International Telecommunication Union   ITU
 
 
Site Map Contact us Print Version
 Thursday, July 19, 2007

The Internet Society of New Zealand (InternetNZ) released the ISP Spam Code of Practice in May 2007 for public consultation, and it had been open to comments until 18 June 2007. The Code was developed by the InternetNZ / Telecommunication Carriers' Forum (TCF) / The Marketing Association (MA) Working Party which has representation from a cross section of service providers and other interested parties.

The ISP Spam Code of Practice was created in keeping with the requirements of the Unsolicited Electronic Messages Act 2007 of the New Zealand government. It had also been developed with regard to the MA’s Code of Practice for Direct Marketing and the TCF’s SMS Anti-Spam Code, which both deal with Spam related issues, as well as to the TCF’s Customer Complaints Code.

Both consumers and service providers are expected to benefit from the adoption of this Code. The Code aims to establish practices that will lead to the minimization of Spam in New Zealand. It also aims to provide information to end users about both preventative and curative steps against Spam. Anticipated benefits to the service providers include the generation of higher levels of customer satisfaction and improved operational efficiency due to the reduced volumes of spam.

Public submissions on the Code can be found here.

Visit the Internet Society of New Zealand website for further details.

Thursday, July 19, 2007 10:43:58 AM (W. Europe Standard Time, UTC+01:00)  #     | 

With the rise of innovative use of information and communication technologies (ICTs), the United Nations Conference on Trade and Development (UNCTAD) cites the "challenges and threats" that go with ICT development and gives emphasis on the importance of information security and risk management in chapter 5 of its Information Economy Report (IER) 2005.

The chapter elaborately presents an appreciation of the following policy points:

  • Information Security (IS) needs to be conducted from a Risk Management process perspective; managing IS from a technological, problem-response, reactive perspective is sub-optimal for firms and public institutions.
  • Information Security threats mainly come in the form of "social engineering", thus purely technology based defenses are misguided - i.e. they are the Maginot Line of cybersecurity.
  • Information Security threats regularly and easily transcend national boundaries, and thus the need for international cooperation and coordination, both at a technical and a policy level, is unambiguous.
  • Information Security policy should be a component of the national e-policy and should be appropriately incentivized to adopt a Risk Management framework through regulation.

An overview of international policy discussions on information security concludes this chapter together with a discussion of policy recommendations for Governments and some insights to future developments and relevance for intergovernmental processes and the international community.

Read the full chapter of the IER 2005 here.

Thursday, July 19, 2007 9:32:03 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, July 18, 2007

CRITIS'07 together with IFIP WG 11.10 on Critical Infrastructures Protection, IEEE Computer Society Task Force on Information Assurance, and Joint Research Center Ispra of the European Commission will be holding the 2nd International Workshop on Critical Information Infrastructures Security on October 3-5, 2007 at Benalmadena-Costa (Malaga), Spain. This event aims to bring together researchers and professionals from universities, private companies and Public Administrations interested or involved in all security-related heterogeneous aspects of Critical Information Infrastructures.

Speakers that will grace the event include Jacques Bus of the European Commission, INFSO Unit "Security", Adrian Gheorghe of Old Dominion University, US, and Paulo Veríssimo of Universidade de Lisboa, Portugal. A panel discussion on Resilient Critical Information Infrastructures: a myth or a realistic target? will be held as well.

Visit the CRITIS'07 site for more information.

Wednesday, July 18, 2007 3:21:34 PM (W. Europe Standard Time, UTC+01:00)  #     | 

The new manual on Prosecuting Computer Crimes has been relesed by the Computer Crime & Intellectual Property Section of the United States Department of Justice in March 2007. This 53-page document discusses different cyber crimes and the corresponding penalties that are seen befit for the offenses. Definitions, background information as well as related statutes can also be found in the manual. Offenses discussed include obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer. A legislative history on this subject has also been made available.

Wednesday, July 18, 2007 10:27:19 AM (W. Europe Standard Time, UTC+01:00)  #     | 

"When you've got a full-blown security breach on your hands, what do you do? If you've been smart, you'll already have a computer security incident response team -- and a plan -- in place. But many companies are too resource-strapped to have a full-blown, fully-tested incident response strategy." DarkReading proposes six steps on what to do when your security is breached.

1. Assemble an incident response team.

Experts believe that a computer security incident response team (CSIRT) must already be set up even before an event occurs. If a team is not yet in place, the company must create one quickly, and make sure all the stakeholders are there.

2. Assess the initial damage and the risk for more.

"According to BackGrounD Software, a Canadian forensics firm that does security breach damage assessment, the costs of a breach should include not only the technical costs associated with finding and fixing the breach, but also loss of productivity and loss of business. You'll need a plan that not only outlines your strategy for recovering your systems, but that includes steps for recovering customers."

3. Develop a notification plan.

An important decision to be made is who to notify when. Law enforcement, for instance, are contacted first when there is a potential crime involved. Other parties to be notified are customers that might have been affected by the incident and consultants, such as security experts or a computer forensics firm, who must be called in as early as possible.

4. Begin remediating the problem.

It is very important to fully understand the problem and its potential impact before any remediation is done. Otherwise, evidences might be damaged or the problem might aggravate. BackGrounD Software suggests, "disconnect your server(s) from the network, and if there is a potentially malicious code running, disconnect media devices as quickly as possible (i.e. disks, SAN, NAS). You never know how far the intruder has managed to get, so the faster you disconnect the equipment, the more of a chance you have to save your data." The next steps in remediating the problem then depend on the resources and skills available within the team or the company.

5. Document everything.

Experts also stress the importance of documentation as it is often overlooked. Documentation aids in recovering the affected system and in strategizing against future incidents.

6. Develop a strategy for stopping the next attack.

As DarkReading puts it, "if one attacker finds a vulnerability, there's a good chance that he may have accomplices -- or that another attacker might find the same vulnerability." Thus, it is necessary to develop a strategy to block possible holes still existing in the system.

To read the full article, access it here.

Wednesday, July 18, 2007 9:13:22 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, July 17, 2007

Gangs of hackers, who are presumed to be based in Eastern Europe, initiated various website assaults now known as "The Italian job." More than 10,000 web pages of popular web sites have been penetrated and infected by this attack, and it is believed to have started in the middle of last month. Most of the infected sites are Italian websites, but the expanse of the attacks has reached Spain and the US as well.

A "tool kit" worth $815 which is sold online in Russia was used by the hackers to embed "keylogger" codes on the computers of those who visited the sites. These codes enable the hackers to access the infected machines and track valuable user information such as bank details and passwords. The gravity of this attack has been evidently tremendous as it was aimed at established websites to steal banking identities.

David Perry, director of Trend Micro, says: "This is a paradigm shift. We can expect to see this kind of thing being replicated now for the next five or six months." He explained that the Italian job has become very effective because the bug has been particularly programmed to adapt to various types of weaknesses in computer security systems. "It looks for a wide spectrum of vulnerabilities in a computer, acting like a sort of Swiss Army knife with many different ways to pierce through the protection."

Access the full article at theage.com.au.

Tuesday, July 17, 2007 3:55:02 PM (W. Europe Standard Time, UTC+01:00)  #     | 

Symantec recently reported that it has detected phishing sites hosted on government servers. In the last month, it has found phony sites hosted on government servers in Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri Lanka, Ukraine, China, Brazil, Bosnia-Herzegovina, Columbia and Malaysia. This new disturbing trend compromises the credibilty of government-hosted sites and jeopardizes the security within government online transactions.

Basically, these phishing sites managed by data thieves are used to mimic authentic business or government sites in order to gather valuable information from users such as credit card details or account passwords. These information are in demand in the underground market, and these could easily result to identity theft or account fraud.

Government servers that are involved in low-risk jobs are often the target of this sort of scams. However, despite these servers being relatively low-risk, this still poses a problem. "Under the Federal Information Security Management Act, information technology security in the federal government is based on a philosophy of risk management. It does not aim for absolute security — which is impossible anyway — but for the proper level of security. Administrators do a risk-based assessment of their IT systems, prioritizing them by their vulnerabilities, their role in the agency’s mission and the criticality of that mission." Nonetheless, the impact and dangers of these phishing sites that are faced by the citizens should very well be considered in the process of risk-assessment as well.

Read the full article here.

Tuesday, July 17, 2007 2:46:50 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, July 16, 2007

The Computer Science and Telecommunications Board (CSTB) released on 26th June 2007 Toward a Safer and More Secure Cyberspace, "a broad research agenda that includes traditional, problem-specific studies as well as unconventional ideas necessary to combat current and future cybersecurity threats. The report examines the vulnerabilities of the Internet and offers a strategy for future research aimed at countering cyber attacks. The report also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated."

To purchase or skim through the publication online, go to the National Academies Press.

Monday, July 16, 2007 1:03:49 PM (W. Europe Standard Time, UTC+01:00)  #     | 

OECD recently released their Communications Outlook Report, a discussion and an analysis of market structures and recent policy developments. Among the topics discussed was the chapter on main trends in pricing in telecommunication services. It has been noted that with the dramatic increase in Broadband speeds, subscription costs have either remained constant or have been reduced. Based on monthly subscriptions, Sweden has the cheapest broadband plan with $10.47 a month, and US ranks fourth with $15.93 a month. With regard to the newest broadband technology: Fiber, Japan NTT residential connection (100 Mbps down/up) costs $49 a month, and in the US, Verizon FiOS (30 megabits down/5 megabits up) costs $191.20.

More on the OECD Communications Outlook Report here.

Related article may also be accessed at GigaOM.

Monday, July 16, 2007 8:56:01 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, July 11, 2007

The Ugandan Government is finalising new cyber laws aimed at protecting computer users from cyber crime, including personal intrusion, national security, fraud and con activities.

"Liberalised information can lead to unwanted uses and usage leading to cyber crime. It is necessary to have legal infrastructure within which the technologies can be used. There are three bills which have been drafted, the Electronics Transactions Bill, Digital Signatures Bill and the Computer Misuse Bill," the information and communications technology minister, Ham Mulira, explained.

Read the full article at allAfrica.com.

For more information on ICT policy developments in Africa, please see the Balancing Act website.

Wednesday, July 11, 2007 9:56:40 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, June 26, 2007

An ITU commissioned study on a Generic National Framework for Critical Information Infrastructure Protection is now available.

The objective was to outline a possible simple framework that could be of potential interest to developing countries who wished to establish a national Critical Information Infrastructure Protection (CIIP) programme. The framework is modeled after the Swiss Reporting and Analysis Center for Information Assurance (MELANI). The author, Manuel Suter, is from the Crisis and Risk Network (CRN), Center for Security Studies (CSS), ETH Zurich, Switzerland, who produce the International CIIP Handbook: An Inventory and Analysis of National Protection Policies.

The Center for Security Studies previously produced a study for ITU entitled A Comparative Analysis of Cybersecurity Initiatives Worldwide.

This paper has been submitted to ITU-D Study Group Question 22/1: Securing information and communication networks: best practices for developing a culture of cybersecurity for their consideration.

The views expressed in the study are those of the author and do not necessarily reflect the opinions of the ITU or of its membership.

Tuesday, June 26, 2007 8:14:42 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, June 21, 2007

A new paper: Terrorism in Cyberspace - Myth or reality? has been posted by cybercrime expert Judge Stein Schjolberg on his website cybercrimelaw.net.

Thursday, June 21, 2007 10:17:39 PM (W. Europe Standard Time, UTC+01:00)  #     | 

28-31 Aug 2007 The ITU, in collaboration with the Viet Nam Ministry of Posts and Telematics and with support from the government of Australia, will be hosting a workshop 28-31 August 2007 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection in Hanoi, Viet Nam.

The description of the event, draft agenda, invitation letter, and practical information for meeting participants is available on the event website. Further information is available from cybmail@itu.int.

Thursday, June 21, 2007 8:33:04 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, June 07, 2007

ITU has developed an online tool to keep track of crucial ICT security standards work through a single access point. The guide called the ICT Security Standards Roadmap brings together information about existing standards and work in progress by the world's key standards developers. It is a collaborative effort between ITU, the European Network and Security Information Agency (ENISA) and the Network and Information Security Steering Group (NISSG).

Thursday, June 07, 2007 9:45:14 AM (W. Europe Standard Time, UTC+01:00)  #     | 

The ICT Applications and Cybersecurity Division Internet Multilingualization website is now available.

Thursday, June 07, 2007 6:06:00 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, May 30, 2007

An electronic version of the 2007 Cybersecurity Guide for Developing Countries is available in English. Non-finalized versions are also available in Arabic, Chinese, French, Russian and Spanish. NB: A printed copy of this publication is available on request.

The 2006 version of the guide is available in English and French.

Wednesday, May 30, 2007 9:45:28 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, May 28, 2007
A North American corporation focused on acquiring versatile and profitable companies in the IT sector "...has received an order for a turnkey DICOM archive solution [...] to be deployed within Saskatchewan's Provincial health care region. The order is significant and unprecedented as it represents the first of its kind in Canada. The [...] Image Manager is a secure, open-system software solution for transporting, storing, tracking and retrieval of digital images across an entire DICOM network.

To view the full article by On The Go Technologies Group as published by GRIDtoday on 28 May 2007, click here.

Monday, May 28, 2007 4:48:16 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, May 21, 2007

The ITU will be hosting a workshop on 17th Sepember 2007 entitled ITU Workshop on Frameworks for National Action: Cybersecurity and Critical Information Infrastructure Protection:

At the start of the 21st century, modern societies have a growing dependency on information and communication technologies (ICTs) which are globally interconnected. However, with these growing dependencies, new threats to network and information security have emerged. There is a growing misuse of electronic networks for criminal purposes or for objectives that can adversely affect the integrity of critical infrastructures within States. To address these threats and to protect these infrastructures, a coordinated national framework is required - combined with regional and international cooperation. This workshop will review several related ITU initiatives and present two case studies by expert speakers from the United States of America and the European Union on their respective approaches. Attendance at the workshop is open to all interested participants within available space. Further information is available from cybmail@itu.int.

Monday, May 21, 2007 12:02:12 PM (W. Europe Standard Time, UTC+01:00)  #     | 

This is the newly unveiled newslog for the ITU's Bureau for Telecommunication Development ICT Applications and Cybersecurity Division. More will be posted here soon.

CYB
Monday, May 21, 2007 11:22:47 AM (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, May 04, 2007

Although the European Commission decided against imposing new legislative restrcitions on radio frequency identification (RFID) tags for now (opting for "soft legislation" instead) , a top official warned on Monday that regulations are likely if future uses of the technology don't protect fundamental privacy rights, reports ZDNet. Gerald Santucci, head of the European Commission unit whose domain includes RFID issues, said he feared that rushing to place restrictions on industries hoping to use the technology would choke its potentially valuable application in health care, business, transportation and other realms. But if regulators deem that widespread RFID use is insufficiently safe, secure and privacy-preserving, then "Mrs. Reding [European Commissioner for Information Society and Media] will have no other option but to trigger legislation," Santucci told participants at a luncheon discussion in Washington DC. By the end of 2008, the commission plans to reevaluate whether legislation is necessary. It's unclear how restrictive any potential rules would be.

Read the full story here (ZDNet). More on the European Commission Policy on RFID can be found here.

RFID, along with sensors and nanotechnology, was one of the key techological developments explored in the 2005 ITU Internet Report on The Internet of Things. An ITU New Initiatives Workshop on Ubiquitous Networks Societies was also held in the same here. Network aspects of identification systems are being studied in the context of standardization by the ITU's JCA-NID.

Friday, May 04, 2007 4:11:04 PM (W. Europe Standard Time, UTC+01:00)  #     | 

A United States House of Representatives subcommittee approved a bill on spyware this week, which recommends up to five years in prison for convicted distributors of malicious spyware.

Past versions of the Internet Spyware Prevention Act have failed to pass a vote in the United States Senate. Observers have pointed out, however, that the increasing militancy among users fed up with unwanted software intrusion may make this latest attempt more successful. And there is a lot at stake. Creating trust in the internet will ensure its future development. More on this story is available here.

The ITU is taking a leading role in cybersecurity initiatives, particularly in light of calls for global action made at the World Summit on the Information Society. More information on ITU's work in this area is available here.

Friday, May 04, 2007 3:01:37 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, May 01, 2007

According to a recent Press Realease by The Infocomm Development Authority of Singapore (IDA), Singapore is already looking into a new five-year infocomm security roadmap (2008-2012) as it embarks on the final year of the current three-year Infocomm Security Masterplan (2005-2008). The Infocomm Security Masterplan was launched on 22 February 2005 as a strategic roadmap to chart Singapore's national efforts in developing capabilities to prevent cyber-security incidents and protect the critical infrastructure from cyber-threats. According to Dr. Vivian Balakrishnan, Second Minister for Information, Communications and the Arts, Singapore "cannot afford to be complacent, especially with new and dangerous threats evolving and growing at such an alarming rate. Instead of simply taking one step forward, we need to be many steps ahead in our efforts to combat cyber threats."

Providing a glimpse of the new five-year Masterplan to be launched in 2008, Dr. Balakrishnan shared that the new infocomm security roadmap will build on Singapore's existing efforts to focus on more international collaborations to improve Singapore's ability to combat cyber threats. The collaborations will look into knowledge exchanges and regular communication between governments on cyber threat trends and protection of critical infrastructure. When launched in 2008, the new security roadmap will also secure Singapore's ultra high-speed and pervasive Next Generation National Infocomm Infrastructure (NGNII) to provide a secure and trusted environment for the creation of new value-added services such as location-based marketing, goods tracking and localised information services and the pervasive adoption of online services such as those in the area of banking, healthcare and education.

Under the current Masterplan, the government has developed various security initiatives to equip public officers with more timely information and knowledge to assess and improve on their cyber defence. This allows them to better protect, detect and respond to cyber threats. An example is the Cyber-WatchCentre which monitors cyber threats real-time and round-the-clock. By mid 2008, the centre will ensure end-to-end security for all public officers, allowing government agencies to better anticipate cyber attacks and respond to them speedily.

For more information on these inititiatives, view the IDA Press Release.

Tuesday, May 01, 2007 3:19:40 PM (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, March 08, 2007

The first steps towards a globally harmonized approach to identity management (IdM) have been taken during a meeting of the ITU Focus Group on Identity Management (FG IdM) bringing together, for the first time, the world’s key players in the IdM space.

IdM promises to reduce the need for multiple user names and passwords for each service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for a simplified and secure interaction between customers and services such as e-commerce. Experts at the meeting concurred that interoperability between existing IdM solutions will provide significant benefits such as increased trust by users of on-line services as well as cybersecurity, reduction of spam and seamless "nomadic” roaming between services worldwide. Abbie Barbir, chairman of the Focus Group on Identity Management: "Our main focus is on how to achieve the common goals of the telecommunication and IdM communities. Nobody can go it alone in this space, an IdM system must have global acceptance. There was a very positive feeling at the meeting that we can achieve this and crucially we saw a great level of participation from all key players."

The meeting of the FG IdM brought together developers, software vendors, standards forums, manufacturers, telcos, solutions providers and academia from around the world to share their knowledge and coordinate their IdM efforts. Interoperability among solutions so far has been minimal. One conclusion of attendees is that cooperation is crucial and that players cannot exist in isolation.

The spirit of the meeting was that everyone will gain by providing an open mechanism that will allow different IdM solutions to communicate even as each IdM solution continues to evolve. Such a "trust metric" does not exist today experts say. Work will continue online and during Focus Group meetings in April, May, and July 2007. An analysis of what IdM is used for will be followed by a gap analysis between existing IdM frameworks now being developed by industry fora and consortiums. These gaps should be addressed before the interworking and interoperability between the various solutions can be achieved. The aim is to provide the basis for a framework which can then be conveyed to the relevant standard bodies including ITU-T Study Groups. The document will include details on the requirements for the additional functionality needed within next generation networks. ITU has a long history of innovation in this field, with key work on trusted, interoperable identity framework standards including Recommendation X.509 that today serves as the primary "public key" technical mechanism for communications security across all telecom and internet infrastructures.

See more information on the Focus Group on Identity Management (FG IdM) website.

Thursday, March 08, 2007 10:42:50 AM (W. Europe Standard Time, UTC+01:00)  #     |