Cyber Security Industry Alliance Newsletter •  Volume 3, Number 10  • September 2007

E.U. Cyber Security Briefs

EU's Frattini Says New Europe–Wide Anti–Terror Measures Needed
Debate Rages Over German Government Spyware Plan
Lords Push for Wide–Ranging Security Improvements
“Promiscuous” RFID a Data Threat, Warns Privacy Watchdog

EU's Frattini Says New Europe-Wide Anti-Terror Measures Needed
Associated Press (09/05/07), AP Staff

The European Union's Justice and Home Affairs commissioner Franco Frattini says more EU-wide anti-terror measures are needed because the threat of terrorism in the European Union remains high. Frattini wants to push ahead with plans to establish a community-wide airline passenger data recording system modeled after a system developed by the United States. Passengers traveling to the United States are required to provide 19 pieces of information within minutes of boarding the plane. Some EU legislators have expressed concern for privacy, but Frattini says European citizens deserve the same protection as U.S. citizens. Other measures would include a plan to set up an explosive database to provide an early-warning system on lost or stolen explosives, and new regulations to deal with the misuse of the Internet by terrorists. Some EU lawmakers question the need for more anti-terror measures, arguing that the effectiveness of the measures established after the terror attacks in Madrid and London has not been properly evaluated. “We should look at the efficiency of the EU legislation in this area,” says French Socialist Martine Roure. “Some extremely restrictive measures have been adopted. Some haven't had the results expected, and some might even lend a false sense of security.”


Debate Rages Over German Government Spyware Plan
IDG News Service (09/05/07) Blau, John

After passing anti-hacking legislation earlier this year, members of the German government want to permit the development and use of spyware to monitor suspected terrorists. German interior minister Wolfgang Schauble has been seeking support for a new security law that would permit federal authorities to secretly investigate suspects' Internet use and stored data by allowing authorities to install Trojans carrying remote forensic software on suspects' hard drives. In February, the German Federal Court of Justice ruled that hacking of computers by police is not permitted under Germany's strict phone-tapping laws and that special legislation would be needed. Schauble says the new security law would only be used in a handful of exceptional cases and on those suspected of planning a terrorist attack, but the proposal has still generated heated debate. Kaspersky Lab virus specialist Magnus Kalkuhl says the plan undermines the very purpose of security software and that the idea of allowing officials in a country to spy is disturbing. “What's going to prevent police in Germany from breaking into computers in Italy?” Kalkuhl asks. The use of spyware by law enforcement is not new. In the United States, the FBI uses a tool called CIPAV that can record IP addresses and send the information to government computers. Meanwhile, Switzerland and Austria are both reportedly considering enacting laws that would allow police to monitor computers online, though neither country has released any official information on its spyware plans.


Lords Push for Wide-Ranging Security Improvements
VNUNet (08/10/07) Bennett, Madeline; Neal, David

A report from the House of Lords Science and Technology Committee could trigger significant changes in current U.K. information security practices. One of the suggestions would establish a central Web-based e-crime reporting system, which would help law enforcement agencies gain an understanding of computer crime patterns and would provide companies with a more direct link to police IT specialists. The report also recommends requiring firms to report incidents of data security breaches that could affect customer privacy. “A data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security,” the report says. “We recommend that the government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.” A potentially controversial change the report suggests is to hold IT vendors responsible for weaknesses in their products. McAfee senior security analyst Greg Day says it would be “very difficult” to hold vendors accountable for breaches. “It comes down to how solutions are implemented,” Day says. “You would have to ask, 'Did they have it configured correctly, updated and maintained?'” Butler Group analyst Andy Kellet says the report is overly simplistic and that there needs to be better understanding of how security works and how vendors build and implement solutions.


'Promiscuous' RFID a Data Threat, Warns Privacy Watchdog
Computerworld New Zealand (09/03/07) Jackson, Randal

New Zealand privacy commissioner Marie Shroff warns that the range of applications, and doubt over future uses, make RFID technology a potential privacy threat. “A study completed recently for the European Parliament noted that while RFID was originally used for logistical purposes, such as identifying cargo, it has now entered the public space on a massive scale: public transport cards; the biometric passport; micro-payment systems; office ID tokens; customer loyalty cards and other applications,” Shroff says. Shroff emphasizes that the study says once different RFID systems become connected, and other technologies such as GSM, GPS, CCTV, and the Internet are incorporated, a much wider array of uses will surface and will be far more intrusive. Otago University associate professor of information science Hank Wolfe says it is possible to read passive RFID tags from a distance of at least 40 cm without being detected. Wolfe points out that passports with RFID tags have been successfully read from a distance and copied, creating the opportunity for identity theft. “Privacy law should dictate that all RFIDs should be destroyed at point of sale,” Wolfe says. “After that … they have no purpose after sale other than surveillance.”