Cybersecurity. The European Parliament is worried.

Anyone who carefully reads report A7-0167/2012 of 16 May 2012 on the protection of critical information infrastructure (the European Parliament's response to the European Commission's initiative on the subject) will notice that its authors, members of the Committee on Industry, Research and Energy, are very worried. We can also analyse the opinion of the Committee on Civil Liberties, Justice and Home Affairs attached to this report and see, without any need to read between the lines, that not only those directly involved with the issue are concerned, but also committees that at first sight are not directly affected by the cybersecurity of critical infrastructures.

If you also have the patience to study the recent report on cybersecurity and cyberdefence 2012/2096(INI) of the Committee on Foreign Affairs, dated 17 October 2012, you will realise that the concern sometimes turns into "fear", and that the report urges everyone to get to work, listing countless reasons why we should (the "considerations", the recitals of the report, are impressive...).

The outlook is bleak because the recitals list many points that we should be working on, and even where work has been done it is not yet operational, for many reasons, all of them understandable. The fact is that everything to do with cyberthreats moves very fast, too fast, and the European institutions move very slowly, too slowly. As a society we should be ready to take control of the situation but, unfortunately, this is one of those cases where I get the impression that the regulator is ahead of civil society, because society is not aware of the magnitude of the threat.

This report on cybersecurity and cyberdefence literally says that "the danger posed by cyber threats and cyber attacks against government, administrative, military and international bodies is growing rapidly, both in the EU and worldwide, and there are serious concerns that state and non-state actors, especially terrorist and criminal organisations, may attack the critical information and communication infrastructures of the EU institutions and Member States, with the possibility of causing significant damage, including kinetic effects". It also notes that most cyber incidents, in both the public and the private sector, go unreported, urges the authorities to assess the possibility that an EU Member State may suffer a cyber attack, and discusses the possible application of the mutual defence clause (Article 42(7) of the Treaty on European Union), without prejudice to the principle of proportionality. In this sense, could a state-backed cyber attack be considered a casus belli (1)?

We leave the question open, but if the answer is yes, there are other troubling statements in that report: it "notes that recent cyber attacks against European information networks and state information systems have caused extensive economic and security damage whose scope has not been adequately evaluated".

Clearly, cyberdefence should be part of the Common Security and Defence Policy (CSDP) in order, among other things, to protect and preserve people's lives, digital freedoms and respect for human rights online. However, as of June 2012 only 10 Member States had adopted a cybersecurity strategy, the first step to getting to work. Spain's is still under development.

In any case, both reports urge the development of cybersecurity strategies and emergency plans for the institutions' own systems, explicitly ask all institutions and agencies to address the consequences of a cyber crisis in their risk analyses, and stress the importance of awareness. Member States are encouraged to raise their investment in defence R&D to 2% (2) so that it becomes one of the main pillars of cybersecurity and cyberdefence.

This is all very well, but these are no more than requests made by the parliamentary committees to the European Parliament through their reports and draft reports. What happens in the meantime in the real world? Are we really doing our homework in this matter? Are we aware of the danger as a society? Are the politicians who run our country aware of these risks? Yes? To what degree?

I have my own opinion. We see it in the work we do every day. And we will have to make an enormous effort to make society aware that this is a very important problem for all of us...

(1) Casus belli refers to an act that is considered a cause or pretext for military action. The term appears in the context of late nineteenth-century international law. The casus belli belongs to the ius ad bellum, the body of law governing the resort to war (the ius in bello, or "law of war", governs conduct during war); a priori it prohibits the use of armed force to resolve conflicts, but allows military power to be used against another country under the principle of ultima ratio, that is, as a last resort.

(2) In 2010 only one Member State had reached 2% in defence research and development, and that year five countries had invested nothing.

Cybersecurity policy for digital homes

It sounds like something for companies and executives, but not this time. This time we are talking about the computer systems and technology spreading through many of our homes. We are making progress: Spain and European countries in general have a very high level of ICT penetration, while many Latin American countries, such as Colombia, Mexico, Chile or Peru, are advancing quickly.

We have increasingly sophisticated equipment at home, with dozens of IP devices (TVs, game consoles, computers, routers, tablets, smartphones, etc.) that take a lot of time to maintain and that guard the assets of our homes: our information, our lives. I have to take into account my daughters' Tuenti accounts (Tuenti is the social network most used by Spanish youngsters), my wife's Facebook, my bank accounts, the digital photos taken with my great reflex camera which, now that they no longer have to be taken to a shop to be developed, can have any kind of content, my daughter's list of friends, even with geotagged photos, the access to the little IP camera I installed to watch over the house when I'm away, and a long list of other systems that, for us and our families, hold confidential personal information and are even family critical infrastructures...

If we go further, in a few years we will see video entry systems with advanced functions that integrate home automation and can, for example, turn off the lights remotely or even open the door without us being physically at home.

Given this, the truth is that we parents have little help when it comes to protecting our homes against voyeurs, wrongdoers or evil people in general.

We find some partial recommendations: get an antivirus and keep it updated, don't use cracked programs, be careful with P2P, and set WPA encryption on your Wi-Fi. WPwhat? All of this can become hell for ordinary mortals. It is for me, and I have worked in ICT for many years...

In short, a clearly worrying situation that not only affects home systems but also, directly or indirectly, puts corporate networks at risk, because nowadays it is very difficult, if not impossible, to separate professional and personal technological environments. Thus, technological threats at home can become security threats in the corporate environment, so we must work towards a truly safe digital society, because otherwise I fear that even with all the technology in the world protecting our corporate networks, it will be very complicated.

We come back to the same problem over and over again. One of the most effective investments in cybersecurity is training and awareness, but the kind that works: practice. It is not the only thing we have to do, but at this point I think it should be the first, because people don't have a clear perception of the risk. They do have it for physical risk, and they hire security companies' services with monthly payments, but they do not have the same perception of risk in the virtual world.

I have no idea whether one day those of us who work in security (like me) will be able to educate our fellow citizens about digital risks, or whether we will be able to offer something attractive enough for people to contract digital security services as they do with physical guards.

Certainly, I don't know. However, we feel obliged to propose a basic cybersecurity policy for digital homes, which we will try to develop in the following decalogue, progressively over time, keeping it as simple as possible. Bear in mind that applying these rules guarantees absolutely nothing; it simply mitigates part of the risk, directly reducing the likelihood of a digital incident.

If you need professional help, contact private centres specialised in digital security or public centres devoted to security incident response, such as CERTs.

And now, let's look at some of the basic rules of the cybersecurity policy for digital homes:

  • Always change the router password. Never leave the default user or password. The "evil ones" know them.
  • Passwords should not be shared. Each member of the family must have their own user account and passwords, with privileges appropriate to each person's age and knowledge.
  • A password must be a real password. "Potato" is a tuber. "JM" are the initials of my name. "S2" is the company where I work. None of them are passwords.
  • The administrator password of the shared computers on the family network should be known by the mother, the father or the head of the family, and no one else.
  • All computers must have an updated antivirus. Some that are free for personal use are very good, such as AVG.
  • All computers must be kept updated. Updates are not an annoying task that wastes time; they are software manufacturers' activities that are absolutely necessary for our security.
  • Access to the home Wi-Fi network must be protected with a MAC filter if possible. This is not hard to do; it is part of the minimum knowledge we need to manage the security of our home. Bear in mind that a MAC filter is easily bypassed by an attacker who copies an allowed address, so it is a complement to WPA2 encryption with a strong key, not a substitute for it.
  • The Wi-Fi key should not be related in any way to our usual passwords, especially if I'm going to let friends connect to the network (and therefore give them the Wi-Fi key).
  • I don't give my friends my computer's password. If they need access, I type the password myself without them watching. The same goes for email, social networks, etc.
  • Deleting a file with the delete key does not really erase it; it can be recovered. If you need a file to really disappear from a storage device, you must use a secure erase tool (Eraser, for example).
  • If I have to access my corporate computer from home, I always ask the IT department first so that it can be done safely.
  • Installing P2P programs at home, such as eMule, Ares, BitTorrent clients or similar, involves many risks. Be very careful with this type of program.
  • Hacking devices that connect to the network to play online or to download programs of any kind introduces a very high risk. Do not break the protections of this type of system and, above all, do not let our children surf with hacked devices.
  • We do not disable the Windows firewall just because it is annoying. Try to find out why it is blocking a program; there are always ways to keep the firewall working while the programs run correctly.
  • And above all, use common sense. Most network risks can be controlled with a good dose of common sense and a bit of distrust.

Surely many of you have recommendations of this type that could extend the list above. Help us make it more useful through your comments. We commit to analysing them, incorporating them into a set of universal security measures for our homes and families, and publishing it on HD (hijosdigitales.es, only in Spanish) and SAW (SecurityArtWork.es) so that everybody can use it. They must be simple recommendations that non-technical people who need to apply certain standards at home can follow. They can simply be online resources or small useful applications.

Please note that this post is published on both HD (hijosdigitales.es) and SAW (SecurityArtWork.es). On the former because we have many readers, parents, who are concerned about the safety of their children and their homes in general; on the latter because I firmly believe that to improve the security of our corporations and businesses of all kinds we have no choice but to promote training and security awareness among the people who are part of them and of their everyday technological environments, including of course their homes. So let's get to work. Let's work for a safer Digital Society for our businesses, our homes and our families.

The “hidden” information in your photos (they may be saying things you don’t know)

(Please note that this post was originally published in the Spanish version of Security Art Work on 20 July 2011)

This post is not about steganography (see the definition we gave in another post, in Spanish), nor about any complex technique developed by a technology expert. It is about something much simpler: the geolocation information that some devices, including many smartphones, store in photos without many users being aware of it. That information is saved in the "hidden" metadata of the photo (the EXIF data) and can be easily read with programs such as an EXIF reader. Note that by "hidden information" we do not mean information that someone has tried to hide, but information that is unknown to most smartphone users, which in practice is basically the same as what we understand by "hidden". These devices usually have an option that allows us to enable or disable geolocation; for instance, on the BlackBerry there is an option called GeoTag in the camera options.

As always, the fact that a smartphone can geotag a photo is not a good or bad thing in itself; it is the use we make of this information that makes it a potential hazard, so it is important that everyone, especially the youngest, is aware of it. Bear in mind that combining the geolocation of a photo with real-time information systems such as Twitter can become an explosive mixture.

We can get an idea of this by visiting http://icanstalku.com/ (a project that is now closed). It's just scary.

As we can see, by extracting the geolocation data (the longitude and latitude stored in the photo's metadata) and using Google Maps, we get not only the picture of the beautiful dog we wanted to share with our friends, but also the location of our nice house:
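To make the "hidden information" concrete, here is an added example (written for this edition, not code from the original post) that shows exactly where the coordinates live inside a JPEG and how little it takes to pull them out. The geotag sits in the EXIF APP1 segment as a small TIFF structure: IFD0 holds a pointer (tag 0x8825) to a GPS sub-IFD, and that sub-IFD stores latitude and longitude as three rationals each (degrees, minutes, seconds) plus an N/S/E/W reference. The code uses only the standard library, so the "photo" it inspects is a constructed minimal JPEG container carrying a real EXIF block with GPS tags but no image data; the coordinates are constructed too. `extract_gps` reads the geotag the way any EXIF reader does, and `strip_exif` shows the mitigation: drop the APP1 segment before sharing.

```python
"""Read, and strip, the GPS geotag stored in a JPEG's EXIF block.

Added example for this post (not code from the original article). Standard
library only; the sample JPEG is constructed: a real EXIF APP1 segment with a
GPS sub-IFD and no image data behind it.
"""
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type


def _read_ifd(tiff, order, offset):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at `offset`."""
    (n,) = struct.unpack_from(order + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(order + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _value_bytes(tiff, order, typ, count, raw):
    """Values of 4 bytes or less are stored inline; larger ones at an offset."""
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack_from(order + "I", raw)
    return tiff[off:off + size]


def _dms_to_decimal(data, order, ref):
    """Three RATIONALs (degrees, minutes, seconds) plus an N/S/E/W reference."""
    d, m, s = (num / den for num, den in struct.iter_unpack(order + "II", data))
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def _segments(jpeg):
    """Yield (marker, start, length) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], pos, length
        pos += 2 + length


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there is no geotag."""
    for marker, start, length in _segments(jpeg):
        payload = jpeg[start + 4:start + 2 + length]
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        order = "<" if tiff[:2] == b"II" else ">"  # "II" Intel / "MM" Motorola byte order
        (ifd0_off,) = struct.unpack_from(order + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, order, ifd0_off)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack_from(order + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, order, gps_off)
        if not all(tag in gps for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        val = lambda tag: _value_bytes(tiff, order, *gps[tag])
        lat = _dms_to_decimal(val(GPS_LAT), order, val(GPS_LAT_REF)[:1].decode())
        lon = _dms_to_decimal(val(GPS_LON), order, val(GPS_LON_REF)[:1].decode())
        return lat, lon
    return None


def strip_exif(jpeg):
    """Drop every APP1 segment: the simplest way to remove the geotag before sharing."""
    out, end = bytearray(jpeg[:2]), 2
    for marker, start, length in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:start + 2 + length]
        end = start + 2 + length
    return bytes(out + jpeg[end:])


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a JPEG container holding only an EXIF APP1 with a GPS sub-IFD.
    lat_dms / lon_dms are three (numerator, denominator) pairs: degrees, minutes, seconds."""
    o = "<"  # write a little-endian ("II") TIFF
    rat = lambda dms: b"".join(struct.pack(o + "II", n, d) for n, d in dms)
    entry = lambda tag, typ, count, value: struct.pack(o + "HHI", tag, typ, count) + value
    # Layout: header at 0 | IFD0 at 8 | GPS IFD at 26 | latitude data at 92 | longitude at 116
    tiff = b"II" + struct.pack(o + "HI", 0x2A, 8)
    tiff += struct.pack(o + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(o + "I", 26)) + b"\0\0\0\0"
    gps_entries = [
        entry(0x0000, 1, 4, b"\x02\x03\x00\x00"),                 # GPSVersionID 2.3.0.0
        entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0"),    # "N\0", padded inline
        entry(GPS_LAT, 5, 3, struct.pack(o + "I", 92)),            # three RATIONALs at 92
        entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0"),
        entry(GPS_LON, 5, 3, struct.pack(o + "I", 116)),
    ]
    tiff += struct.pack(o + "H", len(gps_entries)) + b"".join(gps_entries) + b"\0\0\0\0"
    tiff += rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed coordinates: 39° 28' 12" N, 0° 22' 34.8" W (central Valencia, Spain)
    photo = build_geotagged_jpeg(((39, 1), (28, 1), (12, 1)), "N", ((0, 1), (22, 1), (348, 10)), "W")
    print("geotag:", extract_gps(photo))                   # (39.47, -0.37633...)
    print("after strip:", extract_gps(strip_exif(photo)))  # None
```

Run it as a script to see the round trip, or call `extract_gps(open("photo.jpg", "rb").read())` on a real file. A real photo carries more in the same block (GPS time stamp and altitude, camera model, sometimes the original file name), which is why `strip_exif` removes the whole APP1 segment rather than just the four GPS tags. Some social networks now strip EXIF on upload, but photos sent as email or messaging attachments, or posted to services that do not, keep it.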

What follows is a fictional story... or maybe not.

Let's suppose "bichomalo" (if you want to know who "bichomalo", Badguy, is, check this link: http://www.youtube.com/watch?v=JcB_RfX0BVQ, in Spanish) has just found Alice, a nice 15-year-old girl he is obsessed with.

The girl's parents have bought her the latest smartphone with a flat-rate Internet plan; they don't know much about technology or security risks. Alice creates her Twitter account, of course with her real name, and begins to tweet; it is cool. Soon she starts sharing photos in her tweets, unaware that they contain the coordinates of the place where each photo was taken. Bichomalo certainly knows it. He creates a fake profile and follows the girl; a photo of a young blonde girl cropped to show only her eyes, downloaded from some corner of the Internet, makes it credible enough. He often tweets girly things and even sends some private messages to Alice.

This Friday our girl is at her best friend's birthday party. It took her some time to convince her parents, but they finally agreed because she would not be far from home. The party is fun and she tweets many photos, but at 2 am she gets tired and decides to go back home, only a few blocks away. "Time 2 go home", Alice posts on Twitter... Bichomalo reads it and knows exactly where she is, where she is going and her way home: almost a hundred photos published over a couple of months, with a lot of geolocation data. We don't need to say anything more.

We can't deny that geolocation is a useful technology. However, as with any other technology, we must be aware of its dangers, and there is only one way to do that: education. Even more so when, as we have seen, its misuse may have a significant impact on vulnerable groups such as our children.