Computer Crimes – Page 8

July 1, 2017

No More Data Retention in Italy?

Yesterday the Internet Traffic Mandatory Data Retention regulation expired without being re-enacted by the Parliament. This means that at the midnight of June, 30, all the Italian Telcos and ISPs just (or should have) deleted last year Internet usage information from their databases.

Maybe the Parliament and the Data Protection Authority just had a strike of consciousness and decided so, after having “forgotten” for years to stress test the national data retention legislation to check if it could still stands against the EU Court of justice 2014 decision that bashed the data-retention directive.

Or, maybe, the powers-that-be just forgot about the data-retention.

We’ll never know for sure, but fact is that current high profile criminal investigations are now deprived of an important information gathering tool.

May 28, 2017May 28, 2017

AntiPublic, British Airways and the Italian Data Protection Supervisor

Italy just discovered AntiPublic, the next data-leak with about half a million of personal accounts made publicly available by the lack of care of “trusted” websites in handling its “security measures”.

British Airways got a shut down of its IT infrastructure due, according to the Italian newspaper Repubblica.it, a lack of management of the business continuity plan.

This two cases, while unrelated, are both evidence of an infringement of the EU Data Protection Directive (95/46/CE).

In the AntiPublic data-leak the reason why is obvious, as it should be for the British Airways IT infrastructure “freeze”: business continuity, indeed, is one of the security measures that the Data Processor should enforce to avoid damages arising from the unavailability of personal data.

This is a challenge for the (Italian) Data Protection Supervisor. He can either look elsewhere, or open an investigation to ascertain what happened and who is the culprit of these personal data mismanagement.

The EU Directive 95/46 and his own case law? give the Italian Data Protection Supervisor the power to act even outside the national and European jurisdictions,? so there wouldn’t be a motive no to start an investigation.

So, if the Italian Data Protection Authority will actually starts poking around to find out the “truth”, then a message is sent to the business and civil servant community: we don’t need to wait for the General Data Protection Regulation (GDPR) to enter into force, to exercise our prerogatives against no matter who.

Should he, on the contrary, look elsewhere, the message would have a very different meaning. Citizen, companies and public services might be led to think that all the “early warnings” about the upcoming GDPR and the dire consequences of the non compliance are just a pre-emptive notice of some sort of “hidden tax payment through fines” approach, targeted against SME, some big Italian company and a couple of USA multinationals.)

In the meantime, AntiPublic & C shall continue to access unnoticed our personal data, while citizen will continue paying the consequences (in term of damages and lack of services) of the poor compliance to a set of provisions that, just yet, are felt as useless bureaucratic burden.

May 12, 2017May 12, 2017

When Security Becomes Service Disruption: the Banca Popolare di Bari Case

The message reads: For security reasons, this ATM doesn’t provide cash between Friday, 16,30 and Monday, 09,00. We are sorry for the inconvenience.

This way of looking at IT Security reminds me of those Security “Managers” who were use to advise to unplug the Ethernet cable at the daily close of business, to put it back the very next day.

Security can’t be a way to make the customers’ life more miserable. The challenge of a Security Manager is exactly the opposite: let customers doing their business while keeping the environment safe.

March 29, 2017

There Is No Such Thing as “Information” Security

There is no such thing as “information” security. Continue reading “There Is No Such Thing as “Information” Security”

October 1, 2016October 1, 2016

Phoney and the forensics value of Iphone chat

Phoneys is a software that allows a user to change the content of an Iphone chat thus altering the meaning of the conversation.While this is just an entertainment software, it might have some disturbing impacts on a possible criminal investigation.

Indeed, SMS, chat transcripts and messages are routinely used as a source of evidence by lawyers and prosecutors on the basis that if something is on a phone it can be hardly be faked. Of course, this is not always true, of course evidences must be corroborated by independent checks, of course the legal community is not that dumb to give face value to a text on a phone screen. But…

Phoneys allows a malicious person to create a prima facie deceiving fact, by exploiting the fact that a message has actually been sent, thus leading the investigator into thinking that a conversation took place with the intended correspondent. In an emergency context, the necessity of taking immediate action might push him to under evaluate what has been shown as “evidence”, thus jeopardizing the final result.

Maybe this is a either a minor or non-existent issue. But judicial reality has proven to be more surprising then legal-thriller. So, next time you’re confronted with a message as an evidence, why not double check?

Just in case…