Rina Steenkamp - Privacy and technology
An opinion of the European Data Protection Supervisor (EDPS).
From '1.4 Focus and structure of the Opinion':
"This Opinion has three goals. The first goal is to highlight the relevance of privacy and data protection in the current discussions on cloud computing. More particularly, it underlines that the level of data protection in a cloud computing environment must not be inferior to that required in any other data processing context. [...] The second goal is to further analyse the main challenges that cloud computing brings for data protection in the context of the proposed Data Protection Regulation, in particular the difficulty to establish unambiguously the responsibilities of the different actors and the notions of controller and processor. [...] The third goal is to identify areas that require further action at EU level from a data protection and privacy perspective, in view of the cloud strategy put forward by the Commission in the Communication."
European Data Protection Supervisor (EDPS): Opinion [...] on the Commission's Communication on "Unleashing the potential of Cloud Computing in Europe" (PDF)
A report by ENISA.
From '1 Executive summary':
"This study provides a technical perspective on behavioural tracking. It presents a comprehensive view, answering questions such as: Why are users tracked? What techniques are used? To what extent are we tracked today? What are the trends? What are the risks? What protective measures exist? What could regulators do to help improve user privacy?"
ENISA: Privacy considerations of online behavioural tracking (PDF linked from this page)
A report by ENISA.
From '1 Executive Summary':
"Information security technology plays a critical role in enforcing the right to be forgotten. In this paper we review relevant existing technology, and identify technical limitations and challenges when trying to enforce the right. Furthermore, we identify the need for additional definitions and legal clarifications required before appropriate technical means to enforce the right can be implemented."
ENISA: The right to be forgotten - between expectations and practice (PDF linked from this page)
A report by ENISA.
From '1 Executive summary':
"The root of this report is the assertion that Governments, corporations, organizations, and consumers are increasingly reliant on ICT products and services, and thus on the supply chains that deliver them. As a result of this reliance, threats to supply chains have attracted more attention, including the threat of intentional tampering during development, distribution or operations, or the threat of substitution with counterfeit (including cloned or overproduced) components before or during delivery, and attacks against the economy through the supply chain. The present report identifies the nature of these threats and examines the strategies that may be used to counter them."
ENISA: Supply chain integrity - An overview of the ICT supply chain risks and challenges, and vision for the way forward (PDF linked from this page)
A thesis by D.L.M. van der Zande.
From the Introduction:
"The main question that will be answered in this thesis is the following: 'Which procedures are available in order to receive and determine compensation for non-pecuniary damages suffered due to an infringement of privacy and do these procedures provide an effective remedy under article 13 ECHR?'"
D.L.M. van der Zande: A penny for your privacy - An analysis of the reimbursements in privacy infringement procedures (PDF)
NJBlog: A penny for your privacy (2012/11/09)
Recht.nl: Framework for calculating non-pecuniary damages after a privacy violation (2012/11/12)
A report by McAfee Labs.
From the introduction to the document:
"We saw a number of changes and reversals in threats this quarter. Database breaches reached an all-time high, surpassing the entirety of 2011, while growth in overall malware numbers dipped a bit from last quarter. Nonetheless, we saw jumps in some categories of malware, including ransomware and signed binaries. Rootkits and Mac malware continue to increase. Password-stealing Trojans and AutoRun malware are also trending strongly upward. [...] This quarter mobile malware almost doubled last quarter's numbers. Although we predicted this surge, it is still a bit shocking to see it happen."
McAfee Labs: McAfee Threats report - Third quarter 2012 (PDF)
Security.nl: The Netherlands is no hotbed of infected websites (2012/11/14)
A report by Kindsight Security Labs.
From 'Q3 2012 Home Malware Statistics:'
"In fixed broadband deployments in Q3 2012 we found that 13% of residential households show evidence of malware infection. This has slightly decreased from 14% in Q2. 6.5% of households were infected by high-level threats such as a botnet, rootkit or banking Trojan. 8.1% of households were infected with a moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections including both high and moderate threat level infections."
Kindsight Security Labs: Malware report - Q3 2012 (PDF)
Security.nl: 13% of home networks infected with malware (2012/10/31)
A speech by the Vice-President of the European Commission responsible for the Digital Agenda, Neelie Kroes.
From the speech:
"[...] according to Eurostat, by January 2012 only 26% of enterprises in the EU had a formally defined ICT security policy with a plan for regular review. This share rose to over 50 % among those enterprises whose principal activity was ICT. This is however not enough. [...] The European Strategy for Cyber-Security, which I plan to present with Commissioner Malmström and High Representative Ashton, would provide a comprehensive vision on cyber-security and would address both the EU and the international dimension. [...] In the context of the Strategy, I also plan to present a legislative proposal setting up a high level of network and information security across the EU, with a view to ensuring the smooth functioning of the internal market. First, I plan to require the Member States to be appropriately equipped and to cooperate among themselves. We need to have no weak links across the EU. Secondly, I am considering extending to new sectors (enablers of key Internet services, banking, energy, transport, health, public administrations) the obligations to adopt risk management measures and to report significant incidents to competent authorities that currently apply in the telecom sector in the EU."
Neelie Kroes: Cyber-security - a shared responsibility
Tweakers.net: Kroes - companies do too little about ICT security (2012/11/06)
A report by Fox-IT.
From '1.1 Background':
"DigiNotar B.V. was a Certificate Authority that provided digital certificate services. The digital certificates were used to secure Internet traffic, to issue (qualified) electronic signatures and to provide data encryption. DigiNotar also issued government accredited PKIoverheid certificates. During the months of June and July of 2011, the security of DigiNotar was breached and rogue certificates were issued. One of these certificates, a rogue Google certificate, was abused on a large scale in August of 2011 targeting primarily Iranian Internet users. At the end of August the intrusion became public knowledge and set into motion a chain of events that eventually led to the removal of all the Certificate Authorities that were hosted by DigiNotar from trust lists and ultimately the bankruptcy of the company. On September 3 of 2011 the Dutch state publicly expressed the intention to take over the operational control of DigiNotar, including the responsibility for the commissioned investigation into the intrusion of DigiNotar’s network by Fox-IT. [...] The interim report with the preliminary findings of Fox-IT was provided to DigiNotar and was published on September 5, 2011 by the Dutch state."
Fox-IT: Black tulip - Report of the investigation into the DigiNotar Certificate Authority breach (PDF linked from this page)
Security.nl: DigiNotar hacker accidentally leaked IP address (2012/10/31)
Computable: Public Prosecution Service's fact-finding inquiry into DigiNotar fizzled out (2012/11/07)
A paper by Matthijs Koot.
Abstract:
"Many websites include content from other websites that are beyond their control. We refer to such content as 'third-party content'. We performed a survey of the inclusion of third-party content by some 2,000 Dutch websites from various societal sectors (government, banking, insurance, energy, etc.). It turns out that 75% of the websites include some form of third-party content, and that 35% include third-party code. According to Google SafeBrowsing diagnostics, 30 out of the 239 domains that we manually qualified as 'third-party domain' have hosted malware in the last 90 days. We list by sector the top-10 third-party domains from which content is included, as well as the number of websites including content from them. Privacy and security risks associated with the inclusion of third-party content are discussed. The paper concludes with recommendations to mitigate those risks."
Matthijs Koot: A survey of privacy and security decreasing third-party content on Dutch websites (PDF)
The third party diary - A study of third parties on government websites
Nu.nl: Government sites pass data on to third parties (2012/11/01)
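The survey method described in the abstract above (resolve every resource a page includes, decide whether it is first- or third-party, and count third-party code separately from passive third-party content) can be reproduced in a few dozen lines. The script below is an added example, not code from the paper; the sample pages are constructed, and the registrable-domain helper is a simplification (last two labels) where a real survey would use the public suffix list.

```python
"""Third-party content survey, after the approach described in the abstract above.
Added example (not code from the paper): parses each page's HTML, resolves every
included resource to a registrable domain, and separates passive third-party
content (images, frames, stylesheets) from third-party code (<script src>)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that pull in a remote resource, and the attribute carrying its URL.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "object": "data", "link": "href"}
CODE_TAGS = {"script"}  # executes with the including page's privileges


def registrable_domain(host):
    """Assumption: the last two labels stand in for the public-suffix based
    eTLD+1 a real survey would use (wrong for e.g. co.uk, fine for .nl/.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


class IncludeParser(HTMLParser):
    """Collects (tag, absolute URL) for every resource the page includes."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # <link> only fetches something for rel=stylesheet/icon; skip canonical etc.
        if tag == "link" and not {"stylesheet", "icon"} & set((a.get("rel") or "").lower().split()):
            return
        value = a.get(attr)
        if value:  # inline <script> has no src and is first-party by definition
            self.includes.append((tag, urljoin(self.page_url, value)))


def survey_page(page_url, html):
    """Third-party domains (and the subset serving code) included by one page."""
    parser = IncludeParser(page_url)
    parser.feed(html)
    site = registrable_domain(urlparse(page_url).hostname or "")
    third_party, third_party_code = set(), set()
    for tag, url in parser.includes:
        host = urlparse(url).hostname
        if not host:  # data: URIs and the like load nothing remote
            continue
        domain = registrable_domain(host)
        if domain == site:  # first-party subdomain such as cdn.example.nl
            continue
        third_party.add(domain)
        if tag in CODE_TAGS:
            third_party_code.add(domain)
    return {"site": site, "third_party": sorted(third_party),
            "third_party_code": sorted(third_party_code)}


def survey(pages):
    """Aggregate over (url, html) pairs: how many pages include any third-party
    content, how many include third-party code, and the top included domains."""
    with_content = with_code = 0
    top = Counter()
    for url, html in pages:
        result = survey_page(url, html)
        with_content += bool(result["third_party"])
        with_code += bool(result["third_party_code"])
        top.update(result["third_party"])
    return {"pages": len(pages), "with_third_party": with_content,
            "with_third_party_code": with_code, "top_domains": top.most_common(10)}


# Constructed sample pages (not real sites); one per "sector" for illustration.
SAMPLE_PAGES = [
    ("https://www.example-gov.nl/", """<html><head>
      <link rel="stylesheet" href="https://fonts.example-cdn.org/ui.css">
      <link rel="canonical" href="https://www.example-gov.nl/">
      <script src="//analytics.example-tracker.com/tag.js"></script>
      <script>var inline = 1;</script></head>
      <body><img src="https://cdn.example-gov.nl/logo.png"></body></html>"""),
    ("https://bank.example-bank.nl/login", """<html><body>
      <img src="/img/logo.png">
      <iframe src="https://www.example-social.com/like?u=bank"></iframe>
      <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></body></html>"""),
    ("https://www.example-insurer.nl/", """<html><body>
      <script src="/js/app.js"></script><img src="hero.jpg"></body></html>"""),
]

if __name__ == "__main__":
    print(survey(SAMPLE_PAGES))
```

On the three constructed pages, two include some third-party content and one includes third-party code, the distinction the abstract's 75% and 35% figures rest on. The code/content split matters because a third-party script runs in the including page's origin and can read its DOM, cookies and form input, whereas an image or frame can only observe that the visitor loaded the page; the malware-hosting check via Google SafeBrowsing that the paper adds is a network lookup and is deliberately left out here.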
A report by the European Central Bank.
From the Executive Summary:
"Virtual currency schemes differ from electronic money schemes insofar as the currency being used as the unit of account has no physical counterpart with legal tender status. The absence of a distinct legal framework leads to other important differences as well. Firstly, traditional financial actors, including central banks, are not involved. The issuer of the currency and scheme owner is usually a non-financial private company. This implies that typical financial sector regulation and supervision arrangements are not applicable. Secondly, the link between virtual currency and traditional currency (i.e. currency with a legal tender status) is not regulated by law, which might be problematic or costly when redeeming funds, if this is even permitted. Lastly, the fact that the currency is denominated differently (i.e. not euro, US dollar, etc.) means that complete control of the virtual currency is given to its issuer, who governs the scheme and manages the supply of money at will."
European Central Bank: Virtual currency schemes (PDF)
WebWereld: European Central Bank sees dangers in Bitcoin (2012/11/07)
A report by Max Goncharov.
From the Introduction:
"This paper discusses fundamental concepts that Russian hackers follow and the information they share with their peers. It also examines prices charged for various types of services, along with how prevalent the given services are in advertisements. The primary features of each type of activity and examples of associated service offerings are discussed as well."
Max Goncharov: Russian Underground 101 (PDF)
Cops in cyberspace: Russian underground economy has 'democratised' cybercrime (2012/11/07)
A Hacker Intelligence Initiative monthly trend report by Imperva.
From '2. Methodology':
"Imperva analyzed one of the largest-known hacker forums with roughly 250,000 members. Known as 'content analysis,' Imperva used the forum’s sophisticated search capability to analyze conversations by topic using specific keywords. Specifically, we summarized the volume of threads addressing a multitude of topics. Though there are many forums that are small and solely focused on committing cybercrime, we don’t have access to these. The site we examined is not a hardcore crime site, but it’s not entirely softcore. New hackers come to this site to learn and, on the other hand, more experienced hackers teach to gain 'street cred' and recognition."
Imperva: Monitoring hacker forums (PDF)
Security.nl: Security firm again snoops on hacker forum (2012/11/01)
Guidelines by the U.S. Department of Energy.
From '1. Introduction':
"The electricity subsector cybersecurity Risk Management Process (RMP) guideline has been developed by a team of government and industry representatives to provide a consistent and repeatable approach to managing cybersecurity risk across the electricity subsector. It is intended to be used by the electricity subsector, to include organizations responsible for the generation, transmission, distribution, and marketing of electric power, as well as supporting organizations such as vendors."
U.S. Department of Energy: Electricity subsector cybersecurity risk management process (PDF)
Smart Grid Security Blog: Evaluating electric cybersecurity measure for measure (2012/09/04)
A publication by Carnegie Mellon University.
From '1. Introduction':
"This document describes the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The goal of this model is to support ongoing development and measurement of cybersecurity capabilities within the electricity subsector [...]"
Carnegie Mellon University: Electricity subsector cybersecurity capability maturity model (ES-C2M2) (PDF)
Smart Grid Security Blog: Evaluating electric cybersecurity measure for measure (2012/09/04)
A report by Miles Keogh and Christina Cody.
From the Introduction:
"We often hear reports of cyber attacks in the news, but how serious are the threats to our country's essential utility infrastructure, such as electricity, gas, water and telecommunications? Many State utility regulators have begun asking how to best protect the services, information and data that are valuable to customers, companies, as well as the country. [...] This primer addresses cybersecurity – particularly for the electric grid – for State utility regulators, though we hope that it will be useful for a wide audience of policymakers in this field."
Miles Keogh and Christina Cody: Cybersecurity for state regulators - with sample questions for regulators to ask utilities (PDF)
Smart Grid Security Blog: Evaluating electric cybersecurity measure for measure (2012/09/04)
A guide by the Smart Grid Interoperability Panel.
From '1. Executive Summary':
"Guide for Assessing the High-Level Security Requirements in NISTIR 7628 provides a set of guidelines for building effective security assessment plans and a baseline set of procedures for assessing the effectiveness of security requirements employed in Smart Grid information systems."
Smart Grid Interoperability Panel: Guide for assessing the high-level security requirements in NISTIR 7628, Guidelines for smart grid cyber security (PDF)
Smart Grid Security Blog: Evaluating electric cybersecurity measure for measure (2012/09/04)
An article by Alexander Alvaro.
From the article:
"In January this year, the European Commission presented its proposal for a new data protection regulation in Europe. The new regulation has the potential to bring the existing framework up to date with technological and societal developments and may even outlive the life expectancy of the 17 year-old existing data protection framework. However, in my opinion, the proposal as it stands at the moment is still only a patchwork of good ideas. It is lacking an overall comprehensive approach making sure that we achieve actually enforceable standards, which guarantee that the fundamental rights of our citizens remain respected on one hand, and on the other allows for innovative business models to be developed."
Alexander Alvaro: Lifecycle data protection management - A contribution on how to adjust European data protection to the needs of the 21st century
Data Protector: Hooray - more data protection compliance diagrams (2012/10/18)
A report by the FTC.
From the Executive Summary:
"On December 8, 2011, the Federal Trade Commission [...] hosted a workshop [...] to explore developments in this rapidly evolving field. Panelists discussed a number of issues, including: recent advances in facial recognition technologies; current and possible future commercial uses of facial recognition technologies; ways consumers can benefit from these uses; and privacy and security concerns raised. Following the workshop, the FTC received eighty public comments discussing these issues from private citizens, industry representatives, trade groups, consumer and privacy advocates, think tanks, and members of Congress. In this report, FTC staff has synthesized those discussions and comments in order to develop recommended best practices for protecting consumer privacy in this area, while promoting innovation."
FTC: Facing facts - Best practices for common uses of facial recognition technologies (PDF)
Privacy Lives: FTC recommends best practices for companies that use facial recognition technologies (2012/10/24)
A paper by Ishtiaq Rouf, Hossen Mustafa, Miao Xu, Wenyuan Xu, Rob Miller and Marco Gruteser.
Abstract:
"Research on smart meters has shown that fine-grained energy usage data poses privacy risks since it allows inferences about activities inside homes. While smart meter deployments are very limited, more than 40 million meters in the United States have been equipped with Automatic Meter Reading (AMR) technology over the past decades. AMR utilizes wireless communication for remotely collecting usage data from electricity, gas, and water meters. Yet to the best of our knowledge, AMR has so far received no attention from the security research community. In this paper, we conduct a security and privacy analysis of this technology. Based on our reverse engineering and experimentation, we find that the technology lacks basic security measures to ensure privacy, integrity, and authenticity of the data. Moreover, the AMR meters we examined continuously broadcast their energy usage data over insecure wireless links every 30s, even though these broadcasts can only be received when a truck from the utility company passes by. We show how this design allows any individual to monitor energy usage from hundreds of homes in a neighborhood with modest technical effort and how this data allows identifying unoccupied residences or people's routines. To cope with the issues, we recommend security remedies, including a solution based on defensive jamming that may be easier to deploy than upgrading the meters themselves."
Ishtiaq Rouf, Hossen Mustafa, Miao Xu, Wenyuan Xu, Rob Miller and Marco Gruteser: Neighborhood watch - security and privacy analysis of automatic meter reading systems (PDF)
Security.nl: Smart meter tells burglar when home is empty (2012/10/22)
A report by Verizon.
From the Executive Summary:
"This year our DBIR includes more incidents, derived from more contributors, and represents a broader and more diverse geographical scope. The number of compromised records across these incidents skyrocketed back up to 174 million after reaching an all-time low (or high, depending on your point of view) in last year’s report of four million. In fact, 2011 boasts the second-highest data loss total since we started keeping track in 2004."
Verizon: 2012 Data breach investigations report (PDF)
Security.nl: Most companies easily hacked (2012/10/24)
A discussion paper by the Commonwealth of Australia, Attorney-General's Department.
From the Foreword by the Australian Attorney-General:
"In May 2008, the Australian Law Reform Commission (ALRC) concluded a 28-month inquiry into the effectiveness of the Privacy Act 1988 and related laws as a framework for the protection of privacy in Australia. In its report, the ALRC made 295 recommendations for reform in a range of areas, including creating unified privacy principles, updating our credit reporting system, and strengthening the powers of the Privacy Commissioner. The Government has responded to the majority of their recommendations through the introduction of the Privacy Amendment (Enhancing Privacy Protection) Bill in Parliament in May 2012. One of the ALRC's other recommendations was that a mandatory data breach notification scheme be introduced. In responding to this recommendation, the threshold question that must be asked is whether the introduction of such a scheme is warranted."
Commonwealth of Australia, Attorney-General's Department: Discussion paper - Australian privacy breach notification (PDF)
Inside Privacy: Australian government launches discussion paper on privacy breach notification (2012/10/19)