Hackers Expose Gaping Holes in North Macedonia’s IT Systems

North Macedonia’s officials are trying to persuade the country that after hackers recently leaked dozens of email addresses and passwords from staffers in public institutions, the situation is under control.

But, as they did so, some key pages of the Skopje city government’s website had been unreachable since Thursday – in what looked like yet another serious breach of cyber-security.

Some pages on Skopje city’s official website, including the one about taxes, are currently marked not secure for use due to an “expired security certificate” – which experts said could lead to another breach of data privacy.

Web browsers such as Mozilla and Google Chrome blocked access to some of the pages on the skopje.gov.mk website, meaning that the system could either be vulnerable to a hacker attack, or that the website’s users could be vulnerable to a “man-in-the-middle attack”, or MITM.

This is when attackers secretly alter communications between two sides and steal key information, such as passwords, messages or credit card numbers.

The latest security breach came after a Greek hacking group called “Powerful Greek Army” leaked dozens of email addresses and passwords from staffers in North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica – and bragged about their exploits on Twitter on May 10.

When and how the hackers got into these systems is still unclear, but both North Macedonia’s Interior Ministry, which is in charge of cyber-crime, and the Greek authorities promised a swift joint investigation.

Recently, the Powerful Greek Army hacker group also took down the website of the Institute for Sociological, Political and Juridical Research at the country’s main Sts Cyril and Methodius University in Skopje.

Over the past few years, the government has promised to take action following a series of sophisticated and coordinated IT security breaches and hacker attacks on websites containing citizens’ data.

But some consider the country’s current response to cyber threats far too weak.

Speaking about the latest May 10 attack, the authorities shrugged off the threat, insisting that the hacked email accounts could not be accessed with the leaked passwords or with any other data sets. The data obtained by the hackers was more than seven years old, dating from 2013, they added.

“We have no evidence that the current email systems of those institutions have been hacked lately, and we are investigating all the details related to this case,” the government said in an upbeat statement.

It added that official email systems had been updated since 2013, and that protocols with complex passwords for official email addresses have been set, as well as other cybersecurity protocols in the systems that should reduce the risk of systems being compromised.

However, experts warn that although some steps have been taken, they are far from meeting the criteria that are needed. They say the latest incident should be seen as a warning about the kind of cybersecurity practices now being used in the country.

Experts say too many old operating systems are still being used, leaving state institutions vulnerable to hacker attacks, while staffers in these institutions lack proper training on security protocols.

A 2018 study on the cost of data breaches by the Ponemon Institute, which conducts independent research into data protection, said an average public-sector data breach could cost up to 2 million euros.

Government data breaches are meanwhile two-and-a-half times more likely to remain undetected for a year or more than those in the private sector, said a report by The Daily Swig, which focuses on bugs, viruses and data security issues.

In 2018, North Macedonia’s then government adopted a national strategy and an action plan on cyber-security, but little has been done since.

In recent years, there have been other examples of poor protection of state institutions. Last year, a former member of parliament was arrested for hacking into the Central Registry.

In 2015, the Ministry of Information Society and Administration and the State Prosecution Office were among several institutions targeted by a hacker group, believed to have ties with jihadist groups in the Middle East.

Outdated operating systems are a big concern



One of the major problems for North Macedonia’s IT systems is that most of the operating systems are outdated, and so are more vulnerable to attacks.

“The security of IT systems in the country most often does not meet the necessary standards,” Milan Popov, a Skopje-based cyber-security engineer with years of experience of IT security in the public sector, told BIRN.

“Old operating systems are still being used, websites often do not use security certificates, and weak passwords are used to log into systems,” he added.

“For example, many state institutions are still using the Windows XP system, known for its security vulnerabilities. All this leads to a great danger of compromising systems and potentially extracting sensitive data from users,” Popov continued.

The government adopted a national strategy and an action plan for cyber-security for the period of 2018-2022 in July 2018. The strategy aimed to define the critical infrastructure, and the role of each institution regarding cybersecurity efforts as a whole.

In 2019, it also formed a National Council for Cyber-security, comprising the ministers of Interior, Defence and Information Society. Although it was two years in the making, the council has held only one meeting so far, in January this year, when it held a constitutive session.

Regarding its goals, the council has stated that it will aim to implement the recommendations and cybersecurity practices of fellow NATO-member countries.

Strong and resilient cyber-defences are part of NATO’s core tasks of collective defence, crisis management and cooperative security.

One of NATO’s main objectives is strengthening its members’ capabilities in cyber-education, training and exercises. Member countries are also committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.

According to the government budget for 2020, the country is investing just over 6 million euros in institutional IT support, from a projected budget of 71.6 million euros. The same amount was spent on IT support in 2019.

Staff need more education in IT security



The email list published by the Powerful Greek Army hackers was also concerning because employees of the Ministry of Economy and Finance might have used the same passwords for other accounts.

The attack aimed to reveal just how weak the system’s IT protection was. The hackers also promised a return visit. On their Twitter profile they wrote that they would “not stop attacking Skopje”.

The leaked lists contained examples of worryingly weak passwords. According to cyber-security experts, this alone was a cause of concern when it comes to the security of the administrative systems and the data of employees.

“Some of the security concerns here include password leaks, plaintext passwords, passwords that contain a part of the last name, are only in letters or only in numbers, are shorter than eight characters, and are without special characters,” Martin Spasovski, a Skopje-based software engineer, told BIRN.

Some of the methods that hackers use to steal passwords are phishing, password spraying, or keylogging. When it comes to passwords, he said users should always pay attention to password strength. In most cases, a strong password policy can make a difference in preventing such attacks.

To prevent more such incidents, state institutions have to educate IT staff more about the various challenges that hacking threats pose, experts note. “Protection requires a serious investment of hardware and software, but the most crucial need is to educate the IT staff on how to use all of this,” Popov emphasized.

“It’s also extremely important to educate non-IT staff on how to recognize various hazards such as social engineering, malicious websites, or working with sensitive data.”

A study conducted by international cybersecurity scholars in 2018 reached similar conclusions about the importance of training.

“Within public institutions, training in cybersecurity issues both for IT staff and general staff is very limited, and it is often at the discretion of management whether a member of staff is permitted to attend a general cybersecurity training or certification course,” it noted.

The Defence Ministry, one of the main components of the cyber-security critical infrastructure, says it regularly conducts cyber-security training for its employees.

“During 2019, 10 trainings on raising cyber-security awareness were conducted, in which 152 ministry employees participated. The Army also conducted training that covered over 1,200 members,” the Defence Ministry told BIRN in a statement.

For 2020, the Defence Ministry planned to conduct training for 150 employees that was supposed to start in April, but had to delay it because of the pandemic measures.

“Securing the cyberspace, being of utmost importance to all organizations involved in the digital world in any aspect, is the main focus of the Cybersecurity Specialist Academic Track – part of the Computer Networks Academy at SEDC,” Toni Todorov, senior DevOps engineer with SEDC, one of the country’s biggest computer education centres, told BIRN.

“Governments across Europe are heavily investing (and will invest even more) time and resources in raising awareness and remediating the threat to the security of their citizens, especially the digital kind,” Todorov added.

Question Marks over Slovak Quarantine App Fuel Privacy Concern

A lack of detail on a new smartphone app designed to help authorities in Slovakia track people in home quarantine is raising doubts about its compliance with data privacy rules and fuelling conspiracy theories.

With 28 confirmed deaths to date, Slovakia tops the chart of European countries with the lowest number of COVID-19 victims per capita, a source of pride for politicians and healthcare workers.

But the country is also one of the last in Central and Eastern Europe to introduce any kind of digital technology to help tackle the pandemic.

Last week, parliament passed a bill introducing an app to keep tabs on those in quarantine at home, after the country’s Constitutional Court halted development of a contact-tracing app that had triggered concern over the need for the mass collection of data.

The quarantine app was due to go live on May 18, but authorities postponed the launch saying more testing was needed.

Created by the Slovak IT firm Sygic, the app avoids the need for any mass collection of data, but a lack of detailed information, particularly regarding how the data will be stored and who will have access to it, has many Slovaks worried.

Data rights activists say that, while the government must do what it can to save lives, it must also be transparent in order to earn the trust of the people.

“We understand that this difficult time calls for quick and maybe non-traditional solutions, but we can’t forget the [need for] clear communication, which would dispel concerns about a possible abuse of private data,” said Andrea Cox, director of Digital Intelligence, which works to promote the protection of digital rights in Slovakia.


Constitution vs. public health

For the past two months, Slovaks returning to the country have had to go into state-run quarantine facilities where they are tested for the novel coronavirus and, if negative, allowed home.

But Slovakia’s government, led by Igor Matovic and his anti-establishment OLANO party, has faced widespread criticism over conditions at the facilities.

The government now says the new, voluntary app – based on face biometrics and movement data – will allow people to self-isolate at home if they would rather not enter a state-run facility.

The data will be monitored by the Slovak Public Health authority, which, under the new law, must destroy a person’s data as soon as the required quarantine period is over.

It is still not known, however, where the data that is collected will be stored and who will have access to it.

Introduction of the app follows a Constitutional Court ruling last week that suspended telecommunications legislation adopted in April and that cleared the way for the mass collection of data from smartphones, effectively slamming the brakes on development of a contact-tracing app. Judges ruled that the Telecommunications Act was not specific enough and left unclear how private data would be handled.

It lacked, they said, “necessary guarantees against the misuse of the processed private information” and means of independent oversight.

Matovic said he was confident the new home-quarantine technology would pass muster.

“I think the constitutional court decision cannot prevent us from making the quarantine stay more comfortable for people,” he told a press conference on May 14.

But data privacy advocates are unconvinced.

“It is unacceptable for apps that could affect the everyday life of Slovak citizens to not be communicated properly,” said Eliska Pirkova, Europe Policy Analyst at Access Now, an international data rights advocacy group, during an online discussion on May 15 about the erosion of data rights during the COVID-19 crisis in Slovakia.

“We all know that technologies have the power to discriminate and breach not just the right to privacy, but other rights too. This is what I see as a problem in Slovakia.”

Technology and public trust

Poor communication has created a vacuum in Slovakia filled by misinformation and conspiracy theories about a potential COVID-19 vaccine, the origin of the coronavirus and the threats to privacy posed by new technology.

Marian Kotleba, leader of the neo-fascist People’s Party Our Slovakia, LSNS, that won eight per cent of votes in Slovakia’s February general election, has shared conspiracies about microchips being implanted into people against their will, while former Prime Minister Robert Fico, leader of SMER-SD, has accused Matovic’s government of planning to spy on people via their phone data.

According to a survey conducted by the Slovak Academy of Sciences, a large majority of voters for both parties believe the coronavirus was created in a lab and deliberately disseminated, while just 40 per cent of Slovaks say they would get vaccinated against COVID-19 once a vaccine becomes available.

“Insufficient communication creates space for those who shout the loudest, although they often talk rubbish, from the absurdities about microchips and manipulations to the 5G networks,” Cox told the May 15 online discussion, referring to a conspiracy theory that 5G mobile technology helps spread the virus.

“We want to believe,” she said, “that in designing the latest technological solutions, the officials have kept in mind questions like digital exclusion or discrimination caused by the lack of internet access, or social oversight.”

Need for vigilance

As countries emerge from lockdown, the development of smartphone apps to combat the spread of COVID-19 is being watched with mounting concern by human rights organisations concerned at their potential for abuse.

“Some restrictions on people’s rights may be justifiable during a public health emergency, but people are being asked to sacrifice their privacy and turn over personal data for use by untested technologies,” Deborah Brown, senior digital rights researcher at Human Rights Watch, said last week.

“Containing the pandemic and reopening society are essential goals, but we can do this without pervasive surveillance.”

Erik Lastic, head of the political science department at the Comenius University in Bratislava, said the pandemic had only further underlined the failure of the Slovak state to keep pace with technology. For years, corruption and incompetence have stymied efforts to create an effective digital public administration system. 

“The last decade, at the least, has shown that the state is failing in the development of any information systems,” said Lastic, also taking part in the online discussion. “It would be very unrealistic to expect that the pandemic can suddenly change that.”

Lastic said it was “good” that legislation introduced to combat COVID-19 was limited to the end of 2020, but that the experience of some countries, particularly in sidestepping legal restraints in the fight against terrorism since the 9/11 attacks on the United States, showed the need for vigilance.

“It would be naïve to trust that the state would limit itself and that it wouldn’t use tools that had worked well for it once,” he said.

Hiljade.kamera.rs: Community Strikes Back Against Mass Surveillance

Serbian citizens have launched the website hiljade.kamera.rs as a response to the deployment of state-of-the-art facial recognition surveillance technology in the streets of Belgrade. Information regarding these new cameras has been shrouded in secrecy, as the public was kept in the dark on all the most important aspects of this state-led project.

War, especially in the past hundred years, has propelled the development of exceptional technology. After the Great War came the radio; the decades after the Second World War brought us McLuhan’s “global village” and Moore’s law on historic trends. Warfare itself has changed too – from muddy trenches and mustard gas to drone strikes and malware. Some countries, more than others, have frequently been used as testing grounds for different kinds of battle.

Well into the 21st century, Serbia still does not have a strong privacy culture, which has been left in the shadows of past regimes and widespread surveillance. Even today, direct police and security agencies’ access to communications metadata stored by mobile and internet operators makes mass surveillance possible. 

As appearances matter most, control over the flow of information is a key component of power in the age of populism. We have recently seen various developments in this context – Twitter shutting down around 8,500 troll accounts pumping out support for the ruling Serbian Progressive Party and its leader and the country’s President Aleksandar Vucic. These trolls are also frequently used to attack political opponents and journalists who expose the shady dealings of high-ranking public officials. Reporters Without Borders and Freedom House have noted a deterioration in press freedom and democracy in the Balkan country.

However, a new threat to human rights and freedoms in Serbia has emerged. In early 2019, the Minister of Interior and the Police Director announced that Belgrade will receive “a thousand” smart surveillance cameras with face and license plate recognition capabilities, supplied by the Chinese tech giant Huawei. The governments of Serbia and China have been working on “technical and economic cooperation” since 2009, when they signed their first bilateral agreement. Several years later, a strategic partnership was forged between Serbia’s Ministry of Interior and Huawei, paving the way to the implementation of the project “Safe Society in Serbia”. Over the past several months, new cameras have been widely installed throughout Belgrade.

This highly intrusive system has raised questions among citizens and human rights organisations, who have pointed to Serbia’s interesting history with surveillance cameras. Sometimes these devices have conveniently worked and their footage is somehow leaked to the public, and in some cases, they have not worked or recordings of key situations have gone missing, just as conveniently. Even though the Ministry was obliged by law to conduct a Data Protection Impact Assessment (DPIA) of the new smart surveillance system, it failed to fulfil the legal requirements, as warned by civil society organisations and the Commissioner for Personal Data Protection.

The use of such technology to constantly surveil the movements of all citizens, who are now at risk of suddenly becoming potential criminals, has run counter to the fundamental principles of necessity and proportionality, as required by domestic and international data protection standards. In such circumstances, when there was no public debate whatsoever nor transparency, the only remaining option is a social response, as reflected in the newly launched website. 

“Hiljade kamera” (“Thousands of Cameras”) is a platform started by a community of individuals and organisations who advocate for the responsible use of surveillance technology. Their goals are citizen-led transparency and to hold officials accountable for their actions, by mapping cameras and speaking out about this topic to the public. The community has recently started tweeting out photos of cameras in Belgrade alongside the hashtag #hiljadekamera and encouraged others to do so as well.

The Interior Ministry has yet to publish a reworked and compliant Data Protection Impact Assessment (DPIA) but the installation of cameras continues under sketchy legal circumstances.

Bojan Perkov is a researcher at SHARE Foundation. 


Facebook Takes Axe to Pages Showing ‘Inauthentic Behaviour’

Facebook’s April 2020 Coordinated Inauthentic Behaviour Report, published on May 5, said a total of eight networks of accounts, Pages and Groups were removed in the last month for violating the social media giant’s policy against foreign and domestic interference. 

The report said that these influence operations were “coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation”.

The media giant said it was working to stop coordinated inauthentic behaviour in the context of domestic and non-state campaigns as well as behaviours acting on behalf of a foreign or government actor.

Two of the removed networks, originating from Russia and Iran, were focused on international issues and were trying to interfere in Bosnia and Herzegovina, Hungary and Serbia, the report said.

As for Russia, Facebook removed 46 Pages, 91 Facebook accounts, 2 Groups, and 1 Instagram account “for violating the policy against foreign interference which is coordinated inauthentic behaviour on behalf of a foreign entity”.

It said this activity originated not only from Russia but from the Donbass region in eastern Ukraine and the Russian-annexed Crimean Peninsula. The people behind it posted in Russian, English, German, Spanish, French, Hungarian, Serbian, Georgian, Indonesian and Farsi, focusing on a wide range of regions around the world.

“The individuals behind this activity relied on a combination of authentic, duplicate and fake accounts – many of which had been previously detected and disabled by our automated systems. 

“They used fake accounts to post their content and manage Groups and Pages posing as independent news entities in the regions they targeted,” the report said, adding that the networks posted about geopolitical and local news including topics such as the military conflict in Ukraine, the Syrian civil war, the annexation of Crimea, NATO, US elections, and more recently the coronavirus pandemic.

Facebook’s investigation linked the activity to people in Russia and Donbass as well as to two media organizations in Crimea, NewsFront and SouthFront. 

Following the report, SouthFront dismissed the claims that it offered misleading coverage concerning the coronavirus pandemic and said it does not operate from Crimea, calling it all “blatant lies”.

A total of $3,150 was spent for ads on Facebook and Instagram and was paid for primarily in US dollars, Russian rubles, and Euros, the report added.

Facebook also removed 118 Pages, 389 Facebook accounts, 27 Groups, and 6 Instagram accounts originating from Iran. 

This activity was focused on a wide range of countries globally, including Algeria, Bangladesh, Bosnia, Egypt, Ghana, Libya, Mauritania, Morocco, Nigeria, Senegal, Sierra Leone, Somalia, Sudan, Tanzania, Tunisia, the United States, Britain and Zimbabwe.

These accounts, the report said, “sometimes repurposed Iranian state media content and posted primarily in Arabic, Bengali, Bosnian, and English about geopolitical and local news relevant to each region including topics like the civil war in Syria, the Arab Spring protests, the tensions between Libya and Turkey, criticism of Saudi involvement in the Middle East and Africa, Al Qaeda’s actions in Africa, the Occupy movement in the US, criticism of US policies in the Middle East and the 2012 US elections.”

As for the people behind the coordinated activity, the Facebook investigation found links to the state Iranian Broadcasting Corporation. 

The remaining six networks of accounts, Pages and Groups that were also taken down were based in the US, Georgia, Myanmar and Mauritania, and were targeting domestic audiences in their home countries.

In total, Facebook removed 732 accounts, 793 Pages, 200 groups and 162 Instagram accounts. The report said they were also sharing misinformation about the COVID-19 pandemic.

“All of the networks we took down … in April were created before the COVID-19 pandemic began, however, we’ve seen people behind these campaigns opportunistically use coronavirus-related posts among many other topics to build an audience and drive people to their Pages or off-platform sites. 

“The majority of the networks we took down this month were still trying to grow their audience, or had a large portion of engagement on their Pages generated by their own accounts,” the report noted.

Contact Tracing: Europe’s Coronavirus Tech Tangle

As countries across Europe gingerly ease restrictions imposed to fight the spread of COVID-19, governments are looking for tech-based solutions to avoid a resurgence in infections.

Experts agree that one of the most effective ways to do this is to introduce some kind of social-tracing system to let people know if they have come into contact with anyone later reported infected. Once alerted, they can self-isolate before further spreading the virus.

European countries are at different stages in developing COVID-19 social-tracing apps that governments can encourage — not require — people to install on their smartphones.

Since privacy watchdogs have decried the use of location data, most nations have chosen Bluetooth-based technology as the best way of registering potential contact with those who have been infected.

While most states in Western and Southern Europe are still tinkering with the technology, some countries in Central Europe have had tech-based solutions for social tracing up and running for weeks. The Czech Republic and Poland are leading the way.

Playing their own game

An Apple iPhone running a test version of the ‘Next Step’ smart phone app using Decentralized Privacy-Preserving Proximity Tracing (DP-3T) to trace COVID-19 infections, in Darmstadt, Germany, 26 April 2020. Germany has changed its course in the debate over a coronavirus tracing app, favoring decentralised data storage over a centrally managed server. Photo: EPA-EFE/BEN WENZ

In Poland, people returning from abroad are required to stay at home for two weeks of quarantine. The government asks them to download an app to verify they are complying with the rules. At random times, users are requested to take selfies and upload them to prove they have not left the house. 

The Polish Ministry of Digital Affairs is also grappling with a Bluetooth-based social-tracing app intended for wider use.

“We’re still working on the application,” Joanna Debek, a communications officer at the ministry, said in a phone interview. “It will be released very soon.”

But it is the Czech Republic that leads the pack when it comes to “fast-track” COVID-19 measures. 

The country was one of the first EU member states to declare a state of emergency, on March 12. And only a week later, it became the first EU country to make it mandatory for everyone to wear face masks in public. 

The Czech tech sector was also quick to act. In mid-March, the country’s largest search engine, Seznam, introduced a coronavirus tracing feature on its geolocation app, Maps.cz. With a user’s permission, it draws on location data to inform people if they have crossed paths with anyone who has tested positive. 

A month later, the Czech Health Ministry released a Bluetooth-based social tracing app known as eRouska (eMask). The app anonymously detects pairings among different devices on which the app has been installed. Similar technology is now being developed all across Europe.

The app is integrated into a more complex solution called the Smart Quarantine, which combines data from cell phones and payment cards. With a user’s permission, local hygiene stations can use this data to isolate individuals who have come into contact with infected people. 

Jan Kulveit, a senior researcher at the Future of Humanity Institute at Oxford University, is one of the two main strategists for the system developed by Covid19.cz, a group of Czech tech companies and IT enthusiasts working on tech-based solutions out of the current crisis. He said developing an app is the easy part.

“The tricky part is to ensure that these technical solutions are somehow integrated into a system that local hygiene stations can obtain information from, and then act upon,” he said in a phone interview. 

“In this sense, the Czech Republic is a few weeks ahead of Germany and most other European countries. We’re actually currently in contact with several countries who expressed their interest in our model.” 

Coders without borders

A man uses a Swedish version of the COVID-19 Symptom Tracker app on his smartphone in Stockholm, Sweden, 29 April 2020. Lund University developed the application to provide information about the spread of the coronavirus disease COVID-19 in Sweden. Photo: EPA-EFE/Fredrik Sandberg

A key question is how to turn a patchwork of national systems into something that is “interoperable across the EU so that citizens are protected even when they cross borders”, as the European Commission said in a recent news release.

One initiative that sprang up to address the problem is Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT).

Headed by Hans-Christian Boos, a Swiss tech entrepreneur who sits on German Chancellor Angela Merkel’s digital expert council, PEPP-PT is an attempt to create a European-wide solution to the “coronavirus tracing problem”. 

“We’re now in contact with 40 countries worldwide,” Boos told BIRN in a phone interview. “We started as a European project, but maybe we’ll have to rename it now; there are countries from all around the world contacting us.” 


Boos and his team of scientists from across Europe have been developing a set of standards, mechanisms and technologies that could serve as a backbone for various interoperable apps.

Many Western and Southern European governments including France, Belgium, Italy and Spain have pledged to develop their national apps using the standards put together by PEPP-PT, Boos told a news conference last month. 

But no Central or Eastern European country has publicly expressed interest in the initiative. 

“I know that there are countries among those 40 from Eastern Europe,” Boos told BIRN. “They’re interested. I mean why shouldn’t they be?” 

However, since BIRN’s interview with Boos in mid-April, PEPP-PT has had a downhill ride. 

On April 19, more than 300 scientists and researchers published an open letter urging governments not to introduce systems that could “allow unprecedented surveillance on society at large.” 

Although the open letter does not name any specific initiative, the criticism is widely seen as directed at the PEPP-PT social-tracing approach, until then favoured by key EU member states Germany and France. 

Many researchers say the PEPP-PT strategy is too centralised and vulnerable to governmental “mission creep”. This is due to the fact that, under this scheme, user data would be stored on a central server. 

Since the open letter was published, a growing number of researchers have called for the use of a decentralised contact-tracing protocol called DP-3T, developed by Swiss researchers in collaboration with a technology partnership between Apple and Google. 

This has prompted several countries to ditch PEPP-PT for DP-3T. Switzerland, Austria and Estonia are backing the decentralised approach, according to Reuters.

But the biggest blow for Boos and his team came on April 24 when Germany announced it would also adopt a “decentralised” approach, leaving France and Britain alone in the “centralisation” camp. 

Officially, the Czech Health Ministry has left the door open for cooperation with PEPP-PT. 

“We’d like to work with them in the future on standardisation and interoperability of different national solutions,” a ministry spokesperson said in an email. 

But Kulveit from the Future of Humanity Institute expressed skepticism about the pan-European PEPP-PT solution.

“I think that, in the end, the interoperability of all the individual European apps will be based on the Google-Apple solution,” he said.

“In any case, countries shouldn’t be just waiting for one, pan-European solution before developing their own domestic social-tracing apps. You can always just update the protocol later to make them [the apps] talk to each other.” 

COVID-Related Boom Reveals Video Conferencing’s Dark Side

More than ever before, because of the coronavirus outbreak, use of video conferencing is on the rise.

Whether it is attending work meetings or online seminars and conferences, or taking part in leisure activities like online fitness classes and birthday parties – video conferencing and social media apps have brought huge relief, and a sense of continuity, to people feeling trapped inside their homes by government-imposed lockdowns.

However, while the coronavirus wreaks havoc outside, this time of increased online activities has also generated growing challenges. While some of the most popular video conferencing and video sharing apps, such as Zoom, Houseparty, and TikTok, have seen record-breaking growth in the numbers of users, the apps have also faced serious data breaches and other cybersecurity-related issues.

Cybersecurity experts say that while use of the apps has clearly reduced the risk of people getting infected with the virus by going outside, the same isn’t true of the viral problems that spread in cyberspace.

“Disclosure of personal data, recording sensitive information, or storing people’s profiles on unauthorized servers are some of the risks that go hand in hand with the use of video-conferencing tools,” says Skopje-based cybersecurity practitioner Daniel Trenchov.

“Greater use of virtual telecommunication tools does eliminate pandemic-induced risks,” he adds, “but not necessarily cybersecurity ones.”

Zoom ‘bombing’ is on the rise:


Last Friday, Michael Oghia, a Belgrade-based internet governance consultant, was getting ready for his weekly Zoom conference call with colleagues all over the world.

Usually, the group uses these meetings to chat and discuss ongoing social developments. This time, however, they experienced something more unpleasant.

“Around 45 minutes into the event, when one of the speakers went to share his screen, all of a sudden a child pornography video appeared. Once I realized what was happening, I immediately shut my laptop out of shock,” Oghia said.

“I couldn’t believe it. For a moment I thought that maybe it didn’t even happen. Then re-entered the Zoom call and wanted to see if the others had experienced it. Around 15 or 20 minutes later, another Zoom-bombing happened – again child porn. It was absolutely vile,” Oghia told BIRN.

“Zoom-bombing” incidents like this have become a regular occurrence for those using the app lately. In the last few months, since the coronavirus outbreak started, the app has seen the number of daily users increase hugely from 10 million to 300 million.

After the incident, Oghia contacted Zoom to report what had happened. The company replied that it would investigate.

“Zoom-bombing is on the rise, and in this particular case, I’ve heard of multiple instances over the past few days of it happening (one group was the UK-based Open Rights Group, for instance),” Oghia explained.

“There will always be issues with safety concerns, but this is no excuse. I’ve used Zoom for years, and the ease of using the platform and the features it has have made video-conferencing easier. But they need to do an even better job at ensuring their privacy and making sure the security features are clear and easy to use.”

The incident prompted Oghia and his colleagues to prepare a short “zoom-bombing” prevention and resources guide to help others that are using Zoom and other video conferencing software.

In its latest statement, Zoom said that it would release an improved version of the app, addressing security concerns about phenomena like “bombing”, while also having upgraded encryption features.

More education in safe use of apps needed:


When it comes to the security of video-conferencing apps, several factors are crucial, cybersecurity experts explain. One is having a proper education in the safe use of these social tools.

“These apps have a very useful role and that is why their use should not be avoided, but it is necessary to educate ourselves more, to provide the highest possible protection,” a Skopje-based personal data protection expert, Ljubica Pendaroska, told BIRN.

It is essential to note that not every app is designed for use at home. Zoom was designed for use by large businesses with in-house IT specialists who would set up and control the software when using it, Pendaroska explained.

Now, especially during lockdowns, while Zoom is still mostly used for business purposes, people are using it more for family events such as birthdays, or even wedding celebrations.

“Potential hazards also come from the fact that these apps detect and remove issues most often on the go, or as they occur,” she said.

“What’s particularly concerning is that most of these tools are not encrypted by end-user to end-user, which increases the possibility of so-called ‘interception’ of communications by unwanted and malicious participants,” she added.

Houseparty, another popular video conferencing app, has also faced intense security scrutiny over the last months.

The app is popular with teenagers and youngsters who use it to play various group games, giving it a more fun-based approach compared to other apps. At the same time, these groups are potentially vulnerable to various security issues that can arise.

“There are also apps, for example like Houseparty, where to make it easier to find friends, you can connect your account with phone contacts and social media accounts,” Pendaroska noted. “This enormously increases the potential danger not only for your safety but also for the safety of all these contacts,” she added.

“There could be hacker attacks; during the meeting, the administrator can see details such as the operating system, IP address and location data of each of the participants; also, uninvited users in the communication, if the password is not authenticated, could use the conversation to spread malicious links or send files,” she explained.

Espionage concerns linked to China: 


TikTok, a Chinese video-sharing social network, is increasingly popular in the Balkans, especially among teenagers who post various challenges to each other, such as dance-offs, sing-offs and so on.

But in some parts of the world, there are initiatives to ban it. In the US, lawmakers have introduced a bill to the Senate, which cites the company’s connection to the Chinese government, saying its potential collection of data from US citizens represents a security risk to the US.

Global cybersecurity companies have also identified many security vulnerabilities in the app that could allow malicious actors to manipulate its content and reveal the personal data of its users.

Cybersecurity experts say one way that tech companies could deal with such security risks and the consequences for their users is by having transparency reports.

“This could also include independent security audits of their code looking for weaknesses and flaws – akin to what Microsoft and Apple do with their operating systems, or what Google does with its “bug bounty” program,” Oghia suggested.

When it comes to the users themselves, the best prevention is to know not only what these apps bring to the table, but just as importantly, what their software solutions and vulnerabilities are.

Research by Picodi.com, an international e-commerce platform, says interest in video messaging clients has increased by seven times since the coronavirus restrictions were introduced in many European countries.

WhatsApp was the most frequently searched messaging app in 22 European countries. It is also a favourite app in the Czech Republic, Albania, Romania and Turkey.

Worldwide interest in the Zoom video app is skyrocketing, in Europe as well, with it being the most popular app in 14 countries, including Moldova, North Macedonia and Slovenia.

Besides WhatsApp and Zoom, people were massively using Skype in Hungary, Poland, Slovakia and Greece; Viber in Bosnia and Herzegovina and Montenegro; and Microsoft Teams in Croatia and Bulgaria.

Picodi.com analyzed the average number of online search queries of 19 messaging clients which enable video chatting.

Tech Giants Urged to Preserve Blocked Content About Virus

A total of 75 signatories, including Balkan Investigative Reporting Network, BIRN, have signed a letter asking social media and content-sharing platforms to preserve all data they’ve blocked or removed during the coronavirus pandemic and make it public for researchers and journalists in the future.

“We understand that many platforms have increased their reliance on automated content moderation during the pandemic, while simultaneously removing misinformation and apparently inaccurate information about COVID-19 at an unprecedented rate,” the letter, published on Wednesday, says.

However, the signatories argue that this data will be of great importance to researchers, journalists as well as people working in public health. 

“This is also an unprecedented opportunity to study how online information flows ultimately affect health outcomes, and to evaluate the macro- and micro-level consequences of relying on automation to moderate content in a complex and evolving information environment,” the letter reads.

The signatories ask companies to preserve all data on content removal including but not limited to information about which takedowns did not receive human reviews, whether users tried to appeal takedowns as well as reports that were not acted upon.

They also ask companies to produce transparency reports with information about content blocking and removal related to the novel coronavirus as well as to allow researchers and journalists to access this data, recognizing that privacy will need to be ensured. 

“It will be crucial to develop safeguards to address the privacy issues raised by new or longer data retention and by the sharing of information with third parties, but the need for immediate preservation is urgent,” the letter further reads.

The letter will be sent to social media giants and companies including Facebook, Twitter, Google, Pinterest, Wikimedia, Reddit, Vimeo, Verizon Media and Microsoft.

Apart from BIRN, other organisations that signed the letter included the Center for Democracy & Technology, the Committee to Protect Journalists, Reporters Without Borders, Syrian Archive, PEN America and others. 

Ever since the COVID-19 outbreak started, a lot of information about the virus has spread online, including potential disinformation, fake news and conspiracy theories. 

In a bid to curb this disinformation, many social media outlets have started deleting such content. At the end of March, for example, Facebook deleted a video from Brazilian President Jair Bolsonaro in which he claimed that hydroxychloroquine was effective in treating COVID-19.

Twitter also deleted a tweet about a homemade treatment by Venezuelan President Nicolás Maduro, while YouTube banned conspiracy theory videos linking COVID-19 symptoms to 5G networks. 

North Macedonia Leads Region in COVID-19 Tracing App

North Macedonia has become the first country in the Western Balkans to launch a contact-tracing app to tackle the spread of COVID-19, with the government at pains to stress user data will be protected.

StopKorona! went live on April 13 as a Bluetooth-based smartphone app that warns users if they have come into contact with someone who has tested positive for the novel coronavirus, based on the distance between their mobile devices.

The app, downloaded more than 5,000 times on its first day, was developed and donated to the Macedonian authorities by Skopje-based software company Nextsense.

States are increasingly looking at digital solutions to control the spread of COVID-19 as they move to open up their economies while limiting the burden on their health services. The European Union and data protection campaigners, however, have voiced concern over the threat such technology poses to individual privacy.

Presenting the app, Health Minister Venko Filipce said North Macedonia was looking to use “all tools and possibilities” to combat a disease that, as of April 15, had killed 44 people.

Information Society Minister Damjan Manchevski said all data would be securely stored.

“This data is recorded on a secure server of the Ministry of Health,” Manchevski said at the launch. “And no other user has access to mobile numbers, nor is there any data stored about the owner of the number.”

If a person tests positive for COVID-19, they can “voluntarily” submit their data to the Ministry of Health, Manchevski said, enabling the app to warn other users if they come into contact with that person.

Data privacy concerns linger


Macedonian Minister of Health Venko Filipce accompanied by Prime Minister Oliver Spasovski in Skopje, Republic of North Macedonia, 2020. Photo: EPA-EFE/NAKE BATEV

China, Singapore, Israel and Russia are among a number of countries that have developed their own coronavirus mobile tracking apps, mainly using Bluetooth, GPS, cellular location tracking and QR codes. The Chinese government app colour codes citizens according to risk level.

The technology, however, has set alarm bells ringing among data protection campaigners and rights organisations concerned about the threat posed by mass surveillance and loosening of data protection laws.

Nextsense director Vasko Kronevski, however, said his firm’s StopKorona! app adhered to all legal requirements.

“This is a mobile app made by following best practices around the world in dealing with the coronavirus,” he said. “It guarantees the complete protection of users’ privacy.”

“The success will depend on the mass use of the application. It is important to emphasise that we used global experiences from different countries.”

One of those examples is Singapore’s TraceTogether app, which helped the Asian country successfully contain the COVID-19 outbreak within its borders while, unlike most countries, keeping businesses and schools open.

According to data privacy experts, the decentralized design of North Macedonia’s app guarantees that data will only be stored on those devices that run it, unless they voluntarily submit it to the ministry.

“The key part is that the citizen maintains full control over their data until the moment they decide to send it to the Ministry after being diagnosed,” said Danilo Krivokapic, director of the Serbia-based digital rights watchdog SHARE Foundation.

“Additionally, all data stored on the phone is being deleted after 14 days,” he told BIRN. “In that context, the app is in line with the legislation that covers Data Protection.”

Krivokapic stressed that once data is shared with the authorities, the Ministry and all data users are obliged to respect the legal framework regarding privacy and data protection.

EU countries warming up to digital solutions


People wearing face masks in Skopje, Republic of North Macedonia, 2020. Photo: EPA-EFE/GEORGI LICOVSKI

France and Germany are reported to be working on similar contact-tracing apps, while Poland has made the biggest progress within the EU.

Polish authorities have already launched a smartphone app for those in quarantine and are now working on another, similar to StopKorona!

The first app was mandatory for people in quarantine, meaning that they had to upload selfies so the authorities could track their exact location.

According to Krzysztof Izdebski, policy director at ePanstwo Foundation, a Poland-based NGO that promotes transparency and open data, the coronavirus pandemic has already posed significant threats to privacy, with governments deploying technologies primarily created for the surveillance of their citizens.

With the second app, the Bluetooth-based ProteGO, authorities have published the app’s source code online, to get feedback and opinions from IT experts before implementing it.

So ProteGO, said Izdebski, is an example of an app that is trying to meet privacy requirements.

“The data is stored on personal devices for up to two weeks, and only if the user is sick and agrees to share data with respective authorities, they are being sent to the server – without information on the location,” Izdebski told BIRN.

And while digital solutions such as these could become a game-changer in containing the outbreak, experts note that success still depends on how many people are willing to use them.

“For the technical solution to have some results, a substantial number of citizens need to run the apps and to decide to share their data in case they are diagnosed,” said SHARE Foundation’s Krivokapic. “This way, the app can serve its purpose.”

Romania: From ‘Hackerville’ to Cybersecurity Powerhouse

First there was Guccifer, real name Marcel Lazar Lehel, who hacked the email accounts of the Bush family in the United States; then came Hackerville, the moniker given to the town of Ramnicu Sarat due to the international cybergangs it was home to.

Fairly or not, hackers put Romania on the global online map, honing their skills to strike Internet users and companies in the West, particularly the US.

But today, 30 years since the fall of communism, IT and cybersecurity firms are looking to tap the same rich vein of ambition, ingenuity and education that made Romanian hackers so feared and famous.

“Romania is currently one of the largest pools of talent in the IT&C space,” said Bogdan Botezatu, senior e-threats analyst at Romanian antivirus and cybersecurity giant Bitdefender. 

“Based on our tradition in STAMP [Software Testing Amplification] and research, universities deliver engineers, reverse engineers, people who are highly skilled in IT.”

Romania, he said, is already internationally recognised in the field of cybersecurity, and has the potential to play an even greater role.

Made in Romania – a global leader in cybersecurity

Bitdefender is one of the global leaders in cybersecurity, with more than 500 million customers worldwide and a network of research labs in Romania – the largest such network in Europe – to combat online threats.

Some 40 per cent of the antivirus and digital security companies on the market currently use at least one technology developed by Bitdefender. Such success is unparalleled in Romania, a European Union member state where almost no other company has a significant international footprint.

From Bucharest and other Romanian cities, Bitdefender’s experts have led or participated in operations to halt some of the most damaging cyber attacks the world has seen in recent years. 

In 2018, Bitdefender partnered with Europol, Interpol, the FBI and police in a number of EU countries to take down a group of hackers – believed to be from Russia – behind a ransomware called GandCrab. The inventors of the malware sold it on to other hackers who used it against private and corporate users.


View of the Bitdefender’s central headquarters in Bucharest. Photo: BIRN

“It became such a large phenomenon that half of the ransomware attacks happening at that moment were caused by GandCrab,” Botezatu told BIRN. 

“We managed to decrypt [the computers of] 60,000 victims, saving the victims around 70 million dollars.”

Despite its unusual level of sophistication, GandCrab was created as a way for the private individuals behind it to steal other people’s money.

Another type of cyberthreat, however, is state-sponsored and is known among experts as Advanced Persistent Threats, or APTs. 

The goal in this case is to undermine the functioning of key strategic foreign infrastructures or steal secret information from other states. That was the purpose of NotPetya, or GoldenEye, which emerged in 2017 as the work of hackers suspected to have been working for the Kremlin.

These hackers infected the update servers of an accountancy product widely used in the Ukrainian state administration. Every time a Ukrainian public servant updated the program, the virus entered his or her computer and encrypted all its files.

The virus had a worm component and quickly contaminated the entire networks to which infected computers were connected, bringing, for example, the Kiev metro to a halt and shutting down at least one airport, several banks and the radiation monitoring system at Chernobyl.

It spread globally, including to Romania, where Bitdefender took charge of the preliminary investigation that led to the identification of the virus after its researchers identified a pattern in the threats suffered by many users of their antivirus products. 

‘You can’t trace them back’

Like the rest of the former Soviet bloc, Romania spent more than four decades under communism, when education placed a premium on scientific and technological training. 

That expertise – and a resourcefulness developed under communism and during the painful transition to capitalism and democracy after 1989 – is now at the disposal of the EU and NATO as they try to combat cyber threats from Russia and other countries vying for a geopolitical upper hand.

And the Romanian state is doing its bit too, via bodies like the Romanian Information Service, SRI, an intelligence agency that took part in investigations that led to the 2018 exposure of Russian state involvement in a cyber espionage and warfare group called Fancy Bear. 

Also known as Sofacy or APT28, Fancy Bear targeted governments and civil society organisations in countries including the Netherlands, Britain, Germany, Romania and the US.


Bogdan Botezatu from Bitdefender. Photo: BIRN

The fact that the infections happened between 9 a.m. and 5 p.m. Moscow Standard Time led investigators to conclude they were being launched from government offices, said Botezatu of Bitdefender, which uncovered the campaign in 2015.

“Behind these kinds of attacks there is a country, and particularly the intelligence community of that country,” said General Anton Rog, head of SRI’s Cyberint centre.

“Of course, governments don’t act directly; through their intelligence services, they infiltrate or create these cybercrime groups in a way that you can’t trace them back to say that they work with an information service.”

Most APT attacks, Rog told BIRN, are mounted in order to steal sensitive information. “It is a modality of espionage,” he said, “but through cables and cybernetic tools.” 

SRI’s Cyberint centre relies on tip-offs from foreign agencies, technology that recognises abnormal online activity and cyber informers.

Hybrid attacks

Sometimes the dividing line between financially motivated attacks and APTs becomes blurred, as in the case of the malware family known as Cobalt Strike.

Cobalt Strike was used by the so-called Carbanak group from Russia and Ukraine to extract more than one billion euros from around 100 banks in over 40 countries, including Romania.

“The technology used is [characteristic of an] APT, but the motivation is strictly financial,” said Botezatu. 

Bitdefender conducted ‘post-mortems’ at two of the affected banks. Botezatu said the malware was “extremely sophisticated”, managing even to access the banks’ payment systems.

“With that level of access, the nefarious individuals authorise fraudulent bank transfers, raise the balance of mule accounts or command affected ATMs to spit out the money for them,” Europol said in a statement on the arrest in Spain of alleged Carbanak leader ‘Denis K’ in a 2018 operation that Romania took part in.

“Our suspicion is that… these attacks are used to make money to sponsor strategic attacks,” said SRI’s Rog. “In our evaluation, we take into account the fact that these groups have members who are in contact with governments or information communities,” he told BIRN, noting the costs and human and technical resources needed to develop malware like Cobalt Strike.

“They [governments] don’t want to spend money from their budget, they want to steal money from other countries and sponsor strategic attacks with it,” Rog said.

Strong cybersecurity “ecosystem”

To strengthen security at home and boost Romania’s role in the global cybersecurity game, SRI’s Cyberint centre says it is trying to create “an ecosystem” already being nurtured by courses offered by Cyberint at several universities across the country.

Likewise, Bitdefender partners with universities and high schools in training the next generation.

They may be people like Alexandru Coltuneac, a White Hat Hacker so called because of his transition from developing an Internet virus as a teenager to using his self-taught skills to help giants like Google, Facebook, PayPal, Microsoft and Adobe test their product security.

“I have set myself a target,” Coltuneac told BIRN. “I want to find at least one vulnerability in a product of each big company.”

Coltuneac, who is one of a number of Romanian White Hat Hackers recognised by Google and other companies as stars of ‘bug hunting’, now runs his own company together with a colleague.

Called LooseByte, the firm offers businesses cybersecurity tests and services to improve their protection levels.

Coltuneac said he finds pleasure in outsmarting the world’s best professionals.

“It’s a way of doing hacking without harming anyone,” he said.

Croatian Proposal to Track Self-Isolating Citizens Alarms Critics

As Croatian MPs discussed a proposed law amendment that would allow authorities easier access to citizens’ information amid the ongoing coronavirus epidemic, opposition lawmakers warned that it could limit citizens’ rights to freedom of movement and their privacy.

Last week, the government, led by the conservative Croatian Democratic Union, HDZ, proposed a change of the Electronic Communications Act under which, in extraordinary situations, the health minister would ask telecommunications companies to provide data on the locations of users’ terminal equipment.

While MPs accept that the aim of the proposal is legitimate – to control people prescribed self-isolation, due to numerous violations of such orders – many of them complained that the government did not elaborate the proposal clearly, or with enough safeguards.

Social Democrat MPs and some other parliamentary groups have submitted an amendment seeking more clarity about who can be monitored, how long the surveillance will last, and what authorities will do with the data they collect. They also said the subject of monitoring must be regularly informed that he or she is under surveillance.

On Wednesday, Ombudsperson Lora Vidovic suggested amendments to the proposal, urging that the restriction should apply only “to narrow, clearly and precisely defined situations, only when the health and lives of citizens could not otherwise be effectively protected.

“Clear criteria should be explicitly defined in the law, which will ensure the implementation of this measure over precisely defined categories of citizens, for example, those who have determined self-isolation by the competent authorities,” Vidovic said in a press release.

MPs are also debating whether such law changes could be passed by an urgent procedure in parliament, as the government wants, or by a simple majority of MPs, or whether a two-thirds majority is needed, as restrictions of such rights are a constitutional matter.

Article 17 of the constitution states that “individual constitutionally guaranteed freedoms and rights may [only] be restricted during a state of war or any clear and present danger to the independence and unity of the Republic of Croatia or in the event of any natural disaster”.

Under the constitution, imposing such restrictions must be decided by a two-thirds majority of all members of parliament.

However, MPs will not vote on the issue on Wednesday since the speaker, Gordan Jandrokovic, has announced that he will first seek the opinion of the Constitutional Court on the proposed “restricting of citizens’ freedoms”, which, he said, were only introduced to protect citizens against coronavirus infection.
