IT Security – Page 17

May 12, 2017May 12, 2017

When Security Becomes Service Disruption: the Banca Popolare di Bari Case

The message reads: For security reasons, this ATM doesn’t provide cash between Friday, 16,30 and Monday, 09,00. We are sorry for the inconvenience.

This way of looking at IT Security reminds me of those Security “Managers” who were use to advise to unplug the Ethernet cable at the daily close of business, to put it back the very next day.

Security can’t be a way to make the customers’ life more miserable. The challenge of a Security Manager is exactly the opposite: let customers doing their business while keeping the environment safe.

March 29, 2017

There Is No Such Thing as “Information” Security

There is no such thing as “information” security. Continue reading “There Is No Such Thing as “Information” Security”

December 23, 2016December 23, 2016

EUCJ and the Data Retention and Investigatory Powers Act

A friend of mine asked a quick commentary about a Telegraph news about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abid to a one-year Internet traffic data retention period.
Here is my answer:

It is clear that the EUCJ is following its political agenda.
As I said countless times, law enforcement and national security aren’t subjected to the might of the data-protection directive so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are note informed about the retention. There is a law that set forth the duty, so the citizen are supposed to know about it (ignorantia legis non excusat.)
Again, the article and – I suppose – the EUCJ confuses fairly different things: GCHQ is intelligence and – as such – is well out of reach from the DP directive. Other public bodies have the right to perform their investigation to guarantee the respect of the law.
So, the actual problem is quis custodies ipsos custodies. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable.)

October 27, 2016

Privacy Shield Dead-On-Arrival?

As expected, Privacy Shield has been challenged in front of the EUCJ.

Before wasting time and money trying to comply with this DOA thing, it would be safe to wait for the judgement.

October 1, 2016October 1, 2016

Phoney and the forensics value of Iphone chat

Phoneys is a software that allows a user to change the content of an Iphone chat thus altering the meaning of the conversation.While this is just an entertainment software, it might have some disturbing impacts on a possible criminal investigation.

Indeed, SMS, chat transcripts and messages are routinely used as a source of evidence by lawyers and prosecutors on the basis that if something is on a phone it can be hardly be faked. Of course, this is not always true, of course evidences must be corroborated by independent checks, of course the legal community is not that dumb to give face value to a text on a phone screen. But…

Phoneys allows a malicious person to create a prima facie deceiving fact, by exploiting the fact that a message has actually been sent, thus leading the investigator into thinking that a conversation took place with the intended correspondent. In an emergency context, the necessity of taking immediate action might push him to under evaluate what has been shown as “evidence”, thus jeopardizing the final result.

Maybe this is a either a minor or non-existent issue. But judicial reality has proven to be more surprising then legal-thriller. So, next time you’re confronted with a message as an evidence, why not double check?

Just in case…