A few months after NIS 2 entered into force, security shortcomings continue to be found in many commercial sectors covered by the European Directive, and beyond. The situation is well known, but it remains serious and sometimes even involves the institutions themselves.
What is happening
That the NIS 2 Directive would not be enough to solve Italy’s cybersecurity problems was clear to everyone, and I doubt anyone hoped for such a bold outcome. It is nevertheless disarming to keep seeing data breaches in which personal data (sometimes special-category data under the GDPR) are exposed with very little regard.
What is happening, then, is that circulars, directives, decrees, agencies and authorities follow one another without substantially changing the way data are managed. None of these measures, in fact, seems to instil the right ‘data culture’ in some companies that strut around with websites worthy of a fashion designer but which, on the whole, manage data in a shameful manner. Let us start with some cases of private companies.
The case of private security

One of the recent cases concerns the private security sector, which carries out many types of activities, from patrolling by agents to remote video surveillance of the places to be protected; the latter is of particular interest here. These companies often hold the access credentials to the video surveillance systems of hundreds of customers, and hold them in a totally insecure manner. A frequent pattern is the following:
| Customer | IP:port | Username | Password | Type of access |
|---|---|---|---|---|
| Mario Rossi | “”””””:80 | admin | admin | Browser |
| Giulia Bianchi | “”””””:80 | admin | password | DSS |
| Neri Pharmacy | “”””””:9001 | pharmacy | blacks | Browser |
| Neri Shopping Centre | “”””””:513 | centre | commercial | Browser |
From the statements made by the attackers, the inspections carried out within some of these companies, and the analysis of the data breaches they suffered, a double responsibility is evident:
- On the one hand, the incompetence of those who collect this data, often in an Excel file without any access protection, without the slightest concern that the file might be stolen or that someone might gain unlawful access to it.
- On the other hand, the complete neglect of those who expose camera feeds on ports such as 80, protected by credentials as ridiculous as those shown in the table.
The table is clearly a constructed example, but it is identical in complexity to the lists found in real data breaches, which makes it both fitting and rather frightening.
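As an added example (not code from the article, and not from any of the companies it describes), the script below audits a credential inventory laid out like the table above and flags the weaknesses it illustrates: vendor-default pairs, a default with a digit appended, passwords shorter than twelve characters, passwords built from the customer’s own name, and web interfaces reachable without TLS. The CSV is constructed, and the default-credential list, the length threshold and the rule that only port 443 counts as TLS are this example’s assumptions rather than any standard.

```python
"""Audit a credential inventory for the weaknesses seen in the table above.

Added example, not code from the original article: the CSV is constructed to
mirror the columns of that table (host and port split into two fields), and
the default-credential list, the 12-character threshold and the "only port
443 is TLS" rule are this example's own assumptions, not any standard.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample inventory: fictitious customers, reserved documentation
# addresses (RFC 5737) and passwords as weak as the ones shown in the article.
SAMPLE_CSV = """Customer,Host,Port,Username,Password,Access
Mario Rossi,198.51.100.10,80,admin,admin,Browser
Giulia Bianchi,198.51.100.11,80,admin,password,DSS
Neri Pharmacy,198.51.100.12,9001,pharmacy,neri,Browser
Neri Shopping Centre,198.51.100.13,513,centre,commercial,Browser
Valori Trasporti Srl,198.51.100.14,443,admin,admin1,Browser
Studio Verdi,198.51.100.15,443,operator,Z7!kq#Lp2vR9xWm,Browser
"""

# Vendor defaults commonly found on camera and DVR web interfaces (assumption:
# an illustrative subset; extend it from the vendor documentation you rely on).
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password"),
                 ("admin", "12345"), ("admin", "")}
CLEARTEXT_PORTS = {80, 81, 8000, 8080}
MIN_PASSWORD_LEN = 12


@dataclass
class Finding:
    customer: str
    issues: list[str] = field(default_factory=list)


def _name_tokens(text: str) -> set[str]:
    """Words of three or more letters from a customer name, lower-cased."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if len(t) >= 3}


def audit_entry(row: dict[str, str]) -> Finding:
    """Apply the checks to one inventory row and collect the issues found."""
    user, pw, port = row["Username"], row["Password"], int(row["Port"])
    issues: list[str] = []

    # Exact vendor default, or a default with a digit suffix such as admin1.
    if (user, pw) in DEFAULT_PAIRS:
        issues.append("default credentials")
    elif (user, re.sub(r"\d+$", "", pw)) in DEFAULT_PAIRS:
        issues.append("default credentials with digit suffix")

    if len(pw) < MIN_PASSWORD_LEN:
        issues.append(f"password shorter than {MIN_PASSWORD_LEN} characters")

    # A password built from the customer's own name is guessable from the
    # inventory even after the password column has been redacted.
    if any(tok in pw.lower() for tok in _name_tokens(row["Customer"])):
        issues.append("password derived from the customer name")

    # Assumption: only port 443 is treated as TLS; a browser-managed device
    # on any other port is taken to be a cleartext web interface.
    if port in CLEARTEXT_PORTS or (row["Access"] == "Browser" and port != 443):
        issues.append(f"web interface exposed without TLS on port {port}")

    return Finding(row["Customer"], issues)


def audit_inventory(csv_text: str) -> list[Finding]:
    """Audit every row of a CSV inventory with the columns of SAMPLE_CSV."""
    return [audit_entry(row) for row in csv.DictReader(io.StringIO(csv_text))]


def report(findings: list[Finding]) -> list[str]:
    """One line per flagged customer plus a summary line; clean rows omitted."""
    lines = [f"{f.customer}: " + "; ".join(f.issues) for f in findings if f.issues]
    lines.append(f"{len(lines)} of {len(findings)} entries flagged")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_inventory(SAMPLE_CSV))))
```

An inventory that can be fed to a script like this as cleartext is itself the first finding; the value of the audit is in quantifying how many customers a single stolen spreadsheet exposes, which is the number to put in front of whoever decides whether the entries move into a vault with per-operator access and whether each device gets TLS and non-default credentials.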
The case of valuables transport

In 2022, during a vulnerability assessment, a flaw was discovered in the vehicle tracking system of a company in charge of transporting valuables. The company had exposed the entire tracking portal on the Internet, protected by credentials similar to these:
Username: admin
Password: admin1
Access to the system allowed every vehicle to be tracked in real time, with its position, speed, fuel level, stops made and a further set of data. During the vulnerability assessment it emerged that the system was essentially unprotected and, among other things, allowed messages to be sent to the smartphones of the drivers of the armoured vehicles, including a change of route. The experiment was carried out and succeeded perfectly.
URG.RIT.
EARLY RETURN
12:00AM
DST: MELZO
DST: GIOIELL.*******
DST: VIA ******
Brief details on the delivery of the material followed. When the cash van arrived at the indicated street, there was no jeweller’s shop and the street was a dead end. The agents in the vehicle had asked for no confirmation; they had simply done what was requested. In a routine ‘post-incident’ interview, the agents explained that they trusted the message because it came from the official communication channel.
The institutional case of ACN
A different matter, but still indicative, is the one currently affecting the National Cybersecurity Agency (ACN). If the basic idea is that the culture of data is lacking in many ‘end users’, it is worth considering that institutions may sometimes lack it too. In the last few hours, Andrea Mavilla, a cybersecurity researcher, has been brought into the discussion by ‘Il Fatto Quotidiano’ in the article ‘Institutional online numbers, computer scientist Mavilla: I warned them, but for them it is just a hoax’. Mavilla had promptly reported on LinkedIn, to ACN’s official channel, the presence of a database that allegedly contained the numbers of numerous public figures, including in the political sphere (among them the private number of the President of the Republic, Sergio Mattarella). The reply from ACN, as reported by Il Fatto Quotidiano, was as follows: ‘For us there is no database. There are official channels to communicate. In case, we will evaluate.’ The problem is that the actual response, the one published on LinkedIn, is in some ways even worse.

While it is true that Mavilla’s communication came through an unofficial channel, it is equally true that a statement of that kind could not be handled with an ‘in case, we will evaluate’, which implies that he should first have repeated the report through those channels and only then, perhaps, would it have been evaluated. As it turned out, the report was accurate; it was verified by a newspaper rather than by the National Cybersecurity Agency, and the public prosecutor’s office has now opened a file.
Mavilla’s original post was a comment on LinkedIn, and ACN’s actual response was rather more serious than the one reported, as it excluded any evaluation at all.

Below is the entire exchange between Mavilla and ACN, including the Agency’s institutional replies.
[Mavilla]: But if I told you that all your data is online, would you believe me? Names and surnames of employees with their institutional and personal e-mails, followed by mobile and landline numbers.
[ACN]: Andrea Mavilla no.
[Mavilla]: National Cybersecurity Agency , I could start with Dr Roberta Raso and work my way up to the switchboard operator. I have already written to Dr Raso sending the full list. Try asking. 😜
[ACN]: Andrea Mavilla thank you, then do the same with the head of communication.
[Mavilla]: National Cybersecurity Agency, I wrote in addition to Bruno F
[ACN]: Bah, it looks like a hoax to us. Greetings.
[Mavilla]: National Cybersecurity Agency, my intention is not to create controversy, but to point out a real problem. I could publish the entire list of your data, but instead of an acknowledgement for having warned you, I would risk a denunciation for dissemination of sensitive or protected information. However, the real responsibility lies with those who failed to adequately protect them. If you would like to discuss this further, you can email me and I will gladly reply. Alternatively, you can check with the people on the list I have shown you, in which I have deliberately left out only the first initial of the surname.
ACN’s initial response (‘no’) and the subsequent one (‘thank you, then do the same with the head of communication’) reveal the quality of the government agency’s interaction with a citizen who is declaring that he may have a sensitive database in his hands. Moreover, he is declaring this in writing and taking full responsibility for it. This, too, is what we are talking about when we address the issue of ‘data culture’: how a government agency in charge of cybersecurity interacts with an external party that declares it holds potentially relevant information.

So, faced with a written statement made on an unofficial channel by a citizen who takes responsibility for a potentially very relevant claim, the institutional response of the National Cybersecurity Agency was:
Bah, it looks like a hoax to us
The reader can judge the institutional stature of that reply against an alternative such as: Please write to us at this address so that we can better verify what you are saying. Best regards.
Conclusions
With regard to private companies, it should be made clear that the strategy adopted is often to conceal the incident: I have had several encounters with the executives and legal departments of many of them. The attitude of ‘let’s not raise the dust’ is widespread and is, unfortunately, the most common behaviour. On the other hand, it is also true that honesty, ethics, respect and intelligence are not very widespread characteristics. Although sanctions and controls are an excellent incentive to bring barely decent situations into line, the most serious problem remains that a culture of data cannot be imposed.
As for the case involving ACN, the seriousness lies not only in the attitude but in the quality of a response that pre-empted any formal verification. There were two errors, one of form and one of substance, and the second, if possible, is even more serious than the first.
The culture of data must be built generation after generation, taking care to train new managers who are sensitive to the subject and technically and legally prepared. One cannot think of imposing on a company a professional ethic that it clearly does not have and does not even want to have. It is therefore a problem of building a culture that will take a long time to consolidate and which, in the meantime, must be enforced by other methods.
While it is true that culture cannot be imposed, it is equally true that it must be enforced, and here customers could exercise their rights by walking away from companies that mistreat their personal data or expose them to unnecessary risks. The main problem is that often, as shown above, it is the customers themselves who mistreat their personal data first: they give them away, expose them and share them without any regard whatsoever. Multidisciplinary training in cyber risk is the main technique for building the missing culture required to manage sensitive services such as video surveillance. It is a complex activity, difficult to deliver because it requires an adequate training team, prepared and clear in its exposition but above all engaging.
Of course, everything becomes more difficult when it is not the private entity but the institutional one that betrays these expectations. Then there is little to do but start worrying.