This October, Serbia took part for the third time in European Cyber Security Month, organised by ENISA, the European Union Agency for Network and Information Security. The Serbian National Internet Domain Name Registry Foundation (RNIDS) organised a panel debate titled Mobile Safety in Serbia, held on 15th October in the Belgrade Cultural Centre’s ArtGet Gallery.
Panel members were experts from all areas of significance to Internet security. They addressed a variety of questions: what the main threats to Internet security are for ordinary and business users, how we can protect ourselves, what state institutions are doing and what is expected of them, whether and how much we think about security, who handles our data and where they keep it, and what the main dangers are that we face online.
In the first block, titled Security of mobile networks and applications, the participants looked at the issues surrounding software security and application privacy from a variety of points of view.
“Unfortunately, early research suggests that probably most applications in use today do not take nearly enough care over the security and privacy of their users. They have numerous weaknesses and can be abused by malicious third parties, often remotely, without the knowledge of the phone’s owner. Sometimes these risks are the consequence of hurried development, carelessness or a lack of knowledge of the security and privacy aspects of the software development cycle. Applications that work with personal or financial data can be especially sensitive – such as e-banking applications, for example,” explained Dragan Pleskonjić, Senior Director of Application Information Security at International Game Technology.
Vladan Joler, director of the Share Foundation, said that web portals in Serbia are increasingly being targeted by DDoS attacks, which block access to their content, as well as by attacks on the integrity of their databases. “The authorities have not yet shed light on these cases. Journalists have faced social engineering attacks, theft and falsification of their online identity and unauthorised access to private communication. Over the last two years we have seen a major increase in the number of cases of breach of human rights in the online environment in Serbia,” added Joler.
The keynote topic of the second block was New projects and initiatives in the area of cyber-security. Among other subjects, Vladimir Radunović, director of the cyber-security and e-diplomacy programme at the DiploFoundation, said that the unique nature of the online risk was that not only could each and every one of us become a victim, but that we could also become an attacker (even without our knowledge).
“Every device connected to the net can be vulnerable to attack, but each can also become a weapon to be used to mount attacks. The lack of protection of devices, as well as carelessness, can allow a criminal (or attacker with some other motive) to take over the device remotely and use it for a cyber-attack (as part of a botnet). This tells us that the traditional approach to security – like gun control – is not possible in cyberspace, since digital devices and the Internet itself are primarily good and useful tools which serve individuals, companies, hospitals, schools, factories and critical infrastructure; but they can become dangerous weapons,” said Radunović, and added that because 80% of the Internet infrastructure was not in the hands of states, security services could not themselves secure the Internet, nor could telecoms companies, nor could anyone else do it alone.
The moderator of the Mobile Security in Serbia panel debate was Slobodan Marković, RNIDS’ advisor for ICT policy and Internet community relations, who said that Internet security was poorly regulated in Serbia and not enough attention was paid to it. “Other than the Interior Ministry’s Department for High-Tech Crime, which investigates cyber-crime, we still have no single institution which would work systematically on improving IT security. The basic framework for the operation of such an institution should be provided by the new Law on Information Security, which is being drafted by the Ministry of Trade, Tourism and Telecommunications. This bill, expected to be passed into law by the end of this year, should be the first step in bringing order to this area. There will be plenty of work for everyone – both the state and the private sector,” Marković said.
- OWASP SeraphimDroid mobile app:
- Draft Law on Information Security (in Serbian): mtt.gov.rs/download/Nacrt%20zakona%20o%20informacionoj%20bezbednosti.pdf
- Report by the CERT working group: rnids.rs/dokumenti/izveštaj-radne-grupe-za-cert
- Share Foundation research: Invisible infrastructure: permissions on mobile devices (in Serbian): labs.rs/sr/nevidljive-infrastrukture-dozvole-na-mobilnim-uredajima