Victor Neal

Issues with the Met's information systems have contributed to failures to protect children at risk of sexual exploitation, according to a report by Her Majesty's Inspectorate of Constabularies (HMIC).

Published today, the 113-page report [PDF] following HMIC's inspection into national child protection, reported how London's Metropolitan Police Service (MPS) has had issues with its IT systems that are contributing to failures to protect vulnerable children.

Police staff told HMIC that information on the Met's Crime Recording Information System (CRIS), which holds data regarding children's circumstances and vulnerability, was “not easy to locate” and “complicated” while the system's usage was “neither universally adhered to nor universally understood”.

This is particularly a concern with regards to the force's risk assessments, according to HMIC, which said that in many incidents the cops failed to reflect the intelligence their systems held or simply made inaccurate assessments.

HMIC reported that some cases were graded as being of only “medium risk of harm on the basis that the children in question were 'streetwise and able to take care of themselves'.”

In one such incident, the report went on to explain, a 13-year-old girl who went missing overnight was assessed as only being at medium risk because she was “streetwise” despite the Met's communications centre receiving a report that the child was “alone and unsafe in a house with three men”.

Connectivity issues with the Met's IT systems meant this information was “in an email inbox in the MPS for 14 hours before the force acted on it.”

HMIC stated that such findings “in relation to the flagging and retrieval from the police computer systems of relevant information about child protection issues are a particular concern.”

It explained that the difficulty of locating information on the current force IT systems risks cases being dealt with in isolation, leading to potential intelligence gaps.

The report concluded: "The lack of connection between the MPS IT systems, databases and spreadsheets used to record such analyses exacerbates this problem. As a result, much of the information on victims, offenders and risk is kept in isolated pockets across the force. This contrasts sharply with the free movement of people (both victims and offenders) around the capital."

The Register - Security

Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that's distributing the dangerous Locky ransomware.

The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties.

The flaw as described is, in this writer's opinion, ultimately of little risk to El Reg's tech savvy readers, but folks who can be conned into downloading and running unknown executables are at risk.

The attack is also significant in that it breaks Facebook's security controls.

In a proof-of-concept video by Checkpoint researchers Roman Ziakin and Dikla Barda, an attacker is shown exploiting the flaw by sending a .jpg image file through Facebook Messenger.

The victim must click the attachment, an act that generates a Windows save-file prompt asking the victim for the directory to which the file, which now carries a .hta extension, will be downloaded.

Images sent over Messenger appear as previews, not attachments.

They must then double-click the saved .hta file to unleash the Locky ransomware.

While the attack is not automated, it does break Facebook's hypervigilant security model and is fairly regarded by Checkpoint as a Facebook "misconfiguration".

Facebook will undoubtedly fix the flaw; The Social Network™ already warns users who open a browser javascript console to protect against malicious code.

Checkpoint's chaps say the attack is useful because Facebook is a trusted asset.

“As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms,” Ziakin and Barda write.

“Cyber criminals understand these sites are usually white listed, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."

Facebook's javascript console warning.

Those users who do open the hta file will unleash one of the worst ransomware variants in mass circulation, encrypting their local files in a way that leaves backup restoration or ransom payment as the only options available to them.

There is no decryption method for Locky, and most victims will find their backup files also deleted.

Locky is under active development. Its authors have recently switched to the .zzzzz encrypted file extension with a new downloader that has lower antivirus detection rates.

The Register - Security

Despite months of reminders and warnings, more than one-third of websites will become inaccessible come 2017. There is barely a month left before major browsers start blocking websites using certificates signed with the SHA-1 hash, but 60 million-plus websites still rely on the insecure hash algorithm, according to the latest estimates from security company Venafi.

Starting Jan. 1, Mozilla's Firefox browser will show an "Untrusted Connection" error for sites using a SHA-1 certificate, and Google's Chrome browser will drop all support for SHA-1 and completely block sites using SHA-1 certificates. Microsoft has said its Edge and Internet Explorer browsers will start blocking the sites outright on Feb. 1, 2017.

These error messages are different from the browser warnings users typically see for incorrectly configured site certificates, which users can ignore and still access the site. In the case of Google, Chrome will display a network error with no way for the user to bypass and still get to the site. Mozilla will allow Firefox users to override the error message if the issuing certificate authority is included in Mozilla's CA Certificate Program.

Users will no longer be able to access these websites after the deadline, significantly disrupting business operations, warned Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. While there has been significant progress with the migration -- Mozilla said last month that the use of SHA-1 on the web since May 2016 has dropped from 3.5 percent to 0.8 percent -- enough websites are still relying on the weak certificates. These organizations are at risk for security breaches, compliance problems, and outages affecting security, availability, and reliability.

The case for the SHA-1 migration

For years, experts have warned of the security weaknesses in SHA-1 that make the hash particularly susceptible to collision attacks. The National Institute of Standards and Technology (NIST) called for dropping support for SHA-1 back in 2006. New collision attacks have significantly lowered the cost of breaking SHA-1 algorithm, raising concerns that it won't be long before there is a serious cryptographic break. As such, the transition deadline for SHA-1 is long overdue.

"Successful attacks on SHA-1 are well within reach of nation states and other sophisticated adversaries, and these allow them to 'mint' trusted SHA-1 certificates," Bocek said. As early as 2012, attackers were able to distribute the Flame malware using forged Microsoft MD5 certificates.

The industry has been moving away from the insecure cryptographic function toward more secure alternatives, but the migration has been both challenging and time-consuming. The average organization has more than 23,000 keys and certificates, and most typically have poor visibility over how these certificates are being used within their environment. They struggle to get started because they have to first identify all the SHA-1 certificates that need to be replaced. This isn't as simple as getting new certificates from the certificate authority and slotting them in place. It's a multistep process of identifying all the certificates that need to be changed, deploying and testing the new certificates, revoking old certificates, and setting up controls to manage the new certificates.
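The first step the paragraph describes, finding every SHA-1 certificate, can be scripted from the certificate itself: the outer `signatureAlgorithm` field of an X.509 certificate names the hash used by the issuer. The stdlib-only Python helper below is an added example, not code from the InfoWorld article or from Venafi; it walks the DER structure of each certificate in a PEM bundle and flags MD5 and SHA-1 signatures, and the two certificates it processes are constructed skeletons, not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758, mapped to
# (algorithm name, digest). The MD5 and SHA-1 rows are what the browser
# deadlines described in the article affect.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}
WEAK_DIGESTS = {"MD5", "SHA-1"}

def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return the OID of the outer signatureAlgorithm (Certificate = SEQUENCE {tbs, alg, sig})."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def classify(der):
    """Classify one DER certificate for the SHA-1 migration inventory."""
    oid = signature_algorithm(der)
    name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    if digest in WEAK_DIGESTS:
        verdict = "MIGRATE"
    elif digest == "unknown":
        verdict = "REVIEW"
    else:
        verdict = "OK"
    return {"oid": oid, "algorithm": name, "digest": digest, "verdict": verdict}

def inventory(pem_bundle):
    """Classify every certificate in a PEM bundle (e.g. a server's chain file)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    return [classify(base64.b64decode("".join(b.split()))) for b in blocks]

# --- Constructed fixtures (not real certificates): a minimal DER skeleton whose
# --- outer structure matches a real certificate, with a stand-in tbsCertificate.
def encode_tlv(tag, value):
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def constructed_cert(oid_bytes):
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x02"))                          # placeholder body
    alg = encode_tlv(0x30, encode_tlv(0x06, oid_bytes) + encode_tlv(0x05, b""))  # AlgorithmIdentifier
    sig = encode_tlv(0x03, b"\x00" * 5)                                        # placeholder BIT STRING
    return encode_tlv(0x30, tbs + alg + sig)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SAMPLE_BUNDLE = to_pem(constructed_cert(SHA1_RSA_OID)) + to_pem(constructed_cert(SHA256_RSA_OID))

if __name__ == "__main__":
    for entry in inventory(SAMPLE_BUNDLE):
        print(entry)
```

Point `inventory()` at the PEM chain files a web server or load balancer actually serves; a MIGRATE verdict on a leaf or intermediate is a certificate the January deadline will break.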

For many organizations, the process of migrating away from SHA-1 to SHA256 or other safer cryptographic functions is like an unpleasant visit to the dentist, Bocek said.

The coming changes in browsers

Major web browsers have been warning of the impending changes for months. Chrome and Firefox currently display a certificate error warning for sites using SHA-1 certificates issued on or after Jan. 1, 2016. Edge and Internet Explorer have already stopped displaying the address bar lock icon, which indicates the site is secured and trusted, for sites using SHA-1.

Chrome 56, scheduled to be released at the end of January, will be the first version of the browser with support for SHA-1 certificates removed completely. However, the browser will distinguish between certificates chained to a public certificate authority and those chained to local CAs until 2019 to support enterprises that want to continue using SHA-1 certificates for internal applications. Starting with Chrome 54, site administrators will have to deploy the EnableSha1ForLocalAnchors policy to allow certificates chained to local trust anchors. This policy must be set, or SHA-1 certificates chained to locally installed CAs will also start being blocked by Chrome 57, expected in March 2017.

Google may choose to remove support for locally signed SHA-1 certificates before 2019 in the event of a serious cryptographic break. Enterprises should be using this two-year reprieve to migrate those internal certificates off SHA-1.

Firefox 51, currently in Developer Edition and expected to be released in January, will display the Untrusted Connection message starting January, but users will be able to override the warning for the time being. Support for SHA-1 certificates from publicly trusted CAs will be completely disabled "in early 2017," Mozilla said. SHA-1 certificates that chain up to a manually imported root certificate, as specified by the user, will continue to be supported, but Mozilla encouraged enterprises to migrate those certificates as soon as possible.

Don't wait until things are broken

Online trust relies on all the players working together, and digital certificates are a key component of the trust equation. If an organization relies on weak certificates, it is undermining the trust model. Certificate authorities were supposed to stop issuing SHA-1 certificates after Jan. 1, 2016, for example. If a CA is still issuing SHA-1 certificates, then organizations should change CAs.

Cryptographic projects are hard and the price for making a mistake during deployment can be high, so many businesses have stuck their heads in the sand instead of dealing with the migration to SHA-2. However, the deadline isn't going away, and the organizations will see actual business impact for delaying the process. Many organizations will be operating with smaller IT staff as employees take time off before the end of the year, making the process even more challenging. Even so, it will be far better to work on the bulk of the migration in the time left, rather than try to fix the problems after things start breaking in January.

"Leaving SHA-1 certificates in place is like putting up a welcome sign for hackers that says, 'We don't care about the security of our applications, data, and customers,'" Bocek said.

InfoWorld Security

Google reminded the world that starting with Chrome 56, scheduled for release near the end of January 2017, websites signed with SHA-1 certificates will no longer be trusted, and visiting them will return an interstitial message from the browser indicating the site is not trustworthy.

Joining with other major browser makers, Google has gradually reduced support for SHA-1 over the past year, starting by removing support for newly issued SHA-1 certificates at the beginning of 2016. Despite raising the possibility that support for SHA-1 would be removed entirely on an accelerated basis this year, browser companies have not taken that step.

"The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago, and recent research points to the imminent possibility of attacks that could directly impact the integrity of the web [public key infrastructure (PKI)]," Andrew Whalley, of the Google Chrome security team, wrote in a blog post. "To protect users from such attacks, Chrome will stop trusting certificates that use the SHA-1 algorithm, and visiting a site using such a certificate will result in an interstitial warning."

In a nod to organizations that use SHA-1 certificates within private PKIs, Google added a settable option, EnableSha1ForLocalAnchors, to allow organizations to continue using SHA-1 for certificates that chain to a local trust anchor. Those organizations wishing to use this option to extend the lifetime of those private SHA-1 certificates must begin using it with Chrome 57, which is scheduled for a March 2017 release to the stable channel. "Since this policy is intended only to allow additional time to complete the migration away from SHA-1, it will eventually be removed in the first Chrome release after January 1st 2019," Whalley wrote.

However, Whalley warned support for SHA-1 may be removed entirely before 2019 "if there is a serious cryptographic break of SHA-1. Enterprises are encouraged to make every effort to stop using SHA-1 certificates as soon as possible and to consult with their security team before enabling the policy."

The SHA-1 deprecation effort began to accelerate in 2015 after security researchers reported malicious actors with relatively little computing resources could successfully brute-force the secure hashing algorithm and create fake websites that appeared legitimate.

Later that year, leading browser developers began signaling their intention to accelerate the drop-dead date for removing support for SHA-1 certificates from browser and other parts of the internet infrastructure.

Mozilla announced in October 2015 it might begin dropping support for SHA-1 certificates in the Firefox browser as early as July 2016. In December 2015, Google announced it, too, might speed up its timetable for SHA-1 deprecation in the Chrome browser to match Mozilla's move, though neither company followed through on that possibility. Microsoft, too, has made progress on SHA-1 deprecation.

SHA-1 has been considered a prime candidate for deprecation for at least 12 years; security expert Bruce Schneier reported in 2004 that researchers announced weaknesses in the SHA-1 and MD5 hashing algorithms. Less than a year later, after noting the first attack on SHA-1 that had been shown to be faster than a brute-force attack, Schneier reiterated his call: "It's time for us all to migrate away from SHA-1."

SearchSecurity: Security Wire Daily News

The insecure implementation of the OTA (Over-the-air) update mechanism used by numerous Android phone models exposes nearly 3 million phones to Man-in-the-Middle (MitM) attacks and allows adversaries to execute arbitrary commands with root privileges.

The vulnerable OTA update mechanism is associated with Chinese software company Ragentek Group, which didn’t use an encrypted channel for transactions from the binary to the third-party endpoint. According to security researchers at AnubisNetworks, this bug not only exposes user-specific information to attackers, but also creates a rootkit, allowing an adversary to issue commands that could be executed on affected systems.

The code from Ragentek contains a privileged binary for OTA update checks as well as multiple techniques to hide its execution. Located at /system/bin/debugs, the binary runs with root privileges and communicates over unencrypted channels with three hosts. Responses from the remote server include functionality to execute arbitrary commands as root, install apps, or update configurations.

The issue, tracked as CVE-2016-6564, is that a remote, unauthenticated attacker capable of performing a MitM attack could replace the server responses with their own and execute arbitrary commands as root on the affected devices.

Similar to the issue found in Android devices running firmware from Shanghai ADUPS Technology Co. Ltd., the bug in Ragentek's Android OTA update mechanism is included out of the box. The two issues aren't related, but they are similar to some extent, as both allow for code execution on smartphones. The ADUPS firmware was found to siphon user and device information in addition to allowing the remote installation of apps.

The CERT advisory associated with this vulnerability reveals that multiple smartphones from BLU Products are affected, along with over a dozen devices from other vendors, namely Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. BLU is said to have already issued a software update to resolve the issue, but the remaining devices might still be affected.

While analyzing the bug, AnubisNetworks discovered that the unencrypted data transmission starts soon after starting the first-use setup process, and that the inspected device, a BLU Studio G, attempted to contact three pre-configured domains. Two of them were unregistered and the researchers acquired them, which provided them with visibility into the population of affected devices.

This also provided security researchers with the ability to check the type of commands that are supported in the vulnerable setup. One of the interesting findings was that an explicit check was created to mask the fact that “/system/bin/debugsrun” and “/system/bin/debugs” were running. Their presence would be hidden or skipped in the user output, the researchers also say.

Deeper analysis revealed that the Java framework, too, had been modified to hide references to this process. The researchers found a modified next() method in the core java.util.Scanner class that excludes references to the aforementioned binary names, and say that the nextInt() method was modified to always return a pid of 10008 for those processes. What's more, the local SQLite database in which the binary logged events and stored and fetched system and user information was located at /system/bin/unint8int, the researchers reveal.

Although the researchers have no explanation on why the author of the process attempted to purposely hide the presence of both the process and local database on the device, they do say that the attempt wasn’t a comprehensive one.
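Because the hiding was done by patching the toolchain's own process enumeration (Scanner.next() and nextInt()), it shows up as a disagreement between what the device's `ps` reports and what an independent read of /proc shows. The Python check below is an added example, not code from AnubisNetworks or the CERT advisory; it cross-checks the two views and reports processes missing from `ps`, processes whose pid differs between the views, and pids reported more than once. Both fixtures are constructed to mirror the article (the two binary names and the constant pid 10008), not captured from a device.

```python
from collections import Counter

# Constructed fixture: `ps` output as the tampered device toolchain would report it.
# The two Ragentek binaries named in the article are absent, and the rewritten rows
# share one fixed pid, mirroring the modified java.util.Scanner.nextInt() described.
PS_OUTPUT = """\
USER     PID    PPID  NAME
root     1      0     /init
root     10008  1     /system/bin/servicemanager
root     10008  1     /system/bin/vold
system   1123   1     system_server
u0_a55   2201   1     com.android.chrome
"""

# Constructed fixture: an independent read of /proc/<pid>/cmdline, e.g. taken with a
# trusted toolchain pushed to the device rather than the firmware's own binaries.
PROC_CMDLINES = {
    1: "/init",
    312: "/system/bin/servicemanager",
    318: "/system/bin/vold",
    455: "/system/bin/debugs",
    461: "/system/bin/debugsrun",
    1123: "system_server",
    2201: "com.android.chrome",
}

def parse_ps(text):
    """Parse `ps`-style output into (pid, name) pairs, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append((int(parts[1]), parts[3]))
    return rows

def find_discrepancies(ps_rows, proc_cmdlines):
    """Cross-check the two process views and return a list of finding strings."""
    findings = []
    ps_by_name = {name: pid for pid, name in ps_rows}
    proc_by_name = {name: pid for pid, name in proc_cmdlines.items()}
    # 1. A process present in /proc but absent from ps output is being hidden.
    for pid, name in sorted(proc_cmdlines.items()):
        if name not in ps_by_name:
            findings.append(f"hidden: pid {pid} {name} not listed by ps")
    # 2. A process whose pid differs between the views has had its pid rewritten.
    for name, pid in ps_by_name.items():
        if name in proc_by_name and proc_by_name[name] != pid:
            findings.append(f"pid mismatch: {name} is {pid} in ps, {proc_by_name[name]} in /proc")
    # 3. One pid reported for several processes cannot happen on an untampered system.
    for pid, count in Counter(pid for pid, _ in ps_rows).items():
        if count > 1:
            findings.append(f"duplicate pid: {pid} reported for {count} processes")
    return findings

def audit(ps_text=PS_OUTPUT, proc_cmdlines=PROC_CMDLINES):
    """Run the cross-check; an empty list means both views agree."""
    return find_discrepancies(parse_ps(ps_text), proc_cmdlines)

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```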

Overall, over 2.8 million distinct devices, across around 55 reported device models, were observed connecting to the researchers’ sinkholes. Interestingly enough, some of the provided device models couldn’t be linked to real world devices, and the security researchers included all of them in an “Others” category.

Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

Thousands of security professionals flock to cybersecurity conferences such as RSA Conference and Black Hat, but what is the value of conferences to CISOs? Are any cybersecurity conferences more valuable than others for hiring and security strategizing?

Cybersecurity conferences have become a lucrative business for the organizers, the venues and the vendors that seek face time they would not otherwise have with participants. Multi-track, multi-session conferences introduce new concepts and approaches, and can provide a refresher in a particular topic. They can also be a means to comply with continuing professional education credits for maintaining a certification. Conferences do not help security professionals develop proficiency in any particular topic since the sessions are typically 50 to 90 minutes long. Even more technical seminars that include hands-on training for a certification do not replace actual on-the-job experience.

Thousands of people attend the RSA Conference, Black Hat, DEFCON and ISACA conferences. The majority of those who attend are professional cybersecurity practitioners, auditors, cybersecurity consultants, vendors and developers. But should the CISO attend or should she be satisfied with sending staff and focusing on those skills they deem necessary for their development?

CISOs are key targets for cybersecurity vendors. They will receive numerous calls and emails per day from vendors touting the best products and services in the market for their needs. Vendors will offer to pay for luncheons, free demos of their product, and even pay for a flight to their headquarters to try out their product and visit with key vendor staff and management. But, over time, the CISO will have most of her calls screened. Cybersecurity conferences are the perfect place for vendors to meet CISOs they would have otherwise had a difficult time meeting.

Most cybersecurity conferences will have CISO luncheons or special events for CISOs by invitation only. Free conference registration for CISOs is also likely. But is this of any value to the CISO? Of course they can and should be valuable. Cybersecurity conferences are a great opportunity for CISOs to become aware of new technologies, new cybersecurity protection and monitoring tools, and to network with other cybersecurity professionals and other CISOs.

CISOs need training just like anyone else. This training should not just cover how to be a better CISO, but should also include technical training to help better manage projects in the enterprise. However, the last thing a CISO wants is to get railroaded during vendor fairs by those whose calls she has purposely avoided -- which can be hundreds during a given month. The CISO can sometimes be a bit of a celebrity at these conferences. Vendors stumble over themselves to greet the CISO and grab whatever amount of time they can to introduce their product or service.

Another question is whether cybersecurity conferences are good venues to meet and identify potential candidates for hire. Unless the CISO happens to meet someone she likes, most cybersecurity conferences are geared toward providing education and vendor exhibits, not for hiring.

Regardless of the aim, CISOs should attend these conferences. They should go to keynote addresses, sessions of interest and the vendor fairs. CISOs can blend into the crowd of attendees if they do not want to be noticed, but they should attend the CISO luncheons to meet other CISOs and exchange business cards. Cybersecurity conferences are a good opportunity for CISOs to earn their continuing professional education credits. However, they should not feel obligated to have sponsoring vendors visit or have a proof of concept done unless there is a particular value.

This was last published in November 2016

SearchSecurity: Security Wire Daily News

The European Union has published its proposal (PDF) for a revised Regulation on the export of dual use goods. The primary purpose is to overhaul and simplify the existing controls that were designed to limit the proliferation of weapons of mass destruction (WMDs); but it also introduces new controls over the export of cyber surveillance and computer intrusion tools.

More explicitly, it aims at preventing "the misuse of digital surveillance and intrusion systems that results in human rights violations" in line with the 2015 Human Rights Action Plan and the EU Guidelines for Freedom of Expression. New laws are necessary because existing legislation does not provide sufficient control over cyber-surveillance technologies.

It is a difficult area since cyber-surveillance and intrusion are both recognized as legitimate practices for some governments and some law enforcement agencies (especially in the name of national security). The problem is to allow and even simplify sales and exports to acceptable companies and governments while restricting it from those companies and countries that might use it to abuse the human rights that are protected by the EU constitution.

Misuse of these technologies can have -- and have had -- dire effects; and this is explicitly acknowledged by the EU. These technologies, notes the Introductory Memorandum, have "been misused for internal repression by authoritarian or repressive governments to infiltrate computer systems of dissidents and human rights activists, at times resulting in their imprisonment or even death." Under such circumstances, it goes on, continued export of cyber-surveillance runs counter to the EU's own human rights requirements, "such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life."

The EU's proposed solution "sets out a two-fold approach, combining detailed controls of a few specific listed items with a 'targeted catch-all clause' to act as an 'emergency brake' in case where there is evidence of a risk of misuse. The precise design of those new controls would ensure that negative economic impact will be strictly limited and will only affect a very small trade volume."

Privacy International (PI) is one of the organizations that has long campaigned for stricter rules on the export of surveillance technologies. In a recent report (PDF) published in August 2016, it called for a new approach combining corporate social responsibility with export restrictions. "While pro-active due diligence on the behalf of companies is a necessary start," it suggests, "without instruments capable of restricting transfers and shining a light on the companies and the trade, surveillance technologies developed in and traded from the West will further undermine privacy and facilitate other abuses."

The export of encryption technologies is also covered in the new proposal. Encryption is considered 'dual use' and therefore regulated by many countries. However, different countries have different standards, and the EU has concluded that this gives those countries an unfair trading advantage.

The proposal is expected, says the Memorandum, "to improve the international competitiveness of EU operators as certain provisions - e.g. on technology transfers, on the export of encryption - will facilitate controls in areas where third countries have already introduced more flexible control modalities. The proposal's new chapter on cooperation with third countries is also expected to promote the convergence of controls with key trade partners and a global level-playing field, and thus to have a positive impact on international trade."

Details of the new Regulation were leaked in July. Since that time PI has lobbied the EU for additional improvements. In a statement sent to SecurityWeek, PI comments, "The eventual proposals only differ slightly however, with the main change being that the definition of 'cyber-surveillance' technology has been narrowed. The actual annex which contains a detailed list of what technology has been subject to control has also been published. In addition to spyware used to infect devices, mobile phone interception tech, and mass internet monitoring centres, the Commission has proposed to add unilateral EU categories. Currently these are listed as telecommunications monitoring centres and lawful interception retention systems."

While PI welcomes the new regulation, it believes it could be better and should have been done much sooner. It points out that more than half of the world's surveillance companies that it has identified are based in the EU, and that it has been known since 1979 that "a UK company had provided the necessary wiretapping technology to the genocidal regime of Idi Amin in Uganda." 

The proposals, says PI, "encapsulate the best and worst aspects of the European Union. Their stated intent reflects Europe's commitment to fundamental rights, and - as a regulation - it will be binding on all member states, massively magnifying the effect of any legislation." But it adds, "The policy making process has been marked by technical and bureaucratic complexities detached from individuals, making it vulnerable to the interests of industry, powerful national governments, and civil society."

FinFisher GmbH and Hacking Team are two EU companies that are likely to be affected by the new regulation. It would also have covered Vupen, had that company not closed down and resurrected itself as Zerodium in the US.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

SecurityWeek RSS Feed

Vulnerable: SuSE OpenStack Cloud 5
SuSE Manager Proxy 2.1
SuSE Manager 2.1
SuSE Linux Enterprise Software Development Kit 12 SP1
SuSE Linux Enterprise Software Development Kit 11 SP4
SuSE Linux Enterprise Server for SAP 12
SuSE Linux Enterprise Server 12-LTSS
SuSE Linux Enterprise Server 12 SP1
SuSE Linux Enterprise Server 11 SP4
SuSE Linux Enterprise Server 11 SP3 LTSS
SuSE Linux Enterprise Server 11 SP2 LTSS
SuSE Linux Enterprise Point of Sale 11-SP3
SuSE Linux Enterprise Desktop 12 SP1
SuSE Linux Enterprise Debuginfo 11 SP4
SuSE Linux Enterprise Debuginfo 11 SP3
SuSE Linux Enterprise Debuginfo 11 SP2
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux HPC Node 6
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux Desktop 6
Redhat Enterprise Linux Desktop 5 client
Redhat Enterprise Linux Client Optional 7
Redhat Enterprise Linux 7 Client
Redhat Enterprise Linux 5 Server
Oracle Enterprise Linux 7
Oracle Enterprise Linux 5
ISC BIND 9.5.1 P3
ISC BIND 9.5.1 P1
ISC BIND 9.5 a2
ISC BIND 9.5 a1
ISC BIND 9.4.3 P3
ISC BIND 9.4.3
ISC BIND 9.4.1 -P1
ISC BIND 9.4.1
ISC BIND 9.4 rc2
ISC BIND 9.4 rc1
ISC BIND 9.4 b4
ISC BIND 9.4 b3
ISC BIND 9.4 b2
ISC BIND 9.4 b1
ISC BIND 9.4 a6
ISC BIND 9.4 a5
ISC BIND 9.4 a4
ISC BIND 9.4 a3
ISC BIND 9.4 a2
ISC BIND 9.4 a1
ISC BIND 9.3.6 P1
ISC BIND 9.3.6
ISC BIND 9.3.5
ISC BIND 9.3.4
ISC BIND 9.3.3 rc3
ISC BIND 9.3.3 rc2
ISC BIND 9.3.3 rc1
ISC BIND 9.3.3 b1
ISC BIND 9.3.3 b
ISC BIND 9.3.3
ISC BIND 9.3.2 -P2
ISC BIND 9.3.2 -P1
ISC BIND 9.3.2
ISC BIND 9.3.1
ISC BIND 9.2.8
ISC BIND 9.2.7 rc3
ISC BIND 9.2.7 rc2
ISC BIND 9.2.7 rc1
ISC BIND 9.2.7 b1
ISC BIND 9.2.7
ISC BIND 9.2.6 -P2
ISC BIND 9.2.6 -P1
ISC BIND 9.2.6
ISC BIND 9.2.5
ISC BIND 9.2.4
ISC BIND 9.2.3
ISC BIND 9.2.2
ISC BIND 9.2.1
+ Caldera OpenUnix 8.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
+ SCO Unixware 7.1.3
ISC BIND 9.1.3
ISC BIND 9.1.2
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
ISC BIND 9.1.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Caldera OpenUnix 8.0
+ HP Secure OS software for Linux 1.0
+ Redhat Linux 7.1 ia64
+ Redhat Linux 7.1 i386
+ Redhat Linux 7.1 alpha
+ Redhat Linux 7.1
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
ISC BIND 9.0.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
ISC BIND 9.7.1-P2
ISC BIND 9.7.1 P1
ISC BIND 9.7.1
ISC BIND 9.7.0 P2
ISC BIND 9.7.0
ISC BIND 9.6.1-P3
ISC BIND 9.6.1-P2
ISC BIND 9.6.0-P1
ISC BIND 9.5.2-P2
ISC BIND 9.5.2-P1
ISC BIND 9.5.1b1
ISC BIND 9.5.0b2
ISC BIND 9.5.0b1
ISC BIND 9.5.0a7
ISC BIND 9.5.0a6
ISC BIND 9.5.0a5
ISC BIND 9.5.0a4
ISC BIND 9.5.0a3
ISC BIND 9.5.0-P2-W2
ISC BIND 9.5.0-P2-W1
ISC BIND 9.5.0-P2
ISC BIND 9.4.3b2
ISC BIND 9.4.3-P5
ISC BIND 9.4.3-P4
ISC BIND 9.4.3-P1
ISC BIND 9.4.2-P2-W2
ISC BIND 9.4.2-P2-W1
ISC BIND 9.4.2-P2
ISC BIND 9.3.5-P2-W2
ISC BIND 9.3.5-P2-W1
ISC BIND 9.3.5-P2
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 5

SecurityFocus Vulnerabilities

USN-3094-1: Systemd vulnerability | Ubuntu

Ubuntu Security Notices