newsletter July 2012 - Global Cyber Security Center



Page 1

 

GFIRST 2012 Conference
Date: 19-24 August 2012
Location: Atlanta, Georgia, USA
http://www.us-cert.gov/GFIRST/
The Government Forum of Incident Response and Security Teams (GFIRST) is a group of technical and tactical practitioners from incident response and security response teams responsible for securing government information technology systems and providing private sector support. GFIRST promotes cooperation among the full range of Federal, State, and local agencies, including defense, civilian, intelligence, and law enforcement.

Cyber Security Conference
Date: 20 September 2012
Location: New York, USA
http://www.nyit.edu/conferences/cyber_security_conference/
Join cyber security experts and government officials on Sept. 20, 2012 to discuss cyber vulnerability and how individuals and organizations can protect themselves against cyber attacks.

Cyber Defence Forum
Date: 23-25 October 2012
Location: Prague
http://www.cyberdefenceforum.com/Event.aspx?id=770998
As part of Defence IQ’s Cyber Defence conference series, the new Cyber Defence Forum is being launched to provide an enhanced opportunity for interactive debate and discussion on key cyber issues. The event will run as a series of panel discussions and round tables, so that knowledge sharing is increased further still. The Cyber Defence Forum will focus specifically on the challenges, operations and solutions facing armed forces and governments as they formulate national strategies in line with the international community.

Cyber Security Summit 2012
Date: 6 November 2012
Location: London
http://cybersecuritysummit.co.uk/
The Cyber Security Summit 2012 is this year’s leading forum for policy makers, practitioners and industry stakeholders to debate the future of cyber security. The event will explain the implementation and development of the Cyber Security Strategy and the further measures being undertaken internationally to protect cyber space and promote economic prosperity.

 

Dear Reader,

This fall and winter will be hot in this area of the world: the EU is working on new Cyber Security Directives and the world is preparing for the WCIT in Dubai in December, where Cyber Security is one of the hot topics on the table. GCSEC is following the work of both the EU and the ITU very closely and is providing support through public consultation. The European Commission opened a public consultation on “improving network and information security in the EU” that will be used to prepare the EU Strategy on Cyber Security. In the meantime, the European Commission has already published communication COM(2012)238/2 on eID, eSignature and eAuthentication, which does not cover the “soft identities” that GCSEC has promoted in various contexts. In this issue, you will find a report on our contribution to the European Digital Agenda, where GCSEC proposed to define a framework for Digital Identities wide enough to cover not only eID (the equivalent of National ID Cards), but also “soft identities”. The LinkedIn password leak should be a wake-up call: it is clear that many operators are not adopting minimum countermeasures that are well established and often free of charge!

Andrea Rigoni

“Italy needs the National CERT!” by Massimo Mencaroni - GCSEC

“Is it time to say ‘goodbye password’?” by Maria Luisa Papagni – Almaviva/GCSEC

“Ipv6, a real need” by Elena Agresti – GCSEC

“Botnets. The real virtual armies” by Marco Caselli - GCSEC

“European Digital Agenda Assembly 2012” by Igor Nai Fovino – GCSEC

“Revision of the Electronic Signature Directive pursuant to the provisions of the Digital Agenda for Europe.” by Alessandra Lonardo – GCSEC

 

events

editorial

in this number

July/August 2012 – year 2, issue 7

Page 2

 

Computer scientists break security token key in record time
http://bits.blogs.nytimes.com/2012/06/25/computer-scientists-break-security-token-key-in-record-time/
For years private companies and government agencies have given their employees a card or token that produces a constantly changing set of numbers. No one could have access to the data without a secret key generated by the device. Computer scientists say they have now figured out how to extract that key from a widely used RSA electronic token in as little as 13 minutes. The scientists, who call themselves Team Prosecco, said their experiment can pry open one model of the RSA dongle — the SecurID 800 — as well as similar tools produced by other companies.

NFC is great, but mobile payments solve a problem that doesn’t exist
http://techcrunch.com/2012/06/30/nfc-is-great-but-mobile-payments-solve-a-problem-that-doesnt-exist/
For the past few years, we’ve been told over and over again that NFC will eventually replace the common wallet. Parts of Europe and China are using it for public transport transactions, and the ability to ditch all of your loyalty cards and combine them in one place (potentially) PassBook-style would be highly convenient. But there is no benefit to merchants in implementing these systems; in reality it’s only an added cost to overhaul the system. Even at a minimal cost, the only value is a slight increase in efficiency pushing customers through POS.

Open source offense could be our best defense against cyberattacks
http://www.csoonline.com/article/711231/open-source-offense-could-be-our-best-defense-against-cyberattacks
A core dilemma for IT today is how to properly protect the organization's information systems and assets. Companies need to approach security more fundamentally and strategically. They should also be looking at it from the attacker's viewpoint, trying to identify what there is to steal and how to go about it.

Mobile threats take center stage
http://blogs.csoonline.com/wirelessmobile-security/2267/blackhat-preview-mobile-threats-take-center-stage
With everyone in possession of smartphones these days, mobile threats are of great interest to Black Hat USA attendees. One of the big points attendees will get this year is that we can no longer consider mobile and desktop threats as two separate things: attackers can use infected smartphones to penetrate company networks. Depending on the configuration of certain components in the carrier network, a large population of smartphones may be attacked simultaneously without the attacker even needing to set up their own base station.

Authorities down servers of third-largest spam botnet
http://www.csoonline.com/article/711431/authorities-down-servers-of-third-largest-spam-botnet
Authorities in three countries have taken down a half-dozen command-and-control servers for the Grum botnet, crippling the world's third-largest spam-spewing network. A total of five servers in Panama and the Ukraine were

A National Cyber Security Strategy and the establishment of a national CERT are now mandatory. The big industrialized countries that care about the protection of their economy, digital and real, define their own defense and development strategy aimed at this. It is obvious that Cyber Security issues are as important as any other model of security. For far too long we have spoken, unfortunately only spoken, of an organization that handles in an organized way the issues related to the protection of critical information infrastructures and how they interconnect with each other. I will not go deeply into the analysis of why Robert Morris in 1988 released a virus that could self-replicate "n" times, spreading from one computer to another over the ARPANET and leading to the first U.S. CERT ("Computer Emergency Response Team"). What happened then is prehistory today! The creation of an organization that finally succeeds in creating a dialogue, in properly handling all the information - addressing it in a symmetrical and constructive way - and in managing the possible / probable incidents in the wide world of the Net cannot be postponed any longer. The example of other big countries that have adopted CERTs of this importance, for example the U.S. with its ICS-CERT (Industrial Control System Cyber Emergency Response Team), or the UK, Germany or Japan, must remind us that we are so interconnected, especially in the industrial but also in the defense sector, that any security failing leading to a big blackout would exclude Italy from international manufacturing production. It follows that if such a devastating eventuality should happen, Italy would pay the greatest consequences. So an organized exchange of information between public and private, national and international players becomes mandatory for the protection of our country.

If we want to help further the effectiveness and vitality of strengthening industrial action, we necessarily have to establish a National CERT, which coordinates and promotes the exchange of information as well as managing and delivering the data obtained from the Web. How? It is very simple. Even the European Union, recognizing the need to secure cyber space, urged the various Member States to take all necessary steps to make this possible through specific programs. Today, in Italy, we have a great opportunity with the Italian Digital Agenda for implementing a National CERT for the defence of critical information infrastructure. The players and the need to take all necessary actions are already there; only the will to coordinate, putting together all the puzzle components, is missing.

“Italy needs the National CERT” By Massimo Mencaroni – GCSEC

news

Page 3

Everyone is getting in trouble over this nasty story of hacked accounts. The latest in order of time is Yahoo, immediately after the notorious case of LinkedIn. But also Gmail, MSN, AOL, Hotmail, in addition to other providers less used in Europe such as Verizon, SBC Global, BellSouth and Live.com, will have to run for cover. Overall, a big theft of about 453,000 passwords that might send users into a tailspin and, moreover, leaves them seeing their privacy violated. The hacker group that claimed responsibility for the action, called D33D Company, announced that the attack was made possible by exploiting a vulnerability in the SQL database of a Yahoo service, resulting in the theft of usernames and passwords for 453,000 accounts. The technique used for the cyber attack is thus the infamous "SQL injection", which exploits the lack of effective controls on the data inserted into database queries to send malicious code through the web. The D33D group promptly claimed the action on its website with the aim of demonstrating the startling vulnerability of the security systems of much admired web companies. Apparently, therefore, not really a threat but more of a demonstration. However, the credentials have been published by the group on the web and one can never be sure that sensitive data stored in the e-mail accounts will not be exploited for other purposes. Now the real threat is that of legal action by the affected users, some of whom were already planning to start a class action. The popular professional social network LinkedIn has also suffered, in early June, a cyber attack which led to the theft of about six and a half million credentials for access to the platform. In short, part of the LinkedIn database has been exposed, and the passwords with it. Obviously, LinkedIn had applied a password hashing mechanism, but the SHA-1 algorithm was used, which is pretty weak. SHA-1 produces, from any text (so even a password), its hashed version.

The security of a hash algorithm such as SHA-1 derives from the fact that the function that transforms the plain text into its hashed version is not invertible: in principle you cannot go back from the hashed version to the plaintext. Unfortunately, however, the first analysis showed that the SHA-1 passwords were "unsalted": they had not been generated with random bits (a salt) included in the input. The use of the salt technique makes attacks based on dictionaries more difficult and, according to claims by some experts, the LinkedIn passwords may have been easily attacked using the so-called "rainbow tables". To the sorry figure cut by the embarrassing leak of millions of passwords, a large bill may now also be added. In fact LinkedIn has come under fire because of a class action in a federal court in San Jose, California, that could cost the company a maxi-sanction of at least $5 million. Leading the class action is Katie Szpyrka, who had earlier agreed to pay to enjoy all the services provided by the social network dedicated to professionals. LinkedIn is now accused by Szpyrka of negligence, having trampled on the contractual terms that require specific encryption technology to ensure maximum protection of the user database. In other words, LinkedIn would have facilitated the

taken down, while the plug was pulled on two servers in the Netherlands. Grum is responsible for more than 17 percent of the world's spam, according to Mushtaq. Most of the spam sells fake Rolex watches and Viagra. Over the last few years, the tech industry has become more aggressive in battling botnets. In March, Microsoft won court permission to seize the servers of the Zeus botnet, which cybercriminals used to steal $100 million over five years.

UK should go on the offensive in cyber war, say MPs
http://www.csoonline.com/article/711387/uk-should-go-on-the-offensive-in-cyber-war-say-mps
The UK should go on the attack in the cyber war, rather than just defend, according to MPs on the Intelligence and Security Committee (ISC); there are more proactive measures that the military and intelligence agencies could take. Examples could be what the ISC termed 'active defence', which involves interfering with the systems of those trying to hack into UK networks, or accessing the data or networks of targets to obtain intelligence or to "cause an effect" without being detected.

Android malware steals location data from mobile devices
http://www.csoonline.com/article/711385/android-malware-steals-location-data-from-mobile-devices
BitDefender Labs has discovered Android malware that regularly broadcasts the location of the infected mobile device to a remote server. The app operates in the background and appears on the smartphone or tablet as an icon with the word "store" written on it. Whether it's spyware or another type of malicious app, the amount of mobile malware is soaring. During the first quarter of this year, the year-to-year increase was 30 percent, with spyware alone doubling. Most mobile malware is targeted at Android, the leading smartphone operating system.

FBI stings expected to increase web underground's secrecy
http://www.csoonline.com/article/711033/fbi-stings-expected-to-increase-web-underground-s-secrecy
The FBI's latest arrests in a two-year, international sting operation that has led to the capture of more than two dozen suspected cybercriminals will likely drive crooks to adopt more sophisticated tactics to avoid detection, security experts say. In June 2010, the FBI launched in the criminal underground an online forum called Carder Profit, where criminals bought and sold credit card, debit card and bank account numbers; social security numbers and other personal identification information; hacking tools and "drop services." Cybercriminals are also adopting stealthier technologies: encryption, proxies and obfuscation tactics make it very hard to track them down.
Mahdi cyberespionage malware infects computers in Iran, Israel, other Middle Eastern countries
http://www.csoonline.com/article/711390/mahdi-cyberespionage-malware-infects-computers-in-iran-israel-other-middle-eastern-countries
A piece of malware called Mahdi or Madi has been used to spy on hundreds of targets from Iran, Israel and a few other Middle Eastern countries during the past eight months, according to researchers from security vendors Seculert and Kaspersky Lab. Mahdi is capable of logging keystrokes, taking screenshots at specified intervals, recording audio and stealing a variety of documents,

“Is it time to say ‘goodbye password’?” By Maria Luisa Papagni – Almaviva/GCSEC

Page 4

leak of passwords in the absence of "adequate security". The social network was also accused of violating California consumer protection law by not having bothered to promptly notify its users. "We believe that no account has been compromised after the theft of passwords, and we have reason to believe that no member of LinkedIn has been damaged. We believe that these accusations are unfounded, and we will defend ourselves vigorously against attempts to exploit that causes criminal behavior of third parties". From a legal point of view, the question will be all there, and the judges will be asked to solve the problem. Attacks such as those mentioned above demonstrate security leaks in the management of passwords by operators. Governments and regulators should impose minimum measures for the protection and proper handling of credentials, as in banking for payment credentials, for example. But thefts of passwords, such as the LinkedIn case, also reveal that users have not learned anything. They used easily guessable passwords again. The many violations involving weak password authentication schemes show that the current password system is not adequate. Let's face it: people cannot remember complicated passwords for secure logins. Users have shown over and over again that their nature is to choose weak passwords, the usual "123456", "qwerty" or "password", and they often use the same password for multiple accounts. Furthermore, to remember their passwords, they often write them on sticky notes, which they may even put on the monitor or under the keyboard! It’s time we realized that this system is neither sustainable nor secure. New forms of authentication must emerge. Instead of telling people to remember more and more complicated strings of letters, numbers and symbols, we could think of adopting new approaches to authentication that are more secure and easier for people. So long live the password managers, but above all the identity management systems!
Yes, because the concept of an e-mail address, for example, is strictly connected to the concept of digital identity. Or better, an e-mail address is a digital identity! A digital identity is our Facebook profile, our e-Passport, our PayPal or our Amazon account. Probably all of us have at least one digital identity, and this fact adds a further level of complexity because, as written before, users are not able to manage them. So there are many solutions that offer the possibility to easily and securely log in to websites: OneID, OpenID, and many others. A user no longer needs to remember multiple usernames and passwords or to fill out forms… the system does it for them. Finally, awareness of the need for change is growing and these solutions are becoming increasingly popular. So do not worry about it! Maybe soon we can free our minds. We would not need to remember all our passwords or try them all when we log in to websites… and probably we will also use far fewer sticky notes!
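The two defects behind the incidents this article describes, a database lookup built from user input and password storage as unsalted SHA-1, each shown beside the form that avoids it. This is an added example written for this edition, not code from the article's author or from any of the companies named; the table layout, the account name, the candidate-password list and the PBKDF2 iteration count are all constructed for illustration.

```python
"""Added example: the two credential-handling defects named in the article above
(an SQL query built from user input, and unsalted SHA-1 password hashes), each
beside the safe form. All names, the table layout and the sample values are
constructed for illustration and are not from the newsletter or any vendor."""
import hashlib
import hmac
import os
import sqlite3

# --- Part 1: storing passwords -------------------------------------------

def unsalted_sha1(password):
    """What the article says LinkedIn stored: one deterministic digest per
    password, identical for every user who chose that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_table(candidate_passwords):
    """A rainbow table in miniature: digest -> password, computed once and
    reusable against any leak of unsalted digests."""
    return {unsalted_sha1(p): p for p in candidate_passwords}


def reverse_unsalted(table, digest):
    """Precomputation pays off only because the digest carries no per-user
    randomness; a hit recovers the password without any further hashing."""
    return table.get(digest)


PBKDF2_ITERATIONS = 100_000  # constructed value; tune to your hardware


def make_record(password):
    """Salted, slow form: 16 random salt bytes + PBKDF2-HMAC-SHA256. The same
    password yields a different record every time it is stored."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_record(record, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Part 2: looking a user up -------------------------------------------

def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, record TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("o'brien", make_record("correct horse battery")))
    return conn


def find_user_unsafe(conn, username):
    """The defect: the input is spliced into the SQL text, so any quote in it
    is parsed as SQL rather than treated as part of the name."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()


def find_user_safe(conn, username):
    """The fix: a bound parameter; the driver keeps data and code apart."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def unsafe_lookup_outcome(conn, username):
    """Report what the unsafe form does for a given input, without raising."""
    try:
        return ("row", find_user_unsafe(conn, username))
    except sqlite3.OperationalError:
        return ("sql error", None)


if __name__ == "__main__":
    # Constructed list of weak choices, the same ones the article names.
    table = lookup_table(["123456", "qwerty", "password"])
    leaked = unsalted_sha1("qwerty")
    print("unsalted digest reversed:", reverse_unsalted(table, leaked))
    r1, r2 = make_record("qwerty"), make_record("qwerty")
    print("same password, different records:", r1 != r2,
          "| both verify:", verify_record(r1, "qwerty") and verify_record(r2, "qwerty"))
    conn = make_db()
    print("safe lookup of o'brien:", find_user_safe(conn, "o'brien"))
    print("unsafe lookup of o'brien:", unsafe_lookup_outcome(conn, "o'brien"))
```

An apostrophe in a perfectly legitimate username is already enough to break the string-built query, which is the same control gap the article attributes to the Yahoo breach. The salted records show why a leaked `users` table is not a lookup problem: the attacker's work has to be redone per user and per guess, at the full iteration count each time, and two accounts sharing a password cannot even be recognised as such.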

The Internet was founded in the 60's during the Cold War and it was initially a network dedicated to communications within the scientific community and among governmental and administrative organizations. Originally only part of a technocratic elite had access to the Internet, and it had an interest in collaborating and sharing the results of work and research. In this environment the primary concern was network reliability. Security problems and mobility needs were secondary to quality of service and availability. Today we use the Internet to read our mail or access social network sites from various devices like laptops, PCs and smartphones, and from different points of the network. Audio and video files are transmitted over IP and, with the evolution into the world of the “Internet of things”, a wide range of intelligent devices such as appliances, telephones, and vehicles will support connectivity. With the evolution of its services, the Internet must respond to new needs such as eCommerce and eBanking services, which expose users to risks of financial loss.

images, archives and other files.

Fake Facebook photo tag ruse smears malware on PCs
http://www.theregister.co.uk/2012/07/19/facebook_photo_tag_malware_ruse/
Spam emails have attempted to trick Facebookers into visiting virus-stuffed web pages by claiming users have been tagged in photos. The counterfeit messages appear to have been sent by the dominant social networking website, but the "From" address is misspelled as "Faceboook.com", among other mistakes. The emails feature clickable links to a website hosting malicious code, including the infamous Blackhole kit, which tries to gain control of users' systems when visited.

YouTube blurs faces to protect the innocent
http://www.theregister.co.uk/2012/07/19/youtube_blurs_faces/
YouTube has launched a feature that blurs faces in videos uploaded to the site, “to share sensitive protest footage without exposing the faces of the activists involved, or share the winning point in your 8-year-old’s basketball game without broadcasting the children’s faces to the world ..."

Internet Defense League to save the web from evil governments
http://www.theregister.co.uk/2012/07/19/internet_defense_league_launch/
Not-for-profit rights group Fight for the Future will on Thursday launch the Internet Defense League, a new initiative designed to help internet stakeholders fight back whenever their rights are threatened by the man. Fight for the Future’s hope is that the League will spring Batman-like into action whenever internet rights are threatened.

Hacktivists lift emails, passwords from oil biz in support of Greenpeace
http://www.theregister.co.uk/2012/07/17/opsavethearctic
An Anonymous cadre has hacked into major oil corporations' computers to protest against drilling in the Arctic. The attack, dubbed OpSaveTheArctic, has led to the lifting of email addresses and encrypted password hashes for about 500 email accounts at five leading oil exploration corporations: Exxon Mobil, Shell, BP, Gazprom and Rosneft. Some of the leaked contact addresses have been added to Greenpeace's Save The Arctic petition page. Other hacktivists have been encouraged to spread the list.

Olympics security cockup down to software errors – report
http://www.theregister.co.uk/2012/07/16/software_caused_olympic_security_fiasco/
A computer software failure caused the security fiasco at the Olympics, the Independent on Sunday has said, after talking to insider sources at security contractor G4S. G4S defaulted on their Olympic security contract two weeks before the start of the games, meaning that 3500 members of the armed forces have been drafted in to provide basic security coverage for the Olympics. The security firm said they were unable to recruit and train enough guards to adequately police the site.

Yahoo! fixes password leak vulnerability
http://www.theregister.co.uk/2012/07/13/yahoo_fixes_password_hole/
Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers' accounts. The company said the information that was

“Ipv6, a real need” By Elena Agresti – GCSEC

Page 5

Furthermore, created for a smaller number of users, the Internet today is collapsing. Its original protocol, called IPv4, has assigned almost all the available addresses, about 4.3 billion. To respond to this issue, measures such as the adoption of NAT (Network Address Translation) were taken, allowing a single unique address to be assigned to entire networks, often called local networks. Today, in fact, corporate networks usually have just a few addresses directly connected to the Internet; entire corporate networks are reached as a single host, and NAT allows them and all the clients behind the public IP to be addressed. While increasing the security of internal servers, whose IP addresses are not known, NAT makes security audits more complicated and reduces end-to-end attacks. The only possible solution to the collapse of the Internet is to adopt a new protocol, IPv6. But IPv4 and IPv6 will work in parallel as long as necessary, even if in the long run the implementation of IPv6 is to be completed. The main devices on the market already implement both the IPv4 and IPv6 protocols, to communicate with all types of devices. The big service providers, such as Google, Facebook and YouTube, have recently adopted IPv6 and provide their services in both IPv4 and IPv6. IPv6 responds to several issues, first of all the address space. IPv6 allows the use of thousands of billions of new Internet addresses, responding to current and future requests. While an IPv4 address consists of four groups of up to three digits separated by dots, of the type 192.168.1.1, a typical IPv6 address consists of eight groups separated by ":". Each group is composed of up to four letters or numbers (hexadecimal digits), like 2001:db8:1f70:999:de8:7648:6e8. IPv6 is a new generation protocol and natively includes additional features such as IPsec, which was optional in IPv4. In particular IPsec allows authentication of messages, authenticating the sender and verifying that the packet has not been altered during transmission.
In addition, through authentication and encryption of messages, it ensures that only the authorized recipient will be able to read the message. The IPv6 protocol guarantees better network performance, in particular for routers and bridges/switches, by using a fixed header size, and simplifies the deployment of mobile IP-based systems. It is, in fact, a multicasting protocol: it transmits a packet to multiple destinations in a single send operation. IPv6 ensures the scalability of the Internet and enables innovative applications, including sensor networks and embedded systems. It allows every machine/device to have its own IP address on the wider Internet, simplifying network designs and also allowing easier remote configuration. Websites will be configured to support the old connections in a configuration called "dual stack": if a computer does not support IPv6, the information will be served through traditional IPv4 connections. The transition to IPv6 has not had and will not have any effect on the usability of the Internet for end users. The transition period will be long, and operations and interoperability will need to be maintained. The adoption of IPv6, along with its security advantages, also brings disadvantages. While responding to the shortage of IP addresses, the growth in the number of IP addresses may cause filtering systems to collapse. In fact, around 90% of the web filtering tools used by business today rely on blacklists. Furthermore, organizations should upgrade their security policy with IPv6 adoption. Rules for firewalls and network security policy should be reconsidered. The dynamic change of IP addresses makes it difficult to implement with IPv6 the security policies already adopted, due to the different structure of the packets and the global generation of addresses. Today, IPv6-based products are still immature or poorly configured and therefore more exposed to vulnerabilities. Security researchers have already seen widespread malware with IPv6-based command-and-control capabilities.
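The point above about blacklists and firewall rules, as an added example that is not part of the article: three spellings of one IPv6 address are one host, and a host rotating temporary addresses inside its /64 prefix is one network, but an exact-string blacklist sees neither, while a rule that parses addresses and matches on prefixes sees both and covers IPv4 and IPv6 with a single policy. It uses only Python's standard `ipaddress` module; the blocklist entries and sample addresses are constructed from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 and describe no real host.

```python
"""Added example (not from the newsletter): an address filter that survives
the move from IPv4 to IPv6. Blocklist entries and sample addresses are
constructed from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and
2001:db8::/32 and describe no real host."""
import ipaddress

# One policy, both families: each entry is a network, so an IPv4 host is a /32
# and an IPv6 host a /128; an IPv6 prefix covers every address a host can
# generate inside it.
BLOCKLIST = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::1/128"),
    ipaddress.ip_network("2001:db8:1f70:999::/64"),
]


def address_space_sizes():
    """Total addresses in each family (the article's 4.3 billion vs. 2**128)."""
    return (ipaddress.ip_network("0.0.0.0/0").num_addresses,
            ipaddress.ip_network("::/0").num_addresses)


def canonical(text):
    """Parse either family and return the compressed lowercase form, so that
    every spelling of one address compares equal."""
    return str(ipaddress.ip_address(text))


def string_blacklist_hit(text, blacklist_strings):
    """The weak form the article describes: exact string comparison."""
    return text in blacklist_strings


def is_blocked(text, blocklist=BLOCKLIST):
    """The robust form: parse, then test membership in each network.
    Membership across families is simply False, so v4 and v6 entries mix."""
    ip = ipaddress.ip_address(text)
    return any(ip in net for net in blocklist)


def privacy_addresses(prefix_text, interface_ids):
    """Addresses one host may present over time when it rotates the low 64
    bits (RFC 4941 temporary addresses) inside a single /64 prefix."""
    net = ipaddress.ip_network(prefix_text)
    return [str(net[i]) for i in interface_ids]


if __name__ == "__main__":
    variants = ["2001:0db8:0000:0000:0000:0000:0000:0001",
                "2001:DB8::1", "2001:db8:0:0:0:0:0:1"]
    naive = {"2001:db8::1"}  # the string form a naive tool would hold
    for v in variants:
        print(f"{v:40} canonical={canonical(v)} "
              f"string-hit={string_blacklist_hit(v, naive)} blocked={is_blocked(v)}")
    # The same host, three temporary addresses later: only the prefix rule holds.
    for a in privacy_addresses("2001:db8:1f70:999::/64", [1, 0x1234, 2**63]):
        print(f"{a:40} blocked={is_blocked(a)}")
    v4, v6 = address_space_sizes()
    print("IPv6 address space is", v6 // v4, "times the IPv4 space")
```

The design choice is to normalise at parse time and to express every rule as a network rather than a string: that is what lets one list serve a dual-stack deployment, and it is why a /64 per host, not a list of individual IPv6 addresses, is the unit at which blacklist-style filtering still scales.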
An analysis conducted by RIPE Labs found that 3.5 percent of all email received on IPv6 networks was spam. This indicates that spammers have already started the migration. Operators have competences in IPv4; there is a lack of IPv6 skills, and it could be a real security risk. In many cases, IPv6 is enabled by default, so they could use IPv6 and IPv4 at the same time, nullifying security measures they

published by members of the hacking group D33Ds Company stemmed from users who had signed up with the Associated Content site before Yahoo! bought it in 2010. If these users try to log into their Yahoo! accounts now they will be asked a series of authentication questions before having to change their data, and Yahoo! is also suggesting other users get into the habit of changing their passwords regularly.

Security fail for Apple as hacker cracks iOS in-app purchasing
http://www.theregister.co.uk/2012/07/13/apple_ios_hack
A Russian hacker claims to have found a way to crack the in-app purchasing mechanism used in iOS so that users can get free content in a variety of applications. The hacker posted a video of the crack on YouTube and claims that the technique makes it possible to beat Apple's payment systems by installing a couple of certificates and assigning a specific IP address to the device.

Billabong is latest password breach victim, 21k exposed
http://www.scmagazine.com/billabong-is-latest-password-breach-victim-21k-exposed/article/250203/
More than 21,000 unencrypted usernames and passwords have been stolen from Australian surfwear company Billabong and posted online to CodePaste.net.

Black Hat hacker con promises to "ruffle some feathers"
http://www.scmagazine.com/black-hat-hacker-con-promises-to-ruffle-some-feathers/article/250043/
The annual Black Hat security conference, which kicks off in Las Vegas later this month, is full of sessions showcasing the latest research on vulnerabilities and defenses. This year the Black Hat Review Board evaluated more than 500 submitted proposals to select the 80 sessions that would be presented over a two-day period, July 25 and 26.

Formspring disables user accounts after password leak
http://www.scmagazine.com/formspring-disables-user-accounts-after-password-leak/article/249852/
The social networking Q&A site Formspring has been hacked, and hundreds of thousands of password hashes were leaked. The company disabled all user passwords as soon as it learned of the network intrusion. Users will be prompted to change their passwords when they log back into Formspring.

Google may pay $22.5 million for bypassing Safari settings
http://www.scmagazine.com/google-may-pay-225-million-for-bypassing-safari-settings/article/249590/
Google is close to finalizing a settlement with the Federal Trade Commission (FTC) on charges related to bypassing Apple's user privacy settings in Safari. The web giant is expected to pay a record $22.5 million as part of the settlement, officials familiar with the terms told the Wall Street Journal for its Tuesday editions. While the FTC staff and Google have reached a proposed settlement and agreed on the fine, it still needs to be approved by agency commissioners. The terms could still be altered. If approved, the fine will be the largest penalty ever imposed on a single company by the FTC.


have put around either protocol. To support IPv6 deployment, several studies and guidelines have been published by vendors, by standardization entities such as NIST with the publication of 800-119 “Guidelines for the Secure Deployment of IPv6”, and by international organizations such as ICANN. Deployment of IPv6 is also a key element of the European Digital Agenda. On World IPv6 Day, Neelie Kroes, Vice President of the European Commission for the Digital Agenda, said: "I encourage governments, Internet content and service providers and any company doing business on the Internet to switch to IPv6 as soon as possible or we will face what we cannot afford in Europe: huge market distortion, slower Internet and a negative impact on innovation." The European Economic and Social Committee agrees that urgent action is needed. It encourages the Commission to be more “assertive about the leadership role that the EU should now take to rapidly accelerate the adoption of IPv6”. The OECD has also studied the transition from IPv4 to IPv6, analysing the associated economic aspects. Italian institutions are aware of the importance of the IPv6 transition. In one of the "motions on cyber security threat" approved in meeting no. 728 of 23/05/2012, the Senate "commits the Government to adopt, with the highest priority - because of the seriousness of the risks consequent on the depletion of IPv4 addresses - measures to enable the availability of new unique IP addresses, with the transition to IPv6 or the introduction of technical devices that allow

“It is the rule in war, if our forces are ten to the enemy's one, to surround him; if five to one, to attack him (…) if slightly inferior in numbers, we can avoid the enemy”. Sun Tzu probably did not have cyber fights in mind in his “The Art of War”, but sometimes real and virtual scenarios follow the same principles. The size of the army is one of these.
The greater the forces involved, the higher the probability that the enemy's defenses collapse, whether we speak of walls or … firewalls! Hence the botnet: the idea of taking advantage of an army of computers that silently follows orders and fights for its master, the “bot herder”. But how does a cracker succeed in taking possession of such a large number of machines, and above all, what can he do with this army? Well, a botnet is nothing more than a set of compromised computers connected over the Internet and waiting for commands. Each element (the “bot”) is a device infected by malware that, among its tasks, is designed to open a communication channel to a machine controlled by the cracker. However, a direct channel would make it too easy to trace the bot master, so in practice bot masters rely on intermediary systems such as IRC (Internet Relay Chat) servers. Through this kind of service they are able to create a meeting place where instructions are delivered and forwarded to the bots. This is just the logical structure. Botnet management can be really complicated, as the cracker's main goal is not to be found. At the same time it is important for him to increase the number of controlled computers. Since that,

otherwise user identification." The FBI has raised concerns about the use of IPv6. It requires that “traceability features be enabled with IPv6 that will allow federal agents to identify suspected cybercriminals with the same kind of ease evident with IPv4”. “The FBI has even suggested that a new law may be necessary if the private sector doesn't do enough voluntarily.” An FBI spokesperson explained: “An issue may also arise around the amount of registration information that is maintained by providers and the amount of historical logging that exists. Today there are complete registries of what IPv4 addresses are “owned” by an operator. Depending on how the IPv6 system is rolled out, that registry may or may not be sufficient for law enforcement to identify what device is accessing the Internet.” Traceability is relevant, but the transition to IPv6 is a real need. International co-operation and monitoring are needed to guarantee a correct transition to IPv6. Governments must encourage IPv6 adoption. Network operators and private companies must learn to define and meet new security and operational procedures, implement IPv6 training initiatives, and consider IPv6 connectivity in traffic exchange agreements.

the botnet is rarely dormant. Each component is always busy finding other victims. The malware, if it does not receive any different instruction from its master, monitors the network and tries to copy itself to every possible new device. The attacks or criminal activities that a botnet owner can perpetrate are numerous and very different from each other. The best-known use of zombie PCs (as they are usually called, since they seem silent when in fact they are working for someone else) is for distributed denial-of-service attacks. A server or router can hardly sustain persistent traffic from thousands of machines, and so it falls under the effect of the botnet, making itself unavailable to authorized users.
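The IPv6 article's warning that IPv6 is often enabled by default, so IPv4-only filtering leaves the same services reachable over IPv6, can be checked mechanically. The following Python script is an added example written for this newsletter, not code from GCSEC or any vendor; the rule format, the sample policy and the listening ports are constructed for illustration.

```python
"""Dual-stack policy parity check (added example, not code from GCSEC or any vendor).

A host firewall is modelled as a list of rules in a constructed format
(family, action, port, source prefix). The check reports listening ports
that are closed to the whole world on one address family but not on the
other, and suggests the rules that restore parity.
"""
import ipaddress
from collections import defaultdict

# Constructed sample policy: SSH and SMB are blocked from any IPv4 source
# except the corporate 10/8 range, HTTPS is public on both families, but
# nobody wrote IPv6 rules for ports 22 and 445 at all.
SAMPLE_RULES = [
    {"family": 4, "action": "allow", "port": 22, "source": "10.0.0.0/8"},
    {"family": 4, "action": "deny", "port": 22, "source": "0.0.0.0/0"},
    {"family": 4, "action": "deny", "port": 445, "source": "0.0.0.0/0"},
    {"family": 4, "action": "allow", "port": 443, "source": "0.0.0.0/0"},
    {"family": 6, "action": "allow", "port": 443, "source": "::/0"},
]
# Constructed: ports the host actually listens on with dual-stack sockets.
LISTENING_PORTS = {22, 443, 445}


def world_denies(rules):
    """Map each address family to the ports it denies from any source."""
    denied = defaultdict(set)
    for rule in rules:
        net = ipaddress.ip_network(rule["source"])
        if net.version != rule["family"]:
            raise ValueError(f"source {rule['source']} is not IPv{rule['family']}")
        if rule["action"] == "deny" and net.prefixlen == 0:
            denied[rule["family"]].add(rule["port"])
    return denied


def parity_gaps(rules, listening_ports):
    """Return {port: family_left_open} for ports filtered on one family only."""
    denied = world_denies(rules)
    gaps = {}
    for port in sorted(listening_ports):
        for fam, other in ((4, 6), (6, 4)):
            if port in denied[fam] and port not in denied[other]:
                gaps[port] = other
    return gaps


def missing_rules(rules, listening_ports):
    """Suggest the deny-from-anywhere rules that restore parity."""
    anywhere = {4: "0.0.0.0/0", 6: "::/0"}
    return [
        {"family": fam, "action": "deny", "port": port, "source": anywhere[fam]}
        for port, fam in parity_gaps(rules, listening_ports).items()
    ]


if __name__ == "__main__":
    for port, fam in parity_gaps(SAMPLE_RULES, LISTENING_PORTS).items():
        other = 4 if fam == 6 else 6
        print(f"port {port}: filtered on IPv{other} only, still open over IPv{fam}")
    for rule in missing_rules(SAMPLE_RULES, LISTENING_PORTS):
        print("add:", rule)
```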

“Botnets. The real virtual armies” by Marco Caselli - GCSEC


Botnets are commonly used for espionage activities. Spyware delivered through them can collect and send information to bot herders about users’ activities. Passwords and credit card numbers, but also visited websites, are valuable data that can be sold on black markets. Another very profitable business is email spamming. Over the years it has been estimated that about 80% of global email traffic comes from botnets. Messages are usually advertising or malicious. It is worth noting that botnets are also used as a support for other cyber frauds. Phishing, for example (the scam that tries to trick users with copies of websites similar to the original), can use a botnet to hide the malicious servers hosting the fake website. This is done through mechanisms called “Fast Flux”: techniques that continuously modify DNS records to create an ever-changing network in which it is almost impossible to trace connections. Regardless of the type of attack, the strength of a botnet is always its size. If anti-cybercrime units do not find the Command & Control servers (the machines typically used to route instructions to the bots), taking down even a thousand-machine botnet is impossible. But the numbers are much higher. The BredoLab botnet in 2009 reached 30,000,000 units, and together Rustock and Cutwail (with just 1,650,000 bots) in the 2006/2007 biennium sent

It’s finally time for being digital in Europe. It might seem incredible, but the economic problems affecting our continent are becoming one of the most relevant drivers for the digital evolution of the European Union. Citizen digital inclusion and digital services promise to be, according to EU experts, one of the cornerstones for coming out of the biggest economic crisis of the last twenty years. The plans of the European Union, summarized in the EU 2020 strategy, give a lot of relevance to the definition of a European Strategy for the digital world in Europe.
On 21 and 22 June, in Bruxelles, experts and politicians from all around the continent were invited, within the context of the “European Digital Agenda Assembly 2012”, to contribute to the definition and review of the principles which constitute the basis for the European digital agenda. The meeting was organized by the European Commission to get an update on the “state of the Union” on the digital topic and to gather new indications from the participants which would help in speeding up the digitalization process. The first day was organized in parallel sessions exploring different priorities of the digital agenda:
1. Anytime, Anywhere, Any Device - Converged Media Platforms
2. High-speed connections
3. Trust What You Buy, Choose How to Pay - The Future of e-Commerce in Europe
4. Social Media: Social Networking for Economic Recovery, Jobs and Growth
5. Data vulnerabilities
The proposed steps raised wide consensus in the audience.

something like 100 billion spam emails per day! Last but not least, the cyber world is now dealing with Zbot. This threat stands out from the others because it is not yet clear how extensive the network of compromised computers is (some hypotheses describe 3,600,000 bots in the US alone) and because of the malware involved: Zeus. This malicious program, besides being one of the most complex and incisive Trojan horses studied to date, is very difficult to detect even with up-to-date antivirus software, due to its stealth features. However, cyber security experts do not stand idly by. Intrusion prevention systems (especially rate-based ones) and intrusion detection systems are good and widely used instruments for mitigating the problem, even if such tools always have to be customized for the malware they are dealing with. A final and comprehensive solution does not yet exist. World events may teach that larger armies usually emerge victorious from the fighting. For this reason it is possible that in the near future nations and companies will field, in turn, crowds of computers in defense of their cyber domains. History tells us of wars; will cyber-wars be told in books of cyber-history?

6. Clouds for Europe: From Cloud-friendly to Cloud-Active
7. Security: Secure Digital Future, building on growth, innovation and confidence
8. Innovation and entrepreneurs
Dr. Igor Nai Fovino (representing GCSEC) participated as invited speaker in the Secure Digital Future session, with a speech on the relevance of digital identity as a digital inclusion enabler in Europe.
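The “Fast Flux” mechanism described in the botnet article above leaves a recognisable trace in a resolver's answers: short TTLs, many distinct A records over time, and addresses scattered across unrelated networks. The Python script below is an added example, not code from GCSEC or any vendor; it scores constructed DNS log lines on those three signals, with thresholds that are illustrative rather than taken from the article, and uses /16 prefixes as a stand-in for network diversity where real tooling would map addresses to ASNs.

```python
"""Fast-flux heuristic over DNS resolution logs (added example, not code from
GCSEC or any vendor). Thresholds and the /16 diversity proxy are assumptions."""
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed log, one lookup per line: "<unix_ts> <qname> <ttl> <A records>".
# Public addresses come from the RFC 5737 documentation ranges; the intranet
# entry uses a private RFC 1918 address.
SAMPLE_LOG = """\
1341100000 login-verify.example 180 203.0.113.7,198.51.100.23,192.0.2.41
1341100200 login-verify.example 180 198.51.100.90,203.0.113.200,192.0.2.8
1341100400 login-verify.example 120 203.0.113.77,192.0.2.130,198.51.100.5
1341100000 cdn.example 60 192.0.2.10,192.0.2.11,192.0.2.12
1341100200 cdn.example 60 192.0.2.12,192.0.2.13,192.0.2.10
1341100000 intranet.example 86400 10.20.30.40
"""


def parse_log(text):
    """Group lookups by query name: {qname: [(ts, ttl, [ip, ...]), ...]}."""
    lookups = defaultdict(list)
    for line in text.splitlines():
        ts, qname, ttl, answers = line.split()
        lookups[qname].append((int(ts), int(ttl), answers.split(",")))
    return lookups


def flux_features(lookups):
    """Summarise one name's lookups into the three fast-flux signals."""
    ips, prefixes, ttls = set(), set(), []
    for _, ttl, answers in lookups:
        ttls.append(ttl)
        for addr in answers:
            ips.add(ipaddress.ip_address(addr))
            # /16 stands in for "different network"; real tooling would use ASNs
            prefixes.add(ipaddress.ip_network(f"{addr}/16", strict=False))
    return {"unique_ips": len(ips), "unique_prefixes": len(prefixes),
            "mean_ttl": mean(ttls), "lookups": len(lookups)}


def is_fast_flux(features, max_ttl=300, min_ips=5, min_prefixes=3):
    """All three signals must fire: a low-TTL CDN inside one prefix is not flux."""
    return (features["mean_ttl"] <= max_ttl
            and features["unique_ips"] >= min_ips
            and features["unique_prefixes"] >= min_prefixes)


def suspicious_domains(text):
    """Names in the log whose resolution pattern looks like fast flux."""
    return sorted(name for name, lookups in parse_log(text).items()
                  if is_fast_flux(flux_features(lookups)))


if __name__ == "__main__":
    for name, lookups in parse_log(SAMPLE_LOG).items():
        feats = flux_features(lookups)
        print(name, feats, "FLUX" if is_fast_flux(feats) else "ok")
```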

GCSEC brought to the European discussion table the problem of the traditional vulnerability of soft identities and the risks to which EU citizens are exposed due to the use of soft digital identities in critical contexts. GCSEC proposed to the EU Commission a package of urgent actions to be put in place to improve the security of digital identities:
• Define EU common frameworks, standards and regulations on Digital Identity (soft and strong), mutually recognized in all Member States
• Define a set of minimal security requirements with which Identity Service Providers must comply
• Create public awareness of the importance of securing Digital Identity in order to mitigate threats and

diagnose and cure. eInvoicing, eProcurement. eGovernment”.

“European Digital Agenda Assembly 2012” by Igor Nai Fovino - GCSEC


The second day, in which Alexander Alvaro (Vice President, EU Parliament), Neelie Kroes (Vice President, EU Commission) and Amalia Sartori (Chair of the Committee on Industry, Research and Energy, European Parliament) participated among others, was devoted to reviewing the results of the first day and to planning future actions. Of particular interest was the speech of Neelie Kroes, which provided an overview of the current situation of the digital agenda and of the direction to be taken in the coming future. Ms. Kroes underlined how in the EU vision, “ICT supports innovation, jobs, and society, helping businesses to grow; and supporting fields from entertainment to healthcare”. At the same time, ICT is evolving into something very different from the traditional fixed network paradigm, as “more than 176 million Europeans can now access mobile internet wherever they go, in some cases now aided by new 4G networks”, pointed out Ms. Kroes, stressing the fact that in this period of crisis ICT “can boost productivity, efficiency, effectiveness. And it can provide so many innovations and applications.” Ms. Kroes underlined what the priorities would be: “Social media, smart grids, streaming on demand, software as a service. Data sharing, data mining; crowd-sourcing, crowd-funding. Tele-health solutions for those getting older; healthcare apps to inform and empower; electronic pills to

On 4th June 2012 the European Commission adopted the proposal for a Regulation "on electronic identification and trusted services for electronic transactions in the internal market". The proposal is going through the ordinary legislative procedure, and it is expected that the Regulation will replace the existing EU Directive of 1999 and will lead to a renewal and a breakthrough in the development of electronically supplied services.
The proposal is issued pursuant to Article 114 of the TFEU, according to which the European Parliament and the Council - acting under the ordinary legislative procedure and after consulting the Economic and Social Committee - adopt the measures for the harmonization of Member States' legislation regulating the establishment and functioning of the internal market. The initiative follows the provisions of the Digital Agenda for Europe [COM(2010) 245], which proposes the adoption of rules on electronic signatures (key action no. 3) and the mutual recognition of e-identification and e-authentication across the EU, based on online 'authentication services' to be offered in all Member States (key action no. 16), in order to establish a clear regulatory framework that would eliminate fragmentation, promote interoperability, develop digital citizenship and prevent cyber crime. Going into more detail, the new rules will facilitate more

While on one side this is what the EU as a whole should aim to improve, on the other a lot of effort is needed before these areas are seen at the centre of European development. For that reason Ms. Kroes announced that later this year she will propose a review of the digital agenda, to strengthen the EU approach and focus on priorities:
1. Cloud: create a single, seamless space where digital content can flow within our internal market.
2. Ensure a secure and open internet. One where we can defend against critical risks, malicious attacks, or criminality. Because the more we depend on the internet, the more we depend on its security.
3. Deliver fast broadband for all. By encouraging private investment, and legal predictability.
4. Stimulate innovation and entrepreneurship, revamping European research and innovation programmes and supporting entrepreneurs.
5. Use ICT to boost the quality and efficiency of public services.
The impression is that Europe has finally decided to jump decisively onto the ICT horse; China, Japan, the USA and the emerging economies are by far in the lead, but it is not the first time that old Europe has been able to transform itself from runner-up to winning horse. That’s all for now from Bruxelles.

secure and homogeneous electronic transactions, in order to improve the effectiveness of e-government and private services, as well as e-business and e-commerce. As mentioned, the current European legislation on personal identification for electronic transactions is set by Directive 1999/93/EC, which establishes a Community framework limited to the use and mutual recognition of electronic signatures. The new proposal therefore aims to widen the existing regulatory framework, in order to strengthen the confidence of citizens, businesses and public institutions in online transactions, as a main lever to promote economic development.
The European Commission has repeatedly pointed out that the lack of confidence is a key element that restrains consumers, businesses and governments from carrying out transactions electronically and adopting new services. The adoption of rules ensuring the mutual recognition of electronic identification and authentication across the EU, and the review of the Directive on electronic signatures, are also key actions of the Single Market Act (see COM/2011/0206, Single Market Act: Twelve levers to boost growth and strengthen confidence, "Working together to create new growth", section 2.7, The digital single market) and of the “Roadmap for stability and growth”, presented by the European Commission on

“Revision of the Electronic Signature Directive pursuant to the provisions of the Digital Agenda for Europe.” by Alessandra Lonardo - GCSEC


GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy www.gcsec.org

October 2011. The new framework will give legal effect and mutual recognition to trust services, including enhancing the current rules on e-signatures, and will provide a legal framework for electronic seals, time stamping, electronic document acceptability, electronic delivery and website authentication. There will also be a positive impact in terms of competition, especially for companies that provide trust services, which currently operate in a context marked by differences among national laws that often create legal uncertainty and additional costs. Considering possible future scenarios, an enterprise could participate electronically in a public contract called by the administration of another Member State without risking its electronic signature being blocked by specific national requirements and interoperability issues. A firm could electronically sign contracts with a counterparty in another Member State without having to worry about the legal requirements for the various trust services, such as electronic seals, electronic documents or time validation. And more: e-commerce will become more reliable thanks to the possibility for potential buyers to verify the authenticity of the seller's website.

Significant efficiency improvements also arise with regard to the simplification of administrative formalities. For example, students may register electronically at a foreign university, citizens may send their tax returns online in another Member State, and patients will have online access to their medical records, thanks to the mutual recognition of electronic means of identification. The proposed regulation repeals the rules laid down in Directive 1999/93/EC and introduces an explicit obligation to confer on qualified electronic signatures the same legal effect as handwritten signatures. In addition, Member States must ensure cross-border acceptance of qualified electronic signatures in the context of providing public services, and must not introduce any additional requirements that may become barriers to the use of such signatures. This proposal gives real impetus to the achievement of the objectives of the Legislation Team (eIDAS) Task Force, set up by the Commission in order to deliver a predictable regulatory environment for electronic identification and trust services for electronic transactions in the internal market, so as to boost user convenience, trust and confidence in the digital world.