Nation not secure

By Dan Goodin

Posted in Security, 17th September 2008 23:26 GMT

More evidence that the intertubes are fundamentally broken has been served up by Wired.com in an article laying out a technique to surreptitiously hijack huge chunks of the internet and monitor or even modify unencrypted traffic before it reaches its intended destination.

The exploit of the routing protocol known as BGP, short for Border Gateway Protocol, is akin to the poor man's traffic intercept employed by intelligence agencies throughout the world. Like the recently discovered domain name system cache poisoning bug, the exploit is notable because it highlights weaknesses in some of the net's core underpinnings.

Read Full Story

Anyone who has a blog has probably seen blog spam; comments to the blog that simply try to entice people to go to some other site. Most of the time the site being advertised is simply trying to boost its search engine rankings to generate more ad revenue.

The more links there are to a site, the more popular the search engines figure it is, and the higher up in the search results it ends up. Blog spam, therefore, is frequently thought to be a good way to boost the search engine rankings. In some cases this turns malicious. Some sites engage in wholesale intellectual property theft to boost their rankings.

A few of weeks ago, however, I started noticing something far more insidious. I moderate all comments to my blog. This is something I started years ago to keep the blog somewhat family friendly, and to avoid propagating malicious content. Recently I also completely disabled trackbacks to avoid boosting the search engine rankings for sites that steal my work. This means I see every comment that comes into my blog. The other day I noticed one that contained nothing more than a link to a fake Google site: google-images.google-us.info/index.html.

Read Full Story

The websites of two of the net's most critical oversight organizations were hijacked by Turkish hackers who sent visitors to rogue pages that challenged the overseers' authority.

Some of the official domains for the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA) were temporarily under the control of a group that calls itself NetDevilz, according to zone-h, which tracks hijackings of individual websites. Specific domains that were hijacked included "icann.com," "icann.net," "iana.com" and "iana-servers.com."

People who tried to visit the sites were greeted with a message that read: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

This may have come as something of a shock to the principals of IANA and ICANN, which have authority over some of the most the net's most critical functions. IP address allocation, management of the domain name system's root zone servers and oversight over the way domain names are registered and maintained are just a few of them.

Read Full Story Here

A new type of identity fraud, which sees hackers tapping into voice-over IP telephony accounts, has been highlighted by a VoIP equipment maker.

Usernames and passwords from voice-over IP (VoIP) phone accounts are selling online for more than stolen credit cards, Newport Networks has found.

The information allows someone to use the telephone service for free.

Net telephony fraud is still in its infancy, with eavesdropping on calls being the most common security flaw.

Capturing accounts

But the move into stealing usernames and passwords which are routinely sent across the network when a call is made, is a worrying new trend thinks Dave Gladwin, vice president of products at Newport Networks.

"It is still at an embryonic stage but as voice adoption increases it becomes more of a problem and needs addressing," said Mr Gladwin.

The details are not sent as plain text but are encoded in such a way as to be "easily captured and unobscured", said Mr Gladwin.

Credit card details have been traded fairly openly online for some time and can be bought for around $12 (£6) each. VoIP account details fetch a slightly higher price, at $17 (£9), according to Mr Gladwin.

Read Full Story

At the Global IPv6 Summit in Beijing this week, executives from the Internet industry have come together to share bleak predictions about the future of the Internet. According to Tony Hain from router vendor Cisco, within three years, we'll be flat out of the addresses used in the current version 4 of the Internet Protocol. After that, "changes will come suddenly."

Read Full Story...

The Cooperative Association for Internet Data Analysis (CAIDA) and the American Registry for Internet Numbers (ARIN) presented the results [PDF] of a recent IPv6 survey at the ARIN XXI Public Policy Meeting in Denver on April 7th. The survey involved over 200 respondents from a blend of Government, commercial organizations (including ISPs and end users), educational institutions, associations, and other profit and non-profit entities. The purpose of the survey, conducted between March 10th and 24th, was to capture IPv6 penetration data in the ARIN region.

Read Full Story...

U.S. federal government officials are confident they will meet a June 30 deadline to support IPv6 on their backbone networks, but they see challenges ahead in transitioning their production networks to this long-anticipated upgrade to the Internet’s main communications protocol.

Read Full Story...

Does this mean the Net cannot further develop?

Is it really happening? Are we really going to run out of IP addresses? The answer is yes, but the outlook isn’t as bleak as it appears.

Read the full story and watch the video...

Foreign firms and the feds are seeing better performance and security -- plus a range of mobile and collaboration apps beginning to emerge.

There are just 100 days left for federal agencies to change over from IPv4 — the version 4 of the Internet Protocol that everyone uses — to the IPv6 version. In the fast-approaching future where everything from PCs to cars, from alarms to toasters, from phones to cereal packages has an IP address and is connected to the Web, IPv6 promises to make many more IP addresses available — enough addresses for every conceivable use. Oh, and IPv6 will make Internet communications more secure through better identity verification

Read Full Story... 

AT&T Inc. has announced that, according to the results of a survey from the Economist Intelligence Unit (EIU) conducted for AT&T, global Internet Protocol (IP) networks are integral to promoting successful collaborative relationships and are a key to doing business globally.

Read Full Story...

Cisco and the Bulgarian State Agency for Information Technologies and Communications (DAITS) announced the opening of what they claim is Southeast Europe's first lab for training and research related to Internet Protocol version 6 (IPv6). Cisco is donating lab’s networking and communication equipment.

Read Full Story...

PHILADELPHIA - (Business Wire) The 71^st Internet Engineering Task Force (IETF) meeting is now underway in Philadelphia, in what some are describing as a weeklong “IPv6 experience.”

The IETF is the premiere Internet standards development body, responsible for creating the technologies at the heart of the Internet's infrastructure, including the standards for email, chat, Internet telephony, and of course the Internet address protocols IPv4 and IPv6

Read Full Story...

Video recordings of Google’s IPv6 conference held on January 29, 2008 have been posted on YouTube. The conference was part of Google Tech Talks and includes a panel discussion called “What will the IPv6 Internet look like?”

Read Full Story and watch videos...

Indeed 2007 was a big year for IPv6. The five regional Internet registries (RIR) -- tasked by the Internet Assigned Numbers Authority to govern IP address allocations -- made a total of 379 IPv6 allocations last year. That is about 70% growth from 2006 and close to the 2002 peak, a dramatic jump from what was a 5-year pattern of decline. Clearly there is interest and movement towards IPv6.

Read Full Story...

There are many uncertainties surrounding the depletion of the IPv4 address space and the move to IPv6. Currently, five Regional Internet Registries give out address space to anyone who can show a reasonable need for it and pays some administration costs. If nothing changes, that practice will end around 2012 when we run out of unused IPv4 addresses. One possible solution is creating an IP address space market, allowing people who need IPv4 addresses can buy them from those who have a surplus, so that IPv4 address space remains available for a few more years.

Read Full Story...

Internet policymakers are considering sweeping changes to the way they distribute IP addresses that could allow network operators to make money by transferring unused blocks of IPv4 address space to others in need. One result could be lessened incentive to move to IPv6 any time soon

Read Full Story...

Network managers aren’t worried enough to migrate to IPv6, survey finds

Only 16% of IT professionals consider IPv4 address depletion a huge concern that has or will soon force us to migrate to IPv6,’’ according to a BT INS survey of 310 IT professionals that was conducted in December 2007. 

Read Full Story...

The first big steps on the road to overhauling the net's core addressing system have been taken.

On Monday the master address books for the net are being updated to include records prepared in a new format known as IP version 6.

Read full story...

President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems.

The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored.

Read full story

Web 2.0 technologies form the basis of the next generation of web-based applications. They allow web applications to be developed that are more functionally rich and responsive than the typically static pages of traditional web technologies. They also enable content to be generated and shared in real time, with end-users commonly able to add content to applications themselves.

This means that Web 2.0 technologies promote open communications and give users the freedom to share ideas and opinions. Companies are using Web 2.0 technologies to communicate with customers, business partners and potential employees, allowing them to achieve the goal of true real-time collaboration among these parties.

This can increase productivity and provides companies with a way to more easily promote their products. In particular, the creation of online communities and blogs or wikis to initiate conversations and share knowledge is proving to be particularly interesting to companies. But new technologies often bring new security challenges—and Web 2.0 technologies are no exception.

On the one hand, the underlying technologies used actually raise the risk of web-based attacks whilst, on the other, the way that users interact with Web 2.0 applications increases the risk that sensitive information will be misappropriated. This means that the security challenges of Web 2.0 applications are both technical and commercial in nature.

Read full story

Free has announced that it is one of the first operators in the world to deploy IPv6. The standard is compatible with versions 4 and 5 of the Freebox. This new generation of IP protocol, set to spread in all devices in the coming years, optimises services development provided to customers. IPv6 is supported without requiring specific updates in the last version of the Windows Vista, Mac OS X and Linux operating systems

Read Full Story...

At the height of cold war tensions, someone seems to have asked the mathematician and philosopher Sir Bertrand Russell who championed global peace and denuclearisation, about the possibility of a third world war taking place.

Russell replied characteristically- “I am not so sure about the third world war but I can assure you that the fourth one would be fought with stones and arrows.” Russell could not live to see the computer revolution otherwise he would have said that the third world war would be fought in cyberspace.

The threat of a global cyberwarfare is looming large. Today among 120 countries working on cyberwarfare, China, aiming to become a superpower, has emerged as a leader. India is nowhere in picture and even the website of National Defense Academy was hacked by amateurs.

More information can be found here.

The House of Lords Science and Technology Committee have highlighted the threat to the future of the Internet posed by e-crime, and have argued that the Government must do more to protect individual Internet users.

The full report can be viewed here

The UK-based online identity firm Garlik released in early September a study prepared by the British based criminology firm 1871 Ltd. which was focused on quantifying cybercrime in the UK.

The report concluded that there were an estimated 1.9 million incidents of cybercrime committed in the UK in 2006, or about one every 10 seconds. These incidents were defined as "offences against the person including abusive or threatening emails, false or offensive accusations posted on websites and blackmail perpetrated over the internet."

The report concludes that “Although measuring cybercrime is difficult, it is clear that in many instances it is outstripping ‘traditional’ crime. This is a result of the unparalleled opportunities that the internet gives both for making familiar crimes easier and for enabling ‘pure’ cybercrimes that could not exist without the Internet.”

The U.S. Senate has passed a bill that would allow victims of online identity theft schemes to seek restitution from criminals and expands the definition of cyberextortion.

The Senate passed the Identity Theft Enforcement and Restitution Act by unanimous consent last week. The bill, introduced a month ago by Senator Patrick Leahy, a Vermont Democrat, allows victims of identity theft to seek restitution for the time they spend to fix the problems. The bill would allow prosecutors to go after criminals who threaten to take or release information from computers with cyberextortion, and it would allow prosecutors to charge cybercriminals with conspiracy to commit a cybercrime.

More information can be found here.

VoIP is dead, over and “out!” IP interactive communications (IC) or unified communications (UC) is “in!” IC or UC is much more than voice. Even the acronyms suggest so - “I see” and “You see.”  It’s more than just video. It’s insight gained from the availability of your family’s, friend’s or colleague’s presence information and the ability to collaborate for business, learning or pleasure with the simultaneous use of data applications. Sounds like network nirvana! 

But how will this really work? IC and UC services and applications will only become valuable when we can use them to reach anyone, anywhere, anytime. To paraphrase Metcalfe’s Law: the usefulness, or utility, of interactive communication equals the square of the number of users. Consequently, IC/UC must span multiple IP networks – business, residential and mobile; wireline, wireless and cable. Today’s consumers and businesses will be satisfied with—and pay money for—nothing less. 

Read Full Story...

Telecom New Zealand International (TNZI) has signed an IP network interconnection agreement with Hong Kong-based PCCW Global, strengthening Asian IP network coverage for both firms. The deal will allow the two providers to interconnect their respective telecoms networks to supply services to each other. Anthony Briscoe, general manager at TNZI, said: ‘This agreement marks a significant milestone for the Telecom New Zealand Group to expand our IP network footprint to support mission-critical applications globally

Source: TeleGeography 

In May, ARIN, the organization giving out IP address in North America, told us it's time to start adopting IPv6. Five months and another 76 million IPv4 addresses later, ARIN's European counterpart, Réseaux IP Européens (RIPE) adopted a resolution in much the same vein during its fall meeting last week.

The RIPE Network Coordination Centre (NCC) is responsible for the actual distribution of IP addresses, while RIPE is the community part of the RIPE NCC

Read Full Story...

According to the U.S. Patent & Trademark Office, the invention relates to an "Internet protocol (IP) network communication device which allows facsimile communication conforming to instrumentation table unit (ITU)-T recommendation V.34 in the network conforming to ITU-T recommendation T.38

Read Full Story...

Gordon Cook interviewed on October 23rd with John Curran, Board Chair of ARIN the North American Regional Internet Routing Registry for the last decade.

Read Full Story...