International Telecommunication Union   ITU
 
 
 Friday, November 05, 2010

Facebook admitted late last week that some developers have sold user IDs (UIDs) to data brokers. The popular social-networking site said it has taken steps to prevent this in the future, including a six-month suspension of some developers. In a post Friday on the company's Developer Blog, Facebook's Mike Vernal said the company has "discovered some instances where a data broker was paying developers for UIDs." He noted that fewer than a dozen developers were involved, mostly small ones, and that none of the apps were in the top 10 on the platform. He also noted that some sharing of UIDs happened "inadvertently" due to "an issue with the way that web browsers work." He added that no evidence was found that this "sharing" resulted in the collection of private user information. With a user ID, a user's public information, including name, can be found. The Journal found that at least one data broker, RapLeaf, had correlated the user IDs with its own database of Net users, and had shared the Facebook IDs with other firms.

This kind of data correlation can help to create a user behavioral profile. RapLeaf said the sharing wasn't intentional, and has agreed to remove all the UIDs it has. The company is no longer allowed to conduct activities on the Facebook platform.

 

(Source: News Factor Network)

Friday, November 05, 2010 5:25:49 PM (W. Europe Standard Time, UTC+01:00)
 Friday, October 29, 2010

A former IT staffer has been sentenced to a year and a day in prison for stealing sensitive information belonging to his co-workers and using the data to make money filling out online health surveys. Cam Giang, 31, was fired from the University of California San Francisco Medical Center earlier this year after investigators discovered that he'd been using the names, birthdays and Social Security numbers of other UCSF employees to fill out hundreds of online surveys.

The point was to collect online vouchers, worth US$100 each. He had worked at the medical center's IT department for five years and had access to the sensitive information through his job, according to court records. Between January and April of this year, Giang filled out 382 surveys before the company that was paying for them, StayWell, figured out what was going on. StayWell had been offering UC employees the gift vouchers as incentives to fill out health surveys, but it grew wise to the scam. The company received complaints from employees who couldn't fill out the survey. When StayWell investigated, it turned out that Giang had already filled out surveys in their names.

 

(Source: Computer World)

Friday, October 29, 2010 3:48:07 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, September 14, 2010

Make your password strong, with a unique jumble of letters, numbers and punctuation marks. But memorize it — never write it down. And, oh yes, change it every few months. These instructions are supposed to protect us. But they don’t.

Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats. Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends it surreptitiously to a remote location.

 

(Source: The New York Times)

Tuesday, September 14, 2010 4:10:59 PM (W. Europe Standard Time, UTC+01:00)
 Monday, September 13, 2010

With its millions of users, the world’s most popular social network has become a perfect target for hackers exploiting such a dense concentration of potential victims. Apart from phishing attacks or spam, which are now easily recognized by many Internet users, hackers are employing new methods, which for the moment at least, are proving to be successful.

What to do if your Facebook profile has been hacked

Step 1: Firstly, remove all permissions that have been given to the malicious application. This is a simple process: from Account > Application settings in the top-right corner of your Facebook profile. This ensures that the application will not continue to have access to your profile once the password is changed.

Step 2: Change the login password! To keep your identity safe, it is advisable to change your password and the user name (it’s a good idea to do this from time to time anyway). This is also easy: Go to Account > and Account Settings in the menu in the top left corner of your Facebook profile. It is also advisable to use strong passwords that cannot easily be guessed.

 

(Source: Panda Security)

Monday, September 13, 2010 5:45:33 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, September 09, 2010

While social media use has grown dramatically across all age groups, older users have been especially enthusiastic over the past year about embracing new networking tools. Social networking use among internet users ages 50 and older nearly doubled, from 22% in April 2009 to 42% in May 2010.

- Between April 2009 and May 2010, social networking use among internet users ages 50-64 grew by 88%, from 25% to 47%.

- During the same period, use among those ages 65 and older grew 100%, from 13% to 26%.

- By comparison, social networking use among users ages 18-29 grew by 13%, from 76% to 86%.

 

(Source: Pew Research Center)

Thursday, September 09, 2010 4:38:41 PM (W. Europe Standard Time, UTC+01:00)

The personal details of thousands of football fans who bought World Cup tickets from official FIFA outlets have been stolen and sold for up to £500,000. Investigators are now trying to establish who purchased the information, which includes the passport details and dates of birth of up to 250,000 supporters, amid concerns it could have fallen into the hands of criminal gangs or even terrorist groups. The massive data breach, which leaves fans open to identity theft and fraud, is now the subject of a criminal investigation. It has been alleged that an employee of one ticketing agency may have been offering the information for sale. The stolen database is understood to have been compiled by FIFA, football’s world governing body, in the run-up to the 2006 World Cup in Germany.

 

(Source: Daily Mail)

Thursday, September 09, 2010 4:32:48 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, May 27, 2010

On 23 November 2010 the Belgian Privacy Commission will organize an international conference on privacy and scientific research. The conference will take place in the context of the 2010 Belgian EU presidency and focuses on several target groups, first of all the European data protection authorities, but also national and international academics and researchers. Two areas of scientific research will be examined: historical and clinical-medical research. The conference is primarily intended as a discussion forum on best practices in both areas. That is why workshops will be organized alongside the traditional plenary sessions.

"Privacy & Scientific Research: from Obstruction to Construction" was chosen as the working title of the conference, the objective of the event being a reflection on how to integrate privacy protection into scientific research without making it an obstacle. What's more, the quality of research will only be improved by privacy protection.

 

(Source: Commission For The Protection Of Privacy)

Thursday, May 27, 2010 4:57:44 PM (W. Europe Standard Time, UTC+01:00)

It might go against conventional wisdom, but a new report from the Pew Internet & American Life Project is adding fuel to the argument that young people are fast becoming the gurus of online reputation management, especially when it comes to social networking sites. Among other things, the study found that they are most likely to limit personal information online — and the least likely to trust free online services ranging from Facebook to LinkedIn and MySpace.

Marlene McManus, 21, is among those young adults. On the job hunt since graduating from Clark University in Massachusetts, she's been "scouring" her Facebook page, removing photos that contain beer cups and any other signs of college exploits. She's also dropped Twitter altogether. "I have to present a public face that doesn't have the potential to hurt my image," McManus says.

 

(Source: AP)

Thursday, May 27, 2010 4:51:30 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, May 26, 2010

Facebook Chief Executive Mark Zuckerberg said the Internet social network will roll out new privacy settings for its more than 400 million users, amid growing concerns that the company is pushing users to make more of their personal data public. "Many of you thought our controls were too complex," said Zuckerberg in an opinion piece published on Monday in The Washington Post.

"Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark," said the 26-year-old Zuckerberg, who co-founded Facebook in his Harvard dorm room in 2004. In the coming weeks, Zuckerberg promised, Facebook will add privacy controls that he said would be much simpler to use. Facebook will also give users an easy way to turn off all third-party services, Zuckerberg said.

 

(Source: Reuters)

Wednesday, May 26, 2010 5:17:52 PM (W. Europe Standard Time, UTC+01:00)
 Friday, May 07, 2010

As much heat as Facebook has taken recently for its privacy policies and the freedom with which it shares data across the Web and around the world, Facebook is still not the biggest threat to online privacy--you are. A study by Consumer Reports illustrates that users are really their own worst enemy when it comes to online privacy.

Here are some of the key findings of the Consumer Reports survey:

• A projected 1.7 million online households had experienced online identity theft in the past year.

• An estimated 5.4 million online consumers submitted personal information to e-mail (phishing) scammers during the past two years.

• Among adult social network users, 38 percent had posted their full birth date, including year. Forty-five percent of those with children had posted their children's photos. And 8% had posted their own street address.

• An estimated 5.1 million online households had experienced some type of abuse on a social network in the past year, including malware infections, scams, and harassment.

 

(Source: PC World)

Friday, May 07, 2010 1:37:28 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, April 28, 2010

Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members' credit card numbers on Google.

Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day. Kumar said Blippy executives have hammered out a security plan that aims to prevent further security missteps. It includes hiring a Chief Security Officer and associated staff that will focus solely on issues relating to information security. Blippy will also undergo regular 3rd-party infrastructure and application security audits and create a security and privacy center, in addition to other measures included in the plan.

 

(Source: ComputerWorld)

Wednesday, April 28, 2010 3:14:29 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, April 27, 2010

Four U.S. senators want Facebook to make it easier for its more than 400 million users to protect their privacy as the website develops new outlets to share personal information. It marks the second time in the past three days that Schumer has expressed his misgivings about a series of changes that Facebook announced last week. The new features are designed to unlock more of the data that the online hangout has accumulated about people during its six-year history.

Schumer sent a letter Sunday to the Federal Trade Commission calling for regulators to draw up clearer privacy guidelines for Facebook and other Internet social networks to follow. The political pressure threatens to deter Facebook's efforts to put its stamp on more websites, a goal that could yield more moneymaking opportunities for the privately held company. Facebook's expansion "raises new concerns for users who want to maintain control over their information," the senators wrote in their preliminary draft.

 

(Source: AP)

Tuesday, April 27, 2010 3:13:04 PM (W. Europe Standard Time, UTC+01:00)
 Monday, April 26, 2010

"A hacker who calls himself Kirllos has obtained and is now offering to sell 1.5 million Facebook IDs at astonishingly low prices — $25 per 1,000 IDs for users with fewer than 10 friends and $45 per 1,000 IDs for users with more than 10 friends. Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users. Quoting: 'VeriSign director of cyber intelligence Rick Howard told the New York Times that it appeared close to 700,000 had already been sold. Kirllos would have earned at least $25,000 from the scam. Howard told the newspaper that it was not apparent whether the accounts and passwords were legitimate, but a Russian underground hacking magazine reported it had tested some of Kirllos' previous samples and managed to get into people's accounts.'"

 

(Source: Slashdot)

Monday, April 26, 2010 5:08:54 PM (W. Europe Standard Time, UTC+01:00)

History was made the other evening when the UK's three wannabe prime ministers took centre stage for a TV debate. This was the culmination of weeks of rehearsals, practice runs and body language training. But what if I then tell you that every mobile phone call made by one of the campaign teams preparing for this TV event was secretly recorded and analysed, enabling their rival to understand everything from the campaign strategy through to the likely rebuttal to a particular question? Illegal? Of course. Farfetched? No longer. The past few months have seen the mobile phone industry thrown into turmoil as the computer hacking community has carried out successful attacks against mobile phone call security. I wrote an article about such a hack a while back, but at that point it remained a theory rather than a practical way to listen in on mobile phone calls.

 

(Source: IT Director)

Monday, April 26, 2010 5:05:12 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, April 22, 2010

Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information, such as records of tests, diagnoses and procedures, can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then the burden of proof is often on the patient, and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

 

(Source: Infosec Island)

Thursday, April 22, 2010 2:01:39 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, April 20, 2010

Police hunting a hacker who had attacked a US school's systems found themselves cornering a "very intelligent" 9-year-old instead, it has emerged. When passwords for teachers at Spring Hill Elementary, Virginia, were changed without authorisation, the school board initially thought a hacker had broken into the school district's Blackboard system. Police were called in to investigate in mid-March and were quickly able to trace the incident back to a PC at the home of a 9-year-old school student.

The youngster's mother was initially the chief suspect in the hack, but after speaking to her and her son police came to the surprising conclusion that they were dealing with a 'kindergarten' hacker.

 

(Source: The Register)

Tuesday, April 20, 2010 10:29:05 AM (W. Europe Standard Time, UTC+01:00)
 Friday, April 16, 2010

The report, from researchers at the University of California, Berkeley and the University of Pennsylvania, is among the first quantitative studies looking at young people's attitudes toward privacy as government officials and corporate executives alike increasingly grapple with such issues.

Among the findings:

• Most people — 86 percent — believe that anyone who posts a photo or video of them on the Internet should get their permission first, even if that photo was taken in public. Among young adults 18 to 24, 84 percent agreed — not far from the 90 percent among those 45 to 54.

• Forty percent of adults ages 18 to 24 believe executives should face jail time if their company uses someone's personal information illegally — the same as the response among those 35 to 44 years old.

 

(Source: AP)

Friday, April 16, 2010 10:39:04 AM (W. Europe Standard Time, UTC+01:00)
 Monday, April 12, 2010

In a decision that could set new ground rules for Internet privacy in the workplace, New Jersey's Supreme Court has ruled an employer was wrong in retrieving e-mails between a former employee and her attorney, even though they were sent from a company computer.

"Courts are looking more closely at privacy claims in the digital workplace," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington, D.C.-based public-interest research group. "Just because a person is using a company computer doesn't mean they leave all their rights to privacy at the door."

 

(Source: AP)

Monday, April 12, 2010 2:15:07 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, February 24, 2010

China has issued new restrictions on Internet use, requiring those wanting to set up a website to meet regulators and provide identity documents, in a move slammed Wednesday by one rights group. The new rules come as the United States has stepped up pressure on Beijing to break down its vast system of web controls -- the so-called "Great Firewall of China" -- for the more than 380 million people now online in the country.

Washington issued those calls after US Internet giant Google said last month it was considering pulling out of China over cyberattacks and Chinese government censorship of its search results. China's Ministry of Industry and Information Technology issued the new guidelines to local authorities on February 8 and lifted a ban imposed in December on individuals acquiring .cn domain names, state media said Tuesday.

 

(Source: AFP)

Wednesday, February 24, 2010 12:46:38 PM (W. Europe Standard Time, UTC+01:00)
 Monday, February 22, 2010

There are two aspects you have to consider when negotiating security and privacy with a service provider. First, you have to have the correct principles encoded in your contract. Second, you have to worry about how well they are executed by the provider. If you read most service contracts you will see that "law enforcement assistance" sections are usually vague. It is up to you to negotiate terms that address key issues of data protection and safeguard your rights:

* Demand that law enforcement requests are properly documented. Show me the warrant. A phone call from agent Bob at headquarters is not a warrant.

* Demand that you are notified of any requests that may affect your data. You have the right to contest warrants in court and most corporations do contest them.

* Demand that each data access request, whether granted or not, is documented.

 

(Source: ComputerWorld)

Monday, February 22, 2010 6:41:57 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, January 28, 2010

China will gradually move to cut censorship of the Internet, but it will take a long time, the man credited with inventing the World Wide Web said Wednesday.

Commenting on Google's threat to pull out of China, Tim Berners-Lee said Beijing was having to move "carefully" towards greater Internet openness, but said the "genie is out of the bottle" in terms of access. "I think that openness increases steadily. Every time you open it the genie comes out of the bottle and it's very difficult to put it (back) in the bottle," he told AFP. Speaking on the sidelines of the World Economic Forum (WEF) annual meeting in Davos, Switzerland, he said: "The Internet has a tradition of bit by bit increasing openness."

 

(Source: AFP)

Thursday, January 28, 2010 3:54:03 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, January 27, 2010

The design of the future German identity card has been unveiled. Credit-card sized and made of polycarbonate, it will be issued from November 2010 on. The new card aims to ease the citizens' transactions with government and businesses and to increase security as well as to enhance public confidence in electronic services.

The front side has the image of the federal eagle, whereas on its reverse side the Brandenburg Gate is depicted. The new card contains numerous security features in order to increase protection against forgery. A special feature is that the holder's details are digitally stored. It is also capable of carrying a digital signature. Both features will allow card holders to complete commercial online transactions as well as official business with government offices.

 

(Source: eGov Monitor)

Wednesday, January 27, 2010 1:58:51 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, January 14, 2010

Facebook is trying to strengthen security on its Web site with some outside help. Computer security company McAfee Inc. will now scan and repair the computers of Facebook users whose accounts have been compromised, the company said Wednesday. The scanning process will be added to the steps that Facebook already makes the users of such accounts go through if they want to reclaim their pages.

Facebook says spam and viruses affect a tiny percentage of its users. But hackers are increasingly targeting the social sites as they become a core part of the Web. Spokesman Barry Schnitt said Facebook spends a lot of time and resources to keep users' accounts secure.

 

(Source: AP)

Thursday, January 14, 2010 10:50:08 AM (W. Europe Standard Time, UTC+01:00)
 Friday, January 08, 2010

People who post intimate details about their lives on the internet undermine everybody else's right to privacy, claims an academic. Dr Kieron O'Hara has called for people to be more aware of the impact on society of what they publish online. "If you look at privacy in law, one important concept is a reasonable expectation of privacy," he said. "As more private lives are exported online, reasonable expectations are diminishing."

The rise of social networking has blurred the boundaries of what can be considered private, he believes, making privacy less of a defence in law. We live in an era that he terms "intimacy 2.0", in which people routinely share extremely personal information online.

 

(Source: BBC)

Friday, January 08, 2010 1:39:04 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, January 07, 2010

Got an e-mail list of customers or readers and want to know more about each such as their full name, friends, gender, age, interests, location, job and education level? Facebook has just the free feature you're looking for, thanks to its recent privacy changes. The hack, first publicized by blogger Max Klein, repurposes a Facebook feature that lets people find their friends on Facebook by scanning through e-mail addresses in their contact list.

Using a simple scraping tool, a marketer could then turn a list of e-mail addresses into a rich, full-fledged set of marketing profiles, with names, pictures, ages, locations, interests, photos, wall posts, affiliations and names of your friends, depending on how users have their profiles set.

 

(Source: CNN)

Thursday, January 07, 2010 11:19:31 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, December 15, 2009

Australia said Tuesday it would push ahead with a mandatory China-style plan to filter the Internet, despite widespread criticism that it will strangle free speech and is doomed to fail.

Communications Minister Stephen Conroy said new laws would be introduced to ban access to "refused classification" (RC) sites featuring criminal content such as child sex abuse, bestiality, rape and detailed drug use. Blacklisted sites would be determined by an independent classification body via a "public complaint" process, said Conroy, admitting there was "no silver bullet solution to cyber-safety".

 

(Source: AFP)

Tuesday, December 15, 2009 3:23:43 PM (W. Europe Standard Time, UTC+01:00)
 Monday, November 23, 2009

A Canadian woman on long-term sick leave for depression says she lost her benefits because her insurance agent found photos of her on Facebook in which she appeared to be having fun.

Nathalie Blanchard has been on leave from her job at IBM in Bromont, Quebec, for the last year. The Canadian Broadcasting Corp. reported Saturday she was diagnosed with major depression and was receiving monthly sick-leave benefits from insurance giant Manulife. But the payments dried up this fall and when Blanchard called Manulife, she says she was told she was available to work because of Facebook.

 

(Source: AP)

Monday, November 23, 2009 2:53:42 PM (W. Europe Standard Time, UTC+01:00)
 Friday, October 30, 2009

Facebook outlined changes to its privacy policy on Thursday and asked for feedback from the social network's more than 300 million users. Members will have until November 5 to send in their comments about the proposed changes.

"This is the next step in our ongoing effort to run Facebook in an open and transparent way. After the comment period is over, we'll review your feedback and update you on our next steps." Some of the changes to Facebook's privacy policy are the result of pressure from Canada, whose privacy czar conducted an investigation into its handling of personal information.

 

(Source: AFP)

Friday, October 30, 2009 10:21:03 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, October 29, 2009

I am advised to "avoid giving my credit card online" and to be "careful when banking online" and to use random, complex passwords that I never repeat and never write down. So, as long as I refrain from commerce, stay indoors and have a superhuman memory, I should be fine!

I worry about identity theft and take measures, throughout the year, to defend my identity. So here's some identity defense advice that's actually practical:

* Don't sign credit cards. I sign mine "See ID". Why give a card thief my signature too?

 

(Source: ComputerWorld)

Thursday, October 29, 2009 2:19:16 PM (W. Europe Standard Time, UTC+01:00)
 Monday, October 26, 2009

Networks of hacked computers are being used more than ever to click on advertisements, a scam known as click fraud that cheats search engines, publishers and ad networks out of revenue.

For the third quarter of the year, 42.6% of fraudulent clicks came from botnet-infected computers, according to Click Forensics, a company that produces tools to detect and filter out fraudulent clicks. The figure is the highest since Click Forensics began producing reports four years ago. For the same quarter a year ago, botnets accounted for 27.5% of bad clicks. Botnets are a powerful tool for hackers.

 

(Source: ComputerWorld)

Monday, October 26, 2009 12:15:55 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, October 21, 2009

Microsoft admitted Hotmail users had been tricked into revealing their passwords, 10,000 of which had been published online.

The spam is being sent from users' accounts to contacts in their address books - so recipients will think it came from one of their friends. While the new spam is not malicious in itself, it does point the contact in the direction of something that is — a "shopping" website. The trick is, the shopping site is not a real one. The scam persuades victims to order goods online by credit card, leaving them vulnerable to identity theft and fraud.

 

(Source: Fox News)

Wednesday, October 21, 2009 10:26:38 AM (W. Europe Standard Time, UTC+01:00)

Hotmail and several other Web e-mail providers were recently hit by phishing attacks that gleaned usernames and passwords. It's terribly insecure, but the string of digits 1234567 is a popular password on Hotmail, according to security researcher Bogdan Calin, who analyzed 9,843 stolen Windows Live Hotmail passwords that were posted on a Web site.

In a blog post, Calin said the following were the most common passwords in the Hotmail collection: 123456, 123456789, alejandra, 111111, alberto, tequiero, alejandro and 12345678.

 

(Source: ComputerWorld)

Wednesday, October 21, 2009 9:39:23 AM (W. Europe Standard Time, UTC+01:00)
 Monday, October 19, 2009

Tens of millions of U.S. computers are loaded with scam security software that their owners may have paid for but which only makes the machines more vulnerable, according to a new Symantec report on cybercrime.

Cyberthieves are increasingly planting fake security alerts that pop up when computer users access a legitimate website. The "alert" warns them of a virus and offers security software, sometimes for free and sometimes for a fee. "Lots of times, in fact they're a conduit for attackers to take over your machine. They'll take your credit card information, any personal information you've entered there and they've got your machine,"

 

(Source: Reuters)

Monday, October 19, 2009 9:12:43 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, October 13, 2009

About a third of UK employees throw sensitive documents in the bin instead of shredding them, research suggests. The study also found almost three-quarters of workers felt their organisations could do more to protect their customers' sensitive information.

The data was compiled for National Identity Fraud Prevention Week. Identity fraud costs the UK more than £1.2bn annually. The UK's Fraud Prevention Service says 60,000 people have fallen victim so far this year.

 

(Source: BBC)

Tuesday, October 13, 2009 4:43:52 PM (W. Europe Standard Time, UTC+01:00)
 Monday, October 12, 2009

Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.

The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won't be easy.

 

(Source: PCWorld)

Monday, October 12, 2009 2:15:17 PM (W. Europe Standard Time, UTC+01:00)
 Friday, October 09, 2009

Scammers have grabbed the Hotmail passwords that leaked to the Web and are using them in a plot involving a fake Chinese electronics seller to bilk users out of cash and their credit card information, a security researcher said.

"We've seen a 30% to 40% increase in these types of spam messages in the last several days," said Patrik Runald, senior manager of Websense's security research team. "By 'these types of spam,' I mean messages that are advertising great consumer electronics bargains, such as cameras and computers."

 

(Source: ComputerWorld)

Friday, October 09, 2009 2:08:26 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, October 08, 2009

iPhone lovers and other smartphone users should take heed: A security researcher showed ways to spy on a BlackBerry user during a presentation Wednesday, including listening to phone conversations, stealing contact lists, reading text messages, taking and viewing photos and figuring out the handset's location via GPS.

And ironically, Sheran Gunasekera, head of research and development at ZenConsult, said the BlackBerry is one of the most secure smartphones available, in some ways better than the iPhone.

 

(Source: ComputerWorld)

Thursday, October 08, 2009 9:44:01 AM (W. Europe Standard Time, UTC+01:00)

Investigators in the United States and Egypt have smashed a computer "phishing" identity theft scam described as the biggest cyber-crime investigation in US history, officials said Wednesday.

The Federal Bureau of Investigation said 33 people were arrested across the United States early Wednesday while authorities in Egypt charged 47 more people linked to the scam. A total of 53 suspects were named in connection with the scam in a federal grand jury indictment, the FBI said.

 

(Source: AFP)

Thursday, October 08, 2009 9:28:26 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, October 07, 2009

Privacy and security are foundational to health care reform. Patients will trust electronic health care records only if they believe their confidentiality is protected via good security.

As vice chairman of the federal Healthcare Information Technology Standards Committee, I have been on the front lines in the debate over the standards and implementation guidance needed to support the exchange of health care information. Over the past few months, I've learned a great deal from the committee's privacy and security workgroup.

 

(Source: ComputerWorld)

Wednesday, October 07, 2009 10:33:29 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, October 01, 2009

It's your birthday. And thanks to your Facebook profile, everybody knows that. Your wall fills up with well wishes from hundreds of "friends." Sure, it's nice to be noticed. But security experts are skeptical about whether sharing information, such as birthdays, with a broad audience is a bright idea. "It's all about providing the bad guy with intelligence," said Robert Siciliano, CEO of IDtheftsecurity.com.

Many people use their birthdate in passwords and personal identification numbers, and security questions often ask for it to resend a lost password. So broadcasting a birthdate could help cybercriminals pose as others as they log on to various Web sites, experts warned.

 

(Source: CNN)

Thursday, October 01, 2009 10:49:51 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, September 29, 2009

Web surfing is no longer a solo affair. Facebook, Twitter, and other social networks have quickly become an integral part of the online culture, and with them comes a whole new array of potential security threats.

Social networking is built on the idea of sharing information openly and fostering a sense of community. Unfortunately, an online network of individuals actively sharing their experiences and seeking connections with other like-minded people can be easy prey for hackers bent on social-engineering and phishing attacks. It's important to be aware of the threats, and to maintain a healthy skepticism in your online interactions.

 

(Source: ComputerWorld)

Tuesday, September 29, 2009 10:50:43 AM (W. Europe Standard Time, UTC+01:00)
 Friday, September 25, 2009

Many major social networking sites are leaking information that allows third party advertising and tracking companies to associate the Web browsing habits of users with a specific person, researchers warn.

That's the conclusion of a study on the leakage of personally identifiable information on social networks done at AT&T Labs and the Worcester Polytechnic Institute. "In some cases, the leakage may be unintentional, but in others, there is clever and surreptitious anti-privacy engineering at work," the EFF said.

 

(Source: ComputerWorld)

Friday, September 25, 2009 12:29:03 PM (W. Europe Standard Time, UTC+01:00)
 Friday, September 11, 2009

A third of Web users under 25 claim they don't care about their "digital tattoo" and the items they post online, says Symantec. Symantec said a "digital tattoo" is created by all the personal information web users post online and can easily be found through search engines by a potential or current employer, friends and acquaintances, or anyone who has malicious intent.

The security firm revealed that nearly two-thirds of all those surveyed had uploaded personal photographs, while 79 percent had at least part of their address online and nearly half had their mobile phone numbers online.

 

(Source: PCWorld)

Friday, September 11, 2009 9:57:23 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, September 08, 2009

Web sites that collect information about visitors in order to target advertising on their own pages would be required to prominently disclose what information they gather. Web sites that share user information with outside advertising networks, which place ads on sites all over the Internet, would be required to obtain user approval before collecting data. Web sites that deal with sensitive personal information, such as medical and financial data, sexual orientation, Social Security numbers and other ID numbers, would be subject to the opt-in rule.

Rep. Rick Boucher, chairman of the House Energy and Commerce Subcommittee on Communications, Technology and the Internet, hopes to introduce a bill governing Internet advertising.

 

(Source: AP)

Tuesday, September 08, 2009 2:17:44 PM (W. Europe Standard Time, UTC+01:00)

Parents who install a leading brand of software to monitor their kids' online activities may be unwittingly allowing the company to read their children's chat messages - and sell the marketing data gathered.

Software sold under the Sentry and FamilySafe brands can read private chats conducted through Yahoo, MSN, AOL and other services, and send back data on what kids are saying about such things as movies, music or video games. The information is then offered to businesses seeking ways to tailor their marketing messages to kids.

 

(Source: AP)

Tuesday, September 08, 2009 9:53:34 AM (W. Europe Standard Time, UTC+01:00)
 Monday, September 07, 2009

In an age in which instant news and constant life streams from Facebook and Twitter change the way we communicate, the rules of etiquette surrounding these interactions are still evolving. What happens when I expected a phone call about something and read about it in a status update instead? What's the polite response to a distant friend posting bad news on Facebook? What to do with sensitive information?

Good etiquette on Facebook might not apply on Twitter or in an e-mail. These days, milestones like marriage, pregnancy, breakups and divorce are being described over more forms of communications than ever. Because it's so new, there is sort of a gray area of what the manners are."

 

(Source: AP)

Monday, September 07, 2009 8:47:04 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, September 03, 2009

A coalition of 10 U.S. privacy and consumer groups has called for new federal privacy protections for Web users, including a requirement that Web sites and advertising networks get opt-in permission from individuals within 24 hours of collecting personal data and tracking online habits.

In a broad set of new recommendations for privacy regulations released Tuesday, the groups also called on the U.S. Congress to prohibit Web sites and ad networks from collecting behavioral information about children under age 18, whenever it's possible to distinguish the age of the Web user, and to require that online businesses inform consumers about the purpose of the information collection.

 

(Source: ComputerWorld)

Thursday, September 03, 2009 9:24:01 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, September 01, 2009

If Google Inc. digitizes the world's books, how will it keep track of what you read? That's one of the unanswered questions that librarians and privacy experts are grappling with as Google attempts to settle a long-running lawsuit by publishers and copyright holders and move ahead with its effort to digitize millions of books, known as the Google Books Library Project.

Librarians and the online world have different standards for dealing with user information. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons.

 

(Source: ComputerWorld)

Tuesday, September 01, 2009 10:07:21 AM (W. Europe Standard Time, UTC+01:00)
 Monday, August 31, 2009

Facebook has agreed to make worldwide changes to its privacy policy as a result of negotiations with Canada's privacy commissioner. Last month the social network was found to breach Canadian law by holding on to users' personal data indefinitely.

It will also make it clear that users can deactivate or delete their account. "These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected," said Canadian privacy commissioner Jennifer Stoddart.

 

(Source: BBC)

Monday, August 31, 2009 9:43:45 AM (W. Europe Standard Time, UTC+01:00)
 Friday, August 28, 2009

Users of social networking sites such as Facebook and Twitter could face higher insurance premiums because burglars may be using them to find out their personal details. The Digital Criminal report, which polled 2,000 social network users, found nearly two fifths had posted details of their holiday plans, with nearly two thirds of 16-24 year-olds doing so.

"I call it 'internet shopping for burglars'. It is incredibly easy to use social networking sites to target people, and then scope out more information on their actual home using other internet sites like Google Street View, all from the comfort of the sofa."

 

(Source: Telegraph)

Friday, August 28, 2009 10:34:28 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, August 27, 2009

Users of social networks are concerned about security but few are taking the steps necessary to protect themselves against online crime, according to a survey released on Wednesday.

Nearly 20 percent of those surveyed said they have experienced identity theft, 47 percent have been victims of malware infections and 55 percent have seen "phishing" attacks, in which hackers seek to capture password information. They also suggested that passwords be changed at least once a month and that friends or coworkers not be allowed to access one's personal computer.

 

(Source: AFP)

Thursday, August 27, 2009 8:54:09 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, August 25, 2009

The German government warned job-seekers Friday to avoid posting potentially compromising pictures or remarks on social networking sites such as Facebook, citing a study about their use by employers. Consumer affairs minister Ilse Aigner "calls on citizens who use the Internet often to think about what they put online," a spokeswoman for her ministry told a regular government news conference.

Some 28 percent of the roughly 500 German companies polled searched for information about their would-be employees' hobbies, political opinions and personal lives.

 

(Source: AFP)

Tuesday, August 25, 2009 8:40:23 AM (W. Europe Standard Time, UTC+01:00)
 Monday, August 24, 2009

Albert Gonzalez, the man described by federal authorities as the kingpin of a gang responsible for stealing more than 130 million payment cards, is a computer addict constantly looking for ways to challenge his abilities, according to his lawyer. He has had an unhealthy obsession with computers since the age of 8. "He was self-taught. He didn't go out in the sandbox or play baseball. The computer was his best friend."

"It wasn't healthy. It's a sickness. It's a problem that has not been addressed in our society."

 

(Source: ComputerWorld)

Monday, August 24, 2009 3:23:25 PM (W. Europe Standard Time, UTC+01:00)

Switzerland's data protection watchdog on Friday demanded that Google immediately withdraw the "Street View" facility it has started offering on its map of Switzerland. Federal data protection and transparency officer Hanspeter Thuer released a statement warning that the US-based Internet giant was not respecting conditions he set to respect personal privacy in Switzerland.

The online service, which began in the United States, has sparked controversy because the snapshots also inadvertently capture passers-by on camera, sometimes in embarrassing or private moments.

 

(Source: AFP)

Monday, August 24, 2009 1:18:30 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, August 20, 2009

A Canadian model has won a landmark case in a New York court after Google was forced to disclose the online identity of a blogger who anonymously posted derogatory comments about the Vogue covergirl. The ruling came after Liskula Cohen, 36, filed suit in a bid to unmask the identity of her tormentor, who posted suggestive photographs of Cohen on the blog and described her as a "ho" and a "psychotic, lying, whoring... skank."

Google said that while the company does not tolerate "cyber bullying" it is also respectful of privacy. "We sympathize with anyone who may be the victim of cyber bullying."

 

(Source: AFP)

Thursday, August 20, 2009 10:46:08 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, August 19, 2009

US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards. Officials say it is the biggest case of identity theft in American history.

They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain. Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy.

 

(Source: BBC)

Wednesday, August 19, 2009 8:24:59 AM (W. Europe Standard Time, UTC+01:00)
 Monday, August 17, 2009

A researcher looking into the attacks that knocked Twitter offline last week discovered another, unrelated security problem. At least one criminal was using a Twitter account to control a network of a couple hundred infected personal computers, mostly in Brazil.

Networks of infected PCs are referred to as "botnets" and are responsible for much of the mayhem online, from identity theft to spamming to the types of attacks that crippled Twitter. The Twitter account in question was used to send out what looked like garbled messages, but they were actually commands for computers in the botnet to visit malicious Web sites, where they downloaded programs that steal banking passwords.

 

(Source: AP)

Monday, August 17, 2009 9:00:16 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, August 12, 2009

Worried that your relationship is going south? Maybe it's time to get off Facebook. A study released by the University of Guelph in Ontario shows that the Facebook social network increases jealousy in users' romantic relationships. The study, which was published in the latest issue of CyberPsychology and Behaviour, concluded that the more time people spend on Facebook, the more jealous they get.

"This may include details about their partner's friendships and social exchanges, especially interactions with previous romantic or sexual partners." The simple availability of information -- whether it's a girlfriend's posts, or photos and details about her friends and exes -- seems to increase a person's desire to search for even more information, say researchers.

 

(Source: ComputerWorld)

Wednesday, August 12, 2009 9:24:32 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, August 05, 2009

Parents have been warned of a new teenage trend of "sexting", in which children exchange explicit photos of themselves by text. More than a third of secondary school children have been sent messages containing sexual content, a survey showed.

Researchers found youngsters were regularly being sent sex texts or "sexts" - often by their school friends. The messages contain images of sex acts involving young people but more generally of boys and girls exposing themselves. Material is sent to mobile phones via texts, transferred using Bluetooth or uploaded to social networking groups. Girls are bullied into taking, and sharing, explicit pictures of themselves, the charity warned.

 

(Source: Telegraph)

Wednesday, August 05, 2009 10:37:00 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, July 30, 2009

Facebook, MySpace and other social networking sites are increasingly being targeted by cyber-criminals drawn to the wealth of personal information supplied by users, experts warn. Data posted on the sites -- name, date of birth, address, job details, email and phone numbers -- is a windfall for hackers, participants at Campus Party, one of the world's biggest gatherings of Internet enthusiasts, said.

A vicious virus, Koobface -- "koob" being "book" in reverse -- has affected thousands of Facebook and Twitter users since August 2008, said Asier Martinez, a security specialist at global IT solutions provider Panda Security.

 

(Source: AFP)

Thursday, July 30, 2009 4:06:24 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, July 29, 2009

The U.S. Department of Health and Human Services (HHS) is about to rule whether health care entities will need to notify patients if their de-identified data -- patient data that has been stripped of all potential for identifying individuals, which is often used for research and development -- is breached. As it stands now, de-identified data is not subject to the new breach-notification rules imposed by the HITECH privacy provisions of the 2009 American Recovery and Reinvestment Act (ARRA) stimulus package. The debate pits privacy activists on the one side -- who often support notification -- with health care organizations on the other, which say the quality of health care hangs in the balance.

 

(Source: ComputerWorld)

Wednesday, July 29, 2009 4:39:47 PM (W. Europe Standard Time, UTC+01:00)
 Friday, July 24, 2009

The news report begins with shots of a tense space shuttle launch. Engineers hunch over computer banks and techno music pounds in the background. There is a countdown, a lift-off, and then you see a young man in a black T-shirt and sunglasses, apparently reporting from space.

This is the Hacker News Network, and after a decade offline it is lifting off again, this time with a quirky brand of video reports about security. They're the guys who famously told the U.S. Congress that they could take down the Internet in about 30 minutes, and who helped invent the way that security bugs are reported to computer companies.

 

(Source: ComputerWorld)

Friday, July 24, 2009 4:54:39 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, July 22, 2009

Being the chief executive has its privileges. And one of them may be a blissful ignorance of your company's data breach risks.

According to a study to be released Tuesday by the privacy-focused Ponemon Institute, companies' chief executives tend to value cybersecurity as highly as, if not more highly than, their executive colleagues. But compared with lower-level execs, CEOs also tend to underestimate the frequency of cyberthreats their organization faces.

 

(Source: Forbes)

Wednesday, July 22, 2009 10:43:19 AM (W. Europe Standard Time, UTC+01:00)
 Monday, July 20, 2009

The popular social networking site Facebook is not doing enough to protect the personal information it gets from subscribers, and it gives users confusing and incomplete information about privacy matters, Canada's privacy commissioner said on Thursday.

"It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," Privacy Commissioner Jennifer Stoddart said in a report on an investigation into Facebook.

 

(Source: Reuters)

Monday, July 20, 2009 9:44:43 AM (W. Europe Standard Time, UTC+01:00)
 Friday, July 17, 2009

The microblogging service Twitter is taking legal advice after hundreds of documents were hacked into and published by a number of blogs.

"We are in touch with our legal counsel about what this theft means for Twitter, the hacker and anyone who accepts...or publishes these stolen documents," said Twitter's Biz Stone. In a blog posting he wrote: "About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked."

 

(Source: BBC)

Friday, July 17, 2009 8:32:57 AM (W. Europe Standard Time, UTC+01:00)
 Friday, July 10, 2009

New York's attorney general charged Thursday that Tagged.com stole the identities of more than 60 million Internet users worldwide — by sending e-mails that raided their private accounts. Andrew Cuomo said he plans to sue the social networking Web site for deceptive marketing and invasion of privacy.

"This company stole the address books and identities of millions of people," Cuomo said in a statement. "Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their e-mail contacts for Tagged's unethical — and illegal — behavior."

 

(Source: AP)

Friday, July 10, 2009 1:48:37 PM (W. Europe Standard Time, UTC+01:00)
 Friday, July 03, 2009

The Obama administration is moving cautiously on a new pilot program that would both detect and stop cyber attacks against government computers, while trying to ensure citizen privacy protections.

Any involvement of the NSA - the agency that oversees electronic intelligence-gathering - in protecting domestic computer networks worries privacy and civil liberties groups who oppose giving such control to U.S. spy agencies.

 

(Source: AP)

Friday, July 03, 2009 3:19:21 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, July 01, 2009

China has announced that it will indefinitely postpone a mandate requiring all personal computers sold in the country to be accompanied by a controversial content-filtering application, state media reported.

A June 24 letter from the U.S. Department of Commerce to the Chinese government listed "numerous concerns raised by global technology companies, Chinese citizens, and the worldwide media about the stability of the software, the scope and extent of the filtering activities and its security weaknesses."

Despite such communication, there has been no indication so far from the Chinese government that the rule will be revoked, only delayed.

 

(Source: CNN)

Wednesday, July 01, 2009 11:13:42 AM (W. Europe Standard Time, UTC+01:00)

A blind Boston-area teenager was sentenced to more than 11 years in prison Friday for hacking into the telephone network and harassing the Verizon investigator who was building a case against him.

Matthew Weigman, 19, was part of a group of telephone hackers that met up on telephone party lines and was associated with more than 60 "swatting" calls to 911 numbers across the country. Weigman, known as "Little Hacker," became involved in telephone hacking around age 14 and continued to operate until last year.

 

(Source: PCWorld)

Wednesday, July 01, 2009 8:20:43 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, June 17, 2009

An alleged spammer could face jail time in connection with a Facebook lawsuit after a judge referred him to the U.S. Attorney General's Office for criminal proceedings.

Judge Jeremy Fogel of the U.S. District Court for the Northern District of California referred Sanford Wallace (who has been dubbed a "spam king" for his long and aggressive history in e-mail marketing) to the U.S. Attorney General's Office for criminal proceedings for allegedly violating an injunction that prohibited him from accessing Facebook.

Facebook filed a lawsuit against Wallace and two other men in February for spamming and phishing schemes through the social-networking site. The following week, Judge Fogel issued a temporary restraining order barring Wallace and two other alleged spammers, Adam Arzoomanian and Scott Shaw, from accessing Facebook's network.

 

(Source: PCWorld)

Wednesday, June 17, 2009 10:50:11 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, June 16, 2009

A federal grand jury in New Jersey today indicted three people, and five people were arrested in Italy, all in connection with hacking into the IT systems of thousands of companies around the world to gain free access to telephone services, according to the U.S. Attorney's Office in Newark, N.J.

A multinational team of investigators worked jointly to round up the alleged hackers and their financial backers in the scheme to gain access into the systems of many companies -- 2,500 in the U.S. alone -- to steal access codes that the victim companies used to route phone calls through telecom systems, the office said.

The value of all the stolen services was unclear, though the U.S. Attorney's Office said the thieves routed more than $55 million worth of telephone calls over telecommunications networks in the U.S. "This was an extensive and well-organized criminal network that worked across continents," said New Jersey's acting U.S. attorney, Ralph J. Marra Jr., in a statement.

 

(Source: ComputerWorld)

Tuesday, June 16, 2009 10:15:17 AM (W. Europe Standard Time, UTC+01:00)
 Monday, June 15, 2009

Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.

And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found that the banks and other companies that handle your information are not being nearly as cautious as they could be. The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions.

 

(Source: AP)

Monday, June 15, 2009 2:26:32 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, June 10, 2009

The takedown last week of a rogue ISP by the U.S. Federal Trade Commission (FTC) slashed spam volumes by about 15% and cut the spam spewed by a pair of big-name botnets to as little as 64% of its former volume, a security firm said today.

"Spam dropped 15% across the board," said Bradley Anstis, director of technology strategy at Marshal8e6. "We especially noticed [the drop] over the weekend," he said, adding that the decline picked up steam slowly.

Last Tuesday, a federal court ordered the plug pulled on 3FN, an ISP operated by Belize-based Pricewert, after the FTC complained that the company hosts spam botnet command-and-control servers, as well as sites operated by child pornographers, identity thieves and other criminals.

 

(Source: ComputerWorld)

Wednesday, June 10, 2009 3:42:17 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, June 09, 2009

A Hampton, New Hampshire, man has pleaded guilty to fraud charges for his role in a scheme to empty brokerage accounts by installing malicious Trojan horse software on victims' computers.

According to court documents, Alexey Mineev set up several "drop accounts" into which funds stolen from banking and brokerage accounts were wired between July and December 2007. He pleaded guilty to one count of money laundering on Wednesday, according to Mike Ruocco, deputy to Judge Paul Gardephe of the U.S. District Court for the Southern District of New York, who is presiding in the case.

The criminals would infect PCs with malicious Trojan software that would steal account numbers and passwords whenever victims logged into their accounts online.

 

(Source: ComputerWorld)

Tuesday, June 09, 2009 8:02:00 AM (W. Europe Standard Time, UTC+01:00)
 Monday, June 01, 2009

An Australian woman who cyber-stalked an American Idol contestant was jailed for 26 months. Tanya Maree Quattrocchi pleaded guilty to stalking 2004 American Idol runner-up Diana DeGarmo by hacking into her MySpace account and hijacking email accounts belonging to the singer, national news agency AAP reported.

Victorian County Court judge Lisa Hannan described Quattrocchi's offences as serious and said she had no option but to send her to jail. "It is important that you understand the fact you perpetrated your offending using cyberspace does not diminish its significance," Melbourne's Herald Sun newspaper quoted Hannan as saying. She said the victims of such crimes had no doors to lock or alarms to activate, adding: "They are constantly vulnerable."

 

(Source: AFP)

Monday, June 01, 2009 3:26:12 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, May 13, 2009

"In a document that outlines a Digital Japan Creation Project, dubbed the ICT Hatoyama Plan, Japan’s Ministry of Internal Affairs and Communications revealed plans to build a massive cloud computing infrastructure to support all of the government’s IT systems. Called tentatively the Kasumigaseki Cloud, the new infrastructure will be built in stages from now until 2015."

"The goal of the project consolidate all government IT systems into a single cloud infrastructure to improve operation efficiency and reduce cost. 'The Kasumigaseki Cloud will enable various ministries to collaborate to integrate and consolidate hardware and create platforms for shared functions,' according to MIC. 'Efforts will be made to efficiently develop and operate information systems with the aim of greatly reducing electronic government–related development and operating costs while increasing the pace of processing by integrating shared functions, increasing collaboration among systems, and providing secure and advanced governmental services.'

According to the MIC, the Kasumigaseki Cloud will eliminate the need for individual ministries to maintain their own IT systems by consolidating current data centres, and allow each ministry to use only the computer resources it needs through the cloud platform. Additional proposals were put forth to develop and implement ubiquitous Green ICT solutions, including initiatives like the Kasumigaseki Cloud, to boost ICT human resources, and to create 'safe and secure networks' for the public.

Read the full story on Green Telecom here.

This blog entry was shared through Bill St Arnaud's blog spot

Wednesday, May 13, 2009 6:37:25 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, April 27, 2009

At the recent RSA Conference 2009 in San Francisco, United States, McAfee CEO DeWalt called for a global security architecture.

"Security threats are on the rise as the economy declines, and the solution will likely come from collaborative partnerships that span all IT platforms and international boundaries."

"DeWalt painted a grim picture of the security landscape. Consumer confidence has gone down while unemployment has risen, he said. And as the economy has gone into a tailspin, cybercrime has seen a sharp upward spike, with more malware detected in 2008 than in the previous five years combined. Last year, 80 percent of cybercrimes were financially motivated, he added."

"Many organizations are vastly underprotected or fail to regularly update patches and security software, which have opened up copious threat vectors for attackers, DeWalt said. In addition, the explosion of malicious threats in the last year can also be attributed to lack of user education and best security practices, as well as lack of comprehensive security."

"One of the solutions, DeWalt proposed, would be to build comprehensive security architecture across numerous IT platforms that would be able to interoperate with companies' existing network infrastructure. That architecture would ultimately allow organizations to create correlating reports for every department and system, while allowing greater overall visibility into their organization's network, DeWalt said."

"Cross-platform collaboration provides IT administrators a panoramic view into their network and allows communication across the threat vectors to shore up otherwise unseen security holes."

"That same type of collaborative architecture will ultimately be required to extend across international borders and throughout global networks as the threats continue to become more sophisticated and the attacks more prevalent, DeWalt said. 'The most depressing part of this is that we do not have a global architecture in place,' he said. 'We need to work together. Undoubtedly, (attacks) will continue to increase.'"

Read the full story on ChannelWeb.

Monday, April 27, 2009 7:25:07 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, April 24, 2009

A new report from the mobile industry shows that some progress has been made by the 26 mobile operators signed up to the "European Framework for Safer Mobile Use by Younger Teenagers and Children" brokered by the Commission in February 2007 (IP/07/139). These operators serve around 580 million customers, 96% of all EU mobile customers. "The new report of the mobile phone industry association shows that mobile operators have started to take seriously their responsibilities to keep children safe when using phones," said EU Telecoms Commissioner Viviane Reding.

50% of 10-year-old, 87% of 13-year-old and 95% of 16-year-old children in the EU have a mobile phone, but half of European parents worry that mobile phone use might expose their children to sexually and violently explicit images (51%) or bullying by other children (49%), according to a survey. The European Commission today called on mobile operators to do more to keep children safe while using mobile phones by putting in place all the measures in the voluntary code of conduct signed by 26 mobile operators in 2007. The report published by the GSM Association, the trade body of the mobile phone industry, showed that national self-regulatory codes based on the framework agreement brokered by the European Commission now exist in 22 Member States, 90% of them in line with the 2007 agreement, and that 80% of operators have put in place measures to control child access to adult content.

Read the full EC press release from 20 April 2009 here.

More information on the GSMA report on implementation of the framework agreement on "Safer Mobile Use by Younger Teenagers and Children" can be found here.

Friday, April 24, 2009 8:03:08 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, April 17, 2009

The British Computer Society (BCS) website shares information and advice on how to stay safe while shopping online, in a set of "Golden Rules" compiled by Global Secure Systems (GSS).

The twelve golden rules for safe online shopping are listed below (detailed information is available on the BCS website):

  1. Most malware exploits are known problems with software and operating systems. The hacker, or code writer, is relying upon people being lazy and not keeping systems up to date. For this reason it is very important to keep your anti-virus product up to date with the latest signature files and operating system updates from Microsoft.
  2. Never go online without ensuring you have your personal firewall enabled.
  3. Don't ever select the "remember my password" option when registering online, as your passwords are then stored on the PC, often in plain text, and are the first thing that a fraudster will target. Some
  4. Ensure that your credit cards are registered with your card provider's online security services such as Verified by Visa and MasterCard SecureCode.
  5. Use only one card for online shopping, maintaining a limit on the card as low as possible or even using a top-up card for your online purchasing.
  6. Be sure to use a credit card and not a debit card.
  7. Be sure to check your statements regularly, and if there is any sign of irregular activity, report it straight away.
  8. Always check for the little padlock at the bottom right hand corner of the browser (when using Internet Explorer) before entering your card details. 
  9. Make a habit of checking the site's privacy policy for details of how your personal information will be used and only provide the minimum of personal information, especially in online forms.
  10. Never shop from sites that you arrive at from clicking links in unsolicited marketing emails (spam). 
  11. It is important to remember that you could be doing everything right, but that the vendor may do something wrong. A vendor may well be storing all your credit card data on a single server.
  12. Finally, don't rely on previous customers' testimonials - they are part of the organisation's marketing and not necessarily factual. The golden rule of commerce is still the same as it ever was - if the offer looks too good to be true, it probably is!

The full set of "Golden Rules to Safe Internet Shopping" can be found here.

For more information see the British Computer Society (BCS) and Global Secure Systems (GSS) websites.

Friday, April 17, 2009 2:03:05 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, April 10, 2009

ITU is pleased to announce the launch of its 2009 Cybersecurity and ICT Applications Essay Competition.

The 2009 ITU Cybersecurity and ICT Applications Essay Competition is open to current students and recent graduates aged between 20 and 30 in economics, political science, law, literature, telecommunications, computer science, information systems and related fields. The winners of the 2009 Essay Competition will be offered a three-month consultancy contract within the ITU Development Sector's ICT Applications and Cybersecurity Division. The winners will be given a contribution towards the cost of an economy class flight from their place of residence. In addition, they will be paid the sum of CHF 6000 towards living expenses for the duration of the contract.

To enter the competition you need to submit an essay on one of the following essay topics:

  • Mobiles for Development: Enabling Low-Cost e-Applications for Rural and Remote Areas (e-Health, e-Government, e-Environment)
  • Protecting Children and Youth in the Internet and Mobile Age: Innovative Technical and Social Solutions
  • Connecting the World Responsibly: Empowering Women and Girls Through Creative Uses of ICTs
  • Personal Information Online (internet/mobiles): Responding to User Safety Concerns

All applications should be submitted online through the competition website.

The deadline for applications is 14 June 2009.

We look forward to reviewing your applications and wish you the best of luck in the competition!

 

Friday, April 10, 2009 7:17:37 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, April 03, 2009

A new anti-piracy law took effect in Sweden on 1 April 2009, and according to traffic data the nation's overall Internet traffic immediately dropped by a significant amount (over 30 per cent).

"The combined traffic passing through Sweden's Internet Exchange Points usually peaks around 160 Gbit/s, but on Wednesday it peaked at around 110 Gbit/s. That's a huge drop in traffic, and is presumably a direct result of less file sharing taking place. ... Another interesting observation is that there was more traffic than usual during the last days before the law took effect. Were people hoarding films and music? On Tuesday (the day before the law went live) traffic peaked at nearly 200 Gbit/s, roughly 25% above normal levels."

Read the full story and view the related statistics at CircleID.

Friday, April 03, 2009 6:27:53 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, February 26, 2009

The Anti-Phishing Working Group (APWG) and IPC have released a new industry advisory document titled "What to do if your site has been hacked by phishers". The purpose of the document is to provide website owners with specific actions they can take when they have been notified that their website or webserver has been infiltrated and used for phishing.

The document notes that "Some phishers use compromised computers to host malicious or illegal activities, including identity theft, fraudulent financial activities, as well as collecting personal information and business identities from their victims for future use. Others attack or 'hack' into and gain administrative control over the legitimate web sites of businesses and organizations of all sizes. Such hacked web sites disguise the bad acts the phishers perform. More importantly, web site hackers are fully aware that the web sites they hack and 'own' are reputably legitimate."

"Law enforcement and anti-phishing responders respect and operate under established business, technical, and legal constraints when they seek to remedy or take down hacked web sites. These measures protect legitimate web site operators but unfortunately serve the attacker as well by extending the duration of the attack. The Anti-Phishing Working Group (APWG) offers this document as a reference guide for any web site owner or operator who suspects, discovers, or receives notification that its web site is being used to host a phishing site. The document explains important incident response measures to take in the areas of identification, notification, containment, recovery, restoration, and follow-up when an attack is suspected or confirmed. This document serves as a guideline for web site owners."

See the full APWG "What to do if your site has been hacked by phishers" Industry Advisory here.

Thursday, February 26, 2009 8:06:25 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, January 26, 2009

Despite the number of data breaches which have occurred in the UK over the past year, the UK Government has now authorised 390,000 professionals (including local authorities, police, health service and children's charities) to have direct access to contact details on all under-18-year-olds in England.

This £224 million ContactPoint database was developed following the death of Victoria Climbie in 2000, when Social Services were heavily criticised for lack of coordination and adequate follow-up of children at risk.

It is hoped that this database will go some way to preventing children from slipping through the net.

The Conservatives voiced their concern by stating that this database was "another expensive data disaster waiting to happen". The Liberals were equally opposed, calling it an "intrusive and expensive project".

(Source: BBC NEWS)

Full Story

BBC website


Monday, January 26, 2009 2:45:35 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, January 23, 2009

NYTimes writes that "A new digital plague has hit the Internet, infecting millions of personal and business computers in what seems to be the first step of a multistage attack. The world’s leading computer security experts do not yet know who programmed the infection, or what the next stage will be. In recent weeks a worm, a malicious software program, has swept through corporate, educational and public computer networks around the world."

"Known as Conficker or Downadup, it is spread by a recently discovered Microsoft Windows vulnerability, by guessing network passwords and by hand-carried consumer gadgets like USB keys. Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as nine million personal computers around the world."

This article was accessed through Dave Farber's list.
See the full article in NYTimes here.

Friday, January 23, 2009 3:49:04 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Sunday, January 18, 2009

The well-known British child psychologist Tanya Byron compares the dangers of letting children use the Internet without supervision to allowing them to cross dangerous roads without assistance.

"Government must be co-ordinated in its approach, we must have a national strategy" Byron states, adding,

"Now Obama has laid out his ambitious strategy and France has just published its own, too, there's a bit of a race on to lead the way in protecting children online...."

She encourages parents to take an interest in their children's online activity, and offers common-sense advice such as putting the family computer in the living room rather than in the child's bedroom.

(Source: Telegraph)

Full story

Sunday, January 18, 2009 4:23:58 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Saturday, January 10, 2009

A number of children at a London girls' school were suspended as a result of posting "deeply insulting comments" about a staff member, who is reported to be receiving counselling as a result.

The group of girls, aged between 11 and 18, signed up as members of The Hate Society on Facebook. The headteacher of Grey Coat Hospital School, Rachel Allard, stated, "We can confirm that a number of pupils have been given fixed term exclusions for between 2 and 15 days after the school became aware of their involvement in a hate campaign about a member of staff using an open Facebook group."

 

(Source: Telegraph)

Full story

Telegraph website

Saturday, January 10, 2009 3:06:54 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, May 19, 2008

The Federal Trade Commission has approved four new rule provisions under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), which aim to clarify the Act’s requirements.

The new rule provisions address four topics: (1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender; (2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements; (3) a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and (4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

Continue reading the news release here.

Monday, May 19, 2008 3:11:37 PM (W. Europe Standard Time, UTC+01:00)  #     | 

BBC News recently reported the arrest of five hackers described as being among the most active on the internet. The hackers, who include two 16-year-olds, are accused of disrupting government websites in the United States, Asia and Latin America. Spanish police say the hackers co-ordinated attacks over the internet and hacked into 21,000 web pages over two years.

Read the full report here.

Monday, May 19, 2008 2:30:27 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, April 28, 2008

Information security experts recently revealed that government networks in Blighty and UN computers have been hacked and ensnared in a botnet. According to Websense, the attacks happened in March using some sort of SQL injection. It was said that the number of computers compromised is impossible to know, but an estimate could be around 100,000 URLs. "A victim reaching a hacked site will be redirected to a different page, hosted on a Chinese server. The IP address keeps changing within the JavaScript making it hard to locate."

Read the full article here.

Monday, April 28, 2008 8:34:29 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, April 21, 2008

Dan Kaminsky, director of penetration testing at IOActive, Inc., gives a presentation on wildcard and NXDOMAIN redirection services. The presentation discusses typosquatting and DNS ad injection, and provides several examples showing how these phishing trends work. In short, responses for non-existent domains can validly be made to point at any server the redirecting party chooses, and the redirection can be nearly undetectable. Kaminsky concludes that "even small amounts of failed net neutrality can lead to catastrophic side effects on Internet security" and that "even if everything was 100% SSL, if the ISP could require code on the box, they could still bypass the crypto, and alter the content."

Access Dan Kaminsky's full presentation here.

Monday, April 21, 2008 9:15:51 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, April 03, 2008

A report by the UK media regulator, Ofcom, has reported that 'millions of children are using social networking websites intended for older users.'

Despite the minimum age requirement of 13 to 14 years set by Bebo, MySpace and Facebook, the report found that more than 25% of UK 8 to 11-year-olds have a social network profile.

The Home Office is due to disclose a set of guidelines for such sites involving best practice, security and privacy on Friday 4th April.

This report by Ofcom showed a "significant difference" between the perception of risks in using social network sites between parents and children.

James Thickett, Ofcom's director of market research, stated, "While people are aware of the status of their profile, there is a general lack of awareness of the issues attached to them around privacy and safety". He also added, "People put aside concerns about privacy and safety believing they have been taken care of by someone else".

The lack of child protection in such social network sites is further demonstrated by the following Ofcom figures:

  • 41% of children allowed their profile to be viewed by anyone
  • 16% of parents did not know if their child's profile could be seen by strangers

The vulnerability of children (especially younger ones) to online predators cannot be ignored and Mr Thickett goes on to say,

"Children are using these sites with a far lower awareness of some of the issues and rules that these sites entail".

Ofcom plans to monitor and review the new guidelines agreed by social networks and the Home Office.

Dr Rachel O'Connell, Bebo chief safety officer, said, "We're working with the regulatory bodies. It's critical to our business that we adhere to these guidelines".

For more information see BBC and The Guardian.

Thursday, April 03, 2008 10:27:01 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, March 27, 2008

The Guardian newspaper reports that the first UK national strategy for child Internet safety (which includes a streamlined system for classifying computer games and codes of practice for social networking sites) will be set out today, 27th March 2008.

This comprehensive and detailed report, carried out by child psychologist Dr Tanya Byron, showed that parents are worried about online predators and children are worried by cyber bullying.

One of her proposals includes new codes of practice to regulate social networking sites, such as Bebo and Facebook, and standards on privacy and harmful content.

Dr Byron states that these social networking sites should be asked to agree on codes of practice on harmful content and calls for an independent body to evaluate whether the site is meeting such standards.

She is planning to say that the online explosion has rendered parents "...the Internet immigrants" and children "...the Internet natives...", leaving parents lagging behind as a result of the fast pace of technology.

Dr Byron is reported to have said yesterday, "Ironically parents' concerns about risk and safety of their children in the streets and outside has driven a generation of children indoors, where it could be argued they are being exposed to a whole new set of risks".

Surprisingly, the British Board of Film Classification system fails to provide any indication about the actual content of computer games or to explain their age rating.

Full article here.

Thursday, March 27, 2008 8:29:12 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, March 26, 2008

The UK government is pledging action to protect teachers from bullying through mobile phones and the Internet.

During the NASUWT Annual Conference 24-27 March 2008, Secretary of State for Children, Schools and Families, Ed Balls, is expected to address union members declaring that the cyber bullying of teachers should be regarded as a "serious disciplinary offence".

A "cyber bullying taskforce" for England will be responsible for preventing teachers from being targeted by pupils.

NASUWT leaders (the largest UK-wide teachers' union) want mobile phones classified as "potentially offensive weapons" as well as a ban on online allegations. Until now the government taskforce has focused on the effects of cyber bullying on children, but with the increasing numbers of teachers being harassed online, the situation for teachers can no longer be ignored.

The cyber bullying taskforce includes representatives from anti-bullying and children's charities, the Internet industry and teachers' groups.

The general secretary of NASUWT, Chris Keates, stated, "I am pleased the government accepts that we need strong policies in schools which focus on teachers. Increasingly, teachers' lives are being destroyed by what pupils are doing" and added, "pupils who once had to content themselves with exhibiting poor behaviour when face to face with the teacher, now increasingly use technology to support their indiscipline. Relying on industry self-regulation to resolve this problem is the equivalent of waiting for hell to freeze over".

Read full article at BBC website.

Wednesday, March 26, 2008 8:17:23 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, March 25, 2008

Another "security lapse" has allowed unauthorised access to personal photos posted on Facebook. What makes this situation all the more worrying is that it happened after a recent upgrade to the website's privacy controls.

This incident was verified by the Associated Press after they were alerted by computer technician, Byron Ng.

Facebook spokeswoman, Brandee Barker stated, "We take privacy very seriously and continue to make enhancements to the site".

This latest lapse is yet another warning about the dangers of sharing photographs and personal information online, even when such websites attempt to assure its members that their information cannot be accessed by everyone.

Even after such warnings, increasing numbers of teenagers and young adults are still publishing personal details on the Internet.

MySpace.com, the only online social network larger than Facebook, also experienced a similar security lapse last year.

Full story at CNN website.

Tuesday, March 25, 2008 4:37:27 PM (W. Europe Standard Time, UTC+01:00)  #     | 

Reuters recently reports on cyber warfare, from the Cold War Soviet oil pipeline explosion to the current information security situation. "The pipeline explosion was probably the first major salvo in what has since become known as cyber warfare. The incident has been cropping up in increasingly urgent discussions in the U.S. on how to cope with attacks on military and civilian computer networks and control systems - and how and when to strike back. Air traffic control, power plants, Wall Street trading systems, banks, traffic lights and emergency responder communications could all be targets of attacks that could bring the U.S. to its knees."

According to Director of National Intelligence Michael McConnell's testimony to a Senate committee, "[the US] information infrastructure - including the Internet, telecommunications networks, computer systems and embedded processors and controllers in critical industries - increasingly is being targeted... by a growing array of state and non-state adversaries." The Pentagon adds that it detects three million attempts to infiltrate its computer networks every day. A report by the US Government Accountability Office, based on an audit of 24 government agencies including Defense and Homeland Security, found that "poor information security is a widespread problem with potentially devastating consequences"; since private companies own more than 80 percent of the infrastructure, any response inevitably involves civilians.

"Unlike traditional defense categories (i.e. land, sea and air), the military capabilities required to respond to an attack on U.S. infrastructure will necessarily involve infrastructure owned and operated by the private sector," according to Jody R. Westby, CEO of Global Cyber Risk and a champion of better public-private coordination to cope with cyber attacks.

The article further discusses the importance of public-private coordination and the power of botnets in this warfare. A scenario of the damage extent and how the cyber warfare may unfold was also drawn from an interview with Westby.

Read the full article here.

Tuesday, March 25, 2008 2:15:58 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, March 19, 2008

An unexplained "security breach" at the US supermarket chain, Hannaford Bros., resulted in 1800 reported (to date) cases of fraud after about 4.2 million unique card numbers were exposed. This is reported to be one of the largest data breaches ever.

Although the supermarket chain is said to have become aware of the breach on February 27, 2008, investigators report that it actually began on December 7, 2007 and Hannaford Bros. vice president of marketing, Carol Eleazer stated that, "it wasn't contained until 10 March, 2008".

The company's president and CEO, Ronald C. Hodge stated, "We have taken aggressive steps to augment our network security capabilities. Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions".

The US Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed that they are investigating this case.

Beth Givens, director of Privacy Rights Clearinghouse, said that debit card holders involved in this incident were most at risk of fraud. Banks generally cover the cost of fraudulent charges on credit cards, but proving fraud may be more difficult once a criminal has cleared out an individual's bank account.

Visa and MasterCard state in their contracts with retailers that they do not divulge the source when a data breach occurs. Such a provision does nothing to help either the customer or the retailer in these situations.

Following criticism of the delay in notifying the public about this breach, Carol Eleazer said, "We moved with all deliberate speed to get out to customers with information that we could have confidence in..."

Read full article at CNN website.

Wednesday, March 19, 2008 4:30:52 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, March 17, 2008

The Washington Post's Security Fix features an article on vishing scams, reporting three recent vishing attacks and how they were carried out. According to the article, a series of well-orchestrated wireless phone-based phishing attacks against several financial institutions took place last week, illustrating how scam artists are growing more adept at fleecing consumers by exploiting security holes in seemingly unrelated Internet technologies.

"The scams in this case took the form of a type of phishing known as "vishing," wherein cell-phone users receive a text message warning that their bank account has been closed due to suspicious activity, and that they need to call a provided phone number to reactivate the account. Victims who called the number reached an automated voice mail box that prompted callers to key in their credit card number, expiration date and PIN to verify their information (the voice mail systems involved in these sorts of scams usually are run off of free or low-cost Internet-based phone networks that are difficult to trace and shut down)."

The article also pointed out the importance of installing the latest security updates on the Web servers as well as the use of non-obvious passwords to help mitigate these kinds of vishing attacks.

Read the full article on the Washington Post.

Monday, March 17, 2008 3:43:49 PM (W. Europe Standard Time, UTC+01:00)  #     | 

Once more there is some discussion about privacy laws regarding the content of e-mails. This time it concerns the publishing of letters reportedly sent by e-mail by an aide to the Mayor of London, Ken Livingstone. The American writer GK Chesterton is said to have argued that the best reason for leaving the country and moving to the city was to avoid everyone knowing your business.

Such a move might be laughable now, as it appears that privacy no longer exists. The author Clive James suggests,

"...every computer you sit down at, is a direct pipeline to universal publicity for any thought you dare to express..."

Indeed with the planned closure of around 3000 post offices in London, sending a letter by post may soon be a thing of the past.

Full article at BBC website.

Monday, March 17, 2008 1:10:23 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, March 13, 2008

Time Warner's AOL Internet Division is buying the social networking site Bebo for $850m cash.

Social networking sites are valuable to online advertisers because the information posted by members allows advertisers to target them with products and services that match their profiles.

Bebo is reported to have 40 million members worldwide, many of whom are in the 13-24 year-old age range and thus attractive to advertisers. ComScore reports that Bebo is the UK's second most popular social networking site after Facebook. In the US, Bebo is the third biggest social networking site, after MySpace and Facebook. ComScore also reports that Bebo is the world's ninth most popular social site.

Read full article at bbc website.

Thursday, March 13, 2008 3:37:22 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, March 11, 2008

The ICANN Security and Stability Advisory Committee (SSAC) recently released an advisory on fast flux and double flux attacks. "'Fast flux' is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes." The Advisory describes the technical aspects of fast flux hosting and fast flux service networks. It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifies the impacts of fast flux hosting, and calls particular attention to the way such techniques extend the malicious or profitable lifetime of the illegal activities conducted with them. It describes current and possible methods of mitigating fast flux hosting at various points in the Internet, discusses the pros and cons of these mitigation methods, identifies those that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).

Read the full advisory here.

Tuesday, March 11, 2008 9:58:31 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, March 03, 2008

The UK industry watchdog, the Press Complaints Commission (PCC), will undertake an investigation into the use by newspapers of material taken from personal profiles on social networks.

Tim Toulmin, director of the PCC, has said that his organisation had received complaints from people about material "that is being re-published when they themselves are the subject of news stories", and suggests that guidelines are necessary in order to guide the press in their use of social network content. Given the present lack of boundaries, the PCC has commissioned Ipsos MORI to conduct research into public attitudes. In addition, Mr Toulmin points out that social networking sites have a responsibility to advise their users about the implications of uploading personal information to public or semi-private spaces, and goes one step further, saying, "...the press do have obligations over and above those that govern the online community".

However, Bob Satchwell, Director of the Society of Editors stated that the press should be subject to the same regulation as the public.

The recent media interest in the large number of suspected suicides among young people in Bridgend, UK, has caused concern about the way social network profiles were being used by journalists.

The British Journal of Photography has stated that the publication of images on social networks does not automatically grant rights to republish the photographs elsewhere.

Read full article on BBC website

Monday, March 03, 2008 12:26:19 PM (W. Europe Standard Time, UTC+01:00)  #     | 

The European Commission recently proposed a new Safer Internet programme to enhance the safety of children online. Encompassing Web 2.0 communication services such as social networking, the new programme will fight not only illegal content but also harmful behaviour such as bullying and grooming. With a budget of €55 million, the programme, which builds further on the successful Safer Internet programme started in 2005, will run from 2009 to 2013.

The proposed new programme will:

  • Reduce illegal content and tackle harmful conduct online.
  • Promote a safer online environment.
  • Ensure public awareness.
  • Establish a knowledge base.

Read the full press release here.
For more information on the Safer Internet Programme, click here.

Monday, March 03, 2008 9:27:18 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, February 27, 2008

Websense Security Labs has discovered that Google's popular web mail service Gmail is being targeted by a recent spammer tactic. Spammers in these attacks managed to create bots capable of signing up for and creating random Gmail accounts for spamming purposes. Websense believes that from the spammers' perspective there are four main advantages to this approach. First, signing up for an account with Google allows access to its wide portfolio of services. Second, Google's domains are unlikely to be blacklisted. Third, the accounts are free to sign up for. And fourth, they are hard to keep track of, as millions of users worldwide use various Google services on a regular basis. According to Websense, these accounts could be used by spammers at any time to abuse Google's infrastructure. A wide range of attacks is possible, as the same account credentials can be used to target the various services offered by Google.

A detailed analysis report is provided showing the entire process used by the CAPTCHA-breaking hosts. Read more about the analysis report here.

Wednesday, February 27, 2008 10:15:24 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, February 15, 2008

Once more there is controversy over a new database, due to go online in September 2008, which will hold the school records of all UK school pupils aged 14 years and over. Amid security concerns from a number of sources, the British government is under pressure not to implement it.

The Learning and Skills Council (LSC) insists that it is not a "tracking system" and would in fact be using existing information that has already been collected a number of times. David Russell, national director of resources at the LSC, said "It will only hold factual information such as name, surname, age, postcode, qualifications achieved and courses attended."

Under the Managing Information Across Partners (MIAP) system, to be launched on Thursday 21st February 2008 by Higher Education Minister Bill Rammell, the number assigned to each pupil will stay with them until they retire.

However, data security watchdog, the Information Commissioner stated that no database could be totally secure and a spokesman added, "We have provided advice and assistance to help ensure that this system is watertight and secure - but no system is immune to human error and breaches can and do occur..."

Last year, the British government put another planned database of children, ContactPoint, on hold, pending a security review and changes to the system including its access controls. ContactPoint is designed for use by child protection agencies. The review was ordered after the loss by HM Revenue and Customs of two discs containing the personal and bank details of 25 million people.

Read full article at the BBC News website

Friday, February 15, 2008 4:36:42 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, January 31, 2008

Nnamdi Chizuba Anisiobi, age 31, of Nigeria; Anthony Friday Ehis, age 34, of Senegal; and Kesandu Egwuonwu, age 35, of Nigeria have pleaded guilty to charges related to spam e-mail that promised U.S. victims millions of dollars from an estate and a lottery, the U.S. Department of Justice announced Wednesday. The three were arrested in Amsterdam on Feb. 21, 2006. In one of the schemes, the defendants sent an e-mail to thousands of potential victims purporting to be from an individual suffering from terminal throat cancer who needed assistance distributing approximately US$55 million to charity. According to the DOJ, the fraud victims lost $1.2 million by paying the defendants advance fees. "Anisiobi pled guilty to one count of conspiracy, eight counts of wire fraud and one count of mail fraud. Ehis pled guilty to one count of conspiracy and five counts of wire fraud. Egwuonwu pled guilty to one count of conspiracy, three counts of wire fraud and one count of mail fraud. The maximum penalty for mail and wire fraud is 20 years in prison. The conspiracy charge carries a maximum penalty of five years in prison." A fourth defendant, Lenn Nwokeafor, was reported to have fled to Nigeria. He was subsequently arrested by the Nigerian Economic & Financial Crimes Commission on July 27, 2006, and is now being held by the Nigerian authorities pending extradition to the U.S.

Read the full article on The New York Times.

Thursday, January 31, 2008 9:47:59 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, January 28, 2008

Net-Security.org recently interviewed Nitesh Dhanjani and Billy Rios, well-known security researchers who have recently managed to infiltrate the phishing underground. The interview gives readers a rundown of how Dhanjani and Rios saw an extraordinary amount of sensitive customer account information, obtained the latest phishing kits, located and examined the tools used by phishers, trolled sites buying and selling identities, and even social-engineered a few scammers. In the interview they also expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, and discuss how phishers communicate and how they phish each other.

Read the full interview here.

Monday, January 28, 2008 1:07:00 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, January 22, 2008

The past week marks the one-year anniversary of the emergence of the spam-enabling Storm worm, a tenacious strain of malicious software that probably speaks more about the future of online crime than almost any other malware family circulating online today. A chronological account from security firm Trend Micro visually sums up Storm's evolution. Dmitri Alperovitch, director of Secure Computing, said federal law enforcement officials who need to know have already learned the identities of those responsible for running the Storm worm network, but that U.S. authorities have thus far been prevented from bringing those responsible to justice due to a lack of cooperation from officials in St. Petersburg, Russia, where the Storm worm authors are thought to reside. 

Alperovitch believes the majority of Storm worm victims are Microsoft Windows users who for whatever reason have ignored the best advice of security professionals by not running anti-virus software and/or regularly applying software security updates. Indeed, the infection statistics seem to support that analysis. According to Vincent Gullotto, head of Microsoft's security research and response team, Microsoft's "malicious software removal tool" -- shipped as part of its monthly patch updates -- has removed an average of 200,000 versions of the Storm worm from Windows systems each month since November, when the software giant first started shipping removal routines for Storm.

According to Trend, nearly 12,000 pieces of Storm-connected malware were unleashed online over the past year (this includes the Trojan that drops the payload, the Storm worm itself, as well as regular -- sometimes hourly -- updates pushed out to infected machines to stay a step ahead of any anti-virus software installed on the host system.) As big as Storm got this past year, Symantec's numbers help put things in a bit more perspective. Storm-related malware made up slightly more than one-quarter of one percent of all potential malicious code infections in 2007, Symantec said.

Read the full article on the Washington Post.

Tuesday, January 22, 2008 12:29:53 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, January 21, 2008

Information Week reports that the CIA admitted on Friday at a New Orleans security conference that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. According to Alan Paller, director of research at the SANS Institute, CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout. Information about which foreign cities were affected by the outage and other information related to the attack were not disclosed. According to Paller, a written statement from Donahue read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

The conference was on sharing data about cyberattacks on critical utilities and resources, and on methods of attack mitigation. Discussions also included the new SCADA (Supervisory Control And Data Acquisition) and Control Systems Survival Kit, a document of best practices for SCADA systems.

Read the full article here.

Monday, January 21, 2008 2:06:15 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, January 16, 2008

A documentary, "The New Face of Cybercrime," created by Academy Award-nominated director Fredric Golding and presented by Fortify Software, puts a face to the criminals intent on hacking into systems today. Candid interviews with many industry leaders and executives of large organizations taking steps against these attacks are also included, providing perspective on how they think about these threats and what they are doing about them throughout their companies.

Wednesday, January 16, 2008 9:24:11 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, January 15, 2008

The Storm Worm botnet, using its huge collection of infected computers, is now sending out phishing emails directing people to fake banking sites that it also hosts on the computers it remotely controls, according to F-Secure and Trend Micro. Storm had apparently never been involved in phishing up to this point; according to F-Secure, the new campaign may indicate that Storm's controllers have figured out how to divide the massive army into clusters which they are now renting out to others. F-Secure and Trend Micro both reported that the phishing scam was using a technique known as fast-flux DNS to keep the phishing site alive. Fast flux works by constantly changing the IP addresses that the Internet's phone book system (DNS) returns for the phishing domain, with multiple computers in the botnet taking turns hosting the phishing site. This makes it very difficult to blacklist an IP address, and since the site isn't being hosted by a company that researchers could contact to take it down, the site lives longer.

According to Paul Ferguson, an advanced threat researcher for security giant Trend Micro, the spam emails were sent from a different segment of the botnet than the one hosting the phishing sites. The site used for phishing had been registered only on Monday. Anti-phishing filters, such as those bundled into Opera, Firefox and IE7, have gotten pretty good at quickly adding sites to their blocked lists; however, "the issue becomes how do you work to take it down and find the perpetrators," said Ferguson.
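The fast-flux behaviour described in this entry, and in the SSAC advisory summarised in the 11 March entry on this page, can be scored from repeated lookups of a suspect name: a very short TTL, many distinct addresses over the observation window, those addresses scattered across many networks, and an answer set that changes from one lookup to the next. The following is an added example, not code from F-Secure, Trend Micro or SSAC. The thresholds are hypothetical, the DNS observations are constructed (private 10/8 and documentation address ranges, not real hosts), and the count of distinct /16 prefixes stands in for the per-AS diversity a production tool would compute from routing data:

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Lookup:
    """One A-record lookup of a suspect name: the TTL and the addresses returned."""
    ttl: int
    ips: tuple


# Hypothetical thresholds chosen for this example, not taken from the advisory.
MAX_FLUX_TTL = 300        # seconds; flux networks advertise TTLs of minutes, not days
MIN_UNIQUE_IPS = 10       # many distinct hosts seen over the observation window
MIN_UNIQUE_PREFIXES = 5   # distinct /16s: compromised hosts are scattered across ISPs
MIN_CHANGE_RATIO = 0.5    # the answer set should change between most lookups


def prefix16(ip):
    """Return the /16 network of an IPv4 address as an integer (a crude AS proxy)."""
    return int(ip_address(ip)) >> 16


def flux_features(lookups):
    """Summarise a sequence of lookups of one name into the features a flux detector uses."""
    ips = {ip for lk in lookups for ip in lk.ips}
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if set(a.ips) != set(b.ips))
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "unique_ips": len(ips),
        "unique_prefixes": len({prefix16(ip) for ip in ips}),
        "change_ratio": changes / max(len(lookups) - 1, 1),
    }


def is_fast_flux(lookups):
    """All four indicators must hold. A CDN also rotates addresses with low TTLs,
    but within a few of its own prefixes, so the prefix check keeps it off the list."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= MAX_FLUX_TTL
            and f["unique_ips"] >= MIN_UNIQUE_IPS
            and f["unique_prefixes"] >= MIN_UNIQUE_PREFIXES
            and f["change_ratio"] >= MIN_CHANGE_RATIO)


# Constructed observations (private and documentation ranges, not real hosts).
def _flux_answer(n):
    # n-th answer set: five addresses, each in a different /16 of 10/8
    return tuple(f"10.{5 * n + k}.{n}.{k + 1}" for k in range(5))

FLUX_LOOKUPS = [Lookup(ttl=180, ips=_flux_answer(n)) for n in range(6)]      # flux domain
CDN_LOOKUPS = [Lookup(ttl=60, ips=(f"192.0.2.{10 + n}", f"192.0.2.{20 + n}"))
               for n in range(6)]                                            # CDN: one /16
STATIC_LOOKUPS = [Lookup(ttl=86400, ips=("198.51.100.7",))] * 6              # ordinary site

if __name__ == "__main__":
    for name, obs in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS), ("static", STATIC_LOOKUPS)):
        print(name, is_fast_flux(obs), flux_features(obs))
```

The CDN case is the one worth keeping in mind: a low TTL and a changing answer set alone will flag legitimate content-delivery hostnames, which is why the network-diversity feature is required. For the double flux variant the advisory also covers, the same features are computed over the zone's NS records as well as its A records.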

Read Ferguson's article on this incident on Trend Micro's Malware Blog.
Read the full article on Wired Blog Network.

Tuesday, January 15, 2008 5:41:20 PM (W. Europe Standard Time, UTC+01:00)  #     | 

The Pushdo trojan, a fairly new and prolific threat circulated in fake "E-card" emails, is classified as a more sophisticated "downloader" trojan because of its control server. According to the analysis by SecureWorks, when executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server. Any request that doesn't have the correct URL format is answered with the following content:

Looking for blackjack and hookers?

The Bender Bending Rodriguez text (a Futurama reference) is simply misdirection to mask the true nature of the server; if the HTTP request contains the following parameters, one or more executables will be delivered via HTTP:

[Image: Typical Pushdo Request]

The Pushdo controller is preloaded with multiple executable files; the one examined contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to keep any one of the malware loads from being delivered to users located in a particular country, or to target a specific country or countries with a specific payload.

Pushdo's use of the physical hard drive serial number as an identifier not only provides a unique ID for the infected system, but can also reveal whether the code is running in a virtual machine (virtual disks typically report vendor-identifiable serial and model strings). This could be a way for the malware author to spot anti-virus companies using automated tools to monitor the malware download points.

Another anti-anti-malware function of Pushdo is that it looks at the names of all running processes and compares them to a list of anti-virus and personal firewall process names. Instead of killing these processes, however, Pushdo merely reports back to the controller which ones are running, by appending "proc=" and a list of the matching process names to the HTTP request parameters. This lets the authors determine, from their absence in the statistics, which anti-virus engines or firewalls are preventing the malware from running or phoning home, so the Pushdo author doesn't have to maintain a test environment for each AV/firewall product.

SecureWorks recently received an e-card email containing a newer variant of Pushdo. Apparently taking notice that the Bleeding Snort project had published a signature (sid 2006377) to detect the Pushdo request variables in transit, the author has changed the request to be less fingerprintable. An example of the new request format is:

GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0

Apparently, the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild. Although it is unclear just how large the Cutwail botnet has become, the ambition of the project rivals that of other more well-known spam botnets, such as Storm.
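The three observable traits above (the "proc=" parameter of the older request, the opaque hex path of the newer one, and the decoy text the controller serves to anything else) are what a network monitor has to work with. The following is an added example, not code from SecureWorks or from the Bleeding Snort signature. It labels constructed HTTP request lines (only the first is the sample request quoted above; the "proc=" line is a hypothetical reconstruction, since the page does not reproduce the old parameter names), checks a response body for the decoy banner, and decodes the sample's hex path. The decoding step is an interpretation rather than a documented field layout: the path carries a 20-byte printable string, and if that is an ATA IDENTIFY serial number, which drives report byte-swapped within each 16-bit word, unswapping it yields a string in the format of a Western Digital serial, consistent with the drive-serial identifier described above:

```python
import re
from urllib.parse import parse_qs, urlsplit

# The newer-format request line quoted in the SecureWorks analysis above.
PUSHDO_SAMPLE = ("GET /40e800142020202057202d4443574d414c393635393438366c"
                 "0000003c66000000007600000002 HTTP/1.0")

# Newer beacon: an opaque, even-length, lowercase hex blob as the whole path.
HEX_PATH_RE = re.compile(r"^/([0-9a-f]{64,})$")
# Text the controller returns for any request that is not in its expected format.
PUSHDO_BANNER = "Looking for blackjack and hookers?"


def classify_request(line):
    """Label one HTTP request line as a Pushdo indicator, or return None."""
    try:
        method, target, version = line.split()
    except ValueError:
        return None
    parts = urlsplit(target)
    m = HEX_PATH_RE.match(parts.path)
    # Shape of the sample above: hex-only path, no query string, HTTP/1.0.
    if m and version == "HTTP/1.0" and not parts.query and len(m.group(1)) % 2 == 0:
        return "pushdo-hex-beacon"
    # Older format: 'proc=' carries the AV/firewall process names found on the host.
    if "proc" in parse_qs(parts.query):
        return "pushdo-proc-report"
    return None


def looks_like_controller(body):
    """True if an HTTP response body is the decoy text the controller serves."""
    return PUSHDO_BANNER in body


def decode_hex_path(line):
    """The bytes encoded in a hex-path beacon."""
    return bytes.fromhex(line.split()[1].lstrip("/"))


def longest_printable_run(data):
    runs = re.findall(rb"[\x20-\x7e]+", data)
    return max(runs, key=len).decode("ascii") if runs else ""


def ata_unswap(s):
    """ATA IDENTIFY DEVICE strings are stored byte-swapped within 16-bit words;
    undo that so a serial number reads naturally."""
    out = [s[i:i + 2][::-1] for i in range(0, len(s) - 1, 2)]
    if len(s) % 2:
        out.append(s[-1])
    return "".join(out)


def candidate_drive_serial(line):
    """Interpretation, not a documented field: treat the printable field in the
    beacon as an ATA serial string (that field is 20 characters long)."""
    run = longest_printable_run(decode_hex_path(line))
    return ata_unswap(run[:20]).strip()


# Constructed request log; only the first line is from the analysis above.
CONSTRUCTED_LOG = [
    PUSHDO_SAMPLE,
    "GET /index.html HTTP/1.1",
    "GET /check?proc=avp.exe,zlclient.exe HTTP/1.0",   # hypothetical old-style report
    "GET /static/app.js?v=deadbeefcafebabe HTTP/1.1",  # short hex in query: benign
    "GET /" + "ab" * 32 + " HTTP/1.1",                 # hash-like CDN path: not flagged
]


def scan(lines):
    """Return (line, label) for every request that matches an indicator."""
    hits = []
    for line in lines:
        label = classify_request(line)
        if label:
            hits.append((line, label))
    return hits


if __name__ == "__main__":
    for line, label in scan(CONSTRUCTED_LOG):
        print(label, line[:60])
    print("device id in beacon:", candidate_drive_serial(PUSHDO_SAMPLE))
```

The hash-like path in the constructed log shows the limit of a path-shape rule on its own: content-addressed URLs on legitimate sites look the same, so the HTTP/1.0 version and the absence of any query string are used as extra conditions here, and in practice the decoy banner in the server's replies, or the Apache banner on a host that serves nothing else, is the stronger confirmation.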

Read the complete analysis on Pushdo here.
Read the blog entry detailing the trouble Sophos are having with the Pushdo trojan.

Tuesday, January 15, 2008 11:33:44 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, December 19, 2007

The OPTA Commission has imposed a fine of 1 million Euros on three Dutch enterprises, operating under the company name DollarRevenue, and their two directors, for their unlawful installation of software on more than 22 million computers belonging to Internet users in the Netherlands and elsewhere. They primarily used misleading files, making Internet users believe that they were about to download apparently innocent files, whereas these actually contained DollarRevenue software. "They also used botnets, thereby installing files without user intervention. Each day 60,000 installations occurred on average. A total of more than 450 million program files were illegally placed on 22 million computers." Because the enterprises and their directors had deliberately contravened provisions of the Universal Service and End Users Decree [Besluit universele dienstverlening en eindgebruikers], based on the Telecommunications Act [Telecommunicatiewet] and designed to promote safe Internet usage and to protect the privacy of Internet users, fines totalling 1 million Euros were imposed.

Read the full article on the OPTA website.

Wednesday, December 19, 2007 5:14:35 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, December 14, 2007

According to McAfee, the website of the French Embassy in Libya is currently under attack through IFRAME injection. With the visit of Libyan leader Muammar Khadafi to France, controversy is stirring up, which has apparently attracted the interest of the people behind the attack. The injected iframe routes visitors to sites hosted through a Hong Kong provider, which then redirect them to Russia and Ukraine where exploits and downloaders are used (Exploit-YIMCAM and Downloader-AUD). McAfee warns people not to attempt to reach the site as it is still dangerous.
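An injected iframe of the kind described here is usually invisible to the visitor: zero-sized, hidden by style, and pointing off-site at a host the page owner never chose. The following is an added example, not McAfee's code or tooling, of how a site owner or responder can check a page's own HTML for such frames. The page it scans is constructed (hostnames use the reserved .example TLD) and contains a same-site map frame, a legitimate off-site embed and one injected frame; the rule requires at least two indicators so that an ordinary off-site embed is not flagged by itself:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def iframe_indicators(frame, page_host):
    """Indicators that a frame was injected rather than placed by the site owner."""
    src = frame.get("src", "")
    host = urlsplit(src).hostname or page_host      # relative src => same host
    style = frame.get("style", "").replace(" ", "").lower()
    reasons = []
    if host != page_host:
        reasons.append("off-site src")
    if _tiny(frame.get("width")) or _tiny(frame.get("height")):
        reasons.append("zero-size")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    return reasons


def suspicious_iframes(html, page_host, min_indicators=2):
    """Return (src, reasons) for frames with at least min_indicators indicators.
    A lone off-site frame (a video embed, say) is not enough to be flagged."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        reasons = iframe_indicators(frame, page_host)
        if len(reasons) >= min_indicators:
            hits.append((frame.get("src", ""), reasons))
    return hits


# Constructed page: a same-site map, a legitimate off-site embed, and one
# injected, hidden, off-site frame (hosts use the reserved .example TLD).
CONSTRUCTED_PAGE = """<html><body>
<h1>Consular services</h1>
<iframe src="/map.html" width="400" height="300"></iframe>
<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://hk-host.example/load.php" width="0" height="0" style="display: none"></iframe>
<p>Opening hours 09:00 to 12:00</p>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(CONSTRUCTED_PAGE, "embassy.example"):
        print(src, reasons)
```

Scanning the served HTML is only the first step: the injection McAfee describes was a chain of redirects, so the host named in the iframe is the entry point, not the exploit server, and the page source on disk should be compared with what the server actually sends, since injection sometimes happens in the web server or its configuration rather than in the files.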

For more information, visit the McAfee Blog.

Friday, December 14, 2007 10:12:11 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, December 11, 2007

PC Tools recently discovered a social-engineering attack that uses trickery rather than a software flaw to get at victims' valuable information. It is a new program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners. The program, known as CyberLover, is believed to be making the rounds in Russian chat forums. According to PC Tools, the "bot" cannot be easily distinguished from a real potential suitor, and the software works quickly, establishing up to 10 relationships in 30 minutes. It then compiles a report on every person it meets, complete with name, contact information and photos, which may then be made available for fraudulent activities. "Although the program is currently targeting Russian Web sites, PC Tools is urging people in chat rooms and social networks elsewhere to be on the alert for such attacks. Their recommendations amount to just good sense in general, such as avoiding giving out personal information and using an alias when chatting online."

Read the full article here.

Tuesday, December 11, 2007 10:00:31 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, December 03, 2007

Kelly Jackson Higgins, Senior Editor of Dark Reading, wrote on how cyberwarfare and the underground malware market have evolved. According to experts, international cyber-spying is considered the biggest threat for 2008, with the malware economy mimicking legitimate software markets. Malware suppliers are reportedly offering tools that make it easy for criminals with little technical know-how to commit their crimes, and many now advertise their 'products' and offer support services as a value-add. These, as well as cyber-spying trends, are among the many findings of McAfee's annual Virtual Criminology Report released on 29 November 2007. The report was based on input from more than a dozen security experts from NATO, the FBI, SOCA, the London School of Economics, and the International Institute for Counter-Terrorism.

"What struck me through most of this report is the threat is more evolutionary than revolutionary -- things we've talked about as potentially developing are now status quo," says David Marcus, senior research and communications manager for McAfee. "That's the disturbing part. Cyberwarfare, or state-sponsored malware, is business as usual." According to the report, what further concerns governments is that this malware, as well as the burgeoning market for zero-day exploits, sold in the black market can also be used for targeting government, banks or other sensitive infrastructures, such as the power grid.

Read the full article here.

Monday, December 03, 2007 11:25:11 AM (W. Europe Standard Time, UTC+01:00)  #     | 

A Taxonomy of Privacy by Daniel J. Solove, an associate professor at the George Washington University Law School, won the 2006 Privacy Enhancing Technologies Award. The paper attempts to identify privacy problems in a comprehensive and concrete manner; it aims to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law.

“Privacy is a concept in disarray,” Solove says. “Abstract incantations of ‘privacy’ are not nuanced enough to capture the problems involved. The law has often failed to adequately protect privacy, and privacy problems are frequently misconstrued or inconsistently recognised. Without an understanding of what the privacy problems are, how can privacy be addressed in a meaningful way?”

His taxonomy defines threats to privacy from the perspective of the individual, in four categories of potentially harmful activities — information collection, information processing, information dissemination and invasion. With the help of this more comprehensive taxonomy, Solove hopes that privacy considerations can be better recognised and balanced against opposing interests.

Read the full paper here.

Monday, December 03, 2007 10:02:12 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, November 27, 2007

USA Today reports on current spam statistics, and reiterates how spam continues to increase despite anti-spam software, filters and legislation. According to market researcher IDC, "the total number of spam e-mail messages sent worldwide, 10.8 trillion, will surpass the number of person-to-person e-mails sent, 10.5 trillion." Spam is also said to have reached 60 billion to 150 billion messages a day. As for phishing, the Anti-Phishing Working Group said the number of new phishing sites soared to 30,999 as of July 2007, from 14,191 in July 2006. MessageLabs adds that one in 87 e-mails is now tagged as a phishing scam, compared with one in 500 a year ago.

The fight against spam has nonetheless expanded and grown too. Common defenses now available to users include the built-in spam filtering of Google's Gmail, the controls on social-networking sites such as Facebook and MySpace that let users decide who has access to their personal profile and exchange messages with friends, family and business associates, and the phishing filter Microsoft provides in its Internet Explorer browser. In the same effort to stop spam, Yahoo, eBay and PayPal recently announced their use of DomainKeys, an e-mail authentication technology. Other anti-spam technologies include CertifiedEmail from Goodmail Systems and a new breed of e-mail services such as Boxbe. "The multilayered-defense approach has worked to stop such scourges as image spam, which varied the content of individual messages — through colors, backgrounds, picture sizes or font types — to slip through spam filters. Image spam made up half of all spam in January. Since software makers came up with a solution, image spam has dropped to 8% of all spam, Symantec says."

Read the full article here.

Tuesday, November 27, 2007 2:23:14 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, November 23, 2007

A new research paper on the Russian Business Network (RBN), Russian Business Network - Additional Analysis, by David Bizeul has recently been published online. Bizeul spent the past three months researching the RBN, a virtual safe house for Russian criminals responsible for malicious code attacks, phishing attacks, child pornography and other illicit operations.

To read the paper, visit bizeul.org.
This paper is also available at the SANS Internet Storm Center website.

Friday, November 23, 2007 9:52:59 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, November 19, 2007

A presentation, Infrastructure and Applications for Large-Scale DNS Data Collection, given by Keith Mitchell, OARC Programme Manager at the Internet Systems Consortium, at AusCERT on 21 May 2007, is now available online. It provides an introduction to the Internet Domain Name System (DNS), background information on OARC, and a wealth of domain statistics from OARC. The "Day in the Life of the Internet" (DITL) research project, which aims to improve "network science" by building up a baseline of regular Internet measurement data over 48-hour periods, was also discussed, as was a case study of the Root Server DDoS attack of 6 February 2007. For more information, visit the OARC website.

Monday, November 19, 2007 9:34:22 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, November 12, 2007

Microsoft has released the Asia Pacific Legislative Analysis: Current and Pending Online Safety and Cybercrime Laws, a study providing a high-level snapshot of the status of computer security, privacy, spam and online child safety legislation in the Asia Pacific region. Detailed analyses of these laws specific to Australia, China, Hong Kong, India, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam are also provided in the paper. For more information regarding this document, contact Julie Inman Grant, Regional Director, Corporate Affairs of Internet Safety and Security at Microsoft Asia Pacific. More Cybersecurity Legislation and Enforcement related resources are available on the CYB website.

Monday, November 12, 2007 9:57:14 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, November 08, 2007

Baltimoresun.com reports on Bush's announcement of a plan to prevent cyberspace attacks on U.S. interests. A $154 million budget was requested as preliminary funding for the initiative, which current and former government officials say is expected to become a seven-year, multibillion-dollar program to track threats in cyberspace on both government and private networks. Lawmakers who recently received briefings on the initiative, however, continue to have many questions, and some remain concerned about the legality of the program and whether it provides sufficient privacy protections. According to a former government official familiar with the proposal, the total start-up costs of the program are about $400 million. "The proposal 'will enhance the security of the Government's civilian cyber networks and will further address emerging threats,' Bush wrote to Congress as part of his request for additional money for cyber security and other counterterrorism measures. The initiative would first develop a comprehensive cyber security program for the government and then do the same for private networks, the former government official said."

Read the full article here.

Thursday, November 08, 2007 11:29:37 AM (W. Europe Standard Time, UTC+01:00)  #     | 

Email Submission Operations: Access and Accountability Requirements by Carl Hutzler, Dave Crocker, Pete Resnick, Eric Allman, and Tony Finch has recently been released as Best Current Practice (BCP) 134. This document provides recommendations for constructive operational policies between independent operators of email submission and transmission services to mitigate the propagation of spam and worms. Its goal is to improve lines of accountability for controlling abusive uses of the Internet mail service. This document specifies an Internet Best Current Practice for the Internet community, and requests discussion and suggestions for improvements. For more information, click here.

Thursday, November 08, 2007 9:41:50 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, November 05, 2007

The article, Myth of privacy busted; Web advertisers scan e-mails, by Louise Story, published in the International Herald Tribune, reports on online advertisers probing into users' privacy for marketing purposes. "At a meeting of the U.S. Federal Trade Commission about online privacy Thursday, the regulator's commissioner, Jon Leibowitz, said the agency would be exerting a tighter grip over online advertising. Leibowitz said that rules about the privacy policies of sites may need to be established... But some people from the online industry said the FTC should stay out." According to Randall Rothenberg, president and chief executive of the Interactive Advertising Bureau, FTC regulation of online advertising could limit the recent ''extraordinary pattern of innovation.''

Eight years after the FTC's public workshop on the use of consumer data in online ads, many of the hypothetical scenarios described then are now a widespread reality. However, many executives in the advertising industry do not see anything wrong with online targeting, arguing that the practice benefits consumers, who see more relevant ads. They add that for consumers, providing some innocuous personal data is a small trade-off for free access to the rich content of the Internet, much of which is ad-supported. A growing concern, even among online companies, about what information is being used to deliver ads to people is nonetheless evident.

"The market is getting edgier and edgier, and what is accepted in the marketplace gets dodgier and dodgier," said Martin Abrams, the executive director of the Center for Information Policy Leadership. "We have really moved to a world where we say consumers need to police the market, and, increasingly, it is a harder world to police."

Read the full article here.

Monday, November 05, 2007 12:37:03 PM (W. Europe Standard Time, UTC+01:00)
 Friday, November 02, 2007

The 2008 Workshop on the Economics of Information Security (WEIS), founded on "a strong and growing interdisciplinary tradition, bringing together information technology academics and practitioners with social scientists and business and legal scholars to better understand security and privacy threats," will be held on 25-27 June 2008 in Hanover, New Hampshire. This workshop will be hosted by the Center for Digital Strategies at Dartmouth College's Tuck School of Business, in partnership with the Institute for Information Infrastructure Protection (I3P). For more information about this event, visit the WEIS 2008 website.

Friday, November 02, 2007 9:16:02 AM (W. Europe Standard Time, UTC+01:00)
 Monday, October 22, 2007

An article on CIO, Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy, provides a detailed account of Don Jackson's discovery of Gozi, 76service.com and the new online crime economy. It also illustrates the evolution of online crime from trojans to sophisticated networks selling bot services. Don Jackson is a security researcher for SecureWorks, one of dozens of boutique security firms that have emerged to deal with Internet security. Starting from an executable file, Gozi, that Jackson discovered on a friend's computer, he was led to a professionally run, business-like network, later identified as 76service.com, where he uncovered a "3.3 GB file containing more than 10,000 online credentials taken from 5,200 machines—a stash he estimated could fetch $2 million on the black market." The article also notes that "Lance James’ company Secure Science discovers 3 million compromised login credentials—for banks, for online email accounts, anything requiring a username and password on the Internet—and intercepts 250,000 stolen credit cards. On an average week, Secure Science monitors 30-40GB of freshly stolen data, 'and that’s just our company,' says James."

Read the full account of Don Jackson's investigation on the CIO website.

Monday, October 22, 2007 11:31:23 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, October 18, 2007

In a CNN interview with Interpol, Kristin Kvigne, assistant director of Interpol's trafficking in human beings unit, discussed how Interpol currently addresses the growing concern about child pornography and child abuse online. A brief rundown of investigations related to the recently identified child pornographer Christopher Paul Neil was also given. According to Kvigne, the latest technological tools used by Interpol have greatly aided the progress of the ongoing investigation and manhunt. The Interpol officer further stressed that "Interpol has got great tools in place for preventing people with prior convictions, et cetera, to enter into countries unknown. Countries can use the notice system that Interpol has in alerting other countries as to their traveling potential sex offenders. And Interpol would like to see that used more by law enforcement globally." According to the interview, "Interpol has half a million more pictures of child sex abuse. In fact, more than half a million, with maybe 10,000 or 20,000 kids in them -- 10,000 or 20,000 victims. They've rescued roughly 600." More Interpol-related news here.

Incidentally, Facebook, a popular social networking website, recently expressed its renewed efforts to protect its users from online predators. "The precautions will include a new safety disclosure for parents and a more efficient complaint process to report unsolicited sexual advances and inappropriate content, New York Attorney General Andrew Cuomo announced Tuesday at a news conference. Facebook will also allow an independent examiner -- chosen and paid for by the company, but approved by the attorney general -- to report on its compliance for the next two years." According to CNN, this recent announcement followed an investigation into Facebook launched by Cuomo wherein tests conducted by investigators "revealed 'significant defects' in safety controls and the company's response to complaints." Read the full article on the CNN website.

Thursday, October 18, 2007 9:32:02 AM (W. Europe Standard Time, UTC+01:00)

BBC Hardtalk interviewed the international president of Bebo, a growing UK-based Internet company aimed at young people. The interview tackles the current issues regarding Internet security among young people on social networking sites, amid concern about the numerous registered paedophiles on such websites.

More details on this interview here.

Thursday, October 18, 2007 8:45:51 AM (W. Europe Standard Time, UTC+01:00)

A paper on the wealth of Internet miscreants, "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants," is available online on the ICSI Center for Internet Research website. The paper discusses "an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, [the researchers] measure how the shift from “hacking for fun” to “hacking for profit” has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year."

To access the paper, click here.

Thursday, October 18, 2007 8:39:34 AM (W. Europe Standard Time, UTC+01:00)
 Monday, October 15, 2007

The Washington Post recently reported on the Russian Business Network, an Internet business based in St. Petersburg which has become a world hub for Web sites devoted to child pornography, spamming and identity theft. Cybercrime groups including those responsible for about half of last year's incidents of phishing are said to be operating from the company's computer network system.

"The company 'is literally a shelter for all illegal activities, be it child pornography, online scams, piracy or other illicit operations,' Symantec analysts wrote in a report. 'It is alleged that this organized cyber crime syndicate has strong links with the Russian criminal underground as well as the government, probably accomplished by bribing officials...' But Alexander Gostev, an analyst with Kaspersky Lab, a Russian antivirus and computer security firm, said the Russian Business Network has structured itself in ways that make prosecution difficult. 'They make money on the services they provide,' he said -- the illegal activities are all carried out by groups that buy hosting services... In addition, Gostev said, criminals using the Russian Business Network tend to target non-Russian companies and consumers rather than Russians, who might contact local authorities. 'In order to start an investigation, there should be a complaint from a victim. If your computer was infected, you should go to the police and write a complaint and then they can launch an investigation,' Gostev said. Now, he added, his company and the police both have information, but no victim has filed a complaint."

Read the full article here.

Monday, October 15, 2007 1:59:17 PM (W. Europe Standard Time, UTC+01:00)
 Friday, October 05, 2007

Yesterday, Microsoft announced the launch of HealthVault, an online platform for securely storing personal health-related information. The business model relies on performing vertical Internet search tailored to health queries. Several organizations have signed up to participate in the project, including hospitals, disease prevention organizations, and health care companies.

For more information, see the articles in the New York Times and the Economist, discussions on several blogs, and the company's press information.

Friday, October 05, 2007 5:08:45 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, October 04, 2007

Heise Online recently reported "on a ruling, dated March 27, 2007, which has only now been published and is likely to have legal ramifications, the local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from retaining personal data acquired via its website beyond the periods associated with the specific instances of use of the site... The local court also opposed the view espoused by operators and some data privacy watchdogs that security reasons justify a recording regime that over short periods of time maps the behavior of all Net users and allows individual users to be picked out." Slashdot adds that "German privacy activists have started a campaign Wir speichern nicht, ("we don't log your data!") which provides manuals on how to turn off the IP logging on your server."

In response to this ruling, Patrick Breyer of the German Working Group on Data Retention, who was the plaintiff in the relevant case, has called on all public authorities, departments and agencies of the German Federal State and of the federal states comprising the Federal Republic to abandon their "illegal data retention policies" by the end of this year at the very latest or have additional lawsuits filed. Breyer has made a model complaint available on his website.

Read the complete news report here.

Thursday, October 04, 2007 11:33:25 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, September 26, 2007

The OECD has recently released the September 2007 issue of its newsletter. "OECD Information and Communication Policy News was launched in June 2006. Every quarter, it brings the latest news, statistics and best practice recommendations from the OECD on Information and Communication Policy, including policy for communication infrastructures and services, the information economy, security and privacy, and consumer protection." For more information, visit the OECD website.

Wednesday, September 26, 2007 3:08:55 PM (W. Europe Standard Time, UTC+01:00)
 Monday, September 17, 2007

The Washington Post reports on Google's call for new international standards on the collection and use of consumer data. "Peter Fleischer, global privacy counsel for Google, told a U.N. audience in Strasbourg, France, that fragmentary international privacy laws burden companies and don't protect consumers. He argued for an international body such as the United Nations to create standards that individual countries could then adopt and adapt to fit their needs. 'The ultimate goal should be to create minimum standards of privacy protection that meet the expectations and demands of consumers, businesses and governments,' Fleischer said, according to a transcript of the speech provided by Google."

The European Union is currently investigating Google's privacy practices. There has been controversy and criticism of Google's privacy policies and of its planned $3.1 billion merger with DoubleClick, an online advertising broker that sells banner and video ads. Critics argue that the merger, which would enable the company to collect information on which sites users visit, would hurt competition in online advertising and would aggregate too much consumer data in the hands of one company. According to Marc Rotenberg, executive director of the Electronic Privacy Information Center and a critic of the DoubleClick merger, "Google, under investigation for violating global privacy standards, is calling for international privacy standards... It's somewhat like someone being caught for speeding saying there should be a public policy to regulate speeding."

Fleischer proposes the privacy framework developed by the Asia-Pacific Economic Cooperation (APEC) forum, which he describes as a balance between information privacy on one side and business needs and commercial interests on the other. Critics, however, say that the APEC standards are too lenient. Rotenberg adds that the APEC rules put the burden on consumers, who must demonstrate that a company's privacy policy has harmed them. The guidelines developed in 1980 by the Organization for Economic Cooperation and Development, which influenced the European Union's privacy laws and are usually preferred by privacy advocates, generally treat a violation of privacy as a violation of a right rather than requiring a demonstration of the harm it caused.

To read the full article, click here.
Read more about Peter Fleischer's views on privacy on his blog.

Monday, September 17, 2007 2:01:03 PM (W. Europe Standard Time, UTC+01:00)

The Wall Street Journal Online reports on the five-year sentence given to Irving Escobar, a ringleader in a credit-card fraud scheme linked to TJX Cos. He "was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information, Florida officials said. The sentencing follows a guilty plea by Mr. Escobar, 19 years old, of Miami, to charges that he participated in a 10-person operation that used counterfeit cards bearing the stolen credit-card data of hundreds of TJX customers to purchase approximately $3 million in goods and gift cards."

Read more on this news article here.

Monday, September 17, 2007 11:22:03 AM (W. Europe Standard Time, UTC+01:00)
 Friday, September 14, 2007

Interpol proposed on Wednesday the creation of global and regional anti-crime centres to fight criminal activity online and respond quickly to emergency cybercrime alerts. During an international cybercrimes conference in New Delhi, Interpol Secretary-General Ronald K. Noble said that the Internet should not be allowed to become a place where criminals have the upper hand and can escape punishment. Officials from 37 countries discussed identity theft, online bank fraud, Internet gaming and the risks of online terrorist activity during the two-day conference organized by Interpol.

To read the full article, click here.

Friday, September 14, 2007 8:59:56 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, September 12, 2007

A Swedish security researcher, Dan Egerstad, has recently revealed how he collected 100 passwords from embassies and governments worldwide by sniffing traffic at Tor exit routers. Egerstad explains on his blog how he did it, and calls attention once more to the lack of appreciation for cybersecurity among organizations worldwide.

Read the related article on Ars Technica here.

Wednesday, September 12, 2007 7:58:16 AM (W. Europe Standard Time, UTC+01:00)

Computerworld reports on a worm targeting Windows PCs that is spreading through Skype's instant messenger, making the Voice over IP (VoIP) service's chat software the next target. Dubbed Ramex.a by Skype spokesman Villu Arak, but named Pykspa.d by Symantec, the worm takes a typical instant messenger (IM) line of attack: after hijacking contacts from an infected machine's Skype software, it sends messages to those people that include a live link. Recipients who blithely click on the URL, which poses as a JPG image but actually downloads a file with the .scr extension, wind up infected. Arak also posted instructions for removing the worm from infected PCs, but they include changes to the Windows registry, a chore most users are hesitant to attempt. Ramex.a/Pykspa.d injects code into the Explorer.exe process to force it to run the actual malware, a file named wndrivsd32.exe, periodically. The worm also plants bogus entries in the Windows hosts file so that installed security software is unable to retrieve updates.

Skype is only the latest IM client to fall victim to hackers. Both Yahoo Messenger and Microsoft Corp.'s MSN/Live Messenger have been targeted this summer. Exploit code designed to hijack Windows PCs running Yahoo Messenger appeared as early as June, and Yahoo has been forced to patch the IM client several times since. Microsoft, meanwhile, has scheduled fixes for its MSN Messenger and Windows Live Messenger software for tomorrow, presumably to quash a webcam bug that was disclosed late last month.
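As an added example (not code from the article, Skype, Symantec or any vendor named above), the following Python script checks a hosts file for the tampering described above: entries that pin security vendors' update hostnames so that updates can never be fetched. The watched domain suffixes and the sample hosts content are constructed for illustration.

```python
"""Detect hosts-file entries that pin security-vendor update hostnames.

Added example, not from the article. The watch list and the sample
hosts file below are constructed for illustration."""
import ipaddress
import os
import sys
from typing import Dict, List, Tuple

# Constructed watch list: domain suffixes a clean hosts file has no reason
# to pin. Extend it with the update domains of the products you actually run.
WATCHED_SUFFIXES = (
    "symantec.com",
    "symantecliveupdate.com",
    "microsoft.com",
    "windowsupdate.com",
    "mcafee.com",
    "kaspersky.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every name in a hosts file.
    Handles full-line and trailing '#' comments, blank lines, and lines
    that map several hostnames to one address."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((no, ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is under, one of the watched suffixes."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(ip: str) -> str:
    """'sinkhole' for loopback/0.0.0.0 (the name can never reach the vendor),
    'redirect' for any other address (update traffic goes somewhere else),
    'invalid' if the first field is not an IP address at all."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "redirect"


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Return every hosts entry that pins a watched hostname, with its
    line number, target address and classification."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if is_watched(name):
            findings.append({"line": no, "ip": ip, "host": name, "kind": classify(ip)})
    return findings


# Constructed sample; the last three data lines mimic the kind of entries
# the worm plants. 192.0.2.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """# Constructed sample hosts file (not taken from a real machine)
127.0.0.1       localhost
::1             localhost
# ordinary intranet pin, not flagged
10.0.0.5        intranet.example.local
# entries of the kind used to starve security software of updates
127.0.0.1       liveupdate.symantecliveupdate.com update.symantec.com
0.0.0.0         windowsupdate.microsoft.com   # trailing comment
192.0.2.10      downloads.mcafee.com
"""


def hosts_path() -> str:
    """Platform hosts file location (standard Windows and Unix paths)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Scan the real hosts file if readable, otherwise the constructed sample.
    path = hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        path, text = "<constructed sample>", SAMPLE_HOSTS
    for f in find_suspicious(text):
        print(f"{path}:{f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Any hit is worth investigating: a legitimate hosts file has no reason to pin a vendor's update hostname, whether to loopback or to some other address.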

Read more of this article here.

Wednesday, September 12, 2007 7:55:46 AM (W. Europe Standard Time, UTC+01:00)
 Monday, September 10, 2007

Peter Gutmann of the Department of Computer Science, University of Auckland, describes how "malware has come a long way since it consisted mostly of small-scale (if prolific) nuisances perpetrated by script kiddies. Today, it's increasingly being created by professional programmers and managed by international criminal organisations. The Commercial Malware Industry looks at the methods and technology employed by the professional malware industry, which is turning out "product" that matches (and in some cases even exceeds) the sophistication of standard commercial software, but with far more sinister applications."

The presentation discusses extensively how the malware industry has evolved from the numbers racket to organized crime and further still into the spam, carding, phishing and botnet businesses, among others. It also provides case studies and examples, statistics, and the technical mechanisms behind these growing Internet crimes offered as services.

Read more on Peter Gutmann's work here.

Monday, September 10, 2007 11:35:42 AM (W. Europe Standard Time, UTC+01:00)

Researchers say the growing botnet has enough distributed power to launch a damaging attack against major businesses or even countries. The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers. That's the latest word from security researchers who are tracking the burgeoning network of machines compromised by the virulent Storm worm, which has pounded the Internet non-stop for the past three months. Despite wide-ranging estimates of the size of the botnet, researchers tend to agree that it's one of the largest zombie networks they've ever seen. According to Matt Sergeant, chief anti-spam technologist with MessageLabs, "in terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it." Sergeant adds that researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he estimates the botnet generally operates at about 10% of capacity. Adam Swidler, a senior manager with security company Postini, told InformationWeek that while he thinks the botnet is in the 1 million to 2 million range, he still thinks it can easily overpower a major supercomputer.

Cyber criminals who control the botnet have a tremendous amount of destructive power. Early this summer, the Baltic nation of Estonia was pounded in a cyberwar that saw distributed denial-of-service attacks primarily targeting Estonian government, banking, media, and police sites.

Last month, Ren-Isac, a collaboration of higher-education security researchers, sent out a warning that the Storm worm authors had another trick up their sleeves. The botnet actually is attacking computers that are trying to weed it out. It's set up to launch a distributed denial-of-service attack against any computer that is scanning a network for vulnerabilities or malware. The warning noted that researchers have seen "numerous" Storm-related DoS attacks recently. MessageLabs' Sergeant said the botnet also has been launching DoS attacks against anti-spam organizations and even individual researchers who have been investigating it. "If a researcher is repeatedly trying to pull down the malware to examine it the botnet knows you're a researcher and launches an attack against you," he said.

Lawrence Baldwin, chief forensic officer of MyNetWatchman.com, said he doesn't have a handle on how big the overall botnet has become but he's calculated that 5,000 to 6,000 computers are being used just to host the malicious Web sites that the Storm worm spam e-mails are linking users to. And he added that while the now-well-known e-cards and fake news spam is being used to build up the already massive botnet, the authors are using pump-and-dump scams to make money. Swidler said that since mid-July, Postini researchers have recorded 1.2 billion e-mails that have been spit out by the botnet. A record was set on Aug. 22 when 57 million virus-infected messages -- 99% of them from the Storm worm -- were tracked crossing the Internet. According to researchers at SecureWorks, the botnet sent out 6,927 e-mails in June to the company's 1,800 customers. In July, that number ballooned to 20,193,134. Since Aug. 8, they've counted 10,218,196.

Read full article at InformationWeek.

Monday, September 10, 2007 9:56:35 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, September 05, 2007

APCAUCE's 2007 meeting was held on 02 September 2007 in conjunction with the 24th APNIC Open Policy Meeting and SANOG 10, in New Delhi, India. The meeting agenda and presentations are now available and may be accessed here. An Overview of the ITU Development Sector Activities on Cybersecurity, presented by Robert Shaw, Head, ICT Applications and Cybersecurity Division, ITU Telecommunication Development Sector, is also available on the meeting site.

Wednesday, September 05, 2007 2:32:35 PM (W. Europe Standard Time, UTC+01:00)

Security firm Sunbelt recently discovered that the Bank of India's hacked website was serving dangerous malware, and that the infamous Russian Business Network, an ISP linked to child pornography and phishing, is behind the attack. The service provider in question has developed a notorious reputation. According to VeriSign threat intelligence analyst Kimberly Zenz, the Russian Business Network (RBN) differs from other service providers because "unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. A scan of RBN and affiliated ISPs' net space conducted by VeriSign iDefense analysts failed to locate any legitimate activity. Instead, [our] research identified phishing, malicious code, botnet command-and-control, denial-of-service attacks and child pornography on every single server owned and operated by RBN."

Patrik Runald, senior security specialist at F-Secure, said: "No one knows who the RBN is. They are a secret group based out of St Petersburg that appears to have political connections. The company doesn't legitimately exist. It's not registered and provides hosting for everything that's bad. Their network infrastructure is behind a lot of the bad stuff we're seeing and it has connections to the MPack Group [a well-known group of cybercriminals which used MPack software to steal confidential data]." Runald said that, in the case of the Bank of India's hacked website, RBN used an iframe to launch another window which then pushed victims to a webpage containing malicious code. The Trojans used in this case were designed to steal passwords from PCs and to install Trojan proxies in aid of building a botnet.

Read the full article on ZDNet.co.uk.

Wednesday, September 05, 2007 11:28:53 AM (W. Europe Standard Time, UTC+01:00)

BBC News reports that, according to security experts, malicious hackers are producing easy-to-use tools that automate attacks on computers, ranging from individual viruses to comprehensive kits that let budding cyber thieves craft their own attacks. The top hacking tools may cost up to £500, with some providing 12 months of technical support. Tim Eades from security company Sana said that malicious hackers had evolved over the last few years and were now selling the tools they used to use themselves to the growing numbers of cyber thieves. Individual malicious programs cost up to £17 (25 euros), he said. At the top end of the scale, said Mr Eades, were tools like the notorious MPack, which costs up to £500. Regular updates for the software ensure it uses the latest vulnerabilities to help criminals hijack PCs via booby-trapped webpages. It also includes a statistical package that lets owners know how successful their attack has been and where victims are based. MPack has been very popular among criminally minded groups and in late June 2007 managed to subvert more than 10,000 websites in one attack that drew on the tool.

Paul Henry, vice president of Secure Computing, said there were more than 68,000 downloadable hacking tools in circulation. The majority were free to use and took some skill to operate, but a growing number, such as MPack, Shark 2, Nuclear, WebAttacker and IcePack, were offered for sale to those without the technical knowledge to run their own attacks. Mr Henry said the tools were proving useful because so many vulnerabilities were being discovered and were taking so long to be patched. Many hacking groups were attracted to selling the kits because it meant they took little risk themselves if the malicious software was used to commit crimes. "The only thing you are going to find is a disclaimer that this was distributed for educational purposes and the user accepts any responsibility for any misuse," he said.

To read full article, click here.

Wednesday, September 05, 2007 11:12:11 AM (W. Europe Standard Time, UTC+01:00)
 Monday, September 03, 2007

The United States District Court for the Western District of Washington ruled in favor of Kaspersky Lab, a leading developer of secure content management solutions, granting it immunity from liability in the case brought by online media company Zango. Zango's lawsuit sought to have Kaspersky Lab reclassify Zango’s programs as non-threatening and to have Kaspersky Lab’s security software stop blocking Zango’s potentially undesirable programs. "Judge Coughenour of the Western District of Washington threw out Zango’s lawsuit on the grounds that Kaspersky was immune from liability under the Communications Decency Act. The ruling protects consumer choice to determine what information and software is allowed on each computing system, and enables anti-malware vendors with the right to identify and label software programs that may be potentially unwanted and harmful to a user’s computer as they see fit."

Read full article here.

Monday, September 03, 2007 9:46:38 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, August 28, 2007

Pakistan's Minister for Information Technology, Awais Ahmad Khan Leghari, said on Thursday that the adoption of the cybercrime bill by the federal cabinet was a major step towards ensuring a secure business environment and promoting e-commerce. He said the e-crime bill, which will be tabled in parliament very soon, would help draw more business and improve Pakistan's e-readiness ranking as reflected in indices maintained by various agencies and business journals around the world.

The Federal Investigation Agency (FIA) has been given the mandate to probe cases falling under the purview of the e-crime law. He said the e-crime law would require Internet companies to retain their traffic data for at least six months to enable the agencies to investigate cases involving data stored by them. He also added that the government would create special IT tribunals in Islamabad and in the provincial headquarters to investigate and check the growing number of crimes that have gone unpunished for lack of a specific law.

The Prevention of Electronic Crimes Bill 2007 imposes penalties ranging from six months to 10 years of imprisonment for 17 types of cybercrime, including cyber terrorism, hacking of websites and criminal access to secure data. Thirteen of the crimes listed under the law are bailable.

Read full article here.

Tuesday, August 28, 2007 10:47:42 AM (W. Europe Standard Time, UTC+01:00)
 Monday, August 20, 2007

ITU, in collaboration with the Secretaría de Comunicaciones, Argentina, will be hosting a workshop 16-18 October 2007 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection. The workshop will be held in Buenos Aires, Argentina.

The description of the event, draft agenda, invitation letter, and practical information for meeting participants will be made available on the event website.

Contact cybmail@itu.int with any general queries you may have related to the workshop.

Monday, August 20, 2007 11:10:14 AM (W. Europe Standard Time, UTC+01:00)
 Friday, August 17, 2007

Researchers are warning universities that they are at risk of being hit with massive distributed denial-of-service attacks when they scan their own networks. According to Doug Pearson, technical director of Ren-Isac, the Storm botnet, a massive botnet that its operators have been amassing over the last several months, has developed a counter-attack against computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware.

Ren-Isac, which is supported largely through Indiana University, recently issued a warning to about 200 member educational institutions and then put out a much broader alert, warning colleges and universities that their networks could come under heavy attack. According to the alert, this new Storm botnet tactic presents more danger to schools than to corporate enterprises simply because of the placement of the scanners. Pearson explains that universities and colleges often have their scanners on a public network, making them visible to the Internet at large. If a scanner sits on a private network, as is done in most enterprises, the botnet cannot find it, and there is no IP route over which to send the DDoS packets.

Don Jackson of SecureWorks said in an interview that slowly but surely IT managers and consumers are getting better at blocking or at least ignoring the e-mail attacks, so the Storm worm authors are setting up a secondary attack venue.

Read the full article at InformationWeek.

Friday, August 17, 2007 10:51:00 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, August 15, 2007

The New York Times reported on 14 August 2007 that Google and Microsoft are separately developing a system of online health records, which would allow individuals to store, retrieve and provide personal health data to doctors, hospitals, insurers, laboratories, etc. as desired.

Data would be uploaded directly onto these records by health service providers, but access to the information (through PCs, mobile telephones and other digital devices) would be controlled by the patient. The health data stored in the personal online record would also help its owner locate relevant health-related information on the web (including advertisements, which would likely fund the system).

Other companies specializing in digital health records and search engines are working on similar systems. Before these services reach end users, significant security and privacy issues will have to be resolved.

To read more, click here.

Wednesday, August 15, 2007 2:18:33 PM (W. Europe Standard Time, UTC+01:00)

In an article in InformationWeek, researchers blame the virulent Storm worm for a widespread denial-of-service attack that hit Canadian Web sites over the weekend, saying the attack could have been a test of the might of a botnet more than 1.7 million zombies strong.

Johannes Ullrich of the SANS Institute and the Internet Storm Center, said in an interview that "the DoS part was basically an unintentional side effect. It was a whole lot of spam -- enough to make the servers slow down. Once [that much spam] is set loose, it's hard to tell what's going to happen."

The Storm worm has been bombarding the Internet with massive amounts of spam e-mail in the form of phony electronic greeting cards for the past several months. These e-mails lure unsuspecting users to malicious Web sites where their machines are infected with malware that turns them into bots, adding them to the massive botnet that the Storm worm authors have been putting together. However, the latest attack used e-mails with a limited amount of text instead of the e-card ruse, which confirms the attack was a test-run, according to Ullrich.

In the first half of this year, researchers at SecureWorks reported that the Storm authors had a botnet about 2,815 strong. That number had skyrocketed to 1.7 million by the end of July. Researchers at both SecureWorks and Postini said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch DoS attacks, and that is exactly what the researchers are anticipating.

Read the full article here.

Wednesday, August 15, 2007 8:59:38 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, August 14, 2007

On Sydney Morning Herald's Veto for Parents on Web Content, it was announced that ISPs in Australia will be obligated to filter web content at the request of parents. This is part of the $189 million Federal Government crackdown on online bad language, pornography and child sex predators. According to the Prime Minister, John Howard, the Government would increase funding for the federal police online child sex exploitation team by $40 million to aid investigators to track those who prey on children through chat rooms and sites such as MySpace and Facebook. The Government is also expected to pay $90 million to provide every concerned household with software to filter internet content.

According to the article, the more efficient compulsory filtering of internet service providers (ISPs) was proposed in March last year by the then Labor leader, Kim Beazley, which the Communications Minister, Helen Coonan, and ISPs criticised as expensive then. Three months later Senator Coonan announced the Government's Net Alert policy, promising free filtering software for every home that was interested. She also announced an ISP filtering trial to be conducted in Tasmania, but that trial was scrapped.

The ISP filtering measure, according to Mr. Howard, is a world first by any Government, and the Government is expected to offer funding to help cover the cost. An ISP filter option will be made available to parents when they sign up with an ISP. This service will be compulsory for all ISPs. The measures are expected to be implemented by the end of this month.

US authorities reported last month that more than 29,000 convicted sex offenders had profiles on MySpace. In Australia, about 26 per cent of Australia's 3.8 million MySpace users are under 18. To protect the users, MySpace has written to all state and territory governments, and the Commonwealth, asking them to create a national child-sex offender database that includes email addresses, enabling MySpace to track sex offenders and remove their profiles from the system.

Read the full article here.

Tuesday, August 14, 2007 10:34:03 AM (W. Europe Standard Time, UTC+01:00)  #     | 

A report entitled Personal Internet Security from the House of Lords Science and Technology Committee was made available on Friday, discussing primarily the issues pertaining to individual experiences of the Internet. In the report, the U.K. government, ISPs and others are said to unfairly hold Internet users responsible for online safety. According to the panel, this "laissez-faire" attitude toward personal security is what weakens user confidence. The report proposes that ISPs be held responsible and prevented from ignoring spam and malware notices, and that information technology vendors be held liable for not making products secure.

Network security, appliances and applications, how businesses and individuals use the Internet, and policing of the online world were studied and dealt with in the Lords inquiry. It also noted that the U.K. government is at fault for not showing leadership in assembling available information and interpreting it for the public. "The Government are not themselves in a position directly to gather the necessary data, but they do have a responsibility to show leadership in pulling together the data that are available, interpreting them for the public and setting them in context, balancing risks and benefits. Instead of doing this, the Government have not even agreed definitions of key concepts such as 'e-crime'." The report recommends the establishment of a cross-departmental group in the Government, "bringing in experts from industry and academia, to develop a more co-ordinated approach to data collection in future. This should include a classification scheme for recording the incidence of all forms of e-crime. Such a scheme should cover not just Internet-specific crimes, such as Distributed Denial of Service attacks, but also e-enabled crimes - that is to say, traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission."

The committee points out the need for more support for research from the industry as well. "The development of one or more major multidisciplinary research centres, following the model of CITRIS, is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort."

End-users are still predominantly viewed as unable to protect their own security, according to the report. And according to the lawmakers, private companies are driven by strong incentives either to promote security for profit or to oppose it as imposing costs on them. The committee therefore proposes that ISPs, being the link between the users and the network, could take more control over network traffic by blocking or filtering traffic containing malicious code. "We do not advocate immediate legislation or heavy-handed intervention by the regulator," say the lawmakers, adding that the market must be nudged to provide better security.

Further recommendations of the committee include criminalizing trade in botnet services, no matter what their use, creating a unified, Web-based reporting scheme for e-crime, more action on creating a central e-crime police unit, fast ratification of the Council of Europe CyberCrime Convention, and educating courts on Internet crime.

Read the full article on Factiva Content Watch.
To access the report, click here.

Tuesday, August 14, 2007 9:56:33 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, August 13, 2007

In ZDNet Australia's article, "Knowledge is greatest threat to critical infrastructure," researchers and security experts agree that Australia's critical infrastructure remains vulnerable due to a lack of educational resources. The article discusses the problem of securing Supervisory Control and Data Acquisition (SCADA) systems, "the central nervous system for sensors, alarms and switches that provide automated control and monitoring functions for utilities such as water, gas and electricity, as well as large manufacturers."

Jill Slay of the University of South Australia's Defence and Systems Institute said at the inaugural International Federation for Information Processing (IFIP) Critical Infrastructure Protection conference that Australia needed more stringent audits of SCADA network access, better training and stricter controls over contractors. She believes Federal Government initiatives such as the Trusted Information Sharing Network are good but, at present, are insufficient to keep SCADA operators aware of and updated on current threats and response strategies.

The article also points out that, due to the threat of terrorism, there have been increased security concerns over essential services, as SCADA systems have increasingly been made accessible over TCP/IP-based corporate networks to improve process automation and visibility of data. According to the article, "the Federal Government's approach to SCADA security has been to garner industry support through cooperative initiatives such as its Trusted Information Sharing Network, a community of practice networks dedicated to fostering knowledge-sharing and training between government, industry and academia," however "the amount of information available on SCADA systems online provides such a large amount of information out there for those who want to find network vulnerabilities in critical infrastructure."

To read the full article, proceed here.

Monday, August 13, 2007 1:24:50 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, July 27, 2007

Secure Science Corporation, in their GPCode Evolution Report, describes the more obscure, previously undocumented traits belonging to the most recent Ransom-based Trojan (known as Glamour). "The code is a modified version of the Prg/Ntos family which was detailed in depth during their Encrypted Malware Analysis in November 2006. While a majority of the functionality has not changed since then, this recent variant is distinctive enough to warrant additional research. In particular, the trojan is now equipped with the ability to encrypt a victim's files on disk. The motive for adding this feature is clearly monetary, as the victim is advised that the files will remain encrypted unless $300 is turned over to the authors, in exchange for a decryption utility." According to their report, in the past 8 months, 152,000 victims have been infected, and over 14.5 million records were discovered to be logged by the trojan.

Read more about this report on the Secure Science Blog. Access the GPCode Evolution Report here. Secure Science Corporation has also provided the source code for the decryptor, which is available here.

Friday, July 27, 2007 1:08:04 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, July 24, 2007

A growing, sophisticated technique for propagating cyber-crime, dubbed fast-flux service networks, has increasingly been elevating the threats we face today on the Internet. "Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations." Although researchers and ISPs have been aware of fast-flux for over a year now, all of the current research on fast-flux is new.

According to the Honeynet Project & Research Alliance, criminal organizations behind two infamous malware families, Warezov/Stration and Storm, have recently adopted this so-called fast-flux service networks into their infrastructures. "The purpose of this technique is to render the IP-based block list, a popular tool for identifying malicious systems, useless for preventing attacks," says Adam O'Donnell, director of emerging technologies at security vendor Cloudmark.

To fight against fast-flux, "ISPs and users should probe suspicious nodes and use intrusion detection systems; block TCP port 80 and UDP port 53; block access to mother ship and other controller machines when detected; 'blackhole' DNS and BGP route-injection; and monitor DNS."

Access the full article at the Dark Reading website.

Read more about fast-flux service networks in the Honeynet Project & Research Alliance's new report on the emerging networks and techniques.

Tuesday, July 24, 2007 9:06:38 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, July 20, 2007

The OECD Committee for Information, Computer and Communications Policy (ICCP), through its Working Party on Information Security and Privacy (WPISP), has developed the Recommendation on Electronic Authentication and the Guidance for Electronic Authentication. The project was made possible with the participation of Jane Hamilton from Industry Canada and with the support of delegates from Australia, France, Hungary, Korea, Norway, the United States, the OECD Secretariat and the Business and Industry Advisory Committee (BIAC) to the OECD. On 12 June 2007, the OECD Council adopted the Recommendation; the Guidance for Electronic Authentication was adopted by the ICCP Committee in April and declassified on 12 June 2007 by the OECD Council.

The Recommendation encourages efforts by OECD member countries to establish compatible, technology-neutral approaches for effective domestic and cross-border electronic authentication of persons and entities. It also reaffirms the important role of electronic authentication in fostering trust online and the continued development of the digital economy.

The OECD Guidance on Electronic Authentication aims to assist OECD member countries and non-member economies in establishing or amending their approaches to electronic authentication with a view to facilitating cross-border authentication. The Guidance sets out the context and importance of electronic authentication for electronic commerce, electronic government and many other social interactions. It provides a number of foundation and operational principles that constitute a common denominator for cross-jurisdictional interoperability.

Both the Recommendation and the Guidance conclude a work stream initiated in response to the "Declaration on Authentication for Electronic Commerce" adopted by Ministers at the Ottawa Ministerial Conference held on 7-9 October 1998 and serve as a bridge to future OECD work on identity management.

The ITU Telecommunication Standardization Sector with its Focus Group on Identity Management (FG IdM) works to facilitate the development of a generic Identity Management framework, by fostering participation of all telecommunications and ICT experts on Identity Management. To read more about the ITU-T FG IdM activities, go here.

Read the full article on the OECD Recommendation on Electronic Authentication and the Guidance for Electronic Authentication here.

Friday, July 20, 2007 9:58:44 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, July 17, 2007

Gangs of hackers, presumed to be based in Eastern Europe, initiated a series of website assaults now known as "The Italian job." More than 10,000 web pages of popular web sites have been penetrated and infected by this attack, which is believed to have started in the middle of last month. Most of the infected sites are Italian websites, but the extent of the attacks has reached Spain and the US as well.

A "tool kit" worth $815, sold online in Russia, was used by the hackers to embed "keylogger" code on the computers of those who visited the sites. This code enables the hackers to access the infected machines and track valuable user information such as bank details and passwords. The gravity of this attack is evident, as it was aimed at established websites in order to steal banking identities.

David Perry, director of Trend Micro, says: "This is a paradigm shift. We can expect to see this kind of thing being replicated now for the next five or six months." He explained that the Italian job has become very effective because the bug has been particularly programmed to adapt to various types of weaknesses in computer security systems. "It looks for a wide spectrum of vulnerabilities in a computer, acting like a sort of Swiss Army knife with many different ways to pierce through the protection."

Access the full article at theage.com.au.

Tuesday, July 17, 2007 3:55:02 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, July 11, 2007

The Ugandan Government is finalising new cyber laws aimed at protecting computer users from cyber crime, including personal intrusion, national security, fraud and con activities.

"Liberalised information can lead to unwanted uses and usage leading to cyber crime. It is necessary to have legal infrastructure within which the technologies can be used. There are three bills which have been drafted, the Electronics Transactions Bill, Digital Signatures Bill and the Computer Misuse Bill," the information and communications technology minister, Ham Mulira, explained.

Read the full article at allAfrica.com.

For more information on ICT policy developments in Africa, please see the Balancing Act website.

Wednesday, July 11, 2007 9:56:40 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, June 21, 2007

The ITU, in collaboration with the Viet Nam Ministry of Posts and Telematics and with support from the government of Australia, will be hosting a workshop on 28-31 August 2007 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection in Hanoi, Viet Nam.

The description of the event, draft agenda, invitation letter, and practical information for meeting participants are available on the event website. Further information is available from cybmail@itu.int.

Thursday, June 21, 2007 8:33:04 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, May 04, 2007

Although the European Commission decided against imposing new legislative restrictions on radio frequency identification (RFID) tags for now (opting for "soft legislation" instead), a top official warned on Monday that regulations are likely if future uses of the technology don't protect fundamental privacy rights, reports ZDNet. Gerald Santucci, head of the European Commission unit whose domain includes RFID issues, said he feared that rushing to place restrictions on industries hoping to use the technology would choke its potentially valuable application in health care, business, transportation and other realms. But if regulators deem that widespread RFID use is insufficiently safe, secure and privacy-preserving, then "Mrs. Reding [European Commissioner for Information Society and Media] will have no other option but to trigger legislation," Santucci told participants at a luncheon discussion in Washington DC. By the end of 2008, the commission plans to reevaluate whether legislation is necessary. It's unclear how restrictive any potential rules would be.

Read the full story here (ZDNet). More on the European Commission Policy on RFID can be found here.

RFID, along with sensors and nanotechnology, was one of the key technological developments explored in the 2005 ITU Internet Report on The Internet of Things. An ITU New Initiatives Workshop on Ubiquitous Network Societies was also held in the same year. Network aspects of identification systems are being studied in the context of standardization by the ITU's JCA-NID.

Friday, May 04, 2007 4:11:04 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, March 08, 2007

The first steps towards a globally harmonized approach to identity management (IdM) have been taken during a meeting of the ITU Focus Group on Identity Management (FG IdM) bringing together, for the first time, the world’s key players in the IdM space.

IdM promises to reduce the need for multiple user names and passwords for each service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for simplified and secure interaction between customers and services such as e-commerce. Experts at the meeting concurred that interoperability between existing IdM solutions will provide significant benefits such as increased trust by users of on-line services as well as cybersecurity, reduction of spam and seamless "nomadic" roaming between services worldwide. Abbie Barbir, chairman of the Focus Group on Identity Management: "Our main focus is on how to achieve the common goals of the telecommunication and IdM communities. Nobody can go it alone in this space, an IdM system must have global acceptance. There was a very positive feeling at the meeting that we can achieve this and crucially we saw a great level of participation from all key players."

The meeting of the FG IdM brought together developers, software vendors, standards forums, manufacturers, telcos, solutions providers and academia from around the world to share their knowledge and coordinate their IdM efforts. Interoperability among solutions so far has been minimal. One conclusion of attendees is that cooperation is crucial and that players cannot exist in isolation.

The spirit of the meeting was that everyone will gain by providing an open mechanism that will allow different IdM solutions to communicate even as each IdM solution continues to evolve. Such a "trust metric" does not exist today experts say. Work will continue online and during Focus Group meetings in April, May, and July 2007. An analysis of what IdM is used for will be followed by a gap analysis between existing IdM frameworks now being developed by industry fora and consortiums. These gaps should be addressed before the interworking and interoperability between the various solutions can be achieved. The aim is to provide the basis for a framework which can then be conveyed to the relevant standard bodies including ITU-T Study Groups. The document will include details on the requirements for the additional functionality needed within next generation networks. ITU has a long history of innovation in this field, with key work on trusted, interoperable identity framework standards including Recommendation X.509 that today serves as the primary "public key" technical mechanism for communications security across all telecom and internet infrastructures.

See more information on the Focus Group on Identity Management (FG IdM) website.

Thursday, March 08, 2007 10:42:50 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, March 01, 2007

Kaspersky Lab, a developer of secure content management solutions, recently announced its annual report on malware and spam evolution. The report, authored by Kaspersky Lab analysts, surveys the trends of 2006 and looks at what 2007 may bring.

Malware Evolution: 2006. The report provides an overview of the most important incidents in the malware world, highlights the main trends, and examines how the situation will evolve. Particular stress is laid on the continuing increase in the number of Trojan programs, particularly those designed to steal online gaming account data; the first viruses and worms for MacOS; and Trojans for J2ME, which are designed to steal funds from mobile user accounts. The number of new malicious programs was up 41% on 2005. As for the future evolution of malicious programs, Kaspersky Lab virus analysts believe that virus writers and spammers will work ever more closely together; the number of Trojans will continue to increase; and that virus writers will be on the lookout for exploitable vulnerabilities in Vista.

Spam Evolution: 2006. Data provided by the Kaspersky Spam Lab shows that in 2006, between 70% and 80% of mail traffic on the Russian Internet was spam. The majority of spam sent to Russian users originates in Russia, the U.S.A. and China. Spammers actively used graphics in order to evade spam filters. They also continued to send spam masquerading as personal correspondence in order to get the recipient to read the whole message and then act as the spammers intended, whether by calling a designated number or clicking on a link. The report on spam evolution also highlights how mass mailings differ from each other according to language: most Russian language spam offers education and training, and a wide range of goods ranging from busts of the Russian president to a device which will 'translate' a dog's bark. English language spam, on the other hand, tends to focus on advertising for stocks and shares, viagra and cheap software. The report also notes that spam became increasingly criminalized in 2006, with spammers actively using SMS to spread spam.

The company's analysts believe that technologies currently in use will continue to evolve in 2007, together with further development of graphical spam, and increased criminalization of mass mailings.

Read the executive summaries here: Malware Evolution: 2006 and Spam Evolution: 2006.
The full annual report can be found here.

This news item was accessed through Russia Newswire.

Thursday, March 01, 2007 4:03:34 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, February 21, 2007

The New York Times has published an article on the early moves by European governments to implement the European Union Data Retention Directive.  The initial programs proposed by the governments of Germany and the Netherlands are more stringent than the directive requires.  The New York Times has noted that some of the people involved in this issue are concerned that these programs may represent a policy shift within Europe, which has traditionally followed a policy of protecting individuals' privacy rights.

More information can be found here.

The New York Times article can be found here.

Wednesday, February 21, 2007 4:56:30 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, February 15, 2007

This summary provides a general discussion of the amended Information Network and Privacy Protection Act (“INPPA”) of Korea. INPPA sets out the minimum procedural requirements for lawful online transmissions in Korea whereby transmissions of advertised materials against recipients’ refusal to accept are strictly prohibited. Although these rules are applicable to unsolicited commercial e-mails via the internet, they were intended to apply to all modes of telecommunication such as cellular phones, facsimiles, etc.

The Korean government has made continuing efforts since 1999 to curb the increase in spam mail and has since been monitoring the effectiveness of the implementation of additional provisions. The new law targets senders of spam mail that are commercial in nature. Consistent with its effort to protect minors from being exposed to obscene and violent materials online, the Korean government has also included a provision in the INPPA that requires senders to label those materials as such.

More information can be found here.

Thursday, February 15, 2007 5:58:13 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, February 06, 2007

Almost 40 countries will participate in the fourth edition of Safer Internet Day (SID) which this year takes place on 6 February.

The event is organised by European Schoolnet, coordinator of Insafe, the European safer internet network. Viviane Reding, EU Commissioner for the Information Society and Media is once again patron of Safer Internet Day, as in the past two years.

The highlight of the day will once again be a worldwide blogathon, which will reach Australia on 6th February and progress westward through the day to finish up in the USA and Canada. Following the huge success encountered in 2006, this year’s blogathon goes one step further to include the voices of hundreds of youngsters.

In the framework of a competition launched in October 2006, more than 200 schools in 25 countries across the globe have been working in pairs, using technology to cross geographical borders, to create internet safety awareness material on one of three themes: e-privacy, netiquette, and power of image. On Safer Internet Day, all of the projects they have produced will be uploaded to the blogathon. The 4 prize-winning teams in the competition will be announced on 6 February when the blogathon opens to well over 100 organisations waiting on the starting block to add their postings on this year’s theme, Crossing borders.

To find out more about young people’s use of the internet and mobile phones, Insafe has been collecting data over the past two months through an online survey. Preliminary results will be made available on Safer Internet Day along with a wealth of other information tailored to the needs of not only media but also parents, teachers and youngsters in an online media room specially set up at www.saferinternet.org to mark the event.

On Safer Internet Day in the Netherlands, HRH Princess Maxima will be the special guest at an event featuring theatre, music and stories. In Slovenia, young people will showcase art projects and Slovenian national television will broadcast internet safety clips.

Across the globe, hundreds of other events will highlight the growing importance of internet safety in the lives of us all.
For further information see the following links:

Insafe
National nodes of Insafe
Safer Internet Day Blogathon
Safer Internet Programme
eTwinning (partner in the Safer Internet Day competition for schools)

Tuesday, February 06, 2007 9:43:36 AM (W. Europe Standard Time, UTC+01:00)  #     | 

In today's interconnected world of networks, threats can now originate anywhere − our collective cybersecurity depends on the security practices of every connected country, business, and citizen. The International Telecommunication Union (ITU), a specialized agency within the United Nations system, would like to draw Safer Internet Day participants' interest to a number of information resources dedicated to cybersecurity and spam.

The ITU Cybersecurity Gateway is an easy-to-use online information resource on national and international cybersecurity related initiatives worldwide. A vast number of resources and links are available and organizations are invited to join in partnership with the ITU and other stakeholders to build confidence and security in the use of information and communication technologies (ICTs).

The StopSpamAlliance is a joint initiative to gather information and resources on combating spam. This initiative was undertaken by Asia-Pacific Economic Cooperation (APEC), the EU's Contact Network of Spam Authorities (CNSA), International Telecommunication Union (ITU), the London Action Plan, Organisation for Economic Co-operation and Development (OECD) and the Seoul-Melbourne Anti-Spam group. The StopSpamAlliance.org website contains an overview about each of these organization’s activities in countering spam and related threats.

The outcome documents from the two phases of the World Summit on the Information Society (WSIS) emphasize that building confidence and security in the use of information and communication technologies (ICTs) is a necessary pillar for building a global information society. ITU has been asked to play the main facilitator role in assisting stakeholders to build confidence and security in the use of ICTs. To stress the importance of the multi-stakeholder implementation of this task, ITU has named this the Partnerships for Global Cybersecurity (PGC) initiative.

In commenting on the Safer Internet initiative, newly elected ITU Secretary-General Hamadoun Toure stressed the need for greater cooperation between regulators, government, security firms, communication service providers, and end users in dealing with the challenges to building a safe and secure information society.

The International Telecommunication Union wishes you all a very successful Safer Internet Day 2007!

Enquiries related to ITU activities in the area of cybersecurity can be directed to cybersecurity@itu.int.


About ITU

The International Telecommunication Union (ITU) is an international organization (specialized agency) within the United Nations System where governments and the private sector coordinate global telecommunication networks and services. Through its standards, development, and policy research activities, ITU has a long-standing track record in security for information and communication systems. There are currently more than seventy ITU recommendations focusing on security.

Tuesday, February 06, 2007 9:24:40 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, February 02, 2007

According to a recent article in The Register, two young Dutch hackers who built a large botnet were sentenced to prison earlier this week. The main suspect, now 20, was handed a two-year sentence and a €9,000 ($11,800) fine, while his 28-year-old partner was given 18 months and ordered to pay €4,000 ($5,200).

As stated in the article, the two men, part of a larger hacking ring, and one other suspect were arrested in 2005 for extorting a US company, stealing identities to purchase cameras and games consoles, and distributing spyware. The operation netted an estimated €60,000 over a period of six months.

Read the full article in The Register here.

Friday, February 02, 2007 2:52:25 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, January 29, 2007

The European Parliament held an STOA Workshop on "RFID in the everyday life of Europeans: A citizen's perspective on ambient intelligence" on 24 January 2007. The workshop was organized as part of the project "RFID and identity management: Case Studies from the frontline of the development towards ambient intelligence" commissioned by the Scientific Technology Options Assessment (STOA) Panel of the European Parliament, and carried out by the European Technology Assessment Group.

ITU's Lara Srivastava delivered a presentation on the topic "Is our environment getting smarter? Are we". Her presentation is available here.

Monday, January 29, 2007 9:57:50 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Saturday, November 18, 2006

The ITU-T Focus Group on Security Baseline for Network Operators has issued a survey which seeks to assess the security preparedness of network operators. The results from the survey will be used in the preparation of a new ITU-T Recommendation, "Security Baseline for Network Operators". Participants are asked about their level of preparedness for various security threats.

Once approved, the ITU-T Recommendation will show the readiness and ability of operators to collaborate and coordinate counteraction against security threats arising from interconnected networks. The Security Baseline will allow network operators to assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied. It will also identify security Recommendations and standards to support evaluation of operators' network security and information security.

Work on the first draft of the Recommendation will begin towards the end of 2006.
See the online survey which is aimed at network and service providers.

A deadline of 24 November 2006 has been set for survey responses.

Saturday, November 18, 2006 9:07:09 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, November 03, 2006

Computer World reports on a new kind of spam called "targeted spam" or "spear phishing". This type of spam, currently on the rise, is particularly hard for spam filters to catch because the spammer is able to "spoof" the sending e-mail address to make it look like it is coming from within the recipient's own organization. Unlike traditional spam, spammers send only a few of these messages at a time, making the antispam technology's job even harder.

These attacks mainly affect large organizations or very well-known brands. Once the company has been alerted, blocking a given campaign is fairly easy, but detecting such well-crafted messages is becoming harder as the sophistication of spam increases.

For more information, read the full Computer World article.
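The article's point is that a spoofed internal sender address slips past filters that look only at volume or at the visible From: line. One defensive check a mail gateway can still make is to compare the domain claimed in From: with the host that actually handed the message to the organisation's own MX, together with Reply-To and SPF results. The code below is an added illustration written for this page, not code from Computer World or from ITU; the domain example.org, the single trusted relay at 192.0.2.10 and the three sample messages are all constructed for the example.

```python
"""Flag inbound mail whose visible sender claims the recipient's own domain
but which was not delivered by one of the organisation's own relays.

Added example for this page; not code from the article or from ITU.
Assumptions (constructed): our domain is example.org, our only trusted
outbound relay is 192.0.2.10, and our MX writes the first Received: header.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                              # assumption
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}   # assumption

# Matches the bracketed peer address our MX records, e.g. "[203.0.113.5]".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """Address of the host that delivered the message to our MX.

    Received: headers are prepended, so the first one was written by our own
    server and cannot be forged by the sender; earlier hops can be.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _IP_RE.search(str(received[0]))
    return ipaddress.ip_address(m.group(1)) if m else None


def spear_phish_indicators(raw: bytes) -> list:
    """Return a list of human-readable reasons the message looks spoofed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    from_dom = _domain(msg["From"])
    ip = connecting_ip(msg)
    # Claims to be internal, yet arrived from a host that is not our relay.
    if from_dom == ORG_DOMAIN and ip not in TRUSTED_RELAYS:
        reasons.append("internal From: domain delivered by untrusted host %s" % ip)

    # Replies silently redirected to a different domain than the sender's.
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain %s differs from From domain %s"
                       % (reply_dom, from_dom))

    # SPF verdict recorded by our MX, if it performs the check.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth:
        reasons.append("SPF check failed")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = b"""Received: from mail.example.org (unknown [203.0.113.5])
\tby mx.example.org (Postfix) with ESMTP id 4F3A2; Thu, 2 Nov 2006 09:15:01 +0100
From: "CEO" <ceo@example.org>
Reply-To: ceo-office@mail-attacker.invalid
To: finance@example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org
Subject: Urgent: invoice

Please call me about the attached invoice.
"""

LEGITIMATE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 4F3A3; Thu, 2 Nov 2006 09:20:44 +0100
From: "CEO" <ceo@example.org>
To: finance@example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org
Subject: Board minutes

Minutes from yesterday's meeting are on the intranet.
"""

EXTERNAL = b"""Received: from smtp.example.net (smtp.example.net [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 4F3A4; Thu, 2 Nov 2006 09:31:10 +0100
From: vendor@example.net
To: finance@example.org
Subject: October invoice

Attached is our invoice for October.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE),
                         ("external", EXTERNAL)):
        print(name, spear_phish_indicators(sample) or "no indicators")
```

The check keys on the first Received: header only, because that is the one line in the chain the receiving organisation wrote itself; anything below it was supplied by the sender and is exactly what a spoofer would forge. Ordinary external mail from a third-party domain produces no indicators, so the rule adds no load on the general stream and only fires on the "looks internal but isn't" case the article describes.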

Friday, November 03, 2006 2:04:23 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, November 01, 2006

"In a sweeping set of measures, the German Federal Network Agency has ordered more than 80 network operators and service providers not to bill or collect for any phone numbers used illegally. A large number of consumers had complained to the German Federal Network Agency about so-called ping calls and other forms of telephone spamming."

"A ping call is where a call is made to a telephone number and broken off after just one ring. The subscriber’s display shows a “missed call” with an expensive premium-rate number or an 0137 number. In addition to these ping calls, another form of telephone spamming promises prizes where the person called hears a prerecorded message saying that they have won a large amount of money that can be collected by calling an expensive premium-rate number."

"The Federal Network Agency's stringent measures are a continuation of the intense battle against telephone spam. Since May 2006 alone, the Federal Network Agency has disconnected 237 call numbers on account of ping calls and prize promises. In addition, a ban has been imposed on billing and collecting for 78 call numbers. These bans protect consumers that have called a spam number back, and prevent them from having to pay any charges. The spammer does not receive any payment for the calls initiated."

See the Federal Network Agency's press release here.

Wednesday, November 01, 2006 7:50:16 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, October 27, 2006

"Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures, but only if they are appropriately designed given the sensitivity of the information and the risks associated with the information. Overly rigorous authentication process, or requiring individuals to authenticate themselves unnecessarily, can be privacy intrusive."

The Office of the Privacy Commissioner of Canada recently released new Guidelines for Identification and Authentication. The Guidelines are intended to help organizations develop appropriate identification and authentication processes in ways that respect the fair information practices in the Personal Information Protection and Electronic Documents Act (PIPEDA) and ensure compliance with its security provisions by providing the strongest protection for customers' personal information. The scope of the document is limited to identification and authentication techniques between organizations and individuals.

The guidelines, released by the Canadian Privacy Commissioner, are a good document discussing both privacy risks and security threats.

See also a more detailed document published by Industry Canada in 2004 named "Principles for Electronic Authentication".

This article was accessed through Schneier's blog: Schneier on Security.

Friday, October 27, 2006 4:02:05 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, October 25, 2006

On 16 October 2006, Mauritius officially launched its Anti-Spam Awareness Campaign. On this occasion the Minister of IT and Telecommunications also presented a dedicated Anti-Spam Website with resources aimed at raising awareness and sharing information on spam, malware, etc.

In Mauritius, the spamming problem is growing in magnitude and there is a need for a concerted approach to address this issue. Without remedial action to address the problem of spam in Mauritius, the country runs the risk of being seen as a safe haven for spammers, and there is the risk that legitimate email traffic from Mauritius to other countries which have anti-spam legislation could be blocked. In this context, the National Computer Board has set up a National Anti Spam Committee to co-ordinate activities at the national level with regard to combating spam.

The Anti-Spam Co-ordination Committee consists of representatives from the following national organisations: National Computer Board; IT Security Unit, Ministry of IT and Telecommunications; Ministry of Education and Human Resources; Ministry of Industry, Commerce, Small and Medium Enterprises and Cooperatives; Ministry of Foreign Affairs, International Trade and Cooperation Joint Economic Council; Mauritius Chamber of Commerce and Industry (MCCI); State Law Office; ICT Authority; Mauritius IT Industry Association; Internet Society; University of Mauritius (UOM); University of Technology; Telecom Plus/Mauritius Telecom ACT.

For further information see the newly launched Anti-Spam Website and Mauritius' Anti-Spam Action Plan.

Wednesday, October 25, 2006 1:12:33 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, October 23, 2006

The Journal du Net states in a recent article that organized cybercrime represents a growing risk for internet users. Hackers use new techniques to hide and to make their attacks more efficient. Their main goal is not to destroy computers. With the rapid development of e-commerce, hackers want to take over personal data and make as much profit from it as they can.

To achieve this, they use different forms of worms or trojans sent from servers hosted in countries where the legislation is less strict. To protect their economic interests, businesses need to include employees in their security policies so they do not become the weak link in the security chain.

See Journal du Net for the full article in French.

Monday, October 23, 2006 2:29:08 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Saturday, October 21, 2006

The first meeting of the Internet Governance Forum (IGF) will be held in Athens, Greece from 30 October - 2 November 2006.

The current programme is available here.

A couple of related websites have been unveiled:

CircleID has a related article asking What Will Be the Outcome of the Internet Governance Forum Meeting in Athens?

Saturday, October 21, 2006 8:28:51 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, October 20, 2006

Business Week Online shows in a recent article entitled "Needed: A National Cyber Security Law" that more and more people have their personal information lost, stolen or compromised. Security breaches are eroding their trust in the capability of the Internet to deal with their private personal information. This growing confidence deficit represents a serious threat to the economic growth of each country, according to the article. Therefore, it is time for officials to act by passing strong data-security laws. These national laws must aim both to prevent further data breaches and to address leaks once they occur.

"To accomplish these goals, lawmakers should establish reasonable security measures, create a consistent and recognizable notification standard, encourage best practices such as encryption, and include effective enforcement capabilities".

See Business Week Online for the full article.

Friday, October 20, 2006 12:36:39 PM (W. Europe Standard Time, UTC+01:00)  #     | 

Computer World released an article entitled “Ten security trends worth watching”, based on Bruce Schneier’s speech at last month’s Hack in the Box Security Conference in Kuala Lumpur, Malaysia.

Mr. Schneier identified 10 trends affecting information security today:

  1. Information is more valuable than ever.
  2. Networks are critical infrastructure. "If the Net goes down, or part of the Net goes down, it really affects the economy".
  3. Users do not necessarily control information about themselves. For example, Internet service providers have control over records of the Web sites that users visit and the email messages they send and receive.
  4. Hacking is increasingly a criminal profession. More and more, attacks are organized and led by criminals who are driven by a profit motive.
  5. Complexity is your enemy. "As systems get more complex they get less secure". Mr. Schneier mentioned that the Internet is "the most complex machine ever built".
  6. Attacks are faster than patches. New vulnerabilities and exploits are being discovered faster than vendors can patch them.
  7. Worms are more sophisticated than ever. 
  8. The endpoint is the weakest link. "It doesn't matter how good your authentication schemes are if the remote computer isn't trustworthy".
  9. End users are seen as threats.
  10. Regulations will drive security audits.

See Computer World for the full article.

Friday, October 20, 2006 7:41:02 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, October 19, 2006

"The existing identity infrastructure of the Internet is no longer sustainable. The level of fraudulent activity online has grown exponentially over the years and is now threatening to cripple e-commerce. Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise." A recently released paper by the Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, tries to address this: 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. 

See more information on the 7 Laws in the related news release and brochure.

Thursday, October 19, 2006 7:39:54 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, October 17, 2006

The European Commission held its final conference on Radio Frequency Identification (RFID) on 16 October 2006 in Brussels, to close the series of consultation initiatives announced by Commissioner Viviane Reding at CeBit in March 2006. The conference (RFID: Heading for the Future) was opened by the Commissioner and featured Commission officials, members of the European Parliament, and relevant stakeholders from industry, government and civil society who have been involved in the ongoing European debate about RFID. ITU's Lara Srivastava spoke at the conference on the topic "RFID: from identification to identity" and her presentation is available here.

More information about the EU's RFID consultation is available here.

 

 

Tuesday, October 17, 2006 4:06:54 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, October 12, 2006

As a result of a British documentary, India is now under pressure to strengthen its laws combating data theft and other electronic crimes in the country. Amendments to India's IT Act of 2000 have been proposed and should be enacted by the national parliament in its upcoming winter session.

Read the full Information Week article here.

See also Department of Information Technology, Ministry of Communication and Information Technologies for more information.

Thursday, October 12, 2006 8:47:23 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, October 11, 2006

An Open Event on "Security and Identity Management in a Federated World" was held on 2 October 2006, hosted by the Ecole Polytechnique Federale de Lausanne (EPFL) in collaboration with Sun Microsystems. Speakers included Sun Microsystems' John Gage and Liberty Alliance's Hellmuth Broda. ITU's Lara Srivastava participated in the event and spoke on "the problem of identity in networked spaces". Her presentation is available here.

The subject of digital identity will be examined more closely in the forthcoming 2006 ITU Internet Report entitled "digital.life", to be released at ITU Telecom World 2006, 4-8 December 2006 (Hong Kong, China).

 

Wednesday, October 11, 2006 9:29:16 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, October 09, 2006

Wired News in an article brings attention to the insecurity of some of the new technologies online. “VOIP and Ajax -- are dangerously insecure, and likely to only get worse as they become more prevalent, according to security researchers presenting their findings at the ToorCon security conference.”

"Voice over internet protocol is going mainstream, available to consumers and increasingly replacing the private phone systems in businesses of all sizes. Like the traditional phone, a VOIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VOIP systems neither of these channels is actually encrypted."

"According to Dustin Trammell, VOIP security researcher at Tipping Point, this leaves most VOIP calls vulnerable. Calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call, and nearly all VOIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device -- either your VOIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless."

Read the full Wired News article on VOIP and AJAX security issues.

Monday, October 09, 2006 12:01:54 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, October 04, 2006

The ITU and the EU's Daidalos Project plan a workshop on "Digital Identity for NGN" Dec. 5 in Geneva, officials said Mon. The Daidalos Project and VeriSign are advancing global standardization of digital identity management at the ITU, officials said. Proposals have been floated at ITU on handling the issue, but consensus is still forming. The aim of the workshop is to understand better providers' need to offer digital identity across layers of communication systems, administrative domains and other boundaries, documents said. Key challenges for developing a more consistent approach are to tackle the conflicting requirements of privacy, identification and security, documents said. The NGN-GSI Event will focus on identity management as a key theme during its meeting Oct. 23-Nov. 3, said an official involved in the work. The past year or 2, several research institutes in Japan, S. Korea and Switzerland have been interested in sensor network identifiers, he added. There's supposed to be an identity management piece in the October 23-24 Grid Workshop as well, the official said: "There's a whole burgeoning world of communicating sensor devices, and [they] will need some kind of identity to communicate whatever kind of sensing information they have."

Source: Warren's Washington Internet Daily

Wednesday, October 04, 2006 8:44:39 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, October 03, 2006

The United States National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, aims to educate the public about core security protections this October, during the national cyber security awareness month, with its campaign on 'Cyber Security: Make It A Habit'.

U.S. National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues, so that users can take precautions to avoid these threats on the Internet. The month will feature public relations activities, educational programs, events and initiatives throughout October that target home users, small businesses, education audiences (K-12 and higher education), and child safety online.

See the U.S. National Cyber Security Awareness Month 2006 website for further information on this collective effort aimed at protecting the public from internet threats.
Tuesday, October 03, 2006 10:26:36 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, September 19, 2006

In a press release, Gartner, Inc. advises businesses to plan for five increasingly prevalent cyberthreats that have the potential to inflict significant damage on organisations during the next two years. These threats are:

  • Targeted threats (Targeted threats are cyber attacks with a financial motivation that are aimed at one company or one industry);
  • Identity theft (Identity theft refers to the theft of an individual's personal or financial information for the purpose of stealing money or committing other types of crimes);
  • Spyware (Spyware is malicious software that can probe systems, reporting user behaviour to an advertiser or other party without the user’s knowledge);
  • Social engineering (Social engineering is the practice of obtaining confidential information by manipulating legitimate users);
  • Viruses (Viruses are malicious programmes that use a propagation method to enable widespread distribution.)

According to Amrit Williams, research director at Gartner, "We are seeing an increasingly hostile environment fuelled by financially motivated and targeted cyber attacks. By 2008 we expect that 40 percent of organisations will be targeted by financially motivated cybercrime."

"Cyber attacks are not new, but what is changing is the motivation behind them. They are no longer just executed by hackers for hobby or cybervandalism, but by professionals with a targeted aim at one person, one company or one industry," said Williams.

"For example, we have recently seen several companies hiring private investigators to spy on their competitors. Private investigators used Trojans to install targeted spyware on competitors’ computers to gather confidential information about such things as upcoming bids and customers."

Gartner said that social engineering and viruses will remain an everyday nuisance for chief information security officers through 2009. It warned that in the next two years, at least 50 percent of organisations will experience a social engineering or a virus attack.

Access the full report and Gartner news release here.

Tuesday, September 19, 2006 2:06:32 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, August 18, 2006

The Vietnamese Ministry of Trade is drafting a circular governing advertising activities by electronic means, including emails, pop-ups and mobile phone messages.

"Local Internet users have been bombarded with spam mails but most of them are from overseas. Now such a circular is necessary as local spamming activities are on the rise.

The circular has basic requirements for users to fight spams such as opt-out options, genuine sender addresses, sender telephone numbers and obvious headings. But it seems that the draft circular is too lenient towards spammers when it provides them five working days before they have to stop their spams in case recipients choose to opt out. It also allows for the collection of personal data including email addresses and telephone numbers. Even though the circular requires collecting parties to ask for permission first and to keep those data confidential, this provision can be abused and can cause disputes later on.

This is all the more possible because the circular provides two scenarios: A complete ban of sales of email addresses and telephone numbers to advertisers; or allowing such an activity. Unsolicited short mobile messages are now possible because some carriers are selling subscribers’ numbers to various advertising companies. Users are especially frustrated when senders use some automatic message generation device so that they might receive an advertising message in the middle of the night.

The fines provided in the draft circular are from VND5 million to VND20 million, which many say are not heavy enough to prevent harmful violations of personal information."

[via APCAUCE and Viet Nam News]

Friday, August 18, 2006 10:03:50 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, August 17, 2006

The International Herald Tribune has an article about the growing problem of "cyberviolence" in South Korea, which has one of the world's most developed Internet communities:

'Complaints filed with the government's Korea Internet Safety Commission more than doubled to 42,643 last year from 18,031 in 2003. Women have reported sexual harassment. A 16-year- old schoolgirl accused of informing on an abusive teacher ran away after her photos and insults were splashed on her school Web site. A singer struggled with rumors that she was a man. Twist Kim, a singer and comedian, had a nervous breakdown after pornographic Web sites proliferated under his name, as if he had created them, causing television stations to spurn him.

In most countries, Internet users oppose government attempts to censor the Internet. In South Korea, however, in both government-funded and private surveys, a majority of people support official intervention to check unbridled freedom of speech on the Internet.

A poll taken in November showed that nearly one of 10 South Koreans from 13 to 65 said they had experienced cyberviolence.

The problem in South Korea may presage what will happen in other countries, according to the authorities, who have begun cracking down on the problem.

"In the past few years, the Internet has grown in South Korea explosively," said Kim Sung Ho, secretary general at Kinternet, a lobby of domestic portals. "The Internet community has developed faster and stronger in South Korea than elsewhere. So we are struggling with its side effects earlier than other nations."

Since last year, dozens of people have been indicted on charges of criminal contempt or slander for writing or spreading malicious online insults about victims like Kim Myong Jae. They face fines of as much as 2 million won, or $2,067.

This month, the National Assembly will debate a bill that would require the nation's 30 major Internet portals and newspaper Web sites to confirm the identities of visitors before allowing them to use bulletin boards, the main channel of cyberviolence.

"The idea is to make people feel more responsible for what they are posting on the Net," said Oh Sang Kyoon, a director at the Ministry of Information and Communications. "Victims cannot live a normal life. They quit jobs and run away from society. They even flee the country. It's like lynching victims in a 'people's court on the Web.'"

Some critics question whether such a law would solve the problem. Cyberviolence, they say, has been increasing even though most of the country's major Web sites are already applying the policy.

"This is violating privacy in the name of protecting it," said Oh Byoung Il, director general at jinbo.net, a civic group. "It discourages anonymous whistle- blowers. It impedes the free flow of communication, the soul of the Internet."

Official interference will also discriminate in favor of foreign portals like Google, said Kim of Kinternet. For instance, when users search for "sex" in a South Korean portal, they must first prove they are adults by supplying personal data - a requirement that does not apply to the Korean-language Google, which operates with an overseas server.

But Kim Myong Jae condemned the portals as willing accomplices in online mob attacks. While painfully slow to respond to victims' complaints, Kim said, the portals - the largest of which, naver.com, attracts 15 million users a day - highlight real-time lists of the most- clicked-on news, thus helping spread sensational, and often libelous, items.

Kim said he had filed suit against the nation's top four portals: Naver, Daum, Yahoo! Korea and Nate.

And portals say they are now screening their contents more vigorously. "Rather than being an arena for sound debate, the Web bulletin boards have to some extent become a place for verbal defecation," said Choi Soo Yeon, a naver.com spokeswoman. "We have 300 monitors who work round the clock to delete abusive and defamatory language." But ultimately, the portals say, the users who post on the Web should be responsible for content.

South Korea saw an explosion of Internet users as the country emerged from decades of military rule, and citizens jumped on the new technology as a way of expressing long-suppressed views. About 33 million South Koreans - out of a population of 48 million - use the Internet, most of them with broadband connections. And many of them are not shy about their feelings.

News articles on portals or newspaper Web sites often are accompanied by feedback sections, where readers comment. Some news articles attract thousands of entries, ranging from thoughtful comments to raving obscenities. When suspicions first emerged last year that the cloning expert Hwang Woo Suk had faked his groundbreaking work, few dared to speak in public against the man lionized as a hero. Scientists, who unveiled evidence of fabrication through anonymous postings, brought about Hwang's downfall.

One of the most famous victims of online mob rule was the so-called "dog-poop girl." A cellphone photograph of a girl who failed to clean up after her dog in a subway car was posted on the Internet. For weeks, people pursued her relentlessly; the girl reportedly dropped out of school as a result.

To Kim Myong Jae, it was familiar. "Two months after I became the target, I visited a plaza near my old company. I dressed differently. Still a person reported my appearance on the Web, how I looked and how that person felt sick to see me," Kim said. "It's a handicap I may have to carry for a long time."'

Thursday, August 17, 2006 7:07:11 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, August 11, 2006

"As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device."

The U.S. CERT (Computer Emergency Readiness Team) recently published a list of tips for users on how they can protect themselves against these increasing threats.

What unique risks do cell phones and PDAs present?

Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:

  • Abuse your service;
  • Lure you to a malicious web site;
  • Use your cell phone or PDA in an attack;
  • Gain access to account information.

What can you do to protect yourself?

  • Follow general guidelines for protecting portable devices;
  • Be careful about posting your cell phone number and email address;
  • Do not follow links sent in email or text messages;
  • Be wary of downloadable software;
  • Evaluate your security settings.

Read the full article on the U.S. CERT website.

Friday, August 11, 2006 11:05:36 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, August 03, 2006

The top three antivirus programs -- from Symantec, McAfee, and Trend Micro -- are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs:

"On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.

"We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.

However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.

It's interesting to watch the landscape change, as malware becomes less the province of hackers and more the province of criminals. This is one move in a continuous arms race between attacker and defender."

[via Schneier on Security]

In separate reporting on the Black Hat USA conference, experts say that the spyware problem has "gotten so bad that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies".

"It's not technically feasible to stop spyware. You will not be able to stop this technically. This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Seattle-based Doxpara Research, speaking on a spyware panel at the recent Black Hat USA 2006 event. "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."

Thursday, August 03, 2006 10:28:10 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, July 26, 2006

"To protect Internet users from online fraudsters and defend the Internet against scammers commandeering network resources, the two most influential global trade associations combating Internet crime have jointly released an explicit new set of Best Practices to combat "phishing," a major cause of online identity theft and fraud. The recommendations will help Internet Service Providers (ISPs) and mailbox providers better police their own infrastructures and filter traffic traversing their networks."

The Anti-Phishing Working Group (APWG) and the Messaging Anti-Abuse Group (MAAWG) jointly developed the recommendations outlined in "Anti-Phishing Best Practices for ISPs and Mailbox Providers." The paper provides technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent network abuses, and also includes practices to respond constructively when these attacks occur. “Phishing” employs deceptive technology such as spoofing and social engineering to steal consumers' personal identity and financial account data, and has become a major concern.

To download the full recommendations, click here.

Wednesday, July 26, 2006 3:18:22 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, July 18, 2006

The Secretary-General of the United Nations has announced the convening of the Internet Governance Forum, to be held in Athens on 30 October - 2 November 2006.

The Secretary-General's message is available in all UN languages: [English] [Français] [中文] [عربي] [Русский] [Español]. The message in English reads:

"The second phase of the World Summit on the Information Society (WSIS), held in Tunis on 13-15 November 2005, invited me to convene a new forum for multi-stakeholder policy dialogue -- called the Internet Governance Forum (IGF). The Summit asked me to convene the Forum by the second quarter of 2006 and to implement this mandate in an open and inclusive process.

The Government of Greece made the generous offer to host the first meeting of the IGF and proposed that it take place in Athens on 30 October - 2 November 2006.

I have asked my Special Adviser for Internet Governance, Mr. Nitin Desai, to assist me in the task of convening the IGF and I have also set up a small secretariat in Geneva to support this process. Two rounds of consultations open to all stakeholders held in Geneva on 16-17 February and 19 May have contributed towards a common understanding with regard to the format and content of the first IGF meeting. I have also appointed an Advisory Group with the task of assisting me in preparing the IGF meeting.

The Advisory Group held a meeting in Geneva on 22 and 23 May 2006 and made recommendations for the agenda and the programme, as well as the structure and format of the first meeting of the IGF in Athens.

As the IGF is about the Internet, it is appropriate to make use of electronic means of communication to convene its inaugural meeting. The document adopted by WSIS -- the Tunis Agenda for the Information Society -- calls on me "to extend invitations to all stakeholders and relevant parties to participate at the inaugural meeting of the IGF". Therefore, it is my pleasure to make use of the World Wide Web to invite all stakeholders -- governments, the private sector and civil society, including the academic and technical communities, to attend the first meeting of the IGF in Athens. The overall theme of the meeting will be "Internet Governance for Development". The agenda will be structured along the following broad themes.

  • Openness - Freedom of expression, free flow of information, ideas and knowledge
  • Security - Creating trust and confidence through collaboration
  • Diversity - Promoting multilingualism and local content
  • Access - Internet Connectivity: Policy and Cost

Capacity-building will be a cross-cutting priority.

The meeting will be open for all WSIS accredited entities. Other institutions and persons with proven expertise and experience in matters related to Internet governance may also apply to attend.

In its short life, the Internet has become an agent of dramatic, even revolutionary change and maybe one of today's greatest instruments of progress. It is a marvelous tool to promote and defend freedom and to give access to information and knowledge. WSIS saw the beginning of a dialogue between two different cultures: the non-governmental Internet community, with its traditions of informal, bottom-up decision-making; and the more formal, structured world of governments and intergovernmental organizations. It is my hope that the IGF will deepen this dialogue and contribute to a better understanding of how we can make full use of the potential the Internet has to offer for all people in the world.

(Signed) Kofi A. Annan" 

[via the Internet Governance Forum]

Tuesday, July 18, 2006 10:46:29 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, July 11, 2006

In a new scam, called vishing, identity thieves use bogus phone numbers instead of Web sites, reports PC World in a recent article featuring phishing scams on VoIP phones.

"Related to phishing scams, the new scheme uses cheaply obtained VoIP numbers as bogus credit card or financial services telephone numbers", the article continues. "With Internet users being warned about clicking on hyperlinks in unsolicited e-mail, the new scam includes a phone number instead". "It's a natural elevation of the art to move it to the telephone. People are getting nervous about clicking on links", the article states.

The article gives examples of how these new scams take place: "In one vishing case, scammers targeted PayPal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity. The recording asked the telephone customer to call a number with a spoofed caller ID related to the credit card issuer. Once users call, they are asked for personal account information."

VoIP numbers are easy to obtain anonymously, but an industry expert interviewed for the story did not fault VoIP providers for vishing scams. "A larger problem is the ease of obtaining credit online or over the telephone. Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated. In today's environment, it's absurd," the expert stated.

Read the full article on the PC World news website.

 

Tuesday, July 11, 2006 6:48:07 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, June 27, 2006

The ITU held an international workshop under its New Initiatives Programme on the topic "The Regulatory Environment for Future Mobile Multimedia Services" in Mainz (Germany) from 21-23 June 2006. The final report [PDF] of the chairman has now been published.

Workshop presentations can be found here. Background documents, including country case studies and thematic papers are also available on the workshop homepage.

 

Tuesday, June 27, 2006 10:08:24 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, June 21, 2006

United Kingdom's Ofcom is currently working on a publication examining various national and international approaches to protecting consumers on the internet.

Coinciding with this publication, the regulator will hold a seminar that will allow stakeholders to examine the results of Ofcom's survey, hear the views of Internet industry stakeholders and discuss what can be done in the future to better protect consumers on the Internet. Ofcom organising such an event is a measure of the challenge posed to both regulator and consumer by the growth of net services and the collision of the highly regulated world of broadcasting with the virtually unregulated world of the internet.

This news item was accessed through Roger Darlington's CommsWatch blog.

Wednesday, June 21, 2006 8:43:26 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, June 15, 2006

According to a recently released article by CircleID, the United Kingdom today is one of the main targets of organized phishing crime groups, globally. Worldwide, CircleID estimates that phishing damages will amount to about two billion USD in 2006 -- not counting risk management costs such as preventative measures, counter-measures, incident response and PR damage.

In most cases, phishing succeeds through the fault of the users, either by entering the wrong web page, not keeping their computers secure or falling for cheap scams. Often this is due to a lack of awareness or skill in Internet use rather than incompetence on the part of the users.

For more information, see the CircleID article Phishing: Competing on Security.

Thursday, June 15, 2006 8:53:12 PM (W. Europe Standard Time, UTC+01:00)
 Wednesday, June 07, 2006

The ITU has just published an Issues Paper on the Regulatory Environment for Future Mobile Multimedia Services, available for download here (.pdf format).

The paper was prepared by Lara Srivastava, of the Strategy and Policy Unit (ITU), and Ingrid Silver & Rod Kirwan of the law practice of Denton Wilde Sapte.

Together with case studies (on Germany, China, Hong Kong SAR) and a thematic paper on spectrum flexibility, these background papers will form part of the input material for an international ITU New Initiatives Workshop on The Regulatory Environment for Future Mobile Multimedia Services, to be held in Mainz (Germany) from 21-23 June 2006, and jointly hosted by Germany's Federal Network Agency.

The Advance Programme for the workshop is now on-line, and will be regularly updated.

More information about the ITU New Initiatives Programme can be found here.
More information about the international workshop on the topic can be found here.  

 

Wednesday, June 07, 2006 11:03:59 AM (W. Europe Standard Time, UTC+01:00)
 Tuesday, June 06, 2006

The 5th Annual Mobility Roundtable was held in Helsinki from 1-2 June 2006, hosted by the Helsinki School of Economics. Since 2002, mobility roundtables have been held in Tokyo (Japan), Stockholm (Sweden), Austin (United States), and Hong Kong, China. The main objectives of the roundtables are:

  1. to build and support a sustainable international network of research and industry best practices for the mobile communication and computing business, market and industry;
  2. to exchange research and knowledge about best practices for different mobile modes of business; and
  3. to facilitate communication and collaboration among global researchers, practitioners and policy makers.

The 2006 programme and all final papers can be found here. There were four keynote speakers at the event: Jarkko Sairanen (Vice President and Head of Corporate Strategy, Nokia), Dr. Elizabeth Keating (University of Texas at Austin), Ari Tolonen (CEO, InfoBuild), and Lara Srivastava (ITU). Lara Srivastava is a member of the international advisory committee for the mobility roundtables. Her keynote address was entitled "Mobiles for a Smaller World" and is available here.

The 6th roundtable will be held in Los Angeles (California) in June 2007, hosted by the University of Southern California.

Tuesday, June 06, 2006 10:35:48 AM (W. Europe Standard Time, UTC+01:00)
 Friday, June 02, 2006

Do not panic if your data is hidden by virus writers demanding a ransom. A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back.

More information can be found here.

Friday, June 02, 2006 11:09:54 AM (W. Europe Standard Time, UTC+01:00)
 Sunday, May 28, 2006

The German government is preparing a law that would allow the use of mobile phone jammers during major events and in prisons. The blocking of mobile phone use by criminals is seen as an important measure in the war against crime and terrorism.

By transmitting on the same radio frequencies as the mobile phone, a phone jammer can effortlessly stifle annoying chatter in movie theatres, at funerals or in hospitals. However, in many countries, including Germany, the technology is officially illegal. Phone jammers not only disrupt licensed services operated by the mobile carriers, but might also disrupt other services operating in adjacent bands.

Read the full article from The Register here.

Sunday, May 28, 2006 8:15:29 PM (W. Europe Standard Time, UTC+01:00)
 Monday, May 22, 2006

Take Back the Net is an initiative of The Institute for Spam and Internet Public Policy (ISIPP). ISIPP is committed to helping to rid the Internet of spam and other illegal activities, and to helping people to secure their computers. Thanks to Suresh Ramasubramanian for the pointer.

Monday, May 22, 2006 11:13:41 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, May 18, 2006

Bruce Schneier's Schneier on Security points to an article explaining the steps that someone has taken to deal with identity theft.

Thursday, May 18, 2006 10:01:54 PM (W. Europe Standard Time, UTC+01:00)

In a press release today, ITU announced a global opinion survey to assess trust of online transactions and awareness of cybersecurity measures. The survey was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year — Promoting Global Cybersecurity — aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.

The announcement of the results of the survey coincides with the launch of an ITU Cybersecurity Gateway portal. The portal is a global online reference source of national cybersecurity initiatives and websites around the world and provides an integrated platform for sharing cybersecurity related information and resources. Presenting information tailored to four specific audiences: citizens, businesses, governments, and international organizations, the portal also provides information resources on topical cybersecurity concerns such as spam, spyware, phishing, scams and frauds, worms and viruses, denial of service attacks, etc.

With thousands of links to relevant materials, ITU intends to constantly update the portal with information on cybersecurity initiatives and resources gathered from contributors around the globe. For example, a number of countries are now ramping up national critical information infrastructure protection (CIIP) programmes and sharing information on these initiatives through the portal can assist both developed and developing economies in promoting global cybersecurity.

These efforts highlight work being carried out as follow-up to the World Summit on the Information Society (WSIS) Action line C5 dealing with "Building confidence and security in the use of ICT", for which ITU is the facilitator/moderator.

Update: UN Secretary-General Kofi Annan has made the following statement in conjunction with World Telecommunication Day giving his perspectives on promoting global cybersecurity.

Thursday, May 18, 2006 9:52:04 PM (W. Europe Standard Time, UTC+01:00)

The Filipino telecoms watchdog, the National Telecommunications Commission (NTC), says it will revoke the mobile licence of any operator found guilty of breaking its guidelines on unsolicited broadcast messaging via SMS. The amended rules and regulations also require content providers – alleged to have sent out spam promos to subscribers – to register with the NTC.

This will serve as the basis of an application with the Department of Trade and Industry that grants permits to allow companies to advertise promos. Mobile phone operators and content providers risk being blacklisted if found guilty of violating the agency’s rules.

More information can be found here.

The Draft Amendment to the Rules and Regulations on Broadcast Messaging Service is available here.

Thursday, May 18, 2006 9:20:12 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, May 17, 2006

The European Commission has launched a public consultation on RFID, with a view to developing a coherent RFID Policy for Europe. In order to prepare for the consultation, the Commission is organizing a series of five workshops between March and June 2006, in which experts and stakeholders from all over Europe and the world come together to debate the key issues.

ITU's Lara Srivastava spoke at the first workshop (6-7 March 2006), and also at the third workshop in the series held 16-17 May 2006 on "RFID Security, Data Protection & Privacy, Health and Safety Issues" (see the presentation here). The Policy Framework Paper written by the Commission in advance of the meeting highlighted the vision of the ITU's 2006 Internet Report on "The Internet of Things" released in November 2005.

Two more workshops are planned in early June, after which the Commission will open up the debate for a wider on-line public consultation, resulting in a Communication on RFID to be issued later this year.

For more information, including webcasts, see the European Commission RFID Consultation Website.

 

Wednesday, May 17, 2006 4:53:53 PM (W. Europe Standard Time, UTC+01:00)

17 May 2006. A global opinion survey to assess trust of online transactions and awareness of cybersecurity measures was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year - Promoting Global Cybersecurity - aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.

The announcement of the results of the survey coincides with the launch of an ITU Cybersecurity Gateway portal. These efforts also highlight work being carried out as follow-up to the World Summit on the Information Society (WSIS) Action line C5 dealing with "Building confidence and security in the use of ICT", for which ITU is the facilitator/moderator.

Wednesday, May 17, 2006 9:59:38 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, May 11, 2006

The Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) authored by OASIS (Organization for the Advancement of Structured Information Standards) have been consented as internationally recognised ITU-T Recommendations. The announcement is the first result of the formal relationship between the standardization sector of ITU and OASIS.

The standards (ITU-T Recommendations X.1141 (SAML) and X.1142 (XACML)) address the concern of how to allow safe single sign-on, a system that enables a user to authenticate once and gain access to the resources of multiple software systems. While solutions existed in this space, all were proprietary and therefore did not address the problem on a global level.

SAML and XACML are designed to control access to devices and applications on a network. The need for standards in this area has become more of an issue as business networks increasingly use the public Internet.

SAML addresses authentication and provides a mechanism for transferring authentication and authorization decisions between cooperating entities; XACML leverages this information to determine access to resources by focusing on the mechanism for arriving at those authorization decisions.

An additional feature of SAML is that it allows organizations to communicate information without any change to their own internal security architectures.
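To make the division of labour concrete, here is an added example (not code from ITU-T, OASIS or the newslog) of a toy policy decision point: it reads the subject's attributes from a SAML 2.0 AttributeStatement and evaluates a simplified XACML-style policy against them. The assertion, the policy, the rule names and the "ledger" resource are all constructed for the illustration. Real XACML has many more match functions, combining algorithms and obligations, and a real relying party must verify the assertion's XML signature, audience and validity window before trusting any attribute in it; this example skips those checks to show only how asserted attributes feed an access decision.

```python
"""Toy SAML-attributes-in, XACML-style-decision-out policy decision point.

Added illustration, not the OASIS or ITU-T reference behaviour. Signature,
audience and validity checks on the assertion are deliberately omitted here;
a real deployment must perform them before using any asserted attribute.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: an identity provider states who the user is
# and which roles/department they belong to.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>accounting</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: set of values} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs[attr.get("Name")] = values
    return attrs


# Simplified XACML-like policy (constructed): each rule names the subject
# attribute values that must all match (any one value of a multi-valued
# attribute suffices), the resource, the permitted actions and an effect.
POLICY = {
    "combining": "deny-overrides",
    "rules": [
        {"id": "deny-contractors", "effect": "Deny",
         "subject": {"role": {"contractor"}},
         "resource": "ledger", "action": {"read", "write"}},
        {"id": "finance-writes-ledger", "effect": "Permit",
         "subject": {"role": {"finance"}, "department": {"accounting"}},
         "resource": "ledger", "action": {"read", "write"}},
        {"id": "staff-reads-ledger", "effect": "Permit",
         "subject": {"role": {"staff"}},
         "resource": "ledger", "action": {"read"}},
    ],
}


def rule_matches(rule: dict, attrs: dict, resource: str, action: str) -> bool:
    """A rule applies when resource and action match and every required
    subject attribute intersects the values the assertion carries."""
    if rule["resource"] != resource or action not in rule["action"]:
        return False
    return all(attrs.get(name, set()) & wanted
               for name, wanted in rule["subject"].items())


def decide(policy: dict, attrs: dict, resource: str, action: str) -> str:
    """Deny-overrides combining: any applicable Deny wins, then any Permit,
    otherwise NotApplicable (no rule spoke to this request)."""
    effects = [r["effect"] for r in policy["rules"]
               if rule_matches(r, attrs, resource, action)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def authorize(assertion_xml: str, policy: dict, resource: str, action: str) -> str:
    """SAML supplies the facts about the subject; XACML-style rules decide."""
    return decide(policy, subject_attributes(assertion_xml), resource, action)


if __name__ == "__main__":
    for act in ("read", "write", "delete"):
        print(act, authorize(SAMPLE_ASSERTION, POLICY, "ledger", act))
```

Note that the NotApplicable outcome for "delete" is distinct from Deny: no rule covered the request, so the enforcement point's default (usually deny) applies. The deny-overrides choice matters when a subject carries several roles, as the contractor check in `decide` shows.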

[via ITU-T Newslog]
Thursday, May 11, 2006 11:07:57 AM (W. Europe Standard Time, UTC+01:00)
 Friday, May 05, 2006

Singapore’s mobile users – 99.8% of Singapore’s population, according to the Infocomm Development Authority’s (IDA) February 2006 stats – will have more protection against mobile spam in the future. IDA has put its foot down on this issue, warning of “swift enforcement” of penalties should mobile operators continue to fail to resolve mobile spam issues satisfactorily.

A strong warning letter was sent to SingTel, StarHub and M1, the three mobile operators in Singapore. In addition, IDA decided to make an example of errant content operator mTouche in the highly publicized mTouche spam case. Between 30 January and 5 February this year, 300,000 mobile end users were billed S$1 for unsolicited SMSes sent by mTouche through the three telcos.

More information can be found here.

Friday, May 05, 2006 11:26:40 AM (W. Europe Standard Time, UTC+01:00)

China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII).

The impact on corporate email servers, which are commonly used by companies with more than a handful of employees, appears to have gone unnoticed until now. However, Singapore-based technology consultant, James Seng, who first drew attention to the new email licence requirement, believes the inclusion of the prohibition on mail servers is no accident.

More information can be found here.

Friday, May 05, 2006 11:21:35 AM (W. Europe Standard Time, UTC+01:00)
 Thursday, May 04, 2006

The "Survey on Industry Measures taken to comply with National Measures implementing Provisions of the Regulatory Framework for Electronic Communications relating to the Security of Services" conducted by the Technical Department of ENISA, Section Security Policies is available here.

Thursday, May 04, 2006 1:33:00 PM (W. Europe Standard Time, UTC+01:00)

The US Federal Communications Commission today adopted a Second Report and Order and Memorandum Opinion and Order (Order) that addresses several issues regarding implementation of the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. Among other things, the Order affirms that the CALEA compliance deadline for facilities-based broadband Internet access and interconnected VoIP services will be May 14, 2007, as established by the First Report and Order in this proceeding. The Order concludes that this deadline gives providers of these services sufficient time to develop compliance solutions, and notes that standards developments for these services are already well underway. Further details and background are available in the FCC news release and statement by individual FCC commissioners:

Thursday, May 04, 2006 12:05:23 PM (W. Europe Standard Time, UTC+01:00)
 Monday, May 01, 2006

A new wave of spam could be on the way that tricks recipients by looking like it’s a message sent from their friends' e-mail address. This sort of spam would bypass even those filters that currently weed out 99% of the bad stuff, says John Aycock, an assistant professor of computer science at the University of Calgary.

Aycock and student Nathan Friess conducted research and wrote a paper dubbed "Spam Zombies from Outer Space" to show that generating such customized spam -- such as in the form of e-mail replies -- would not be as difficult as has been assumed in the past. Spammers have so far leaned toward bulk e-mail generation that is less customized.

More information can be found here.

Monday, May 01, 2006 10:08:54 AM (W. Europe Standard Time, UTC+01:00)
 Friday, April 28, 2006

In a press release, the European Commission has indicated its views on follow-up to the international policy commitments made at WSIS:

To keep up the momentum of the successful World Summit on Information Society (Tunis, 16-18 November 2005), the European Commission has set out today its priorities for implementing the international policy commitments made at the Summit. These priorities include safeguarding and strengthening human rights, in particular the freedom to receive and access information. Information and communication technologies (ICTs) should be used to contribute to open democratic societies and to economic and social progress worldwide. The Commission calls for continuing international talks to improve Internet governance through the two new processes created by the Summit: the multi-stakeholder Internet Governance Forum and the mechanism of enhanced cooperation that will involve all governments on an equal footing.

The EC has also issued a FAQ on Internet Governance.

Friday, April 28, 2006 11:01:35 AM (W. Europe Standard Time, UTC+01:00)
 Monday, April 24, 2006

Looking back, 2005 saw a rise in profit-driven attacks. These were reflected by phishing, which now represents as much as one percent of the global e-mail traffic and is far more effective than spamming.

Viruses, worms, and malicious software are becoming part and parcel of information and communications technology. According to Trend Micro's report, called Virus and Spam Roundup 2005 and Predictions for 2006, this year will see more spy phishing and spear phishing on the Internet.

More information can be found here.

Monday, April 24, 2006 5:08:02 PM (W. Europe Standard Time, UTC+01:00)

Though the United States is making progress in the war on unsolicited commercial e-mail, or spam, it still generates more than any other nation in the world, according to recent statistics from Sophos, a provider of anti-malware solutions.

Sophos ranked spam outputs of the top 12 countries and top six continents based on messages it received in its “global network of spam traps” between January and March, according to the group’s release.

More information can be found here.

Monday, April 24, 2006 5:01:51 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, April 20, 2006

The Federal Trade Commission (FTC) joined 29 other countries in calling for increased cooperation between nations in combating spam. The FTC signed off on a set of anti-spam recommendations by the Organization for Economic Cooperation and Development (OECD), a coalition of 30 countries organized to promote economic growth and trade.

More information about OECD activities on countering spam can be found here.

Please click here to read the article.

Thursday, April 20, 2006 4:50:12 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, April 18, 2006

The ITU has released the Results of its 2006-2007 Questionnaire on Future Topics for workshops under the ITU New Initiatives Programme.

The top three winners are as follows:

  1. Pushing the Boundaries - Wireless Networking
  2. The Future of Voice
  3. Privacy and Data Protection in Telecommunications

More information about the ITU New Initiatives Programme can be found here.

Tuesday, April 18, 2006 3:03:56 PM (W. Europe Standard Time, UTC+01:00)
 Friday, March 31, 2006

The Federal Trade Commission and members of the International Consumer Protection and Enforcement Network (ICPEN) are meeting in Jeju, Korea, on March 26-28, to discuss the progress of international efforts to combat cross-border fraud and explore new international initiatives to protect consumers around the world.

The FTC’s participation in ICPEN is one part of the agency’s ongoing effort to combat a rising number of cross-border fraud complaints from American consumers. ICPEN members discussed the results of a recent Internet surf for Web sites that are “hidden traps online.”

Over 30 countries participated in the international surf. In the United States, the focus was on Web sites with fraudulent claims advertising “miracle cures” for diabetes, with the FTC, FDA, and several state Attorneys General offices participating.

The FTC and its partners reviewed over 1,000 Web sites and identified over 150 with potentially misleading diabetes claims. The FTC will follow up by sending warning letters to Web sites that appear to have deceptive or false claims.

More information can be found here.

Thursday, March 30, 2006 11:29:01 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, March 28, 2006

World Telecommunication Day (WTD) commemorates the founding of ITU on 17 May 1865. This year, WTD could carry added significance as 17 May has been identified by the Tunis phase of the World Summit on the Information Society as “World Information Society Day”.

While World Information Society Day is yet to be proclaimed, ITU, as the leading ICT agency of the UN system, upholds the idea and looks to its members to raise awareness of the role of ICT in achieving the development goals of all people.

For WTD 2006, the ITU Council chose the theme of Promoting Global Cybersecurity to highlight the serious challenges we face in ensuring the safety and security of networked information and communication systems.

In today’s interconnected and increasingly networked world, societies are vulnerable to a wide variety of threats, including deliberate attacks on critical information infrastructures with debilitating effects on our economies and on our societies. In order to safeguard our systems and infrastructure and in order to instill confidence in online trade, commerce, banking, telemedicine, e-government and a host of other applications, we need to strengthen the security practices of each and every networked country, business, and citizen, and develop a global culture of cybersecurity.

The urgency of promoting cybersecurity has been called for by the ITU Plenipotentiary Conference in 2002, the World Telecommunication Standardization Assembly (WTSA-2004) as well as the United Nations General Assembly (resolutions 58/199, 2004, and 57/239, 2002).

Invitations to organize national programmes promoting the WTD 2006 theme, Promoting Global Cybersecurity, were sent to all ITU Member States and ITU Sector Members. Sector Members represent over 647 public and private companies and organizations with an interest in telecommunications. Also in conjunction with WTD 2006, the ITU is conducting a survey of cybersecurity trust and awareness. A list of links to the related materials includes:

 

Tuesday, March 28, 2006 1:43:52 PM (W. Europe Standard Time, UTC+01:00)

Internet service providers could face huge fines if they do not provide spam filtering or impose email sending limits under new rules set down by a communications watchdog. The Australian Communications and Media Authority (ACMA) today registered the world's first legislative code of practice for internet and email service providers.

More information can be found here.

Tuesday, March 28, 2006 1:16:50 PM (W. Europe Standard Time, UTC+01:00)

At a technology forum in Brussels hosted by EuroISPA - the European Internet Services Providers Association, and co-sponsored by Interpol, Neil Holloway, president, Microsoft (Europe, Middle East and Africa), inaugurated a global law enforcement campaign targeted at cybercriminals responsible for phishing attacks.

This is part of Microsoft's larger program, dubbed the Global Phishing Enforcement Initiative (GPEI), that aims at co-ordinating and expanding the company's anti-phishing efforts globally.

More information can be found here.

Tuesday, March 28, 2006 8:45:25 AM (W. Europe Standard Time, UTC+01:00)
 Monday, March 27, 2006

On 23-24 March 2006 at ITU headquarters, the ITU Strategy and Policy Unit hosted a high-level experts workshop entitled What Rules for IP-enabled NGNs? focused on the policy and regulatory challenges related to the deployment of IP-enabled NGNs. The following materials are now available:

Monday, March 27, 2006 11:18:15 AM (W. Europe Standard Time, UTC+01:00)
 Wednesday, March 22, 2006

A public talk was given on 22 March 2006 at Michigan State University's Quello Center for Telecommunication Management and Law on "The Changing Face of Cyberspace" (Lara Srivastava, ITU). 

Wednesday, March 22, 2006 4:10:38 PM (W. Europe Standard Time, UTC+01:00)
 Thursday, March 16, 2006

Communications points to an interesting presentation on reverse engineering Skype given by Philippe BIONDI & Fabrice DESCLAUX at the Blackhat Europe conference in Amsterdam, March 2nd & 3rd. Warning: 115 highly technical slides including this conclusion:

Thursday, March 16, 2006 12:04:50 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, March 14, 2006

The OECD hosted a workshop entitled The Future of the Internet in Paris on 8 March 2006. Presentations given at the event will serve as "food for thought" for future OECD work.


The Economist has a related article entitled Reinventing the Internet.

Tuesday, March 14, 2006 10:09:00 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, March 09, 2006

Including data from some of the world's largest Internet Service Providers, MAAWG (Messaging Anti-Abuse Working Group) has developed its first metrics report outlining the scope of the problem and validating that approximately 85 percent of email traffic today is abusive.

The report, "MAAWG Email Metrics Program: The Network Operators' Perspective," provides data for the fourth quarter of 2005 and will continue to be updated on a quarterly basis as an objective tool for tracking the industry's efforts at controlling abusive email.

For more information, please click here.

Thursday, March 09, 2006 9:45:08 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, March 08, 2006

Efforts by governments to counter internet spam by tracking down and prosecuting spammers have had limited impact and require far more resources than most countries can muster, the United Nations telecoms agency (ITU) warned on Tuesday.

It says in a report that while all countries need anti-spam legislation so that spammers have nowhere to hide, a more effective approach would be to require the establishment of enforceable codes of conduct by internet service providers (ISPs).

For more information about the article, please click here.

For more information about the report "Stemming the International Tide of Spam", please click here.

Wednesday, March 08, 2006 3:20:18 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Saturday, March 04, 2006

According to a press release from the UN, the UN Secretary-General has decided to establish a small Secretariat in Geneva to assist in the convening of the Internet Governance Forum (IGF).  The Secretary-General was asked by the World Summit on the Information Society, held in Tunis in November, to convene such a Forum for multi-stakeholder policy dialogue.

Nitin Desai, the Secretary-General’s Special Adviser for the Summit, held open consultations on 16 and 17 February in Geneva aimed at reaching a common understanding on how the Forum should function.  Those discussions produced a consensus that the IGF should have a strong development orientation.  It was also felt that the Forum should be open and inclusive, and allow for the participation of all interested stakeholders with proven expertise and experience in Internet-related matters.

The Secretariat will be headed by Markus Kummer, who has been the Executive Coordinator of the Secretariat of the Working Group on Internet Governance, which was established by the Secretary-General at the request of the first phase of the Summit, in Geneva in 2003.  The first meeting of the Forum is expected to take place later this year in Athens, Greece from October 30 - November 2 2006.

On a separate issue, the Secretary-General has also decided to ask Mr. Desai to consult informally on how to start a process aimed at enhancing cooperation on international public policy issues related to the Internet.  The Summit had requested the Secretary-General to start such a process in paragraphs 69-71 of the WSIS Tunis Agenda for the Information Society.

Saturday, March 04, 2006 9:14:49 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, February 28, 2006

In Japan, the ima doko (where are you now) service allows parents to track the location of their children through a mobile handset or a P-doco?mini device. One can pull up location data using the internet or even with a 3G NTT Docomo handset to see location data on a map (scroll down for sample maps displayed on the i-mode handset).

This flash animation shows a Japanese mother pulling up a map that locates her daughter's mobile handset.
Tuesday, February 28, 2006 7:07:43 PM (W. Europe Standard Time, UTC+01:00)  #     | 

This publication, with a foreword by Nitin Desai, provides an overview of the key debates on Internet governance. It presents the work of the Open Regional Dialogue on Internet Governance, an Asia-Pacific Development Information Programme (APDIP) initiative that has collected perspectives from regional experts and end users.

Tuesday, February 28, 2006 11:21:43 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, February 23, 2006

In line with paragraph 108 and the Annex of the Tunis Agenda for the Information Society, a consultation is being held on 15-16 May 2006, at ITU Headquarters in Geneva, on WSIS Action Line C5: Building Confidence and Security in the use of ICTs. The purpose of the meeting is to discuss the WSIS multi-stakeholder implementation process for Action Line C5.

The meeting is open to all WSIS stakeholders that are interested and involved in the implementation process in the field of building confidence and security in the use of ICTs.

A draft agenda for the consultation on WSIS Action Line C5 Facilitation and the invitation letter to the meeting from ITU Secretary-General Yoshio Utsumi can be viewed on the WSIS C5 Implementation website.

More information on the activities related to WSIS implementation and follow-up can be viewed here.

Thursday, February 23, 2006 10:59:16 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, February 22, 2006

China's Ministry of Information Industry launched its anti-spam center, www.anti-spam.cn, today as part of its net safety efforts. Further measures to strengthen email management are planned for March and April 2006.

Additionally, the Chinese government issued a regulation on the management of emails, which will take effect on 30 March 2006. Sending advertisement emails without the receiver's permission is banned, according to this new regulation.

For more information, click here

Wednesday, February 22, 2006 9:42:05 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, February 15, 2006

Circle ID has an interesting piece entitled Internet Governance: An Antispam Perspective by Meng Wong, who is known for his work on the email authentication mechanism SPF*:

I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.

* SPF is derived from original concept work by Paul Vixie which is now also the core of Microsoft's Sender ID.
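Wong's "default-deny" framing is exactly what an SPF policy ending in -all expresses: only the hosts the domain owner lists may send for the domain, and everyone else fails. The evaluator below is an added example written for this page, not code from the original post or from Wong's own SPF implementation. It follows the check_host() logic of RFC 7208 (the 2006-era spec was the experimental RFC 4408) for the ip4, ip6, a, mx, include and all mechanisms and the redirect modifier, run against constructed in-memory zone data; the example.com, _spf.mailhost.example, open.example, legacy.example and dup.example records are hypothetical. Macros, ptr, exists and CIDR suffixes on a/mx are omitted.

```python
"""SPF evaluation as a default-deny policy. Added example, not code from the
original post or from any SPF library. The zone data is constructed; a real
evaluator would query DNS instead of this dictionary."""
import ipaddress

# Constructed records keyed by (owner name, type). example.com publishes a
# closed policy (-all); open.example publishes +all, which authorises anyone.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/26 ~all"],
    ("open.example", "TXT"): ["v=spf1 +all"],
    ("legacy.example", "TXT"): ["v=spf1 redirect=example.com"],
    ("dup.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is allowed (RFC 7208 section 3.2)."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ")[0] == "v=spf1"]
    if not recs:
        return None
    return recs[0] if len(recs) == 1 else "permerror"


def check_host(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for sender ip."""
    if depth > 10:                        # guard against include/redirect loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                     # no policy at all: sender is unverified
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:  # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            # Only a "pass" from the included policy counts; its ~all does not leak out.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"            # ptr, exists and macros are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                      # record exhausted without a match


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("203.0.113.200", "example.com"),
                    ("192.0.2.7", "open.example"), ("192.0.2.7", "nospf.example")]:
        print(ip, dom, check_host(ip, dom))
```

A receiver turns the result into a decision: fail is the only outcome that justifies a reject on its own; softfail, neutral and none leave the message unauthenticated, so a forged sender from a domain with no record, or with +all, is indistinguishable from a legitimate one. That is the tension in the quotation above: default-deny only works for domains that publish an accurate host list and end it with -all.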
Wednesday, February 15, 2006 5:44:08 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, February 14, 2006

FCC Examines Need For Tougher Privacy Rules.

"In a Notice of Proposed Rulemaking (NPRM) adopted today, the Commission seeks comment on a variety of issues related to customer privacy, including what security measures carriers currently have in place, what inadequacies exist in those measures, and what kind of security measures may be warranted to better protect consumers’ privacy. The Notice grants a petition for rulemaking filed by the Electronic Privacy Information Center (EPIC) expressing concerns about whether carriers are adequately protecting customer call records and other customer proprietary network information, or CPNI. EPIC claims that some data brokers have taken advantage of inadequate security standards to gain access to the information under false pretenses, such as by posing as the customer, and then offering the records for sale on the Internet. The practice is known as "pretexting.""
    Tuesday, February 14, 2006 10:05:12 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, February 13, 2006

    The ITU is hosting a workshop on Radio-Frequency Identification (RFID) from 14-15 February 2006, bringing the spotlight on the emergence of a so-called "Internet of Things", enabling ubiquitous network connectivity, anytime and anywhere. The agenda and an accompanying press release are available.

    Update: The workshop is being audiocast live and archived.

    Monday, February 13, 2006 11:23:35 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, February 10, 2006

    The Financial Times has an article entitled Privacy Under Pressure in Europe

    A European directive is in preparation that will require the providers of publicly available communications services to retain details of fixed-line, mobile phone and e-mail communications for at least six months, and possibly up to two years. It is a requirement that even the US has not imposed in its war on terror.

    Friday, February 10, 2006 11:34:32 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, February 06, 2006

    Bruce Schneier's blog Schneier on Security points to the final version of a paper by Daniel J. Solove and Chris Hoofnagle titled "A Model Regime of Privacy Protection." 

    Abstract: A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as "commercial data brokers" have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices -- principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States.
    Monday, February 06, 2006 8:20:21 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, February 02, 2006

    The December 2005 edition of the Internet Protocol Journal has two articles on countering spam:

    Thursday, February 02, 2006 10:10:23 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, January 24, 2006

    The official website of the 1st Meeting of the Internet Governance Forum (IGF), to be convened later this year in Greece has been launched.

    Tuesday, January 24, 2006 11:52:35 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, January 17, 2006

    Another take on marketing the Internet of Things (via IP). The source can be found here.

    Tuesday, January 17, 2006 9:55:42 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, January 16, 2006

    Two recent articles on the growing influence of national governments over the internet.

    1. Legal Affairs has just published Digital Borders By Jack Goldsmith and Timothy Wu. The article is an excerpt from the book Who Controls the Internet?: Illusions of a Borderless World

    In this provocative new book, Jack Goldsmith and Tim Wu tell the fascinating story of the Internet's challenge to governmental rule in the 1990s, and the ensuing battles with governments around the world. It's a book about the fate of one idea--that the Internet might liberate us forever from government, borders, and even our physical selves. We learn of Google's struggles with the French government and Yahoo's capitulation to the Chinese regime; of how the European Union sets privacy standards on the Net for the entire world; and of eBay's struggles with fraud and how it slowly learned to trust the FBI. In a decade of events the original vision is uprooted, as governments time and time again assert their power to direct the future of the Internet. The destiny of the Internet over the next decades, argue Goldsmith and Wu, will reflect the interests of powerful nations and the conflicts within and between them.

    While acknowledging the many attractions of the earliest visions of the Internet, the authors describe the new order, speaking to both its surprising virtues and unavoidable vices. Far from destroying the Internet, the experience of the last decade has led to a quiet rediscovery of some of the oldest functions and justifications for territorial government. While territorial governments have unavoidable problems, it has proven hard to replace what legitimacy governments have, and harder yet to replace the system of rule of law that controls the unchecked evils of anarchy. While the Net will change some of the ways that territorial states govern, it will not diminish the oldest and most fundamental roles of government and challenges of governance.

    2. First Monday has published The filtering matrix: Integrated mechanisms of information control and the demarcation of borders in cyberspace by Nart Villeneuve.

    Increasingly, states are adopting practices aimed at regulating and controlling the Internet as it passes through their borders. Seeking to assert information sovereignty over their cyber–territory, governments are implementing Internet content filtering technology at the national level. The implementation of national filtering is most often conducted in secrecy and lacks openness, transparency, and accountability. Policy–makers are seemingly unaware of significant unintended consequences, such as the blocking of content that was never intended to be blocked. Once a national filtering system is in place, governments may be tempted to use it as a tool of political censorship or as a technological "quick fix" to problems that stem from larger social and political issues. As non–transparent filtering practices meld into forms of censorship the effect on democratic practices and the open character of the Internet are discernible. States are increasingly using Internet filtering to control the environment of political speech in fundamental opposition to civil liberties, freedom of speech, and free expression. The consequences of political filtering directly impact democratic practices and can be considered a violation of human rights.

    Monday, January 16, 2006 9:19:44 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, December 13, 2005

    The internet as we know it is set to transform radically, according to a new ITU Internet Report entitled The Internet of Things, specially prepared to coincide with the World Summit on the Information Society (WSIS) in Tunis in November 2005. From an academic network for the chosen few created in the late 1960s, the internet is now a mass-market, consumer-oriented network being accessed by over 900 million people worldwide, through personal computers, mobile phones and other wireless devices. But this is only the beginning. According to ITU’s report, we are standing on the brink of a new ubiquitous computing and communication era, one that will radically transform the Internet, and with it, our corporate, community, and personal spheres. The new ITU report looks at key enabling technologies for ubiquity (e.g. RFID, sensors and sensor networks, telematics, robotics, nanotechnology) and how they might impact the future human and technological landscape.

    At WSIS, the report was launched at a Press Conference and Panel Debate moderated by Kenn Cukier of The Economist. The lively debate included the following speakers and panelists: Nicholas Negroponte - MIT Media Lab, Olivier Baujard - CTO of Alcatel, Hitomi Murakami - VP General Manager of KDDI (Japan), Jonathan Murray - VP and CTO, Microsoft EMEA, Walid Moneimne, Senior VP and Head of EMEA Networks - Nokia, John Gage, Chief Researcher and Director of the Science Office - Sun Microsystems, and from the ITU, Lara Srivastava, lead author of the report.

    Tuesday, December 13, 2005 4:59:21 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, December 12, 2005

    "Computer security isn't a technological problem -- it's an economic one." That is the message Bruce Schneier, Counterpane Internet Security, emphasized in his presentation at an infoSecurity Conference according to an article in InternetNews.com.

    "The future of security is getting harder to predict." Industry professionals "must start paying attention to the economics of security if they hoped for technology to keep pace." "To understand the difference it's necessary to understand the basic economic incentives of companies and how businesses are affected by liabilities," Mr. Schneier pointed out in his presentation. "The problem is that most of the costs of insecure software fall on the users. In economics, this is known as an externality: an effect of a decision not borne by the decision maker," according to Schneier. "When a company leaks data they are not the victim -- you as a user are."

    "Depending on where you put liability, security improves or it doesn't," Mr. Schneier added. "Put the liability on the responsible party, then we can do something," he said. That liability usually comes through legislation or lawsuits, according to Schneier. Mr. Schneier also pointed out that "Security is a process, it is not a product."

    Access the full article here.

    Monday, December 12, 2005 2:06:58 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, November 16, 2005

    The WSIS Stocktaking Report has been officially launched during the World Summit on the Information Society in Tunis. The report has been prepared on the basis of activities entered in the WSIS Stocktaking Database, which by November 2005 contained more than 2,500 entries.

    For the launch presentation see Stocktaking.pdf (1.47 MB).

    For the WSIS Stocktaking Database see here

    Wednesday, November 16, 2005 10:50:25 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    The final documents submitted to the second phase of WSIS being held 16-18 November 2005 in Tunis have been posted. They are:

    In The Tunis Agenda for the Information Society, paragraphs 3-28 related to Financial Mechanisms for Meeting the Challenges of ICTs for Development, paragraphs 29-82 relate to Internet Governance, and paragraphs 83-122 relate to Implementation and Follow-up.


    Wednesday, November 16, 2005 7:24:03 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, November 10, 2005

    The latest edition of ITU News has a commentary from Yoshio Utsumi, ITU Secretary-General on the expectations beyond the upcoming Tunis phase of the World Summit on the Information Society.

    We started on the long journey to Tunis in 1998, when the government of Tunisia proposed to the ITU’s Plenipotentiary Conference in Minneapolis to hold a World Summit on the Information Society (WSIS). We have accomplished much during this journey. At the first phase of WSIS in Geneva in December 2003, we developed a common vision of the information society. In particular, we declared our common desire and commitment to build a people-centred, inclusive and development-oriented society where the potential of information and communication technologies (ICT) is used to promote sustainable development and improve the quality of life. It is a society where everyone, anywhere should have an opportunity to participate and no one should be excluded from the benefits the information society offers.

    At the second phase of the Summit in Tunis on 16-18 November 2005, we will be closing one chapter, but we will be opening a new and much bigger chapter on the implementation of that vision. In this endeavour, we should really recognize the true value of ICT as a central theme in national development policies. ICT is changing our society in ways which are as fundamental as the changes wrought by steam engines in the 19th century or motor cars in the 20th century. As those machines did, ICTs help us to be more productive and efficient than ever before to fulfil our natural desire for a better life....

    Nowhere are the challenges to the conventional sovereign State greater than in the realm of cyberspace. And Internet governance has dominated our discussions since the conclusion of the Geneva phase.

    The traditional principles of “national sovereignty” that have been applied to telecommunications —namely that each State regulates its telecommunication sector as it sees fit — are not working for the Internet. The Internet, which started in one country, has rapidly penetrated everywhere. Now that the Internet has become a basic element of infrastructure for every nation, it is natural that nations wish to claim sovereignty over the Internet as they do over traditional telecommunication infrastructure.

    However, the value of the Internet lies in the value of information created and consumed by users rather than in the infrastructure itself. So, Internet governance requires a multi-stakeholder approach in which users and consumers of information alike agree, at a global level, to cooperate on a basic set of guidelines on such issues as security, privacy protection and efficient operation.

    That is why our discussion of Internet governance has been so difficult: because the existing models do not work well. We need to embrace a new model, which I will call “new communication sovereignty.” In this model, we must fight to defend the “right to communicate” rather than the “right to govern.”

    Communication is a basic human need and the foundation of all social organization. What matters is whether you have guaranteed access to information or the means to communicate with others, rather than the ability to control the means of communication. The “right to communicate” is a fundamental human right in the information society.

    As the Secretary-General for the World Summit on the Information Society, I feel truly honoured to have been given the opportunity to serve the international community at this key moment of change in its history. As the wheel of change continues to turn, we must work together to create a more just and equitable information society.

    Thursday, November 10, 2005 2:50:47 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, November 09, 2005

    Schneier on Security is reporting that Microsoft has released a document outlining a series of steps it would like to see the US Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. According to their press release:

    [Microsoft's senior vice president and general counsel Brad] Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

    • Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
    • Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
    • Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals' consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
    • Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure, modification and loss of personal information.
    Wednesday, November 09, 2005 10:47:28 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, November 07, 2005

    For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by Tracy Cohen, Olli Mattila and Russel Southwood, entitled VoIP and Regulation, which will be presented at the GSR:

    Voice over Internet Protocol (VoIP) is generally viewed as a “disruptive technology”. All the current market indications show that IP networks and services like Voice over Internet Protocol (VoIP) will replace traditional PSTN networks and services. ITU estimates that by 2008, at least 50 percent of international minutes will be carried on IP networks and that many carriers will have all-IP networks. Recent trends are certainly headed in this direction. For example, in the United States, residential VoIP subscriber numbers have increased from 150,000 at the end of 2003 to over 2 million in March 2005. It is predicted that subscribers in the US will exceed 4.1 million by 2006, generating over USD 1 billion in gross revenues for the year. In March 2005, the Chilean broadband operator VTR launched the first telecommunication network for residential services based on IP technology. The operator expects to expand its platform and reach 2 million customers in five years. There are approximately 35,000 residential telephones that use IP technology in Chile, either through Chilean operators or through Vonage...

    This paper examines how VoIP services will affect future regulation. Due to the starkly contrasting global perceptions of VoIP however, it is difficult to present a unified approach to regulatory treatment of VoIP and this paper aims to reflect regulatory experiences from a wide range of countries that are grappling with the transition to VoIP. The three sections of this paper are structured to answer both the broad and specific questions raised by VoIP services, including the overall approach to regulating VoIP as a mainstream service; how VoIP has changed voice business models and the various ways of classifying the services it has created; and finally, other related issues frequently raised in connection with VoIP, such as quality of service; network integrity; emergency calling, numbering, communication security and lawful interception.

    Monday, November 07, 2005 11:23:53 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Sunday, November 06, 2005

    For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by John Palfrey entitled Stemming the International Tide of Spam: a Draft Model Law, which will be presented at the GSR:

    This discussion paper primarily takes up the question of what – beyond coordinating with technologists and other countries’ enforcement teams and educating consumers – legislators and regulators might consider by way of legal mechanisms. First, the paper takes up the elements that might be included in an anti-spam law. Second, the paper explores one alternative legal mechanism which might be built into an anti-spam strategy, the establishment of enforceable codes of conduct for Internet Service Providers (ISPs). Third, this paper also examines a variant of the legal approach where ISPs are formally encouraged by regulators to develop their own code of conduct. ISPs should be encouraged to establish and enforce narrowly-drawn codes of conduct that prohibit their users from using that ISP as a source for spamming and related bad acts, such as spoofing and phishing, and not to enter into peering arrangements with ISPs that do not uphold similar codes of conduct. Rather than continue to rely upon chasing individual spammers, regulators in the most resource-constrained countries in particular would be more likely to succeed by working with and through the ISPs that are closer to the source of the problem, to their customers, and to the technology in question. The regulator’s job would be to ensure that ISPs within their jurisdiction adopt adequate codes of conduct as a condition of their operating license and then to enforce adherence to those codes of conduct. The regulator can also play a role in sharing best practices among ISPs and making consumers aware of the good works of the best ISPs. While effectively just shifting the burden of some of the anti-spam enforcement to ISPs is not without clear drawbacks, and cannot alone succeed in stemming the tide of spam, such a policy has a far higher likelihood of success in the developing countries context than the anti-spam enforcement tactics employed to date.

    Sunday, November 06, 2005 3:19:47 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, October 13, 2005

    The ITU Strategy and Policy Unit, in collaboration with the Italian Ministry of Communications, the Ugo Bordoni Foundation and the Aosta Valley regional authority, organized a Workshop on “Tomorrow’s Network Today” on 7-8 October 2005.

    The workshop considered five broad themes:

    • International Visions of Ubiquitous Networks and Next Generation Networks
    • National Visions of Ubiquitous Networks and Next Generation Networks
    • Creating an Enabling Environment
    • The Italian Path Towards Ubiquitous Networks
    • An example of Italian best practice: "Being Digital in the Aosta Valley"

    Now available on the workshop website are the agenda, with links to presentations as they were delivered, and the two Case Studies on Italy – “Bridging the Gap: Taking Tomorrow’s Network Today” presented by Marco Obiso and “Ubiquitous Networks Societies: The Case of Italy” presented by Cristina Bueti – as well as background papers and voluntary contributions produced for the workshop.

    During the event, Tim Kelly, Head of the Strategy and Policy Unit (ITU) presented “Tomorrow’s Network and the Internet of Things”, showing some of the outcomes of the forthcoming ITU Internet Reports publication that this year will be dedicated to the theme of the “Internet of Things”.

    A final report of the workshop will be available in the next few weeks at the workshop website.

    Thursday, October 13, 2005 3:46:42 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, October 06, 2005

    Links to documents from WSIS Prepcom-3 (19-30 September 2005) Sub-Committee A, which dealt with the topic of Internet Governance, can be found on the WSIS website. The key documents from Prepcom-3 include:

    According to the Report of the Work of Sub-Committee A, in order to complete the work in time for the Summit, document DT/10 Rev. 4 is offered as basis for further negotiations. The following documents elaborated during PrepCom-3 are offered as a further input to future negotiations:

    Thursday, October 06, 2005 5:02:10 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, September 23, 2005

    Highlights from the discussions at WSIS Prepcom-3 19-21 September 2005 can be found here.

    Friday, September 23, 2005 8:42:05 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, September 22, 2005

    From TPRC 2005: DNSSEC and Hardening Security in the Internet Infrastructure: The Public Policy Questions by Amy Friedlander, Stephen Crocker, Allison Mankin, W. Douglas Maughan, Douglas Montgomery, Shinkuro Inc.

    This is a paper from the practitioner community. We are engaged in an effort to strengthen security in the Internet infrastructure. Our immediate task is to deploy a new Internet protocol, DNS Security Extensions (DNSSEC), which promises to harden features of the Domain Name System (DNS), a key element in the infrastructure of the Internet. In our work, we find ourselves at the intersection of the following questions:

    1. How do we stimulate innovation in infrastructure services when those services are provided in a competitive, largely private commercial environment and the returns are likely to occur in the long term and will also be shared?
    2. What is the appropriate role of government in fostering infrastructure development when we are committed to largely privately-owned and operated infrastructure facilities and services?
    3. What is the balance among national and homeland security interests and global Internet management - or governance?
    Thursday, September 22, 2005 2:55:12 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    EC Press Release: The European Commission has adopted today a proposal for a Directive on the retention of communications traffic data. The proposal provides for an EU-wide harmonisation of the obligations on providers of publicly available electronic communications, or a public telecommunications network, to retain data related to mobile and fixed telephony for a period of one year, and internet communication data for six months. The proposed Directive would not be applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the demonstrated additional costs they will incur. For its adoption, the proposal requires the approval of both the European Parliament and the Council. The Council is currently discussing an alternative text, a Framework Decision which would allow for data retention of up to 3 years and could be adopted by the Council alone. A related memo with additional information is available.

    Thursday, September 22, 2005 10:36:23 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, September 20, 2005
     Monday, September 19, 2005

    SwissInfo is reporting that data-protection commissioners from 40 countries have called on the United Nations to prepare a binding legal instrument to enhance data protection.

    A related press release and the final Montreux Declaration are available.

    Monday, September 19, 2005 3:26:14 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, September 13, 2005

    "I spent yesterday at a conference with the title eConfidence - Spam, Scams And Security and posted a short report. I mentioned that a major awareness campaign is due to be launched at the end of next month. It has been nine months in conception and creation and was planned under the name "Project Endurance", but it is being launched under the banner Get Safe Online. At yesterday's event, Tony Neate of the National Hi-Tech Crime Unit described the content as "outstanding", but so far the only public presence is one page on the web. As you can see from this page, eight companies have joined the Home Office and the National Hi-Tech Crime Unit to sponsor the campaign, but more sponsors are sought. I understand that the Netherlands and Norway have run similar campaigns against spam, scams and viruses. Anyone out there got any relevant information? I welcome this initiative. My concern is that there are now a variety of web sites and organisations providing advice on different forms of Internet content and activity - with some major gaps, such as harmful and offensive content -and what the consumer needs is a 'one stop shop' linking all these resources in a high-profile, user-friendly manner."

    Tuesday, September 13, 2005 4:13:40 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, August 05, 2005

    The Chairman's report (PDF) from the ITU WSIS Thematic Meeting on Cybersecurity held June 28 - July 1 2005 has been released.

    The event was organized in the framework of the implementation of the Declaration of Principles and Plan of Action adopted on 12 December 2003, at the first phase of the World Summit on the Information Society (WSIS) and in preparation for the Tunis phase of WSIS, to be held from 16 to 18 November, 2005. The event website provides links to the final agenda, all background papers, presentations, electronic contributions, the Chairman’s Report and audio archives.

    The four-day meeting was structured to consider and debate six broad themes in promoting international dialogue and cooperative measures among governments, the private sector and other stakeholders as well as promotion of a global culture of cybersecurity. These include information sharing of national and regional approaches, good practices and guidelines; developing watch, warning and incident response capabilities; technical standards and industry solutions; harmonizing national legal approaches and international legal coordination; privacy, data and consumer protection; and developing countries and cybersecurity.

    The first day of the meeting focused on countering spam as follow-up to the ITU WSIS Thematic Meeting on Countering Spam, held in July 2004.

    Friday, August 05, 2005 12:38:36 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    At the recent ITU WSIS Thematic Meeting on Cybersecurity, Maria Cristina Bueti, Policy Analyst, Strategy and Policy Unit, ITU, presented a background paper entitled ITU Survey of Anti-Spam Laws and Authorities Worldwide. The survey was conducted in April 2005 and sent to ITU’s 189 Member States. The survey results, based on 58 responses received, showed that there are a number of countries that have already implemented anti-spam legislation. In some cases, countries use data protection laws or consumer protection laws to cope with spam issues. A number of countries do not have anti-spam legislation or any laws applicable to spam. A slide from her presentation is shown below.

    Friday, August 05, 2005 10:58:37 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, August 03, 2005

    Phishing emails go formal - New method hides the true web address: Researchers have discovered a new method used by criminals to hide the location of phishing websites in email messages. Instead of the usual link in the body of the message, the technique uses an HTML form: the address of the phishing site sits in the form's action attribute, and the recipient is sent there only after pressing a button, the security watchdog SANS Internet Storm Centre has warned. Forms are commonly used by websites to allow users to send information back to the sites, for instance to enter user names and passwords for log ins. The practical consequence is that the usual advice to hover over a link and check the address before clicking gives no warning here: a mail client shows a link's target on hover, but not a form's action, so the real destination is visible only in the message source. A phishing email tries to lure the recipient to a website that the message claims is from a trusted organisation like a bank or credit card company. The aim of the message is to steal confidential information such as login names and passwords.

    From VNUnet, SANS Internet Storm Center - diary via Ewan Sutherland's weblog.
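    The check a mail gateway or analyst would want for the technique above, as an added example that is not from the ISC diary or the VNUnet article: extract every form action and anchor href from an HTML message body and flag forms that post to a host outside the domain the message claims to come from. The sample message, the domain and IP address, and the regular-expression extraction (sufficient for flat e-mail markup, not a full HTML parser) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample in the style ISC described: no visible link to the
// phishing host; a form button submits the credentials there instead.
const sampleMail = `<html><body>
<p>Dear customer, please confirm your details.</p>
<form method="POST" action="http://203.0.113.7/cgi-bin/login.php">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Go to Example Bank">
</form>
<a href="https://www.examplebank.example/help">Help</a>
</body></html>`

var (
	formRe = regexp.MustCompile(`(?is)<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)`)
	hrefRe = regexp.MustCompile(`(?is)<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)`)
)

// Target is one place the message can send the reader.
type Target struct {
	Kind string // "form" or "link"
	Host string // hostname, lowercased
	Raw  string // the attribute value as written
}

// ExtractTargets collects form actions and anchor hrefs from an HTML body.
func ExtractTargets(body string) []Target {
	var out []Target
	add := func(kind string, matches [][]string) {
		for _, m := range matches {
			u, err := url.Parse(strings.TrimSpace(m[1]))
			if err != nil {
				continue
			}
			out = append(out, Target{Kind: kind, Host: strings.ToLower(u.Hostname()), Raw: m[1]})
		}
	}
	add("form", formRe.FindAllStringSubmatch(body, -1))
	add("link", hrefRe.FindAllStringSubmatch(body, -1))
	return out
}

// SuspiciousForms returns form actions whose host is neither the claimed
// sender domain nor a subdomain of it. Forms are singled out because a
// hover-the-link check never shows a form's destination.
func SuspiciousForms(body, claimedDomain string) []Target {
	claimedDomain = strings.ToLower(claimedDomain)
	var bad []Target
	for _, t := range ExtractTargets(body) {
		if t.Kind != "form" {
			continue
		}
		if t.Host == claimedDomain || strings.HasSuffix(t.Host, "."+claimedDomain) {
			continue
		}
		bad = append(bad, t)
	}
	return bad
}

func main() {
	for _, t := range SuspiciousForms(sampleMail, "examplebank.example") {
		fmt.Printf("form posts off-domain: host=%s action=%s\n", t.Host, t.Raw)
	}
}
```

The domain comparison is deliberately a suffix match on the claimed domain; a gateway would feed it the domain of the authenticated sender rather than whatever the message text says.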

    Wednesday, August 03, 2005 10:11:16 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, July 29, 2005

    The final version of a paper commissioned by the ITU entitled A Comparative Analysis of Spam Laws: The Quest for a Model Law (PDF) has been released. The paper was authored by Derek E. Bambauer, John G. Palfrey, Jr., and David E. Abrams, Berkman Center for Internet & Society, Harvard Law School, for the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva, 28 June - 1 July 2005.

    Executive Summary

    Spam presents a significant challenge to users, Internet service providers, states, and legal systems worldwide. The costs of spam are significant and growing, and the increasing volume of spam threatens to destroy the utility of electronic mail communications.

    The Chairman’s Report from the ITU WSIS Thematic Meeting on Countering Spam in July 2004 emphasized the importance of a multi-faceted approach to solving the problem of spam and named legal governance as one of the necessary means. Our paper focuses on the potential nature of the legal regulation of spam, specifically the importance of harmonizing regulations in the form of a model spam law. We agree with the Chairman that the law is only one means towards this end and we urge regulators to incorporate other modes of control into their efforts, including technical methods, market-based means, and norm-based modalities.

    Spam uniquely challenges regulation because it easily traverses borders. The sender of a message, the server that transmits it, and the recipient who reads it may be located in three different states, all of which are under unique legal governance. If spam laws are not aligned in these states, enforcement will suffer because the very differences between spam laws may mean that a violation in one state is a permissible action in another. Moreover, spammers have an incentive to locate operations in places with less regulation, and the opportunity for states to create a domestic spam hosting market may engage them in a race to the bottom.

    Harmonizing laws that regulate spam offers considerable benefits, insofar as a model law could assist in establishing a framework for cross-border enforcement collaboration. To those enforcing the regulation of spam, harmonization as a model law effort offers: clear guidelines, easy adoption, enhanced enforcement, stronger norms, fewer havens for spammers, and the increased sharing of best practices. If such regulators then agree that harmonization can aid legal regimes intent on curbing spam, they must initially address four critical tasks: defining prohibited content, setting default rules for contacting recipients, harmonizing existing laws, and enforcing such rules effectively. This legal approach must be concurrently matched by efforts that employ other modes of regulation, such as technical measures, user education, and market-based approaches.

    Our analysis of existing spam legislation gathered by the ITU Strategy and Policy Unit evaluated these laws’ elements to determine whether they were commonly included or not, and whether provisions were uniformly implemented or varying when present. Our research documents seven instances in which extant laws strongly converge: a focus on commercial content, the mandatory disclosure of sender/advertiser/routing, bans on fraudulent or misleading content, bans on automated collection or generation of recipient addresses, the permission to contact recipients where there is an existing relationship, the requirement to allow recipients to refuse future messages, and a mix of graduated civil and criminal liability. Also documented are five key areas of disagreement which are vital to a harmonized spam law but which have evaded consensus thus far: a prior consent requirement for contacting recipients, a designated enforcer, label requirements for spam messages, the definition of spam (whether it is limited to e-mail communication, or includes other applications, such as SMS), and the jurisdictional reach of the system’s spam laws. Naturally, a harmonization effort must tackle and narrow these zones of divergence in order to succeed.

    Spam laws, whether harmonized or not, are at best only part of the solution to the spam problem and must be developed in concert with technical, market, and norms-based tools if the scourge of spam is to be substantially reduced. Efforts to harmonize the legal regulation of spam can serve as one effective means to solving the unique challenges spam presents. A model spam law is possible to develop, despite the many differences among the world’s spam laws.

    Friday, July 29, 2005 10:00:40 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, July 26, 2005

    The ITU Council has approved that the theme for World Telecommunication Day 2006 (May 17) be Promoting Global Cybersecurity.

    Here is the background of this decision as contained in the proposal to ITU Council:

    The United Nations General Assembly adopted, in 2002, a resolution entitled UNGA Resolution 57/239: Creation of a global culture of cybersecurity, calling for international organizations to consider measures to foster a global culture of cybersecurity and invited Member States to develop throughout their societies a culture of cybersecurity in the application and use of information technologies. The General Assembly also stressed the necessity to facilitate the transfer of information technology and capacity-building to developing countries, in order to help them to take measures in cybersecurity.

    The ITU Plenipotentiary in 2002 adopted Resolution 130: Strengthening the role of ITU in information and communication network security, instructing the Secretary General and the Directors of the Bureaux to intensify work within existing ITU study groups and inviting ITU Member States and Sector Members to participate actively in the ongoing work of the relevant ITU study groups.

    In 2004, a second resolution, UNGA Resolution 58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructure, was adopted by the United Nations on the global culture of cybersecurity and the protection of critical information infrastructure. The General Assembly, through this Resolution, encouraged Member States, regional and international organizations that have developed strategies to deal with cybersecurity and the protection of critical information infrastructures to share their best practices and measures that could assist other Member States in their efforts to facilitate the achievement of cybersecurity; it also stressed the necessity for enhanced efforts to close the digital divide, to achieve universal access to information and communication technologies and to protect critical information infrastructures by facilitating the transfer of information technology and capacity-building, in particular to developing countries so that all States may benefit fully from information and communication technologies for their socio-economic development.

    In 2004, the World Telecommunication Standardization Assembly (WTSA) adopted Resolution 50 on Cybersecurity, requesting the ITU-T to continue to raise awareness of the need to defend information and communication systems against the threat of cyberattack, and to continue to promote cooperation among appropriate entities in order to enhance exchange of technical information in the field of information and communication network security.

    In accordance with PP Resolution 130 and WTSA Resolution 50, it was proposed that ITU should take a lead role in promoting a global cybersecurity campaign. The vehicle of World Telecommunication Day can be used to build an awareness campaign in support of this objective. In implementing this campaign, ITU would work in close cooperation with organizations involved in global cybersecurity issues, including the European Network and Information Security Agency, the Organization for Economic Cooperation and Development as well as other national, regional and international interested entities.

    Tuesday, July 26, 2005 9:48:46 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, July 25, 2005

    The International Privacy Regime by Tim Wu

    "Privacy has joined one of many areas of law understandable only by reference to the results of overlapping and conflicting national agendas. What has emerged as the de facto international regime is complex. Yet based on a few simplifying principles, we can nonetheless do much to understand it and predict its operation. First, the idea that self-regulation by the internet community will be the driving force in privacy protection must be laid to rest. The experience of the last decade shows that nation-states, powerful nation-states in particular, drive the system of international privacy. The final mix of privacy protection that the world's citizens receive is disproportionately dictated by the choices and preferences of powerful nation-states and their respective effects on giant and small targets. Second, traditional conflicts analysis can help explain and predict the future course of privacy analysis. Privacy regulation can be understood as a species of information regulation to which companies and individuals will respond in predictable ways. The analysis here shows an international privacy system that has fractured into three distinct regulatory patterns. Mainstream privacy, or transactional privacy, has become dominated by the rule of the most restrictive state, a pattern familiar to other areas like the world's regulation of competition (antitrust). Conversely, the problem of information theft has been pushed by the international system toward a kind of a race to the bottom, or to the least restrictive rule. Most akin to international piracy (the kind on boats), it is a familiar problem to international law that will nonetheless take considerable political will to reverse. And finally, while there is a potential for the international system to influence how governments handle the privacy information of their own citizens, the direct collision of interests have limited the extent to which governments police one another."

    From SSRN via weblog of Ewan Sutherland.

    Monday, July 25, 2005 10:35:33 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, July 21, 2005

    Finnish citizens are to be offered the opportunity to use mobile telephones equipped with digital certificates to identify themselves when conducting business online.

    The first SIM cards equipped with the security certificate are now being offered by Elisa, Finland's second-largest mobile network operator, for official transactions with the Finnish Population Register Centre.

    If, for example, a citizen wants to register a move to a new home online, he opens the corresponding page on the Internet, fills out the form, and receives a message from the registration office on his mobile telephone requesting him to enter his mobile signature for the online request. The citizen enters a personal PIN to permit the generation of the digital signature. This is generated by the SIM card and returned to the registration office as a special encrypted message.

    Citizens who want to use the mobile signature can register at a local police station and sign up for the service. The 128KB, Java-based SIM cards have been supplied by Giesecke & Devrient and are currently available at selected Elisa outlets.

    By the end of 2005, the Finnish OKO Bank, the social insurance agency, the Tax Administration, as well as the Ministry of Labour want to offer the mobile citizen certificate as a new form of authentication for their services.

    The article above was published on the Finextra.com website.
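    The round trip described above, as an added example that is not Elisa's, Giesecke & Devrient's or the Population Register Centre's code: the office derives a challenge that binds the submitted form to a fresh nonce, the SIM releases an ECDSA signature over it only after the correct PIN is entered (and locks after repeated failures), and the office verifies against the enrolled public key. The P-256 curve, the PIN policy, the lockout limit and the challenge format are assumptions for the example; the encrypted transport of the returned message that the article mentions is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// simCard stands in for the certificate-bearing SIM: it holds the private
// key, which never leaves the card, and signs only after the holder's PIN is
// presented. Curve, PIN handling and lockout are assumptions, not the product.
type simCard struct {
	priv     *ecdsa.PrivateKey
	pinHash  [32]byte
	failures int
}

const maxPINFailures = 3

func newSIM(pin string) (*simCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &simCard{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Public is what the registration office holds in the citizen's certificate.
func (s *simCard) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign models the handset prompt: a wrong PIN yields no signature and, after
// maxPINFailures consecutive misses, the card locks.
func (s *simCard) Sign(pin string, digest []byte) ([]byte, error) {
	if s.failures >= maxPINFailures {
		return nil, errors.New("SIM locked")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], s.pinHash[:]) != 1 {
		s.failures++
		return nil, errors.New("wrong PIN")
	}
	s.failures = 0
	return ecdsa.SignASN1(rand.Reader, s.priv, digest)
}

// challengeDigest binds the signature to one request: the form contents plus
// a server nonce, so a captured signature cannot be replayed for another move.
func challengeDigest(formBody string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("register-move\n"))
	h.Write([]byte(formBody))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// serverVerify is the registration office's check against the enrolled key.
func serverVerify(pub *ecdsa.PublicKey, formBody string, nonce, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, challengeDigest(formBody, nonce), sig)
}

// runExchange performs the whole round trip and reports whether the office
// accepted the request. The form body is a constructed stand-in.
func runExchange(sim *simCard, pin, formBody string) (bool, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	digest := challengeDigest(formBody, nonce) // pushed to the handset
	sig, err := sim.Sign(pin, digest)          // citizen enters PIN on the phone
	if err != nil {
		return false, err
	}
	return serverVerify(sim.Public(), formBody, nonce, sig), nil
}

func main() {
	sim, err := newSIM("1234")
	if err != nil {
		panic(err)
	}
	ok, err := runExchange(sim, "1234", "new_address=Esplanadi 1, Helsinki")
	fmt.Println("accepted:", ok, "err:", err)
	_, err = runExchange(sim, "0000", "new_address=Esplanadi 1, Helsinki")
	fmt.Println("wrong PIN err:", err)
}
```

The point a practitioner should take from the shape of `challengeDigest` is that the signature covers the request the citizen actually saw plus a nonce chosen by the office; signing a bare nonce would authenticate the person but not what they agreed to.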

    Thursday, July 21, 2005 11:11:41 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, July 19, 2005

    A study titled "Open to Exploitation: American Shoppers Online and Offline" finds that "Internet users in the United States are dangerously ignorant about the type of data that Website owners collect from them and how that data is used, making them vulnerable to fraud and misuse of their personal information".

    For the full story click here.

    Article published in InfoWorld, accessed through fergie's blog.

    Tuesday, July 19, 2005 6:43:51 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, June 28, 2005

    Steve Linford of the Spamhaus Project is speaking at the ITU WSIS Thematic Meeting on Cybersecurity on the first day which is concentrating on countering spam. Some of his remarks:

    • Spamhaus blocks approximately 8 billion spam messages per day
    • They estimate there are 4 million infected zombie machines which have been compromised with 60-100,000 newly infected per week
    • These are used to launch Distributed Denial of Service (DDoS) attacks
    • This is increasingly a criminal activity with "spam supermarkets"
    • Mostly American and Russian spammers using Chinese hosting. These are technically smart users who firewall their sites from their hosting companies.
    • Spammers in Russia are more criminal than US counterparts. They are involved in
    • The largest Russian ISP, Rostelecom says they cannot terminate accounts as Russian law does not permit it.
    • Australian spam laws are best in the world, penalties are high enough to make a dent in spam
    • Consumer confidence in the Internet is dropping every day
    • Spam is a cancer and it is fast killing the Internet

    Some of Steve's conclusions include:

    • You must ban and not regulate spam
    • Governments must give resources to law enforcement agencies
    • Make it criminal for ISPs to host spammers
    • Require a 24 hour point of contact for all ISPs to terminate problems
    • Educate users to not reply to spam

    The meeting is also being audiocast live over the Internet. Mr. Linford's talk is the beginning of Session 2.

    Tuesday, June 28, 2005 9:06:59 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, June 02, 2005

    In an article from Reuters: A bill for mandatory logging of emails, phone calls and other electronic communications to combat terrorism and fraud will limit data storage to a year at most, the European Commission said on Wednesday.

    Viviane Reding, Commissioner for Information Society and Media, said a similar proposal put forward by four member states in 2004 wanted data to be stored for three to four years, which she said would impose a costly burden on phone and internet companies.

    [Via Fergie's Tech Blog and Reuters]

    Thursday, June 02, 2005 1:39:30 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    In the framework of its Technology Watch activities, ITU-T has recently published a technical paper on radio frequency identification (RFID) and opportunities for its use in mobile telecommunication services. RFID enables data to be transmitted by a tiny portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. It is only recently that the technology has begun to take off in the mass market. Analysts predict that RFID will revolutionize areas of industry, such as supply chain management and the retail business, for example by reducing costs with better stock management. The technical paper presents several ideas for applications of RFID technology in mobile telecommunication services as well as possible areas for standardization efforts. Apart from purely technical concepts, the challenging aspects of security and privacy are discussed. A PowerPoint presentation of the paper is also available.

    ITU-T recently set up a correspondence group on RFID in the framework of its Technology Watch and a dedicated e-mail reflector on the matter for initiating studies on the technology. Additionally, ITU-T is to hold a workshop on RFID standardization issues in the first quarter of 2006. [via ITU-T Newslog]

    Thursday, June 02, 2005 12:15:07 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, May 27, 2005

    The OECD has just published an excellent paper by Suresh Ramasubramanian on Spam Issues in Developing Countries (PDF), which is linked to from the OECD antispam toolkit.

    Friday, May 27, 2005 2:35:09 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    Via iwar: GAO: Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, May 26, 2005

    While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures.

    Complete Report...

    Friday, May 27, 2005 8:50:47 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, May 25, 2005

    From the FTC's Operation Spam Zombies page:

    Spammers use home computers to send bulk emails by the millions. They take advantage of security weaknesses to install hidden software that turns consumer computers into mail or proxy servers. They route bulk email through these "spam zombies," obscuring its true origin.

    As part of a worldwide effort to prevent these abuses, the FTC announces "Operation Spam Zombies." In partnership with 20 members of the London Action Plan and 16 additional government agencies from around the world, the Commission is sending letters to more than 3000 Internet service providers (ISPs) internationally, encouraging them to take the following zombie-prevention measures:

    • block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
    • apply rate-limiting controls for email relays.
    • identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
    • give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
    • provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.
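    The third measure in the list, identifying computers that send atypical amounts of email, is the one an ISP has to turn into detection logic; the following is an added example and not part of the FTC letter. It reads simplified flow records (a constructed "source destination port" format; real NetFlow or sFlow exports carry more fields) and flags customer hosts that talk directly to port 25 on many distinct destinations, which is the fan-out pattern of a zombie delivering straight to MX hosts, while exempting the ISP's own mail servers. The addresses, the threshold and the record format are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed flow records, one per line: "src dst dport".
const sampleFlows = `192.0.2.10 198.51.100.5 25
192.0.2.10 198.51.100.6 25
192.0.2.10 198.51.100.7 25
192.0.2.10 198.51.100.8 25
192.0.2.10 198.51.100.9 25
192.0.2.10 198.51.100.10 25
192.0.2.44 203.0.113.2 587
192.0.2.44 203.0.113.2 587
192.0.2.44 203.0.113.3 443
192.0.2.99 198.51.100.5 25
192.0.2.99 198.51.100.5 25
10.0.0.5 198.51.100.5 25
10.0.0.5 198.51.100.6 25
10.0.0.5 198.51.100.7 25
10.0.0.5 198.51.100.8 25
10.0.0.5 198.51.100.9 25
10.0.0.5 198.51.100.10 25
10.0.0.5 198.51.100.11 25
`

// Policy is the per-ISP tuning: which hosts are legitimate MTAs (expected to
// reach port 25 across the Internet) and how many distinct port-25 peers a
// customer host may contact before it is treated as a suspected zombie.
type Policy struct {
	KnownMailServers map[string]bool
	MaxDistinctPeers int
}

// Finding is one host to quarantine or investigate, with the evidence.
type Finding struct {
	Src           string
	DistinctPeers int
	Flows         int
}

// FindSuspectedZombies measures "atypical amount of email" as distinct
// port-25 destinations per source. A real client sends everything through
// one or two submission servers (normally on 587); a zombie fans out.
func FindSuspectedZombies(flows string, p Policy) []Finding {
	peers := map[string]map[string]bool{}
	count := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(flows))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[2] != "25" {
			continue // only outbound SMTP to port 25 is of interest here
		}
		src, dst := f[0], f[1]
		if peers[src] == nil {
			peers[src] = map[string]bool{}
		}
		peers[src][dst] = true
		count[src]++
	}
	var out []Finding
	for src, set := range peers {
		if p.KnownMailServers[src] {
			continue // an authorized MTA is expected to fan out
		}
		if len(set) > p.MaxDistinctPeers {
			out = append(out, Finding{Src: src, DistinctPeers: len(set), Flows: count[src]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	p := Policy{KnownMailServers: map[string]bool{"10.0.0.5": true}, MaxDistinctPeers: 3}
	for _, f := range FindSuspectedZombies(sampleFlows, p) {
		fmt.Printf("quarantine candidate %s: %d distinct port-25 peers over %d flows\n",
			f.Src, f.DistinctPeers, f.Flows)
	}
}
```

Counting distinct peers rather than raw flows is deliberate: a user who resends one large message to the same server produces many flows to one peer, whereas a zombie touches many MX hosts, and the allowlist is what keeps the ISP's own outbound relays (the hosts the first measure leaves port 25 open for) out of the quarantine queue.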

    In a later phase, the Operation plans to notify Internet providers worldwide that apparent spam zombies were identified on their systems, and urge them to implement measures to prevent that problem.

    Business Guidance

    Letter text translations (provided by participating agencies):

    Wednesday, May 25, 2005 8:32:41 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, May 23, 2005

    CNN/Money is reporting that US Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may be the biggest security breach to hit the banking industry.

    Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo, whom police said was doing business by illegally posing as a collection agency.

    [via Slashdot]

    Monday, May 23, 2005 9:13:54 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    Gregg Keizer writes on TechWeb: Spammers and phishers are using new kinds of attacks to build wide-ranging profiles of online users -- everything from their political views to their sexual preference -- a security firm said Monday.

    [via Fergie's Tech Blog]

    Monday, May 23, 2005 9:13:42 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, May 19, 2005

    From Slashdot: Canada's National Task Force on Spam released its final report today. Despite prior spam actions on privacy grounds in Canada, the task force is calling for a tough new anti-spam law including penalties for failure to obtain appropriate opt-in consents before sending commercial email as well as private right of action to encourage Canadian lawsuits against spammers. Professor Michael Geist, who headed up the legal aspects of the task force, provides a good summary of the recommendations.

    Thursday, May 19, 2005 7:57:03 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, May 17, 2005
     Friday, April 29, 2005

    Business Inaction Could Lead to Cybersecurity Law

    U.S. businesses for years have urged the government to let them set computer-security standards of their own, but their inability to do so could now prompt Congress to step in, experts say.

    Those who worry that regulation may stifle innovation say the business community may have already missed an opportunity to prove the government's help is not needed. "The market is in a much better position to respond to this challenge ... but corporate America has not provided evidence across the board that they've taken this issue seriously enough to protect consumers," said Bob Dix, a lobbyist for Citadel Security Software Inc., who until last year handled cybersecurity for a congressional subcommittee. The private sector is under scrutiny after a string of incidents at data brokers, retailers and other businesses exposed at least half a million U.S. citizens to identity theft.

    The business community for years has argued that any government regulations would quickly become outdated in a rapidly changing field, and a 2003 Bush administration plan called on the private sector to set its own standards.

    Working with the Homeland Security Department, an industry-led task force issued a set of guidelines in April 2004 that called for company chief executives to take direct responsibility for their computer systems. One year later, only two companies have adopted the guidelines: Entrust Inc. and RSA Security Inc., whose chief executives co-chaired the task force.

    Corporate lawyers warned that any public security promises could open the door for lawsuits in the wake of a security breach, said Entrust CEO Bill Connor.

    From Reuters [via my weblog]

    Friday, April 29, 2005 10:50:28 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, February 13, 2003
    Thursday, February 13, 2003 12:47:05 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, January 16, 2003

    In July 2002, the OECD updated its Guidelines for the Security of Information Systems and Networks. Last week they made available a related suggested Implementation Plan (PDF), which most significantly makes specific suggestions on the exact role of government in fostering and promoting security.

    Thursday, January 16, 2003 6:54:59 PM (W. Europe Standard Time, UTC+01:00)  #     |