Archive for the Category disclosure


Five good points on Security in ENISA’s recommendation to the European Union

Last December I ranted a bit about Swedish security politics and just a couple of days ago ENISA - the European Network and Information Security Agency - released a report with recommendations on how to structure cyber security efforts within the European Union. Below are a few points that caught my attention.

Related to our lack of information on what is really going on out there:

“We recommend that the EU introduce a comprehensive security-breach notification law.”

“We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.”

How else are we going to get a good picture of what is actually happening to others and how much it has cost them? My experience says that companies are getting really tired of hearing fictional stories and FUD. We need this.

Related to our inability to act on issues:

“We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.”

The Internet has no boundaries. If a computer or network in Sweden is compromised and maliciously managed from Poland, the respective ISP needs to be responsible for disconnecting that machine and must be held liable if it doesn’t. Our laws need teeth.

Related to vulnerabilities and patches:

“We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.”

“We recommend security patches be offered for free, and that patches be kept separate from feature updates.”

Without a proper picture of where our vulnerabilities are, how are we supposed to define our risk? Before the patch is available, how are we supposed to counter a specific vulnerability with a countermeasure? A law that requires vendors to quickly notify their customers and the public about a vulnerability will allow companies to make the strategic decisions that are necessary. And of course patches should be free.

Last but not least, we need to collaborate on cybercrime.

“We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.”

Incidents happen to everyone; it’s just a question of when. Therefore, every company needs to plan for incident response. So does every nation and union.

Kudos to ENISA for a good report.

The difficulty of disclosure and how to do it right

A couple of days ago I learnt from IDG about the disclosure of 100 e-mail accounts from parliaments and other high-profile targets world-wide. The incident is also covered in international zines like the Register and Vnunet.

What’s interesting about this is the decision made by the consultant to disclose the information, and his reasoning:

“Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies.”

Let’s leave the ethical and moral discussion aside, which is in fact too obvious to warrant discussion, and instead focus on the difficulty of disclosing this kind of information. Let’s identify the difficulties of informing 100+ victims that their e-mail accounts have been compromised:

  1. Who do we inform of the compromised accounts? We can try the accounts themselves, but we can’t be sure that someone else using the credentials won’t remove the e-mail. Do all parliaments have a website? Do they have a technical contact? Just searching for an e-mail address to send the information to might be very time consuming.
  2. Who would understand what we were saying? Even though saying “I have login credentials to your e-mail and can read your e-mail” would likely catch anyone’s attention, few would understand the extent and seriousness of this. Just getting their attention might be time consuming.
  3. Who would believe what you were saying? Prove it, they would say. Yeah, on 100+ accounts.

So what should you do?

  • Contact and inform your national incident response team of the situation. Hand them the information and let them own the case. They have the time and resources, and will likely be very keen to help, especially in this case since it is of national interest. I, for instance, would contact SITIC.
  • Another possibility is to work with a security partner who has the contacts, experience and resources to notify the affected parties.

This is an example of why we need the security industry.