificates signed using SHA256 or an even stronger function. The mechanisms, which both companies are releasing as open-source software, allow a website to present a weaker SHA1-signed chain to older browsers while giving newer ones the benefit of SHA256. Facebook is deploying the scheme on most or all of the sites it operates, while CloudFlare will enable it by default for all of its customers. CloudFlare said other sites, including those run by Chinese portal Alibaba, are also implementing it.
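The selection step such a fallback needs, as an added example that is not Facebook's or CloudFlare's code: it assumes the server decides from the TLS 1.2 signature_algorithms extension in the ClientHello (RFC 5246, section 7.4.1.4.1), which is an assumption about the mechanism since the article does not say how the two classes of browser are told apart. The ClientHello records below are constructed test input, not captured traffic.

```python
import struct

SIGNATURE_ALGORITHMS_EXT = 0x000D
# TLS 1.2 HashAlgorithm values (RFC 5246 section 7.4.1.4.1)
HASH_SHA1, HASH_SHA256, HASH_SHA384, HASH_SHA512 = 2, 4, 5, 6
SHA2_HASHES = {HASH_SHA256, HASH_SHA384, HASH_SHA512}


def build_client_hello(version, cipher_suites, extensions=None):
    """Build a minimal ClientHello record for testing. Constructed input,
    not a captured handshake; the random and session id are filler."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_signature_algorithms(record):
    """Return the (hash, signature) pairs from the ClientHello's
    signature_algorithms extension, or None when the client sent none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SIGNATURE_ALGORITHMS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            return [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return None


def choose_certificate_chain(record):
    """'sha256' when the client advertises any SHA-2 signature algorithm,
    otherwise 'sha1'. A hello without the extension is treated as RFC 5246
    requires: the client only understands SHA-1 signatures."""
    algs = parse_signature_algorithms(record)
    if algs is None:
        return "sha1"
    return "sha256" if any(h in SHA2_HASHES for h, _ in algs) else "sha1"


# Constructed sample hellos (hypothetical, not captured traffic)
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x009C], [
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),                 # SNI
    (SIGNATURE_ALGORITHMS_EXT, b"\x00\x06\x04\x01\x05\x01\x02\x01"),  # sha256/sha384/sha1 + RSA
])
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x000A])        # TLS 1.0, no extensions
SHA1_ONLY_HELLO = build_client_hello(0x0303, [0x002F], [
    (SIGNATURE_ALGORITHMS_EXT, b"\x00\x02\x02\x01"),               # sha1 + RSA only
])

if __name__ == "__main__":
    for name, hello in [("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO),
                        ("sha1-only", SHA1_ONLY_HELLO)]:
        print(name, choose_certificate_chain(hello))
```

Two practical caveats: the server still needs a valid SHA1-signed chain to hand out, which depends on an issuer willing to sign one once the 2016 cut-off applies, and later TLS 1.3 SignatureScheme values (for example RSA-PSS codepoints) are not a hash/signature pair in this encoding, so a production version should treat any unrecognised scheme as a modern client rather than as SHA1-only.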


Hacked at sea: Researchers find ships’ data recorders vulnerable to attack

A voyage data recorder recovery capsule aboard a container ship. Some VDRs may be an easy target for hackers, or for crew members who don't want what they've done to be recorded. (credit: Hervé Cozanet)

When the freighter El Faro was lost in a hurricane on October 1, one of the goals of the salvage operation was to recover its voyage data recorder (VDR)—the maritime equivalent of the "black box" carried aboard airliners. The VDR, required aboard all large commercial ships (and any passenger ships over 150 gross tons), collects a wealth of data about the ship's systems as well as audio from the bridge of the ship, radio communications, radar, and navigation data. Writing its data to storage within a protective capsule with an acoustic beacon, the VDR is an essential part of investigating any incident at sea, acting as an automated version of a ship's logbook.

Sometimes, that data can be awfully inconvenient. While the data in the VDR is the property of the ship owner, it can be taken by an investigator in the event of an accident or other incident—and that may not always be in the ship owner's (or crew's) interest. The VDRs aboard the cruise ship Costa Concordia were used as evidence in the manslaughter trial of the ship's captain and other crewmembers. Likewise, that data could be valuable to others—especially if it can be tapped into live.

It turns out that some VDRs may not be very good witnesses. As a report recently published by the security firm IOActive points out, VDRs can be hacked, and the data they hold can be stolen or destroyed.


Steam tightens trading security amid 77,000 monthly account hijackings


Account theft is a common and longstanding problem for all kinds of online gaming services, as I can personally attest after losing all of my Diablo III loot to a hacker a few years ago. But Valve says the problem is reaching epidemic proportions on Steam, with "around 77,000 accounts hijacked and pillaged each month." Since the service launched item-trading features back in 2011, Valve says the problem of account theft "has increased twenty-fold as the number one complaint from our users... What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items."

It's not hard to see why the problem is increasing. Items in games like Team Fortress 2 and Counter-Strike: GO can be worth a lot of real money on the secondary market, not to mention the inexplicably popular virtual trading cards floating around the Steam social network. As Valve puts it, "practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets." Goods transferred out of stolen accounts can be relatively easy to unload on unsuspecting legitimate customers, too, making the theft hard to unwind once it's detected.

Now, Valve is taking additional steps to reduce the value of these hijackings when they happen. By default, traded items will now be "held" by Valve for "up to three days," which is hopefully enough time for users to discover that their account has been compromised (and which prevents hackers from transferring and liquidating items quickly). Users who have two-factor authentication enabled are exempt from this restriction, since their accounts are theoretically safe from most hijacking attempts. Trades between users who have been friends for a year or more will only be held for "up to one day" even without two-factor, since a friendship that old implies a real relationship between the traders.
