The Ministry of Information and Communication of the Government of Kenya is considering introducing a cyber law including e-transactions that could serve as a model for other East African Community (EAC) countries - such as Tanzania, Uganda, Rwanda and Burundi (which have yet to enact such kind of legislation).

The Government of Kenya is interested in creating a dynamic environment for business outsourcing and call centers to compete with India, Philippines and China. Creating an enabling legal environment is a vital first step in this direction, with some funding from USAID towards the development of such legislation. The current Kenya Communication Amendment (KCA) Bill 2007 could be adapted to include e-transactions. By including e-Transactions in the converged Bill, the Ministry will also recognise the technological convergence occurring in the digital world.

For more information, please see the article in the East African Standard.

Nigeria recently held its annual Finance and Information Technology Summit (FITS) on 26 July in Lagos, as an annual forum where ICT stakeholders and professionals from the banking and financial sector can interface. The theme for this year's seminar and exhibition was "seamless ICT integration in a Post-Consolidation Era".

The Director-General of the Nigeria IT Development Agency (NITDA), Professor Cleopas Angaye, made a presentation to the Summit where he stated that the success of e-payment solutions within Nigeria depends on the provision of adequate infrastructure, reliable helpdesk services and an enlightened population. He noted that, in the absence of trust, it will be difficult to convince potential buyers and sellers to migrate from the traditional platforms to more high-tech e-payment and e-commerce. Mr. Ekeigwe, President of Information Systems Audit and Control Association (ISACA Lagos) argued that "IT governance" has not got the attention it deserves as IT needs more technical insight and has traditionally been viewed as separate from business processes.

For more information, please see here.

This year's edition of the World Information Society Report 2007 notes that growth in the global Information Society is not without risks and the Report examines the potential pitfalls of growth in the rise of online fraud, other risks and threats to cybersecurity. The expansion of the Internet is opening up many new opportunities for criminals to exploit online vulnerabilities and commit criminal acts or attack countries' critical infrastructures.

Threats in cyberspace are evolving rapidly and deserve greater attention for several reasons. The evolution of telecommunication networks towards Next-Generation Networks (NGN) with decentralized intelligence at the edges of the network could raise new security issues. The capacity and speed of networks are increasing, accelerating the transmission of malicious software alongside other Internet traffic. Transmission and encryption protocols are also constantly being updated. Meanwhile, convergence offers new opportunities for 'cross-infection', with the problems of one access device feeding into other ICTs.

Viruses, spyware, phishing, identity theft, denial-of-service attacks and zombie botnets are endangering cyberspace and jeopardising the very future of the Internet. According to one source, spam and other exploitation now account for up to 90 per cent of all email traffic over the Internet. Spam has now mutated from a general annoyance to a broader cybersecurity threat, acting as a platform for many other types of scams (see Figure).

Chapter five, "Challenges to building a safe and secure Information Society" of the World Information Society Report 2007 examines these issues.

According to a survey of United States federal government agencies released last week by Cisco, an overwhelming majority of respondents believe that coordination of a mobile or remote workforce will be improved through unified communications - the integration of voice, video and data, delivered across a secure Internet Protocol (IP) infrastructure.

The survey of 200 federal information technology decision-makers and IT executives showed that wireless laptops, mobile devices and video-conferencing systems are widely used across different agencies of federal government. Nearly 50 percent of federal organizations now use instant messaging. More than 75% of all respondents report that perceptions and concerns over security pose a challenge to an enterprise-wide implementation of an integrated system, with security and reliability cited as the two greatest overall concerns.

More than two-thirds of respondents plan to have the capabilities to provide real-time notification and identification of employees and instant messaging or live chats in their agencies within the next 18 to 24 months.

The survey was commissioned by Cisco and carried out by Market Connections and can be read here.

The International Telecommunication Union (ITU) and the European Broadcasting Union (EBU) are jointly holding a meeting of high-level experts to identify key trends and to address the new technological and policy challenges in the digital content delivery environment.

To view the ITU/EBU conference via webcam, click here.

More information about this meeting can be found here.

A recent article in ComputerWorld Australia reports that a common e-crime reporting format to electronically report fraudulent activities will be fully operational in Australia by July, 2007.

In an interview with with Anti-Phishing Working Group (APWG) Secretary-General, the need for a structured data model to improve incident reporting, share information and allow forensic searches and investigations was highlighted. Secreatry-General Cassidy said that "the first base specification was submitted in June 2005 and the Incident Object Description Exchange Format (IODEF) XML Schema with e-crime relevant extensions will be a recognized IETF standard in about six weeks." This will futhermore be automated with greater ease using a standard schema. He also gave an example to show how it is planned to work:  an Asian country CERT (Computer Emergency Response Team) reporting an incident can send it to a European bank, which then can treat the specific request . 

The Anti-Phishing Working Group (APWG) is currently talking to ISPs to increase phishing data from the field. Cassidy continues, "Reporting is improving. The average time live for a phishing site is now four days: we should be able to reduce this to a single day. We want to make it harder for organized crime by frustrating them and pulling down the sites as quickly as possible. "We don't want it to be easy for them to make a profit so they have to return to old standbys like extortion and drugs."

Cassidy estimates there are upwards of 50 full-time phishing gangs operating worldwide at any given time. While four days may seem a long time the average was well over a week when the working group was first established. He said it can depend on reaching the right person within an organization. "We have ISPs that can bring down sites in minutes but there are some organizations that have an approval process that has to be cleared by three levels of management; even after 20 faxes and two weeks later nothing is done". "Some organizations just aren't interested".

Access the full ComputerWorld article here.

Wired News in an article reports on the recent Anti-Phishing Working Group's Counter e-Crime Operations Summit which took place in San Francisco, United States. The meeting gathered internet-crime fighters from security companies, law enforcement agencies, banks and e-commerce sites to confer on new tactics in the war on cybercrime. "And while nearly everyone agreed the internet has become an infected and dangerous breeding ground for malware and scams, no one could quite agree on what do."

Proposed solutions included:

• the online fraud problem had become so bad due to the neglect of ISPs, users and private corporations alike that the only recourse was to build government-funded free clinics for infected computers;
• the botnet threat requires some top-down authority to fix the problem, the current remediation model which mostly involves running from one computer to another installing patches cannot keep up with attackers that are now better organized and better funded than the security community;
• the increased use of ingress filtering that prevents one computer from successfully spoofing the internet IP address of another (to be widely adopted by ISPs and router manufacturers);
• etc. see the Anti-Phishing Working Group's Counter e-Crime Operations Summit for further information.

Service providers and everyday users were singled out by meeting panelists and audience members for not taking enough responsibility. Attendees slammed ISPs for not searching for rogue computers on their network or shutting off internet access to compromised PCs reported to them by security companies, charging that ISPs were endangering the internet to avoid support calls from cut off customers.

Is was stated that users don't care about security because the rogue zombie software often only uses minimal computing power, making the background spam-spouting code not their problem. A few audience members argued seriously that computer users should have to take a test to get an internet license, maintain botnet insurance and have their machines inspected for information-super highway worthiness. Others countered that individuals shouldn't have to know how to secure their own computers, the machines should simply be more inherently secure.

In the article a senior researcher for security company RSA, told Wired News that "none of those solutions would work, because new technical specifications for a security score would take years, and the other proposals wouldn't have the international reach needed to make a dent in the global internet infosphere." "The solution? Money. Governments need to provide rewards to ISPs for taking down botnets, the researcher explains."Governments are the only body with money and the incentive to take down botnets. If you are looking at either a carrot or stick approach, I would go carrot. If you are paying ISPs to get rid of the botnets, then it's international. Everyone wants to make money."

Read the full Wired News article here.

MSNBC news reports in a recent article that a new mutation of the old phishing scam surfaced. Like thousands of previous phishing e-mails, this bogus bank notice asks for your personal information. But in a strange and novel twist, it tries to turn your own phone against you.

In an e-mail message from a bank you see text like: "During our regular update and verification we could not verify your current phone number". You are told to confirm your phone number right away or your account will be suspended indefinitely.Then you’re instructed to forward your phone to the number provided. It’s supposedly the phone number for the bank’s security department. "The bank will verify your phone number and will disable call forward within 20 minutes," the e-mail says. However, this e-mail is not from the bank, and the number does not go to their security department. It’s a Skype number that goes straight to the identity thieves who can be anywhere in the world.

If this new approach works, we are likely to see similar messages pretending to be from other financial institutions asking people to forward their phone number. "After an identity thief steals your credit card number, he needs a way to make money with it. He can charge things or sell the number for others to use. In either case, once the charges start piling up on your account, the bank’s computers are likely to flag these abnormal or out of profile transactions and alert the fraud department."

The Anti-Phishing Working Group, a consortium of hundreds of banks, e-tailers, technology companies and government agencies, warns that a growing number of phishing attacks are being designed to steal your personal information by downloading crime-ware onto your computer. They do that when you click the link that’s embedded in the phisher’s e-mail message, the one that’s supposed to take you to the financial institution’s Web site.

For tips on how to protect yourself, and for more information on this new scam, read the full MSNBC article.

The European Association for the Co-ordination of Consumer Representation in Standardisation (ANEC) held its General Assembly on 1 June 2007 in Brussels. For the first time, the group considered issues relating to RFID and digital identity, and in particular the impact that these technologies may have on consumer interests. ITU's Lara Srivastava spoke at the assembly, emphasizing the need for a better understanding of the wide-reaching implications of RFID and the development of global solutions to the digital identity problem. Her presentation is available here.

Robert Alan Soloway, 27, was indicted this week by a US federal grand jury on 35 counts that include mail fraud, wire fraud, fraud in connection with electronic mail, aggravated identity theft and money laundering. Accused of being one of the Internet's most notorious spammers, he is currently being held without bail.

Soloway is the first spammer in the nation to be charged with aggravated identity theft under the CAN-SPAM Act of 2003.

See the Reuters story here.  

The Internet Engineering Task Force (IETF) recently gave its preliminary approval to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail (DKIM), and it promises to give Internet users to identify and stop the seemingly endless flow of fraudulent junk e-mail by providing a method for validating an identity that is associated with a message, during the time it is transferred over the Internet. That identity then can then be held accountable for the message.

The draft standard that the Internet Engineering Task Force adopted is a promising solution because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

Read the full article on CNET News.

The Internet Society of New Zealand (InternetNZ) has recently released the ISP Spam Code of Practice for public consultation. The Code is posted on the InternetNZ website. Four weeks have been allowed for comment to be received, with a deadline of 18 June 2007.

The Code has been prepared by a working group comprising representatives of the Telecommunications Carriers’ Forum, the Marketing Association, and InternetNZ. According to the website, InternetNZ executive director Keith Davidson says the preparation of the Code is an excellent example of how the industry is working together to fight a common enemy. "Spam is clogging up our inboxes, soaking up our bandwidth, and providing vectors for scams and malware." "The ISP Spam Code of Practice recognises that Service Providers can assist in the minimisation of Spam through their technical approach, by being a first port of call for information and complaints from internet users, and by working with law enforcement agencies."

The ISP Spam Code of Practice is complementary to the New Zealand government’s Unsolicited Electronic Messages Act in that it outlines the responsibilities of ISPs under a self-regulatory model. This was anticipated in the passing of the Act. It is planned that the Code will go live on the same date as the Act of 5 September 2007. It is also complementary to the Marketing Association’s Code of Practice for Direct Marketing, the TCF’s SMS Ant-Spam Code and the TCF’s Customer Complaints Code.

See the Internet Society of New Zealand website for further details.

As part of its mandate given by the World Summit on the Information Society to build confidence in the use of ICT, ITU announces an ambitious two-year plan to curb cybercrime. The announcement was made by ITU Secretary-General Dr Hamadoun Touré at a ceremony to present the 2007 ITU World Information Society Award.

Cybercrime takes several forms, from breaching network security, financial fraud, invasion of privacy and identity theft to virus attacks, spam or online child pornography. With schools, hospitals, and government organizations increasingly dependant on online services, the vulnerability of the system and everyone connected to it becomes frighteningly apparent. As we are only as secure as the weakest link, a global concerted response is needed to ensure there are no safe havens for cybercriminals.

Against this background, ITU Secretary-General Dr Hamadoun Touré set out a comprehensive Global Cybersecurity Agenda to tackle the issue within a framework of international cooperation. "With more than one billion Internet users in the world today, not only is the number of crimes committed in cyberspace increasing at an alarming rate, but the sophistication in the way these crimes are committed keeps evolving," Dr Touré said.

The goal of the Agenda is to foster a common understanding of the importance of cybersecurity and bring together all relevant stakeholders (governments, intergovernmental organizations, the private sector, and civil society) to work on concrete solutions to deal with cybercrime. This is all the more important as criminals use weaknesses wherever they can be found and leverage them internationally. While there are a number of existing frameworks, they are enforceable only within geographical boundaries, either national or regional, thus leaving room for criminals to use loopholes to their advantage and in almost total impunity as they shift their operations to countries where appropriate and enforceable laws are not yet in place. It is vital to work on bringing together these initiatives within a framework of international cooperation and focus on solutions that leverage the broad range of existing expertise and initiatives in order to avoid duplication and make real progress in building confidence and security in the use of ICT.

"Today, the loss is estimated to run into several billion dollars, both from fraud on the Internet and from costs related to fixing networks that have suffered cyberattacks. But with children, students, and senior citizens communicating by Internet or mobile phone, tomorrow’s losses can be devastating. Just one word change on a patient’s medical file in a hospital could kill that patient, and hackers who can thwart sophisticated banking systems have no trouble breaking into a hospital’s network," said Dr Hamadoun Touré, ITU Secretary-General. This is becoming a major concern for public authorities.

The Global Cybersecurity Agenda, which will have a two-year timetable, rests on five pillars:

Finding technical solutions for every environment;

Developing interoperable legislative frameworks;

Building capacity in all the relevant areas;

Establishing appropriate organizational structures;

Adopting effective international cooperation mechanisms.

See the full ITU Press Release here.

The 2nd WSIS Action Line C5 Facilitation Meeting, dedicated to building confidence and security in the use of ICTs, was held 14-15 May 2007 at ITU Headquarters in Geneva, Switzerland. The meeting was open to all stakeholders and held in conjunction with a cluster of events 14-25 May surrounding World Telecommunication and Information Society Day (May 17th).

Full documentation for the meeting, including the final agenda, all presentations, meeting contributions, audio archives, is available on the event website.

Enquiries related to the event or generally with regards to ITU cybersecurity activities can be directed to cybersecurity@itu.int.

ITU and UNCTAD are delighted to announce the publication of the World Information Society Report 2007, published on 16 May 2007. The Report seeks to benchmark progress in meeting the WSIS targets, to be achieved by 2015 at the latest, and evaluates the evolution of the digital divide. It presents 200 pages of analysis of the latest trends in ICTs, exploring whether consumers are 'cutting the cord', the death of dial-up and growth in broadband and 3G. It evaluates the digital divide using a variety of techniques and finds that the strong growth of mobile telephony offers the greatest potential to bridge the digital divide.

Using the methodologies endorsed by the World Summit on the Information Society, it finds strong growth in digital opportunity around the world. Asian and European countries continue to lead in digital opportunity, but there are shining examples of strong progress in the take-up of ICTs in Africa - five of the ten top gainers in digital opportunity are African economies. Last year's World Information Society Report benchmarked the gender divide and regional divides. This year's Report uses the Digital Opportunity Index to benchmark gaps in access and use of ICTs by different age groups in the age divide in Singapore.

Growth of the Information Society is not without risks, however, and online security threats remain a cause for concern, however. Building confidence and security in the use of ICTs was a key aim of WSIS, and the report examines the evolution in cyberthreats, including spam, spyware, botnets, identity theft, breaches of privacy and other risks associated with online transactions.

The Report also examines national strategies that various countries have adopted to promote growth in ICT development, illustrating these with reference to a wealth of country case studies. It presents examples of successful projects promoting WSIS implementation around the world. The Report combines theory with authoritative analysis from the ITU and UNCTAD and country examples from around the world. It is due to be presented to the UN Commission on Science and Technology for Development, holding its Tenth Panel Meeting in Geneva next week to discuss progress in WSIS implementation.

For more information, please see here. Articles will follow all next week, to highlight different aspects of the Report.

A United States House of Representatives subcommittee approved a bill on spyware this week, which recommends up to five years in prison for convicted distributors of malicious spyware.

Past versions of the Internet Spyware Prevention Act have failed to pass a vote in the United States Senate. Observers have pointed out, however, that the increasing militancy among users fed up with unwanted software intrusion may make this latest attempt more successful. And there is a lot at stake. Creating trust in the internet will ensure its future development. More on this story is available here.

The ITU is taking a leading role in cybersecurity initiatives, particularly in light of calls for global action made at the World Summit on the Information Society. More information on ITU's work in this area is available here.

According to a recent article in the United Kingdom's The Register, distributed denial of service (DDoS) attacks are falling out of favour with black hat hackers because using compromised machines to send spam is a more lucrative, and less risky, way of making money illicitly.

"Networks of compromised PCs can be used for purposes including relaying junk mail or flooding targeted websites with spurious traffic. Security firm Symantec reckons the noticeable fall in denial of service attacks it witnessed in the second half of 2006 is down to the growing difficulty in launching such attacks, and getting victims to pay up even if these assaults are successful. Stealthier misuse of compromised PCs, such as sending spam", poses far less risk, the security firm argues."

"Symantec recorded an average of 5,213 denial of service (DoS) attacks per day in the second half of 2006, down from 6,110 in the first half of last year. The United States was the target of most DoS attacks accounting for 52 per cent of the worldwide total."

"DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or if it is simply blocked by its ISP from accessing the network," a Symantec researcher notes in a posting to Symantec's Security Response Weblog.

Furthermore was mentioned that "up-front costs in setting up a botnet before any hope of payment, as well as the possible loss of an entire bot network if a command and control server is identified, also act as a deterrent. It is likely that bot network owners are now moving away from DoS extortion and towards more lucrative ventures like spam. Not surprisingly, we saw a noted increase in spam volumes in the last six months of 2006", the researcher continued.

Read the full article in The Register here.

 

According to a recent Press Realease by The Infocomm Development Authority of Singapore (IDA), Singapore is already looking into a new five-year infocomm security roadmap (2008-2012) as it embarks on the final year of the current three-year Infocomm Security Masterplan (2005-2008). The Infocomm Security Masterplan was launched on 22 February 2005 as a strategic roadmap to chart Singapore's national efforts in developing capabilities to prevent cyber-security incidents and protect the critical infrastructure from cyber-threats. According to Dr. Vivian Balakrishnan, Second Minister for Information, Communications and the Arts, Singapore "cannot afford to be complacent, especially with new and dangerous threats evolving and growing at such an alarming rate. Instead of simply taking one step forward, we need to be many steps ahead in our efforts to combat cyber threats."

Providing a glimpse of the new five-year Masterplan to be launched in 2008, Dr. Balakrishnan shared that the new infocomm security roadmap will build on Singapore's existing efforts to focus on more international collaborations to improve Singapore's ability to combat cyber threats. The collaborations will look into knowledge exchanges and regular communication between governments on cyber threat trends and protection of critical infrastructure. When launched in 2008, the new security roadmap will also secure Singapore's ultra high-speed and pervasive Next Generation National Infocomm Infrastructure (NGNII) to provide a secure and trusted environment for the creation of new value-added services such as location-based marketing, goods tracking and localised information services and the pervasive adoption of online services such as those in the area of banking, healthcare and education.

Under the current Masterplan, the government has developed various security initiatives to equip public officers with more timely information and knowledge to assess and improve on their cyber defence. This allows them to better protect, detect and respond to cyber threats. An example is the Cyber-WatchCentre which monitors cyber threats real-time and round-the-clock. By mid 2008, the centre will ensure end-to-end security for all public officers, allowing government agencies to better anticipate cyber attacks and respond to them speedily.

For more information on these inititiatives, view the IDA Press Release.

The second edition of the World Information Society Report: Beyond WSIS is going to be launched on the occasion of the World Information Society Day on 16 May 2007.

Published by ITU and UNCTAD, this report looks beyond the World Summit on the Information Society (WSIS, Geneva 2003 - Tunis 2005) to the creation of an inclusive, people-centered and development-oriented Information Society, open to all. Some of the themes covered in the report are: the evolution of the digital divide, trends in the information society, ICT growth strategies, cybersecurity and WSIS implementation. The report tracks progress in digital opportunity for 181 economies over the past few years since the start of the WSIS process and is accompanied by a series of tables providing the latest statistics on the development of Information and Communication Technologies (ICTs) worldwide.

The report has been created by the “Digital Opportunity Platform”, an open multi-stakeholder platform with contributions from governments, private sector, academics and civil society, as well as inter-governmental organizations.

More information on the forthcoming publication will be made available on its website in due course.

The first steps towards a globally harmonized approach to identity management (IdM) have been taken during a meeting of the ITU Focus Group on Identity Management (FG IdM) bringing together, for the first time, the world’s key players in the IdM space.

IdM promises to reduce the need for multiple user names and passwords for each service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for a simplified and secure interaction between customers and services such as e-commerce. Experts at the meeting concurred that interoperability between existing IdM solutions will provide significant benefits such as increased trust by users of on-line services as well as cybersecurity, reduction of spam and seamless "nomadic” roaming between services worldwide. Abbie Barbir, chairman of the Focus Group on Identity Management: "Our main focus is on how to achieve the common goals of the telecommunication and IdM communities. Nobody can go it alone in this space, an IdM system must have global acceptance. There was a very positive feeling at the meeting that we can achieve this and crucially we saw a great level of participation from all key players."

The meeting of the FG IdM brought together developers, software vendors, standards forums, manufacturers, telcos, solutions providers and academia from around the world to share their knowledge and coordinate their IdM efforts. Interoperability among solutions so far has been minimal. One conclusion of attendees is that cooperation is crucial and that players cannot exist in isolation.

The spirit of the meeting was that everyone will gain by providing an open mechanism that will allow different IdM solutions to communicate even as each IdM solution continues to evolve. Such a "trust metric" does not exist today experts say. Work will continue online and during Focus Group meetings in April, May, and July 2007. An analysis of what IdM is used for will be followed by a gap analysis between existing IdM frameworks now being developed by industry fora and consortiums. These gaps should be addressed before the interworking and interoperability between the various solutions can be achieved. The aim is to provide the basis for a framework which can then be conveyed to the relevant standard bodies including ITU-T Study Groups. The document will include details on the requirements for the additional functionality needed within next generation networks. ITU has a long history of innovation in this field, with key work on trusted, interoperable identity framework standards including Recommendation X.509 that today serves as the primary "public key" technical mechanism for communications security across all telecom and internet infrastructures.

See more information on the Focus Group on Identity Management (FG IdM) website.

Kaspersky Lab, a developer of secure content management solutions, recently announced its annual report on malware and spam evolution. The report, authored by Kaspersky Lab analysts, surveys the trends of 2006 and looks at what 2007 may bring.

Malware Evolution: 2006. The report provides an overview of the most important incidents in the malware world, highlights the main trends, and examines how the situation will evolve. Particular stress is laid on the continuing increase in the number of Trojan programs, particularly those designed to steal online gaming account data; the first viruses and worms for MacOS; and Trojans for J2ME, which are designed to steal funds from mobile user accounts. The number of new malicious programs was up 41% on 2005. As for the future evolution of malicious programs, Kaspersky Lab virus analysts believe that virus writers and spammers will work ever more closely together; the number of Trojans will continue to increase; and that virus writers will be on the lookout for exploitable vulnerabilities in Vista.

Spam Evolution: 2006. Data provided by the Kaspersky Spam Lab shows that in 2006, between 70% and 80% of mail traffic on the Russian Internet was spam. The majority of spam sent to Russian users originates in Russia, the U.S.A. and China. Spammers actively used graphics in order to evade spam filters. They are also continued to send spam masquerading as personal correspondence in order to get the recipient to read the whole message and then act as the spammers intended, whether by calling a designated number or clicking on a link. The report on spam evolution also highlights how mass mailings differ from each other according to language: most Russian language spam offers education and training, and a wide range of goods ranging from busts of the Russian president to a device which will 'translate' a dog's bark. English language spam, on the other hand, tends to focus on advertising for stocks and shares, viagra and cheap software. The report also notes that spam became increasingly criminalized in 2006, with spammers actively using SMS to spread spam.

The company's analysts believe that technologies currently in use will continue to evolve in 2007, together with further development of graphical spam, and increased criminalization of mass mailings.

Read the executive summaries here: Malware Evolution: 2006 and Spam Evolution: 2006.
The full annual report can be found here.  

This news item was accessed through Russia Newswire.

The SHA-1 algorithm, which has been widely used in many of today's mainstream security products since 1995, was significantly compromised in February 2005 by a team of researchers led by Xiaoyun Wang based at China’s Shandong University. (This team had already undertaken attacks against the MD5 and SHA: hash functions previously, prior to their attack on SHA-1).

Their success prompted calls for a replacement algorithm. The U.S. National Institute of Standards and Technology had already announced that they planned to phase out the use of SHA-1 by 2010 in favour of the SHA-2 variants. The need for a replacement algorithm has now led NIST to launch a contest to devise a successor on 27 January 2007. The competition is to begin in the fall of 2008, and continue until 2011, with full completion and approval by 2012. Contests like this one have a promising history in cryptography. Notably, the Advanced Encryption Standard (devised as a more secure replacement to the prior Data Encryption Standard) was devised through an open competition between fifteen teams of cryptographers between 1997-2000.

This summary provides a general discussion of the amended Information Network and Privacy Protection Act (“INPPA”) of Korea. INPPA sets out the minimum procedural requirements for lawful online transmissions in Korea whereby transmissions of advertised materials against recipients’ refusal to accept are strictly prohibited. Although these rules are applicable to unsolicited commercial e-mails via the internet, they were intended to apply to all modes of telecommunication such as cellular phones, facsimiles, etc.

The Korean government has made continuing efforts since 1999 to curb the increase in spam mail and has since been monitoring the effectiveness of the implementation of additional provisions. The new law targets senders of spam mail that are commercial in nature. Consistent with its effort to protect minors from being exposed to obscene and violent materials online, the Korean government has also included a provision in the INPPA that requires senders to label those materials as such.

More information can be found here. 

Ross Anderson and Tyler Moore have published their survey paper on "The Economics of Information Security: A Survey and Open Questions".

Read the full version of the paper, and the shorter version of the paper, which appeared in Science Magazine.

Their presentation at The Economics of the Software and Internet Industries conference in Toulouse, France, 19-20 January 2007, can be found here.

14-15 May 2007 The next annual facilitation meeting for WSIS Action Line C5 has been rescheduled one day earlier and will be held 14-15 May 2007 at ITU in Geneva in conjunction with a cluster of events held 14-25 May around 17 May (World Telecommunication and Information Society Day).  The meeting is open to all participants with an interest in C5 activities. The invitation letter and draft agenda is available here. More details are available will become available on the WSIS C5: Partnerships for Global Cybersecurity website. Enquiries can be directed to cybersecurity@itu.int.

Go to the 14-15 May meeting page to get more information on how to register for the meeting.

According to Mark Hall, the Director of the U.S. Defense Department's International Information Assurance Program and co-chair of the National Cyber Response Coordination Group (NCRCG), DOD is about to sign an agreement to share incident and threat information with the North Atlantic Treaty Organization's Computer Emergency Response Team (CERT).  NCRCG is the U.S. federal government's incident response coordinator.  It works to defend U.S. cyberspace by providing guidance to federal agencies and working the private sector, state governments, and other countries.  Currently, there are 26 NATO countries and Hall feels that it will be much easier for him to work with NATO rather than each of the countries bilaterally.  Hall was also recently a participant in a panel at RSA Conference 2007 that discussed "Protecting U.S. Cyberspace:  Coordinating National Response to Cyber Attacks." 

For the full article, please go here.

Almost 40 countries will participate in the fourth edition of Safer Internet Day (SID) which this year takes place on 6 February.

The event is organised by European Schoolnet, coordinator of Insafe, the European safer internet network. Viviane Reding, EU Commissioner for the Information Society and Media is once again patron of Safer Internet Day, as in the past two years.

The highlight of the day will once again be a worldwide blogathon, which will reach Australia on 6th February and progress westward through the day to finish up in the USA and Canada. Following the huge success encountered in 2006, this year’s blogathon goes one step further to include the voices of hundreds of youngsters.

In the framework of a competition launched in October 2006, more than 200 schools in 25 countries across the globe have been working in pairs, using technology to cross geographical borders, to create internet safety awareness material on one of three themes: e-privacy, netiquette, and power of image. On Safer Internet Day, all of the projects they have produced will be uploaded to the blogathon. The 4 prize-winning teams in the competition will be announced on 6 February when the blogathon opens to well over 100 organisations waiting on the starting block to add their postings on this year’s theme, Crossing borders.

To find out more about young people’s use of the internet and mobile phones, Insafe has been collecting data over the past two months through an online survey. Preliminary results will be made available on Safer Internet Day along with a wealth of other information tailored to the needs of not only media but also parents, teachers and youngsters in an online media room specially set up at www.saferinternet.org to mark the event.

On Safer Internet Day in the Netherlands, HRH Princess Maxima will be the special guest at an event featuring theatre, music and stories. In Slovenia, young people will showcase art projects and Slovenian national television will broadcast internet safety clips.

Across the globe, hundreds of other events will highlight the growing importance of internet safety in the lives of us all.
For further information see the following links:

Insafe
National nodes of Insafe
Safer Internet Day Blogathon
Safer Internet Programme
eTwinning (partner in the Safer Internet Day competition for schools)

In today's interconnected world of networks, threats can now originate anywhere − our collective cybersecurity depends on the security practices of every connected country, business, and citizen. The International Telecommunication Union (ITU), a specialized agency within the United Nations system, would like to draw Safer Internet Day participants' interest to a number of information resources dedicated to cybersecurity and spam.

The ITU Cybersecurity Gateway is an easy-to-use online information resource on national and international cybersecurity related initiatives worldwide. A vast number of resources and links are available and organizations are invited to join in partnership with the ITU and other stakeholders to build confidence and security in the use of information and communication technologies (ICTs).

The StopSpamAlliance is a joint initiative to gather information and resources on combating spam. This initiative was undertaken by Asia-Pacific Economic Cooperation (APEC), the EU's Contact Network of Spam Authorities (CNSA), International Telecommunication Union (ITU), the London Action Plan, Organisation for Economic Co-operation and Development (OECD) and the Seoul-Melbourne Anti-Spam group. The StopSpamAlliance.org website contains an overview about each of these organization’s activities in countering spam and related threats.

The outcome documents from the two phases of the World Summit on the Information Society (WSIS) emphasize that building confidence and security in the use of information and communication technologies (ICTs) is a necessary pillar for building a global information society. ITU has been asked to play the main facilitator role for to assist stakeholders in building confidence and security in the use of ICTs. To stress the importance of the multi-stakeholder implementation of this task, ITU has named this the Partnerships for Global Cybersecurity (PGC) initiative.

In commenting on the Safer Internet initiative, newly elected ITU Secretary-General Hamadoun Toure stressed the need for greater cooperation between regulators, government, security firms, communication service providers, and end users in dealing with the challenges to building a safe and secure information society.

The International Telecommunication Union wishes you all a very successful Safer Internet Day 2007!

Enquiries related to ITU activities in the area of cybersecurity can be directed to cybersecurity@itu.int.

 

About ITU

The International Telecommunication Union (ITU) is an international organization (specialized agency) within the United Nations System where governments and the private sector coordinate global telecommunication networks and services. Through its standards, development, and policy research activities, ITU has a long-standing track record in security for information and communication systems. There are currently more than seventy ITU recommendations focusing on security.

According to a recent article in The Register, two young Dutch hackers who built a large botnet were sentenced to prison earlier this week. The main suspect, now 20, was handed a two-year sentence and a €9,000 f($11,800) fine, while his 28-year-old partner was given 18 months and ordered to pay €4,000 0 ($5,200).

As stated by the article, the men, part of a larger hacking ring, and one other suspect, were arrested in 2005 for extorting a US company, stealing identities to purchase cameras and games consoles, and distribute spyware. The operation netted an estimated €60,000 over a period of six months.

Read the full The Register article here.

Two resolutions relating to cybersecurity and defining ITU's activity in that domain were adopted by ITU Member States at its Plenipotentiary Conference in Antalya, Turkey, held in November 2006. These are:

• RESOLUTION 130 (Rev. Antalya, 2006): Strengthening the role of ITU in building confidence and security in the use of information and communication technologies
  
• RESOLUTION 149 (Antalya, 2006): Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies

5-6 April 2007 The Russian Association for Networks and Services (RANS) will hold its sixth international security conference entitled Security and Trust for Infocommunication Networks and Services on 5-6 of April 2007 at the Moscow Marriott Grand Hotel. One of the topics to be considered on the agenda in a grand plenary session will be WSIS Action Line C5 with the participation of Houlin Zhao, ITU Deputy Secretary-General.

14-15 May 2007 The ITU has a new Secretary-General, Dr. Hamadoun Toure, who has indicated in his first public statements and to senior ITU staff that he considers cybersecurity and particularly follow-up to WSIS Action Line C5 to be a key strategic area of focus for future ITU activities.

The next annual facilitation/consultation meeting for WSIS Action Line C5 will be held 14-15 May 2007 at ITU in Geneva in conjunction with a cluster of events to be organized around 17 May (World Telecommunication and Information Society Day).  The meeting is open to all participants with an interest in C5 activities. More details concerning the draft agenda and administrative arrangements for the event will be circulated shortly along with a list of other WSIS-related meetings to be held 14-25 May 2005 in Geneva.

Further information will be posted at the WSIS C5: Partnerships for Global Cybersecurity website. Enquiries can be directed to cybersecurity@itu.int.

IDG Sweden has published an interview between a journalist from Computer Sweden Magazine and a person claiming he is the creator of the Haxdoor Trojan, a program used for bank fishing and responsible for the recent phish of an Australian bank as well as the recent phish of Nordea bank.  The interview was done over ICQ.  With the assistance of someone from Symantec, the interviewer reached the interviewee, who uses the screen name Corpse, by pretending to be interested in buying a handcrafted version of the program for the phish of a particular bank. 

In the interview, Corpse indicates that he is clearly aware that his program is used for bank fraud and offers to sell Haxdoor, including support by him, to the journalist for $3000.  In their discussion about attacks that have been perpetrated by Haxdoor, Corpse states that security staff at banks try to hide 99% of the actual attacks in an attempt to prevent their customers from being frightened.  However, Corpse will not discuss previous customers or the person(s) who may have been behind some of the attacks by Haxdoor that have become public.  When the journalist expresses concern about being caught, Corpse offers to make the attack untraceable by providing the journalist with servers in China, the United States, or Europe for $150 per month.  Corpse also makes that claim that versions of Haxdoor exist with the ability to hide in the operating system, and therefore, cannot be detected by anti-virus programs.  He goes on the talk about the features of Haxdoor, which include a graphical interface allowing attacks to be tailored, rootkit and self-defense functions, support for all versions of Windows from 98 to Vista, and delivery as a rar or zip archive.

For a full version of the interview (in Swedish), please click here.

Last week, the Anti-Spyware Coalition released its guides on best practices and conflict resolution. The best practices guide is based on a set of software definitions and the risk-model description created by the Coalition.  It is intended to provide insight into the way security firms identify applications, flag behavior, and then distinguish between "unwanted" software and software that provides "real value to users."  Included is the "clearest description" that the Coalition has issued of the methodology used by anti-spyware companies in determining what software is "unwanted."  The conflict resolution guide addresses the topics of competing anti-spyware software on a system and helping consumers understand the problems that may result in their security applications.

For links to the Anti-Spyware Coalition guides and supporting documentation, please click here.

The European Parliament held an STOA Workshop on "RFID in the everyday life of Europeans: A citizen's perspective on ambient intelligence" on 24 January 2007. The workshop was organized as part of the project "RFID and identity management: Case Studies from the frontline of the development towards ambient intelligence" commissioned by the Scientific Technology Options Assessment (STOA) Panel of the European Parliament, and carried out by the European Technology Assessment Group.

ITU's Lara Srivastava delivered a presentation on the topic "Is our enviroment getting smarter? Are we". Her presentation is available here. 

The North American Consumer Project on Electronic Commerce (NACPEC) has created a section on its website that provides visitors with relevant and up to date information on spam and phishing.

Although there is no international consensus on the definition of spam, spam has evolved from a minor nuisance to a problem, which is often criminal and fraudulent, for users and computer networks. In addition to the fact that most spam advertises goods or services that are of questionable quality or that contain deceptive or misleading offers, spam is a channel for the propagation of viruses and spyware as well as a way to perpetrate other criminal activities through phishing and pharming techniques.  It is a threat to the use and functioning of corporate, public, and academic networks; assists cybercrime; threatens consumer confidence; and undermines the use of email. 

Since 2000, the amount of spam circulated has more than doubled, reaching somewhere between 58% to 85% of all email.  Spam is the cause for significant economic costs and losses in productivity for service providers, businesses, civil society, academic institutions, and especially consumers.  During the World Summit on the Information Society (WSIS) thematic meeting on spam in July 2004, the Chairman reported that spam costs the global economy approximately US$ 10 billion per year, and the European Commission has estimated that spam costs users EUR 10 billion per year. Spam is now no longer only a problem for computer networks, it is also becoming an issue in mobile phones, instant messaging services, weblogs, and wireless networks. Currently, there is no one solution to the problem of spam.  It is a complex, cross-border issue requires the adoption of a multi-dimensional and multi-stakeholder approach as recommended by the Anti-Spam Toolkit for the OECD.  To curb spam, a combination of solutions will be required.

More information can be found here.

 

As one the series of Google TechTalks, Van Jacobson presents his talk entitled "A New Way to Look at Networking."

Jacobson's motivation for giving this talk is his feeling that in the last decade network research in the United States has been at a dead end. Despite technological advances, everything with networking is becoming more difficult. People are spread out over multiple devices, wireless barely works, and the solutions that are being presented solve the small problems but do not deal with the larger cause.  In the current situation, Jacobson feels the Internet is not a bad solution but the problem has changed. We are on the verge of a Copernican revolution. A good analogy to this situation is the one faced in the 1960s and 1970s when efforts were being made to use the telephony system to move data.

The traditional telephony system was not about calls, it was about wires. To have a successful business model, a ubiquitous wire system was necessary. Jacobson provides an explanation of the system, how it works, and the issues that arose over ownership of the network. One characteristic of the network was its unreliability. Every piece had to work all the time. Because of this the network was designed to have reliable elements instead of being reliable as a whole. 

The current issue is in order to have access to information, the device used must be connected to the Internet or the user will be cut off. This can be difficult because the device must have a topologically stable address. Also, the Internet does not like things that move or broadcast; it was not designed for this.  How the network is being used has changed. We are not longer in a conversation model. A conversation model cannot be transformed into a viable security model. Instead, Jacobson promotes a dissemination model by discussing the work that is being done with this framework including ways of transferring and storing information and their advantages.

Jacobson feels that the continued reliance on the conversation model has evolved the situation to the point where the user must now do the low level connection plumbing to get what he/she wants.  If we change our view to the dissemination model, the network does the plumbing. 

The full talk can be found here.

 

In his article "Trench Warfare in the Age of the Laser-guided Missile," Neil Schwartzman gives a brief description of the history of spam and the anti-spam movement, provides a summary of the current state of spam, and makes a series of recommendations concerning what actions the anti-spam community should take.

History of Spam and the Anti-Spam Movement:  According to Schwartzman, both spam and the anti-spam movement have steadily evolved since 1995.  The anti-spam movement has seen the rise of government groups, NGOs, and industry coalitions as well as anti-virus and spyware technologists and companies working individually to stop spam.  Spam, however, has stayed ahead of the anti-spam movement, becoming more and more sophisticated in its ability avoid filters, collaborate with viruses, and reach users. 

The Current State of Spam:  Schwartzman sums up the current situation as a "blended criminal threat."  He examines penny stocks, promoted using 'image-only' payloads.  Stock spamming leaves paper trails and this led to some successful prosecutions at the end of 2006.  He reaches the conclusion that although currently popular, stock spamming will decline as prosecutions increase.   He also looks at phishing, which he feels is far more serious than stock spamming, because  "personal information is the currency used by criminals on the net."

Consumer Confidence & Organized Crime:  Although online commerce continues to grow, user confidence is e-commerce is decreasing as the number of threats from spam increase.  Recent studies show that up to 90% of polled consumers are deeply skeptical about their ability to conduct business safely online.  Schwartzman feels that as more users become victims or personally know victims of online fraud, they will cease their online purchasing and return to traditional retail outlet purchasing.  One major concern is the possible failure of a major online financial service, which would certainly speed up users return to traditional retail and cause massive damage to the reputations of all online service providers.  There is also additional concern as there is now "full integration with the bad-guy technologists and sophisticated groups of computer-aware criminals."  The large amount of money that can be made from spam has now attracted organized crime including the Russian mob, the Italian mafia, the Hell's Angels, and the Columbian drug cartels.

The Future:  At the inbox level, anti-spam technologies are very effective at blocking spam; however, the resource cost is becoming an issue as "major receiving sites have said privately that their systems are all but overwhelmed by the new levels of spam."  The latest spam/malware threat is known as SpamThru.  Although not yet being used to its full capacity, it caused an 80% increase of spam on some sites in the last three months of 2006.  It also has the capability of avoiding complete deletion by removal programs.  Other technologies which are also popular right now are 'Queen bots', which are capable of changing profiles and controlling subservient zombie computers, and 'fast-flux dns', which is a DNS server hosted on an infected machine that resolves human-recognizable URLs to a multitude of similarly infected machines.  If spam continues to increase, and there are several ways it can, the result could be the end of e-mail or the Internet itself or virtual attacks on the real world (several of which have already been realized),  

What Should Be Done:  According to Schwartzman, the anti-spam movement is losing.  This can be mostly attributed to the fact that the movement is disjointed and disorganized.  Companies often have various groups dealing with different aspects of spam and malware who never communicate or coordinate.  This is also seen in the interaction of the various anti-spam groups organized within the industry.  Schwartzman believes that active participation and cooperation by all stakeholders is necessary to successfully fight spam and he makes a series of suggestion as to how this can be achieved.

See the complete article here. 

A public forum on the availability and robustness of electronic communications networks was held in Brussels, Belgium on 18 January, 2007.  It was done as part of a study being conducted for the European Commission by Alcatel-Lucent's Bell Labs and professional services organizations on this issue.  The study provides insights into the availability and security provisions of electronic communication networks and also makes recommendations to the Commission, Member States, and private sector designed to enhance the security and resilience of these networks.  The findings of the study will be presented at the multi-stakeholder dialogue in Europe, which will be attended by representatives of governments, industry, and users.  Opening the dialogue will be speakers from the financial sector, the electricity sector, and the transport sector who will stress the importance of reliable communications in their operations. 

This study follows a request form the European Council in June 2004 to prepare a critical infrastructure for Europe, the adoption of a Green Paper on critical infrastructure protecion in November 2005 (more information), and a proposal by the Commission for a European Programme on Critical Infrastructure Protection (EPCIP) in December 2006.  In May 2006, the Commission adopted a Communication on a strategy for a secure Information Society - "Dialogue, partership and empowerment" (COM(2006)251).  This action was endorsed the Council Resolution adopted on 11 December 2006.

See more information here.

In their paper "Spam Works: Evidence from Stock Touts and Corresponding Market Activity," Laura Frieder and Jonahan Zittrain examine the impact of spam that advertises stock upon the trading activity of those stocks, how profitable such spamming might be for the spammer, and how harmful this behavior is to those who follow the advice in stock-touting e-mails. Using a large sample of touted stocks listed on the Pink Sheets quotation system, the authors offer evidence showing that the use of spam is affecting stock prices. In addition to an increase in transaction volume, spammers are acheiving 5% gain on the stock before they dump it.  They also suggest that the effectiveness of this practice "calls into question the prevaling models of securities regulation that rely principally on the proper labeling of information and disclosure of conflicts of interest to protect consumers." In response to this, they propose several regulatory and industry interventions.

The paper can be found here.

Several Internet-related Decisions and Resolutions were adopted at the ITU 2006 Plenipotentiary Conference. These include:

• DECISION GT-PLEN/A (Antalya, 2006): Fourth World Telecommunication Policy Forum
• RESOLUTION 101 (Rev. Antalya, 2006): Internet Protocol-based networks
• RESOLUTION 102 (Rev. Antalya, 2006): ITU’s role with regard to international public policy issues pertaining to the Internet and the management of Internet resources, including domain names and addresses
• RESOLUTION 130 (Rev. Antalya, 2006): Strengthening the role of ITU in building confidence and security in the use of information and communication technologies
• RESOLUTION 133 (Rev. Antalya, 2006): Role of administrations of Member States in the management of internationalized (multilingual) domain names
• RESOLUTION GT-PLEN/7 (Antalya, 2006): Study on the participation of all relevant stakeholders in the activities of the Union related to the World Summit on the Information Society

The text of these resolutions and decisions can be found here.

A presentation entitled Update on ITU Cybersecurity and Countering Spam Activities (PDF), was made by Robert Shaw, Deputy Head, ITU Strategy and Policy Unit, at the 2nd Joint London Action Plan (LAP) - EU Contact Network of Spam Authorities (CNSA) meeting on 13-14 December in Brussels.

At the same event, Mark Sunner of MessageLabs gave a presentation entitled Security Landscape Update describing the latest kinds of security threats, including the emergence of a new peer-to-peer 'SpamThru' zombie botnet (Slide 7).

A detailed presentation by Joe St. Sauver at a recent Messaging Anti-Abuse Working Group meeting in Toronto, Canada describes how spammers are now resorting to hijacking IP address blocks.

8 December 2006 At last week's ITU WORLD TELECOM FORUM in Hong Kong, China, a special event was held entitled Countering Spam Cooperation Agenda. The agenda with submitted presentations from the meeting is now available on the WSIS Action Line C5: Partnerships for Global Cybersecurity website.

A ComputerWorld article describes Microsoft's battles with hackers: the software giant fights off more than 100,000 attacks every month.

[via Slashdot]

The 8^th edition of the ITU Internet Reports, entitled "digital.life" was prepared especially for ITU TELECOM World 2006 (December 4-8 2006, Hong Kong). The report examines how innovation in digital technology is radically changing individual and societal lifestyles.

Chapter four, identity.digital, explores the changing nature of the digital individual and the need for greater emphasis on the creation and management of digital identity. Individuals today spend more and more time using digital means to communicate and transact, be that sending and receiving e-mail, talking on a mobile phone, participating in a social networking site, buying music, booking vacations over the internet, or playing an online game. The complexity of the interaction between technology, personal consumption and the construction of identity in the virtual space is a growing area of research. Users of digital technologies have a wide scope for constructing their virtual identity.

The mostly nameless and faceless environments of cyberspace create an ideal background for developing alternate identities or digital personae. At the same time, there is an alarming increase in the amount and quality of data generated, collected and stored in the digital world. The sheer amount of this data is alarming, but so too is its nature, which is ever more detailed and personal. The public and private spheres of existence are experiencing a progressive blurring of the boundary separating them. These developments create a new set of concerns relating to human identity, data privacy and protection.

Information regarding individual identities is becoming an increasingly valuable commodity, and as a consequence, its protection and management are vital to a healthy and inclusive digital world. To learn more about these issues, download identity.digital.

For more information, please contact lara.srivastava(a)itu.int. All chapters of the digital.life report are available online free of cost.

In conjunction with the Forum at ITU TELECOM WORLD 2006, 4-8 December in Hong Kong, China, ITU is organizing a one day event on 8 December entitled "Countering Spam Cooperation Agenda". Key international and regional organizations involved in the fight against spam will gather to discuss greater collaborative efforts to combat spam and related threats. The event is open to all ITU TELECOM WORLD 2006 participants.

See the full ITU Press Release for the event here.

Prepared especially for ITU TELECOM World (December 4-8 2006 in Hong Kong), the 8^th in the series of ITU Internet Reports, entitled digital.life, begins by examining the underlying technologies for new digital lifestyles, from network infrastructure to value creation at the edges. In studying how businesses are adapting to fast-paced digital innovation, the report looks at how they can derive value in an environment driven by convergence at multiple levels. Moreover, a great challenge lies in extending access to underserved areas of the world. In light of media convergence, a fresh approach to policy-making may be required, notably in areas such as content, competition policy, and spectrum management. And as our lives become increasingly mediated by digital technologies, digital identities (both abstract and practical) take on a new dimension. Concerns over privacy and data protection do not seem to be sufficiently addressed by today's online environments. In this context, the report examines the changing digital individual, and outlines the need for improving the design of identity management mechanisms for a healthy and secure digital world.

The summary of the report highlights a few themes from each chapter to give a flavour of the report and puts forward key findings of digital.life.

 

For more information about the report as well as for downloading the full text of the report, please see the digital.life website or download the presentation from the digital.life press briefing.

You can purchase a hard copy of the report as well as a full electronic copy (including the complete statistical annex) online at the ITU Electronic Bookshop.

For more information about the report (including media enquiries), please contact lara.srivastava(a)itu.int.

A recent CNet News article shares background information and definitions on different topics in the area of security, including on botnets, distributed denial-of-service attacks, hacking, spyware, etc.

Read the full article here.

Splogs are blogs where the articles are fake and only created for spamming purposes. According to Technorati in its State of the Blogosphere the number of blogs created these past months has diminished largely because "splogs" are now easier to detect. Blog search engines detect and delete most of the "splogs", but according to Technorati, 4% of the "splogs" still manage to get through the filters in place.

Despite "splogs", the blogopsphere continues to grow. At the end of October 2006, 57 million blogs existed, 3 million more than in June 2006, and 55% were considered active (updated at least once in the last 3 months.).

To read the full l'Expansion magazine article in French, click here.

According to the European Commission, EU member states are not doing enough to tackle the problems of spam, spyware and malicious software, despite the existing EU legislation. The implementation by EU members of this legislation is still a problem and Europe continues to suffer from illegal online activities from inside the EU and from third countries.

The Commission is now calling on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software and urging governments and industry to cooperate fully in this fight by applying proper filtering policies and assuring good online commercial practices. The Commission has also called for prosecution of those involved in illegal online activities. Because of the criminal and fraudulent trend in spam, and its cross border aspects, good cooperation and dialogue between the EU and third countries is essential to succeed in this fight. According to Viviane Reding, the Commissioner for Information Society and Media "it is time to turn the repeated political concern about spam into concrete actions to fight spam."

For more information, see the newly released Commission Communication.

Read also the SiliconRepublic article.

ITU-T Focus Group on Security Baseline for Network Operators has issued a survey which seeks to assess the security preparedness of network operators. The results from the survey will be used in preparation of a new ITU-T Recommendation: "Security Baseline for Network Operators". Participants are asked about their level of preparedness for various security threats.

Once approved the ITU-T Recommendation will show the readiness and ability of operators to collaborate and coordinate counteraction against security threats arising from interconnected networks. The Security Baseline will allow network operators to assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied. It will also identify security Recommendations and standards to support evaluation of operators’ network security and information security.

Commencement of the first draft of the Recommendation will begin towards the end of 2006.
See the online survey which is aimed at network and service providers.

A deadline of 24 November 2006 has been set for survey responses.

Researchers and IT managers are confirming that spam levels have been particularly high in the past month and that there are no signs of a decrease. This phenomenon is the result of a new generation of viruses and zombies that infect computers very quickly and are increasingly difficult to get rid of. Image-based spam is also to be blamed. Spammers now know how to represent words in an image that are recognizable only by the human eye tricking anti-spam technologies and further increasing the negative effects of spam.

Read the full PC World article here.

The Asia Pacific Economic Cooperation (APEC), the EU Contact Network for Spam enforcement Authorities (CNSA), the International Telecommunication Union (ITU), the London Action Plan for Spam Enforcement (LAP), the Organisation for Economic Cooperation and Development (OECD), and the Seoul-Melbourne Anti-Spam group, six leading international anti-spam initiatives/organizations, launched at the United Nations Internet Governance Forum (IGF) in Athens, Greece, a new online information resource to assist stakeholders in their fight against spam.

This new website (http://www.stopspamalliance.org/) aims to help coordinate international action against spam more effectively and improve information sharing in this area. It will contain information on anti-spam laws and enforcement activities, consumer and business education, best practices for fighting spam, and international cooperation.

For further information, please visit http://www.stopspamalliance.org/

Read also the OECD news release for the launch of the StopSpamAlliance website.

Computer World reports of a new kind of spam called "targeted spam or spear phising". This type of spam, currently on the rise, is particularly hard to catch for spam filters because the spammer is able to "spoof" the sending e-mail address to make it look like it's coming from within the organization of the recipient. Unlike traditional spam, spammers send just a few of these messages at the same time, making antispam technology’s job even harder.

These attacks affect essentially large organizations or very well-known brands. Once the company has been alerted, blocking it is pretty easy. But detecting such well-crafted messages is becoming harder as the sophistication level of spam increases.

For more information, read the full Computer World article.

According to a recent Forbes article a new kind of spam is rapidly invading users’ e-mail boxes: image spam.

To the human eye, image spam looks like regular junk email, but for anti-spam software, the image spam is very hard to detect. Usually anti-spam programs scan messages for certain key phrases but do not analyze pictures, so the same word saved as an image file goes undetected. Anti-spam technology is trying to adapt to this new phenomenon. However, for now, image spam is on the growth and is consuming much more bandwidth and storage space in consumers’ e-mail boxes.

To read the full Forbes article, please click here.

For more information, see Secure Computing’s Report on Image Spam.

"In a sweeping set of measures, the German Federal Network Agency has ordered more than 80 network operators and service providers not to bill or collect for any phone numbers used illegally. A large number of consumers had complained to the German Federal Network Agency about so-called ping calls and other forms of telephone spamming."

"A ping call is where a call is made to a telephone number and broken off after just one ring. The subscriber’s display shows a “missed call” with an expensive premium-rate number or an 0137 number. In addition to these ping calls, another form of telephone spamming promises prizes where the person called hears a prerecorded message saying that they have won a large amount of money that can be collected by calling an expensive premium-rate number."

"The Federal Network Agency’s stringent measures are a continuation of the intense battle against telephone spam. Since May 2006 alone, the Federal Network Agency has disconnected 237 call numbers on account of ping calls and prize promises. In addition, a ban has been imposed on billing and collecting for 78 call numbers. These bans protect consumers that have called a spam number back, and prevents them from having to pay any charges. The spammer does not receive any payment for the calls initiated."

See the Federal Network Agency's press release here.

"Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures, but only if they are appropriately designed given the sensitivity of the information and the risks associated with the information. Overly rigorous authentication process, or requiring individuals to authenticate themselves unnecessarily, can be privacy intrusive."

The Office of the Privacy Commissioner of Canada's recently released new Guidelines for Identification and Authentication. The Guidelines are intended to help organizations develop appropriate identification and authentication processes in ways that respect the fair information practices in the Personal Information Protection and Electronic Documents Act (PIPEDA) and ensure compliance with its security provisions by providing the strongest protection for customers’ personal information. The scope of the document is limited to identification and authentication techniques between organizations and individuals.

These guidelines were released by the Canadian Privacy Comissioner, is a good document discussing both privacy risks and security threats:

See also a more detailed document published by Industry Canada in 2004 named "Principles for Electronic Authentication".

This article was accessed through Schneier's blog: Schneier on Security.

On 16 October 2006, Mauritius officially launched their Anti-Spam Awareness Campaign. On this occasion the Minister of IT and Telecommunications also presented a dedicated Anti-Spam Website with resource aimed at raising awareness and sharing information on spam, malwares, etc.

In Mauritius, the spamming problem is gaining in magnitude and there is a need to have a concerted approach to address this issue. Without remedial action to address the problem of spam in Mauritius, the country runs the risk of being seen as a safe haven for spammers and there is the risk that legitimate email traffic from Mauritius to other countries which have anti-spam legislation, could be blocked. In this context, the National Computer Board has set up a National Anti Spam Committee to co-ordinate activities at the national level with regards to combating spam.

The Anti-Spam Co-ordination Committee consists of representatives from the following national organisations: National Computer Board; IT Security Unit, Ministry of IT and Telecommunications; Ministry of Education and Human Resources; Ministry of Industry, Commerce, Small and Medium Enterprises and Cooperatives; Ministry of Foreign Affairs, International Trade and Cooperation Joint Economic Council; Mauritius Chamber of Commerce and Industry (MCCI); State Law Office; ICT Authority; Mauritius IT Industry Association; Internet Society; University of Mauritius (UOM); University of Technology; Telecom Plus/Mauritius Telecom ACT.

For further information see the newly launched Anti-Spam Website and Mauritius' Anti-Spam Action Plan.

The Journal du Net states in a recent article that organized cybercrimes represent a growing risk for internet users. Hackers use new techniques to hide and make their attacks more efficient. Their main goal is not to destroy computers. With the rapid development of e-commerce, hackers want to take over personal data and make as much profit as they can with it.

To achieve this, they use different forms of worms or trojans send from servers hosted in countries where the legislation is less strict. To protect their economic interests, businesses need to include employees in their security policies so they do not become the weak link in the security chain.

See Journal du Net for the full article in French.

There is growing interest in the economics of information infrastructure security.

Some of the seminal work in the field has been done by Ross Anderson of Cambridge University, particularly in his original paper Why Information Security is Hard - An Economic Perspective as well as in some of Bruce Schneier's work. Ross Anderson maintains an excellent resource page on the topic with pointers to relevant material.

In June of this year, the Fifth Workshop on the Economics of Information Security (WEIS 2006) was held in Cambridge, England and next week the The Workshop on the Economics of Security the Information Infrastructure will take place on 23 October 2006 in the Washington, D.C. area.

The first meeting of the Internet Governance Forum (IGF) will be held in Athens, Greece from 30 October - 2 November 2006.

The current programme is available here.

A couple of related websites have been unveiled:

• Australian academic Jeremy Malcolm has established IGFWatch at igfwatch.org.
  
• Jeremy Malcolm and also joined with UK journalist Kieren McCarthy to establish the IGF Community Site at www.igf2006.info for interaction before, during and after the event.

CircleID has a related article asking What Will Be the Outcome of the Internet Governance Forum Meeting in Athens?

Business Week Online shows in a recent article entitled "Needed: A National Cyber Security Law'" that more and more people have their personal information lost, stolen or compromised. Security breaches are eroding their trust in the capability of the Internet to deal with their private personal information. This growing confidence-deficit represents a serious threat to the economic growth of each country, according to the article. Therefore, it is time for officials to act by passing strong data-security laws. These national laws must aim to both prevent further data breaches and address leaks once they occur.

"To accomplish these goals, lawmakers should establish reasonable security measures, create a consistent and recognizable notification standard, encourage best practices such as encryption, and include effective enforcement capabilities".

See Business Week Online for the full article.

Computer World released an article entitled “Ten security trends worth watching”, based on Bruce Schneier’s speech at last month’s Hack in the Box Security Conference in Kuala Lumpur, Malaysia.

Mr. Schneier identified 10 trends affecting information security today:

1. Information is more valuable than ever.
2. Networks are critical infrastructure. "If the Net goes down, or part of the Net goes down, it really affects the economy".
3. Users do not necessarily control information about themselves. For example, Internet service providers have control over records the Web sites that users visit and email messages they send and receive.
4. Hacking is increasingly a criminal profession. More and more, attacks are organized and led by criminals who are driven by a profit motive.
5. Complexity is your enemy. "As systems get more complex they get less secure". Mr. Schneier mentioned that the Internet is "the most complex machine ever built".
6. Attacks are faster than patches. New vulnerabilities and exploits are being discovered faster than vendors can patch them.
7. Worms are more sophisticated than ever. 
8. The endpoint is the weakest link. "It doesn't matter how good your authentication schemes are if the remote computer isn't trustworthy".
9. End users are seen as threats.
10. Regulations will drive security audits.

See Computer World for the full article.

"The existing identity infrastructure of the Internet is no longer sustainable. The level of fraudulent activity online has grown exponentially over the years and is now threatening to cripple e-commerce. Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise." A recently released paper by the Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, tries to address this: 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. 

See more information on the 7 Laws in the related news release and brochure.

Slashdot has an article that says "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."

As a result of a British documentary, India is now under pressure to strengthen its laws combating data theft and other electronic crimes in the country. Amendments to India’s IT Act of 2000 have been proposed and should be enacted by the national parliament in its upcoming winter.

Read the full Information Week article here.

See also Department of Information Technology, Ministry of Communication and Information Technologies for more information.

An Open Event on "Security and Identity Management in a Federated World" was held on 2 October 2006, hosted by the Ecole Polytechnique Federale de Lausanne (EPFL) in collaboration with Sun Microsystems. Speakers included Sun Microsystems' John Gage and Liberty Alliance's Hellmuth Broda. ITU's Lara Srivastava participated in the event and spoke on "the problem of identity in networked spaces". Her presentation is available here.

The subject of digital identity will be examined more closely in the forthcoming 2006 ITU Internet Report entitled "digital.life", to be released at ITU Telecom World 2006, 4-8 December 2006 (Hong Kong, China).

 

A recent BBC article shows how vulnerable XP Home really is. "Using a computer acting as a so-called 'honeypot' the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day. With a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet."

The majority of the incidents were merely nuisances. "Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop-up. Others were made to look like security warnings to trick people into downloading the bogus file." "However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs. Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003. The bugs swamp net connections as they search for fresh victims and make host machines unstable. They have not been wiped out because they scan the net so thoroughly that they can always find another vulnerable machine to leap to and use as a host while they search for new places to visit."

Read the full BBC story.

This article was accessed through Slashdot.

Wired News in an article brings attention to the insecurity of some of the new technologies online. “VOIP and Ajax -- are dangerously insecure, and likely to only get worse as they become more prevalent, according to security researchers presenting their findings at the ToorCon security conference.”

"Voice over internet protocol is going mainstream, available to consumers and increasingly replacing the private phone systems in businesses of all sizes. Like the traditional phone, a VOIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VOIP systems neither of these channels is actually encrypted."

"According to Dustin Trammell, VOIP security researcher at Tipping Point, this leaves most VOIP calls vulnerable. Calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call, and nearly all VOIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device -- either your VOIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless."

Read the full Wired News article on VOIP and AJAX security issues.

The European Commission has signed a contract with the consortium Equant/Hewlett Packard for the provision of the infrastructure replacing several data communication infrastructures at EU level. sTESTA (Trans European Services for Telematics between Administrations), is the European Union's classified telecommunication network and responds to the growing need for secure information exchange between European and National administrations.

In order to respond to the need for a telecommunication network serving multiple stakeholders in multiple policy areas, the European Commission, the European Council, Europol and the European Railway Agency have joined forces. The sTESTA framework contract was awarded following a jointly launched tendering procedure. This contract will allow European and National Administrations to exchange data within several policy areas in a secured and reliable way. Commission Vice President Günter Verheugen, responsible for enterprise and industry policy, said: "This initiative will make the EU’s electronic communication infrastructure considerably more efficient. It will enable us to better respond to the many challenges in the field of eGovernment, making our society more modern and safer."

Read more in the EC Press Release.

The United States National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, aims to educate the public about core security protections this October, during the national cyber security awareness month, with its campaign on 'Cyber Security: Make It A Habit'.

U.S. National Cyber Security Awareness Month is a national campaign designed to increase the public’s awareness of cyber security and crimes issues, so that users can take precautions to avoid these threats on the Internet. The month will feature public relations activities, educational programs, events and initiatives throughout October that targets Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online.

See the U.S. National Cyber Security Awareness Month 2006 website for further information on this collective effort aimed at protecting the public from internet threats.

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. PhishTank was launched by the people behind OpenDNS and will be used to dynamically block access to phishing sites. For more information, see their FAQ.

A Strategic and Coordinated Approach Needed for Cybersecurity In a recent GovTech article, the Cyber Security Industry Alliance (CSIA) calls for a more strategic and coordinated approach from the U.S. government to ensure the nation's cybersecurity.

CSIA’s Executive Director Paul Kurtz emphasized that "the level of attention given to securing our information infrastructure is inadequate considering the reliance of Americans on the nation’s cyber systems." "In testimony before the House Committee on Energy and Commerce's Subcommittee on Telecommunications and the Internet, Kurtz highlighted the importance of the nation's cyber systems, calling them the newest and most pervasive portion of our critical infrastructure, and discussed the federal government's role in its protection. At the core of CSIA's recommendations is the need for a Strategic National Information Assurance Policy that would outline the key roles that relevant government agencies should play in the protection of our cyber infrastructure."

"No single entity owns our information infrastructure and no single government agency is solely responsible for its protection." "While the Department of Homeland Security clearly plays a critical role, many other agencies share responsibility for the overall well being of our cyber systems," said Kurtz. "Yet the government has shown little strategic direction or leadership when it comes to ensuring the resiliency and integrity of our information infrastructure and the protection of the privacy of our citizens. This is baffling when one considers that nearly every service we use, from our communications and utility networks to our financial and medical systems, is in some way reliant upon our nation's digital networks." Kurtz called out the need for a cyber early warning system that provides the nation with situational awareness of attacks.

Read the full story here.

The ITU has unveiled a new website Partnerships for Global Cybersecurity dedicated to moderation/facilitation activities related to implementation of WSIS Action Line C5: Building Confidence and Security in the Use of ICTs.

Background

The outcome documents from the World Summit on the Information Society (WSIS) emphasize that building confidence and security in the use of ICTs is a necessary pillar for building a global information society (see extracts). The Tunis Agenda describes the establishment of a mechanism for implementation and follow-up to WSIS and requests ITU to play a facilitator/moderator role for WSIS Action Line C5: Building Confidence and Security in the Use of ICTs. In order to stress the importance of the multi-stakeholder implementation of related work programmes, ITU has named this the Partnerships for Global Cybersecurity initiative.

Here's how to participate and how to contact us if you would like to contribute to the work programmes.

Work Programmes

Based on the first facilitation meeting held in May 2006 and the related Chairman's Report, work programmes in three focus areas have been initiated:

• Focus Area 1 (National Strategies): The development of a generic model framework or toolkit that national policy-makers could use to develop and implement a national cybersecurity or CIIP (Critical Information Infrastructure Protection) programme. More information on activities, mailing lists and events.
  
• Focus Area 2 (Legal Frameworks): Capacity-building on the harmonization of cybercrime legislation, the Council of Europe's Convention on Cybercrime, and enforcement. More information on activities, mailing lists and events.
  
• Focus Area 3 (Watch, Warning and Incident Response): Information-sharing of best practices on developing watch, warning and incident response capabilities. More information on activities, mailing lists and events.

For general information on WSIS implementation as a whole, including other action lines and themes, see here.

 

In a press release, Gartner, Inc. advises businesses to plan for five increasingly prevalent cyberthreats that have the potential to inflict significant damage on organisations during the next two years. These threats are:

• Targeted threats (Targeted threats are cyber attacks with a financial motivation that are aimed at one company or one industry);
• Identity theft (Identity theft refers to the theft of an individual's personal or financial information for the purpose of stealing money or committing other types of crimes);
• Spyware (Spyware is malicious software that can probe systems, reporting user behaviour to an advertiser or other party without the user’s knowledge);
• Social engineering (Social engineering is the practice of obtaining confidential information by manipulating legitimate users);
• Viruses (Viruses are malicious programmes that use a propagation method to enable widespread distribution.)

According to Amrit Williams, research director at Gartner, "We are seeing an increasingly hostile environment fuelled by financially motivated and targeted cyber attacks. By 2008 we expect that 40 percent of organisations will be targeted by financially motivated cybercrime."

"Cyber attacks are not new, but what is changing is the motivation behind them. They are no longer just executed by hackers for hobby or cybervandilism, but by professionals with a targeted aim at one person, one company or one industry," said Williams.

"For example, we have recently seen several companies hiring private investigators to spy on their competitors. Private investigators used Trojans to install targeted spyware on competitors’ computers to gather confidential information about such things as upcoming bids and customers."

Gartner said that social engineering and viruses will remain an everyday nuisance for chief information security officers through 2009. It warned that in the next two years, at least 50 percent of organisations will experience a social engineering or a virus attack."

Access the full report and Gartner news release here.

Business Communications Review has an article entitled The Botnet Threat reviewing a recent report put out by Arbor Networks, which surveyed ISPs about their biggest security concerns.

"When they surveyed 55 ISPs, McPherson and Labovitz discovered that distributed denial of service attacks, and the related threat of botnets, remain the biggest security problem that ISPs face. Together, these two elements were named as the top threat by 77 percent of respondents. "Brute-force attacks remain the most predominant attack type on the Internet today," the authors write.

The largest sustained attack reported by the survey respondents was a whopping 17 Gbps; a UDP flood of 22 million packets per second (pps) and a SYN flood of 14 million pps have also been reported. "The magnitude of these attacks is incredible when you consider that a 14 Mpps SYN flood can nearly fill an entire OC-192 (10 Gbps) circuit with a minimum packet size," McPherson and Labovitz write. "Any one of these attacks, or even a fraction thereof, can create significant pain for even the largest ISP networks in the world today."

The report also cites what the authors call "a new and disturbing observation" made by one respondent: Not only are botnets highly organized and "uniformly gargantuan," but there's an increasing amount of marketing of these botnets. ("Blast your affiliate numbers overnight!" is a typical pitch they report seeing.)"

InfoWorld reports that the U.S. Department of Homeland Security has released the findings of Operation Cyber Storm, a large-scale simulation of combined cyber-physical attacks on U.S. critical infrastructure.

"The U.S. Department of Homeland Security (DHS) released its public findings from Operation Cyber Storm, a large-scale tabletop simulation of a coordinated cyber attack on the government and critical infrastructure that was held in February, 2006. The exercise involved US-CERT, the Homeland Security Operation center as well as the National Cyber Response Coordination Group (NCRCG) and the Intragency Incident Management Group (IIMG), various ISACs from the transportation, energy, IT and telecommunications sectors, and 100 private sector companies." "The exercise simulated a large-scale cyber campaign that disrupts multiple critical infrastructure, as well as simulated "physical demonstrations and distrubances" to test the ability of government to respond to multiple incidents simultaneously, even when its not clear that the events are related (read: 9/11)."

From the article: According to DHS, "observers noted that players had difficulty ascertaining what organizations and whom within those organizations to contact when there was no previously established relationship or pre-determined plans for response coordination and risk assessments/mitigation. There was a general recognition of the difficulties organizations faced when attempting to establish trust with unfamiliar organizations during time of crisis."

Read the InfoWorld article here.
See the DHS press release on Operation Cyber Storm. 

This article was accessed via Slashdot.

A select committee has recommended a major change to New Zealand's anti-spam bill, suggesting anyone should be able to send unsolicited emails that are of an entirely non-commercial nature and need not desist even if asked to do so by the recipient. The original anti-spam bill said that organisations that sent unsolicited emails to promote their aims or ideals - such as school newsletters and messages from political lobbyists - would fall foul of the spam bill. This is if they did not stop sending messages when asked to do so, by letting recipients "opt-out". The select committee dropped this requirement in amendments it proposed early September 2006.

The proposed amendments also drop the legal requirement that spam be reported to a customer's internet service provider before Internal Affairs could take action. Other proposed amendments eliminate the distinction between emails whose prime purpose is commercial and ones that are primarily promotional, but which contain a commercial element, and lift a ban on possessing or supplying email harvesting software, but bans New Zealanders from using such software to send spam.

This news item was retrieved through the APCAUCE Newslog.
The full article is available at stuff.co.nz.

The Messaging Anti-Abuse Working Group (MAAWG), in the context of its work together with the OECD Anti-Spam Task Force has developed an E-mail Metrics Program and agreed on a series of ISPs spam indicators. In June 2006 MAAWG released the second spam metrics report. The report, providing data for the first quarter 2006, is key to evaluating the evolution of spam and the effectiveness of anti-spam solutions and educational efforts.

Download the full MAAWG report here.

On the 5th of May 2006, France and Japan signed a joint statement within the framework of a coordinated international action in order to fight spam. Both countries especially consider to exchange informations and good practices regarding the field of anti-spam policies and strategies.

The French Direction du Developpement des Medias (DDM) has more information on their website.

See other spam-related articles on the OECD Task Force on Spam website

The Vietnamese Ministry of Trade is drafting a circular governing advertising activities by electronic means, including emails, pop-ups and mobile phone messages.

"Local Internet users have been bombarded with spam mails but most of them are from overseas. Now such a circular is necessary as local spamming activities are on the rise.

The circular has basic requirements for users to fight spams such as opt-out options, genuine sender addresses, sender telephone numbers and obvious headings. But it seems that the draft circular is too lenient towards spammers when it provides them five working days before they have to stop their spams in case recipients choose to opt out. It also allows for the collection of personal data including email addresses and telephone numbers. Even though the circular requires collecting parties to ask for permission first and to keep those data confidential, this provision can be abused and can cause disputes later on.

This is all the more possible because the circular provides two scenarios: A complete ban of sales of email addresses and telephone numbers to advertisers; or allowing such an activity. Unsolicited short mobile messages are now possible because some carriers are selling subscribers’ numbers to various advertising companies. Users are especially frustrated when senders use some automatic message generation device so that they might receive an advertising message in the middle of the night.

The fines provided in the draft circular are from VND5 million to VND20 million, which many say are not heavy enough to prevent harmful violations of personal information."

[via APCAUCE and Viet Nam News]

"As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device."

The U.S. CERT (Computer Emergence Readiness Team) recently published a list of tips for users on how they can protect themselves against these increasing threats.

What unique risks do cell phones and PDAs present?

Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:

• Abuse your service;
• Lure you to a malicious web site;
• Use your cell phone or PDA in an attack;
• Gain access to account information.

What can you do to protect yourself?

• Follow general guidelines for protecting portable devices;
• Be careful about posting your cell phone number and email address;
• Do not follow links sent in email or text messages;
• Be wary of downloadable software;
• Evaluate your security settings.

Read the full article on the U.S. CERT website.

The top three antivirus programs -- from Symantec, McAfee, and Trend Micro -- are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs:

"On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.

"We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.

However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.

It's interesting to watch the landscape change, as malware becomes less the province of hackers and more the province of criminals. This is one move in a continuous arms race between attacker and defender."

[via Schneier on Security]

In separate reporting on the Black Hat USA conference, experts say that the spyware problem has "gotten so bad that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies" .

"It's not technically feasible to stop spyware. You will not be able to stop this technically "This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Seattle-based Doxpara Research, speaking on a spyware panel at the recent Black Hat USA 2006 event. "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."

"To protect Internet users from online fraudsters and defend the Internet against scammers commandeering network resources, the two most influential global trade associations combating Internet crime have jointly released an explicit new set of Best Practices to combat “phishing,” a major cause of online identify theft and fraud. The recommendations will help Internet Service Providers (ISPs) and mailbox providers better police their own infrastructures and filter traffic traversing their networks."

The Anti-Phishing Working Group (APWG) and the Messaging Anti-Abuse Group (MAAWG) jointly developed the recommendations outlined in "Anti-Phishing Best Practices for ISPs and Mailbox Providers." The paper provides technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent network abuses and also includes practices to respond constructively when these attacks occur. “Phishing” employs deceptive technology such as spoofing and social engineering to steal consumers' personal identity and financial account data, and has become a major concern."

To download the full recommendations, click here.

The Secretary-General of the United Nations has announced the convening of the Internet Governance Forum, to be held in Athens on 30 October - 2 November 2006.

The Secretary-General's message is available in all UN languages: [English] [Français] [中文] [عربي] [Русский] [Español]. The message in English reads:

"The second phase of the World Summit on the Information Society (WSIS), held in Tunis on 13-15 November 2005, invited me to convene a new forum for multi-stakeholder policy dialogue -- called the Internet Governance Forum (IGF). The Summit asked me to convene the Forum by the second quarter of 2006 and to implement this mandate in an open and inclusive process.

The Government of Greece made the generous offer to host the first meeting of the IGF and proposed that it take place in Athens on 30 October - 2 November 2006.

I have asked my Special Adviser for Internet Governance, Mr. Nitin Desai, to assist me in the task of convening the IGF and I have also set up a small secretariat in Geneva to support this process. Two rounds of consultations open to all stakeholders held in Geneva on 16-17 February and 19 May have contributed towards a common understanding with regard to the format and content of the first IGF meeting. I have also appointed an Advisory Group with the task of assisting me in preparing the IGF meeting.

The Advisory Group held a meeting in Geneva on 22 and 23 May 2006 and made recommendations for the agenda and the programme, as well as the structure and format of the first meeting of the IGF in Athens.

As the IGF is about the Internet, it is appropriate to make use of electronic means of communication to convene its inaugural meeting. The document adopted by WSIS -- the Tunis Agenda for the Information Society -- calls on me "to extend invitations to all stakeholders and relevant parties to participate at the inaugural meeting of the IGF". Therefore, it is my pleasure to make use of the World Wide Web to invite all stakeholders -- governments, the private sector and civil society, including the academic and technical communities, to attend the first meeting of the IGF in Athens. The overall theme of the meeting will be "Internet Governance for Development". The agenda will be structured along the following broad themes.

• Openness - Freedom of expression, free flow of information, ideas and knowledge
• Security - Creating trust and confidence through collaboration
• Diversity - Promoting multilingualism and local content
• Access - Internet Connectivity: Policy and Cost

Capacity-building will be a cross-cutting priority.

The meeting will be open for all WSIS accredited entities. Other institutions and persons with proven expertise and experience in matters related to Internet governance may also apply to attend.

In its short life, the Internet has become an agent of dramatic, even revolutionary change and maybe one of today's greatest instruments of progress. It is a marvelous tool to promote and defend freedom and to give access to information and knowledge. WSIS saw the beginning of a dialogue between two different cultures: the non-governmental Internet community, with its traditions of informal, bottom-up decision-making; and the more formal, structured world of governments and intergovernmental organizations. It is my hope that the IGF will deepen this dialogue and contribute to a better understanding of how we can make full use of the potential the Internet has to offer for all people in the world.

(Signed) Kofi A. Annan" 

[via the Internet Governance Forum]

In a new scam, called vishing, identity thieves use bogus phone numbers instead of Web sites, reports PC World in a recent article featuring phishing scams on VoIP phones.

"Related to phishing scams, the new scheme uses cheaply obtained VoIP numbers as bogus credit card or financial services telephone numbers", the article continues.  "With Internet users being warned about clicking on hyperlinks in unsolicited e-mail, the new scam includes a phone number instead". "It's a natural elevation of the art to move it to the telephone. People are getting nervous about clicking on links", the article states.

The articles gives examples of how these new scams take place: "In one vishing case, scammers targeted PayPal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity. The recording asked the telephone customer to call a number with a spoofed caller ID related to the credit card issuer. Once users call, they are asked for personal account information."

VoIP numbers are easy to obtain anonymously, but an industry expert interviewed for the story did not fault VoIP providers for vishing scams. "A larger problem is the ease of obtaining credit online or over the telephone. Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated. In today's environment, it's absurd," the industry stated.

Read the full article on the PC World news website.

 

A presentation entitled Cybersecurity & Spam after WSIS: How MAAWG Can Help (PDF) was made by Robert Shaw, Deputy Head, ITU Strategy and Policy Unit at the Messaging Anti-Abuse Working Group meeting held 27-29 June 2006 in Brussels, Belgium.

Anti–spam legislation for the Cayman Islands is being considered by the Information and Communications Technology Authority.

The ITCA is now seeking input through a public consultation campaign. The goal is to ensure that any anti–spam legislation enacted in Cayman Islands is an effective tool as part of a multi–pronged attack on spam.

More information can be found here.

The Department of Communications, Information Technology and the Arts has conducted a legislative review of the Spam Act.

The review is required by legislation to assess the operation of the Spam Act after two years of its operation. The Department prepared a report based on the submissions received. The Minister tabled the report in Parliament on 22 June 2006.

The Minister’s press release is available here.

More information can be found here.

Ministry of Information Industry (MII), Internet Society of China (ISC) and China Communications Standards Association (CCSA) launched a national anti-spam campaign on June 21, reports Nanfang Daily. An insider at ISC said MII has set up a hotline at 01-12321 for spam-related tip-offs and is preparing to send out one million anti-spam notices.

The report said that professional training will be offered for 1,000 email administrators and that 20,000 anti-spam volunteers will be recruited.

This news item was accessed through Slashdot Newslog.

United Kingdom's Ofcom is currently working on a publication examining various national and international approaches to protecting consumers on the internet.

Coincidening with this publication, the regulator will hold a seminar will that allow stakeholders to examine the results of Ofcom's survey, hear the views of Internet industry stakeholders and discuss what can be done in the future to better protect consumers on the Internet. Ofcom organising such an event is a measure of the challenge posed to both regulator and consumer by the growth of net services and the collision of the highly regulated world of broadcasting with the virtually unregulated world of the internet.

This news item was accessed through Roger Darlington's CommsWatch blog.

According to a recently released article by CircleID, the United Kingdom today is one of the main attack targets by phishing organized crime groups, globally. Worldwide it is estimated (CircleID) that phishing damages will amount to about two billions USD in 2006 -- not counting risk management measures such as preventative measures, counter-measures, incident response and PR damages.

In most cases, phishing is caused by the fault of the users, either by entering the wrong web page, not keeping their computers secure or falling for cheap scams. Often this is due to lack of awareness or ability in the realm of Internet use rather than incompetence by the users.

For more information see CircleID article on Phishing: Competing on Security. 

A news release by the Japanese MIC announces the signing of a "Joint Statement between France and Japan, Concerning Cooperation in the Field of Anti-spam Policies and Strategies".

Particular areas of cooperation will include:

• Exchanging information about anti-spam activities such as anti-spam policies and strategies, as well as technical and educational solutions to spam, including mobile spam;
• Encouraging the adoption of effective anti-spam technologies and network management practices by French and Japanese Internet service providers and major business network managers, and further cooperation between government and private sectors;
• Supporting French and Japanese marketers or bulk email senders in adopting spam-free marketing techniques;
• Identifying and promoting user practices and behaviours which can effectively control and limit spam and supporting the development of public relations and awareness campaigns for the multi-stakeholders to foster increased adoption of anti-spam practices and behaviours by end users in France and Japan;
• Cooperating to strengthen anti-spam initiatives being considered in international forum.

More information can be found here.

[Via APCAUCEWiki News]

Microsoft today gave the world a rare - albeit conservative - glimpse of its view on just how bad the virus and bot problem has gotten for Windows users worldwide.

The data comes from 15 months' worth of experience scanning computers with its "malicious-software removal tool," a free component that Microsoft offers Windows XP, Windows 2000 and Windows Server 2003 users when they download security updates from Microsoft.

More information can be found here.

Do not panic if your data is hidden by virus writers demanding a ransom. A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back.

More information can be found here.

Study Group 17 Questionnaire on information about experiences on the use of IDN

"The World Telecommunication Standardization Assembly (Florianópolis, 2004) in Resolution 48 instructed Study Group 17 (Security, languages and telecommunication software) to study Internationalized Domain Names (IDN).  The belief is that IDN implementation will contribute to easier and greater use of the Internet in those countries where the native or official languages are not represented in ASCII characters.

To assist this plan, Question 16/17 (Internationalized Domain Names) has been brought into being and tasked with investigating all relevant issues in the field of IDNs.

To recognize national, regional and international issues concerning IDNs, Study Group 17 prepared a questionnaire (see Annex 1) on information about experiences on the use of IDNs.

The objective of this questionnaire is to collect information and experiences on Internationalized Domain Names under ccTLD (country code Top Level Domain) around the globe. This will help identify Member States’ needs and practices concerning this subject. This information will serve to prepare a report on the implementation of IDNs and facilitate future work on IDN within Study Group 17.

If there are two or more ccTLDs in the responder's Member State, please complete separate answer sheets for each, unless they have exactly the same answers.

If the Member State is not responsible for the ccTLD, please forward the questionnaire to the concerned body."

Australian PC users can now get more proactive about combating SPAM email with the launch of a reporting system by the Australian Communications and Media Authority.

More information can be found here.

The April MessageLabs Intelligence Report includes analysis of the threat landscape during the first quarter of 2006. Overall, threat levels remained largely stable with previous months, with the U.S. continuing to play the role as the largest source of malware, spam and phishing attacks, hosting 18.1 percent of the world’s compromised (zombie) computers in the first quarter of 2006 (down from a high of 44 percent in Q2 05).

More information can be found here.

Take Back the Net is an initiative of The Institute for Spam and Internet Public Policy (ISIPP). ISIPP is committed to helping to rid the Internet of spam and other illegal activities, and to helping people to secure their computers. Thanks to Suresh Ramasubramanian for the pointer.

Use the Internet at home and you have a 1-in-3 chance of suffering computer damage, financial loss, or both because of a computer virus or spyware that sneaks onto your computer. That's one of the unsettling conclusions from the 2005 Consumer Reports State of the Net survey of online consumers.

More information can be found here.

Bruce Schneier's Schneier on Security points to an article explaining the steps that someone has taken to deal with identity theft.

In a press release today, ITU announced a global opinion survey to assess trust of online transactions and awareness of cybersecurity measures. The survey was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year — Promoting Global Cybersecurity — aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.

The announcement of the results of the survey coincides with the launch of an ITU Cybersecurity Gateway portal. The portal is a global online reference source of national cybersecurity initiatives and websites around the world and provides an integrated platform for sharing cybersecurity related information and resources. Presenting information tailored to four specific audiences: citizens, businesses, governments, and international organizations, the portal also provides information resources on topical cybersecurity concerns such as spam, spyware, phishing, scams and frauds, worms and viruses, denial of service attacks, etc.

With thousands of links to relevant materials, ITU intends to constantly update the portal with information on cybersecurity initiatives and resources gathered from contributors around the globe. For example, a number of countries are now ramping up national critical information infrastructure protection (CIIP) programmes and sharing information on these initiatives through the portal can assist both developed and developing economies in promoting global cybersecurity.

These efforts highlight work being carried out as follow-up to the World Summit on the Information Society (WSIS) Action line C5 dealing with "Building confidence and security in the use of ICT", for which ITU is the facilitator/moderator.

Update: UN Secretary-General Kofi Annan has made the following statement in conjunction with World Telecommunication Day giving his perspectives on promoting global cybersecurity.

The European Commission has launched a public consultation on RFID, with a view to developing a coherent RFID Policy for Europe. In order to prepare for the consultation, the Commission is organizing a series of workshops (5) between March and June 2006, in which experts and stakeholders from all over Europe and the world come together to debate the key issues.

ITU's Lara Srivastava spoke at the first workshop (6-7 March 2006), and also at the third workshop in the series held 16-17 May 2006 on "RFID Security, Data Protection & Privacy, Health and Safety Issues" (see the presentation here). The Policy Framework Paper written by the Commission in advance of the meeting highlighted the vision of the ITU's 2006 Internet Report on "The Internet of Things" released in November 2005.

Two more workshops are planned in early June, after which the Commission will open up the debate for a wider on-line public consultation, resulting in a Communication on RFID to be issued later this year.

For more information, including webcasts, see the European Commission RFID Consultation Website.

 

The Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) authored by OASIS (Organization for the Advancement of Structured Information Standards) have been consented as internationally recognised ITU-T Recommendations. The announcement is the first result of the formal relationship between the standardization sector of ITU and OASIS.

The standards (ITU-T Recommendations X.1141 (SAML) and X.1142 (XACML)) address the concern of how to allow safe single sign-on, a system that enables a user to authenticate once and gain access to the resources of multiple software systems. While solutions existed in this space, all were proprietary, and therefore not addressing the problem on a global level.

SAML and XACML are designed to control access to devices and applications on a network. The need for standards in this area has become more of an issue as business networks increasingly use the public Internet.

SAML addresses authentication and provides a mechanism for transferring authentication and authorization decisions between cooperating entities, XACML leverages this information to determine access to resources by focusing on the mechanism for arriving at those authorization decisions.

An additional feature of SAML is that it allows organizations to communicate information without any change to their own internal security architectures.

[via ITU-T Newslog]

The Secretariat of the Internet Governance Forum (IGF) has released a summary of the discussions and contributions for the substantive agenda of the first meeting of the IGF, to be held in Greece later this year.

Singapore’s mobile users – 99.8% of Singapore’s population, according to the Infocomm Development Authority’s (IDA) February 2006 stats – will have more protection against mobile spam in the future. IDA has put its foot down on this issue, warning of “swift enforcement” of penalties should mobile operators continue to fail to resolve mobile spam issues satisfactorily.

A strong warning letter was sent to SingTel, StarHub and M1, the three mobile operators in Singapore. In addition, IDA decided to make an example of errant content operator mTouche in the highly publicized mTouche spam case. Between 30th January to 5th February this year, 300,000 mobile end users were billed S$1 for unsolicited SMSes sent by mTouche through the three telcos.

More information can be found here.

China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII).

The impact on corporate email servers, which are commonly used by companies with more than a handful of employees, appears to have gone unnoticed until now. However, Singapore-based technology consultant, James Seng, who first drew attention to the new email licence requirement, believes the inclusion of the prohibition on mail servers is no accident.

More information can be found here.

NetWizard's Blog points to the publishing of RFCs for authentication proposals Sender Policy Framework (SPF) and Sender-ID:

• RFC 4405 - SUBMITTER SMTP extensions to be used with Sender-ID
• RFC 4406 - main Sender-ID draft
• RFC 4407 - PRA algorithm (which is what Microsoft was trying to patent - also see this)
• RFC 4408 - main SPF draft

The "Survey on Industry Measures taken to comply with National Measures implementing Provisions of the Regulatory Framework for Electronic Communications relating to the Security of Services" conducted by the Technical Department of ENISA, Section Security Policies is available here.

The US Federal Communications Commission today adopted a Second Report and Order and Memorandum Opinion and Order (Order) that addresses several issues regarding implementation of the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. Among other things, the Order affirms that the CALEA compliance deadline for facilities-based broadband Internet access and interconnected VoIP services will be May 14, 2007, as established by the First Report and Order in this proceeding. The Order concludes that this deadline gives providers of these services sufficient time to develop compliance solutions, and notes that standards developments for these services are already well underway. Further details and background are available in the FCC news release and statement by individual FCC commissioners:

• News Release: Word | Acrobat
• Martin Statement: Word | Acrobat
• Copps Statement: Word | Acrobat
• Adelstein Statement: Word | Acrobat
• Tate Statement: Word | Acrobat

"As the International Telecommunication Union (ITU) prepares to celebrate this year's World Telecommunication Day, Nigerian experts on information communications technology, mobile telecommunication firms and industry regulators will converge in Abuja to brainstorm on the strides the nation had taken in the sector over the last couple of years and take stock on the level at which the government and the citizenry have embraced the new technologies as a tool for economic and social development."

"In keeping with the theme of this year's celebration - 'Promoting Global Cybersecurity'- an international symposium has been scheduled to held (in Abuja) where issues such as internet governance, financing of ICT development and universal access to the information superhighway will be discussed."

"Experts and technocrats will also compare notes on the theories and realities of Information Communication Technology in terms of achieving the Millennium Development Goals in Nigeria. The symposium is also expected to explore avenues of strengthening bilateral and multilateral development and economic cooperation for ICT expansion in Nigeria."

For the full story featured in This Day Online  and shared through All Africa.com, click here.

Following a decision by ITU Council during Council 2006 held 19-28 April, the following documents are available: Council Document 2006/04: ITU activities related to Internet Protocol (IP)-based networks and management of Internet domain names and addresses; including activities related to Internet governance (PDF), Addendum 1 (PDF), Briefing Note (PDF).

References to related materials can be found here and here.

A new wave of spam could be on the way that tricks recipients by looking like it’s a message sent from their friends' e-mail address. This sort of spam would bypass even those filters that currently weed out 99% of the bad stuff, says John Aycock, an assistant professor of computer science at the University of Calgary.

Aycock and student Nathan Friess conducted research and wrote a paper dubbed "Spam Zombies from Outer Space" to show that generating such customized spam -- such as in the form of e-mail replies -- would not be too difficult, as has been assumed in the past. Spammers have leaned toward bulk e-mail generation that is less customized.

More information can be found here.

In a press release, the European Commission has indicated its views on follow-up to the international policy commitments made at WSIS:

To keep up the momentum of the successful World Summit on Information Society (Tunis, 16-18 November 2005), the European Commission has set out today its priorities for implementing the international policy commitments made at the Summit. These priorities include safeguarding and strengthening human rights, in particular the freedom to receive and access information. Information and communication technologies (ICTs) should be used to contribute to open democratic societies and to economic and social progress worldwide. The Commission calls for continuing international talks to improve Internet governance through the two new processes created by the Summit: the multi-stakeholder Internet Governance Forum and the mechanism of enhanced cooperation that will involve all governments on an equal footing.

The EC has also issued a FAQ on Internet Governance.

Via Schneier on Security comes news of a Kaspersky Labs report on extortion scams using malware:

We've reported more than once on cases where remote malicious users have moved away from the stealth use of infected computers (stealing data from them, using them as part of zombie networks etc) to direct blackmail, demanding payment from victims. At the moment, this method is used in two main ways: encrypting user data and corrupting system information.

Users quickly understand that something has happened to their data. They are then told that they should send a specific sum to an e-payment account maintained by the remote malicious user, whether it be EGold, Webmoney or whatever. The ransom demanded varies significantly depending on the amount of money available to the victim. We know of cases where the malicious users have demanded $50, and of cases where they have demanded more than $2,000. The first such blackmail case was in 1989, and now this method is again gaining in popularity.

In 2005, the most striking examples of this type of cybercrime were carried out using the Trojans GpCode and Krotten. The first of these encrypts user data; the second restricts itself to making a number of modifications to the victim machine's system registry, causing it to cease functioning.

Though the United States is making progress in the war on unsolicited commercial e-mail, or spam, it still generates more than any other nation in the world, according to recent statistics from Sophos, a provider of anti-malware solutions.

Sophos ranked spam outputs of the top 12 countries and top six continents based on messages it received in its “global network of spam traps” between January and March, according to the group’s release.

More information can be found here.

The Federal Trade Commission (FTC) joined 29 other countries in calling for increased cooperation between nations in combating spam. The FTC signed off on a set of anti-spam recommendations by the Organization for Economic Cooperation and Development (OECD), a coalition of 30 countries organized to promote economic growth and trade.

More information about OECD activities on  countering spam can be found here.

Please clik here to read the article.

The third edition of the International Critical Information Infrastructure Protection (CIIP) Handbook focuses on key aspects of CIIP related to security policy.

The CIIP Handbook is the product of a joint effort within the Comprehensive Risk Analysis and Management Network (CRN) partner network. The CRN is run by the Center for Security Studies (CSS) at the Swiss Federal Institute of Technology (ETH Zurich) and is a member of the Center for Comparative and International Studies (CIS).

"The first (2002) edition of the CIIP Handbook contained an inventory of protection policies in eight countries (Australia, Canada, Germany, the Netherlands, Norway, Sweden, Switzerland, and the United States) and their methods employed for CII assessment. The second edition (2004) included an update of existing surveys and covered six additional countries (Austria, Finland, France, the United Kingdom, Italy, and New Zealand) as well as international protection efforts."

"The latest version continues the tradition of the past two editions, while its scope has been extended: not only has the country survey section been further expanded with a specific focus on Asia by including India, Japan, the Republic of Korea, Malaysia, Singapore, and Russia, but it is also accompanied by a second volume with in-depth analysis of key issues related to CIIP."

Please click here to read more about the 2006 CIIP Handbook.

Volume 1 of the 2006 CIIP Handbook can be downloaded here.
Volume 2 of the 2006 CIIP Handbook can be downloaded here. 

The United States National Science and Technology Council (NSTC), a Cabinet-level Council that coordinates science and technology policies across the Federal Government, on April 17th, 2006, released the Federal Plan for Cyber Security and Information Assurance Research and Development.

"This report sets out a framework for multi-agency coordination of Federal R&D investments in technologies that can better secure the interconnected computing systems, networks, and information that together make up the U.S. information technology (IT) infrastructure."

"This country’s IT infrastructure – which includes not only the public Internet but also the networking and IT systems that control critical infrastructures ranging from power grids to emergency communications systems – is vital not only to our national and homeland security but to our economic security," said John H. Marburger III, Science Adviser to the President and Director of the Office of Science and Technology Policy (OSTP). "This report provides a blueprint for coordination of Federal R&D across agencies that will maximize the impact of investments in this key area of the national interest."

The Plan was prepared by the Interagency Working Group (IWG) on Cyber Security and Information Assurance (CSIA), whose members represent more than 20 government organizations. The CSIA IWG operates under the auspices of the NSTC’s Subcommittee on Infrastructure and Subcommittee on Networking and Information Technology Research and Development (NITRD).

The Federal Plan for Cyber Security and Information Assurance Research and Development is available through the NITRD Program Web site.

Please see the recent Press Release and the Federal Plan for further details on these activities.

China’s Ministry of Information Industry has adopted the Measures for the Administration of Internet E-mails. The regulations, which took effect from 30 March 2006, are designed to apply to email service providers and apply to any person operating an email service for Internet users in Mainland China.

The regulations are as follows:

• A provider is defined as any person in the service supply chain involved in delivering or helping users to receive email;
• Service providers must register with the government and obtain a license before providing email services;
• Violators face warnings or penalties of up to 30,000 yuan (approx. $3,700 US) and risk losing their license;
• Firms are barred from sending unsolicited commercial messages without prior consent from recipients;
• All commercial email must have a subject header of “AD” or the Chinese character for advertisement;
• The rules only apply to email containing commercial advertisements;
• The rules state that providers must stop delivery of any messages containing commercial advertisements even if a recipient first consents, but later changes his or her mind.

A copy of the rules (in Chinese) can be found here.

 

The Federal Trade Commission and members of the International Consumer Protection and Enforcement Network (ICPEN) are meeting in Jeju, Korea, on March 26-28, to discuss the progress of international efforts to combat cross-border fraud and explore new international initiatives to protect consumers around the world.

The FTC’s participation in ICPEN is one part of the agency’s ongoing effort to combat a rising number of cross-border fraud complaints from American consumers. ICPEN members discussed the results of a recent Internet surf for Web sites that are “hidden traps online.”

Over 30 countries participated in the international surf. In the United States, the focus was on Web sites with fraudulent claims advertising “miracle cures” for diabetes, with the FTC, FDA, and several states Attorneys General offices participating.

The FTC and its partners reviewed over 1,000 Web sites and identified over 150 with potentially misleading diabetes claims. The FTC will follow-up, sending warning letters to Web sites that appear to have deceptive or false claims.

More information can be found here.

Owing the dangers of cybercrime and the need for common minimum technical and legal standards to fight such crime at a global level, the Convention on cybercrime (ETS N° 185) was prepared by Council of Europe member States and Canada, Japan, South Africa and the United States. It entered with force on 1 July 2004. Its Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS N° 189) entered into force on 1 March 2006.

The Convention is the only binding international instrument dealing with cybercrime. It has received widespread international support and is open to all States.

The Convention provides for consultations of the Parties (the Convention Committee on Cybercrime (T-CY)). The first meeting of the consultation of the parties took place in Strasbourg, France from 21-22 March 2006. Documents and materials from the meeting are available on the T-CY website.

Activités de l’UIT dans la Lutte contre le SPAM, PDF, Cristina Bueti, ITU Strategy and Policy Unit,21 March 2006, presented at the workshop on "Lutte contre le SPAM"(Rabat, Morocco).

The fight against spam, phishing and e-mail fraud should focus on economic incentives and aiding law enforcement, according to attendees at a conference examining the problem this week. Speakers at MIT's 2006 Spam Conference were notably cognizant of the recent proposals of white lists and AOL's Goodmail, a pay per e-mail service offering preferential treatment in e-mail delivery for marketers.

More information can be found here.

 

World Telecommunication Day (WTD) commemorates the founding of ITU on 17 May 1865. This year, WTD could carry added significance as 17 May has been identified by the Tunis phase of the World Summit on the Information Society as “World Information Society Day”.

While World Information Society Day is yet to be proclaimed, ITU, as the leading ICT agency of the UN system, upholds the idea and looks forward to its members to raise awareness of the role of ICT in achieving the development goals of all people.

For WTD 2006, the ITU Council chose the theme of Promoting Global Cybersecurity to highlight the serious challenges we face in ensuring the safety and security of networked information and communication systems.

In today’s interconnected and increasingly networked world, societies are vulnerable to a wide variety of threats, including deliberate attacks on critical information infrastructures with debilitating effects on our economies and on our societies. In order to safeguard our systems and infrastructure and in order to instill confidence in online trade, commerce, banking, telemedicine, e-government and a host of other applications, we need to strengthen the security practices of each and every networked country, business, and citizen, and develop a global culture of cybersecurity.

The urgency of promoting cybersecurity has been called for by the ITU Plenipotentiary Conference in 2002, the World Telecommunication Standardization Assembly (WTSA-2004) as well as the United Nations General Assembly (resolutions 58/199, 2004, and 57/239, 2002).

Invitations to organize national programmes in the context of promoting the theme Promoting Global Cybersecurity for WTD 2006 were sent to all ITU Member States and ITU Sector Members. Sector Members represent over 647 public and private companies and organizations with an interest in telecommunications. Also in conjunction with WTD 2006, the ITU is conducting a survey of cybersecurity trust and awareness. A list of links to the related materials includes:

• Message from the ITU Secretary-General, Yoshio Utsumi
• Circular Letter sent to ITU Member States
• Circular Letter sent to ITU Sector Members
• Cybersecurity Trust and Awareness Survey

 

Internet service providers could face huge fines if they do not provide spam filtering or impose email sending limits under new rules set down by a communications watchdog. The Australian Communications and Media Authority (ACMA) today registered the world's first legislative code of practice for internet and email service providers.

More information can be found here.

At a technology forum in Brussels hosted by EuroISPA - the European Internet Services Providers Association, and co-sponsored by Interpol, Neil Holloway, president, Microsoft (Europe, Middle East and Africa), inaugurated a global law enforcement campaign targeted at cybercriminals responsible for phishing attacks.

This is part of Microsoft's larger program dubbed - the Global Phishing Enforcement Initiative (GPEI), that aims at co-ordinating and expanding the company's anti-phishing efforts globally.

More information can be found here.

On 23-24 March 2006 at ITU headquarters, the ITU Strategy and Policy Unit hosted a high-level experts workshop entitled What Rules for IP-enabled NGNs? focused on the policy and regulatory challenges related to the deployment of IP-enabled NGNs. The following materials are now available:

• The original workshop concept document providing details on the objectives of the workshop
• Final Agenda
• Background papers:
  • Ruling the New and Emerging Markets in the Telecommunication Sector by Christian Wey, Pio Baake and Sven Heitzler 
  • Interconnection in an IP-enabled NGN Environment by Scott Marcus
  • Universal Service in an IP-enabled NGN Environment by Patrick Xavier
• All presentations and contributions
• Webcast archives

Communications points to an interesting presentation on reverse engineering Skype given by Philippe BIONDI & Fabrice DESCLAUX at the Blackhat Europe conference in Amsterdam, March 2nd & 3rd. Warning: 115 highly technical slides including this conclusion:

The « Direction du Développement des Médias (France), l’Agence Nationale de Réglementation des Télécommunications (Morocco), l’Institut Francophone des Nouvelles Technologies de l’Information et de la Formation (Francophonie) et le Service Public Fédéral Economie, PME, Classes moyennes et Energie (Belgium) » are jointly organizing a workshop on the « Fight against Spam ».

The workshop will be held in Rabat (Morocco) from 22 to 23 March 2006.

More information can be found here.

Click here to see the agenda.

The OECD hosted a workshop entitled The Future of the Internet in Paris on 8 March 2006. Presentations given at the event will serve at "food for thought" for future OECD work.

The Economist has a related article entitled Reinventing the Internet.

"The case for promoting a global culture for cybersecurity was strongly emphasized at the World Telecommunication Development Conference (WTDC) during an information session for participants conducted by ITU on Friday.

ITU pointed out that in an increasingly interconnected and networked world our societies are vulnerable to a wide variety of threats, including deliberate attacks on critical information infrastructures with debilitating effects on our economies and on our societies. In order to safeguard our systems and infrastructure, we need to strengthen our collective cybersecurity.

As this depends on the security practices of each and every networked country, business, and citizen, we need to develop a global culture of cybersecurity. According to ITU, cybersecurity is critical in the use and development of ICT. The lack of adequate security is an obstacle for using ICTs that rely on the protection and confidentiality of sensitive data. Unless these security and trust issues are addressed, the benefits of the Information Society to governments, businesses and citizens cannot be fully realized.

The information session was aimed at raising awareness on this very important subject and to contribute to bridging the information and knowledge divide between and within countries.

At that session, ITU launched a new reference guide on Cybersecurity for Developing Countries and informed delegates of ITU’s initiative in Promoting Global Cybersecurity as the theme for World Telecommunication Day on 17 May this year. ITU will also assist developing and least developed countries in increasing cybersecurity and will conduct workshops and seminars to enable countries to exchange ideas and discuss common issues." [Via WTDC 2006 Highlights]

For more information about the World Telecommunication Development Conference (WTDC), please click here. 

Qatar's Prime Minister Sheikh Abdullah bin Khalifa al-Thani said in his opening speech to ITU World Telecommunication Development Conference 2006 on Tuesday 7 March that "communication, especially information technology, has become a major pillar of the economic and social development of all countries."

"Sheikh Abdullah said WTDC 06 had a key role to play in bringing peoples together and help them live in peace and with mutual respect. However, he cautioned against misuse of communication technology and said a legal and regulatory environment must be set up to secure the optimum use of the resources of knowledge."

WTDC, held for the first time in the Arab region, is organized by International Telecommunication Union (ITU) and hosted by Qatar’s Supreme Council for Information and Communication Technology (ictQATAR).

For the full article featured in Gulf Times, please click here.

Microsoft founder Bill Gates said in 1998 that spam was "an annoying and sometimes destructive use of the Internet's unprecedented efficiency." Gates communicated the problem. The makers of Spam Cube created the solution.

The launch of Spam Cube gives everyday personal computer users a revolutionary new tool in the battle against unwanted email. Working in harmony with every operating system and nearly all email providers, Spam Cube protects up to four home computers with its breakthrough anti-spam technology. A technology spawned by the frustration felt by computer users worldwide, forced to endure invasive junk e-mail campaigns.

For more information, please click here.

Including data from some of the world's largest Internet Service Providers, MAAWG (Messaging Anti-Abuse Working Group) has developed its first metrics report outlining the scope of the problem and validating that approximately 85 percent of Internet traffic today is abusive email.

The report, "MAAWG Email Metrics Program: The Network Operators' Perspective," provides data for the fourth quarter of 2005 and will continue to be updated on a quarterly basis as an objective tool for tracking the industry's efforts at controlling abusive email.

For more information, please click here.

Efforts by governments to counter internet spam by tracking down and prosecuting spammers have had limited impact and require far more resources than most countries can muster, the United Nations telecoms agency (ITU) warned on Tuesday.

It says in a report that while all countries need anti-spam legislation so that spammers have nowhere to hide, a more effective approach would be to require the establishment of enforceable codes of conduct by internet service providers (ISPs).

For more information about the article, please click here.

For more information about the report "Stemming the International Tide of Spam", please click here.

Recognising the importance of electronic interdependencies, India and the United States on Thursday agreed for greater cooperation to protect electronic transactions and critical infrastructure from cyber crime.

"The two sides recognised the importance of capacity building in cyber security and greater cooperation to secure their growing electronic interdependencies, including to protect electronic transactions and critical infrastructure from cyber crime, terrorism and other malicious threats," the Indo-US joint statement said.

For more information, please click here.

Soon PC users could be literally stamping out spam instead of hitting the delete key.

"Many information workers spend a majority of their time trapped at their desk dealing with e-mail," said Brian Meyers, from the Step User Interface Project Group who helped develop the prototype.

For more information, please click here.

On Tuesday, the anchors of the coalition – the Electronic Freedom Foundation and Free Press -- hosted a national conference call asking for allies to unite to fight AOL's "e-mail tax."

Under the banner of DearAOL.com, a total of fifty organizations, including MoveOn.org, Civic Action, Gun Owners of America, The Association of Cancer Online Resources and Craig Newmark of Craigslist.com joined in to offer up a number of explanations as to why such a "pay-to-send" policy would harm the Internet forever.

For more information, click here.

See also "The Future of Some Email May Not Use Email".

Symantec launches a new Internet security barometer that gives consumers clues on which online activities are currently safest. But unlike rival security meters, Symantec's new Internet Threat Meter breaks out current risks by activity: e-mail, Web browsing, instant messaging, and file sharing.

For more information, please click here.

Three civil suits were filed under Virginia's new anti-phishing statute, the Federal Lanham Act, marking the first time an ISP has used the new law.

For more information, please click here.

A group of security researchers claims to have found the first virus that can jump to a mobile device after infecting a PC.

"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," the research group said.

For more information, please click here.

APCAUCE's 2006 meeting was organized in Perth, Australia in conjunction with the APRICOT Conference. The Regional Update meeting was on Sunday 26 February 2006, and APCAUCE (Asia Pacific Coalition Against Unsolicited Commercial Email) will also organize an antispam technical conference track as part of APRICOT on 1 March 2006.

For more information, please click here.

The Japan E-mail Anti-Abuse Group (JEAG), a working group founded by Japan's ISPs and mobile operators to counter spam, has drafted a list of recommendations for the reference of companies and mail server system administrators that are considering counter-spam measures. The recommendations include information on introducing effective technological counter-measures and working policies to eliminate spam.

For more information, please click here.

Since Yahoo first proposed its DomainKeys authentication standard for email (DKIM), AOL has played coy. That strategy has apparently served the uber-ISP well, as it has been extended indefinitely.

In a standing-room-only webinar courting direct marketers, AOL speaker Nicholas Graham was asked when the firm will get around to adopting DKIM's cryptographic-based technology. Christine Blank of DMNews reports Graham responded, "We will have to wait and see. The facts are still out."

For more information, please click here.

Commtouch has announced spam and computer virus statistics for the month of January 2006. The data is based on information continuously gathered by the Commtouch Detection Center, which analyzed more than 2 billion messages from over 130 countries during the month of January.

For more information, please click here.

Liberal political action group MoveOn.org is organizing a petition drive against America Online's certified email service, whereby advertisers could pay a per-message fee to guarantee their messages will bypass AOL's spam filtering technologies and be delivered directly to AOL users.

Claiming the service amounts to an "email tax" by granting large email senders preferential access to AOL users mailboxes, while leaving other email users (like small businesses, friends, family members, charities, and co-workers) in the dark, wondering if their mail will get through.

For more information, please click here.

Ahmed Bin Ali, Manager Corporate Communications, Etisalat, said: 'We are happy to make this option available to all our valued customers, and we are empowering them to be able to decide what content they receive and from whom. Our customers have shown interest in a service like this, and we have taken all the steps to make this option available at the earliest.'

For more information, please click here.

Programs that fight viruses have become a necessary evil on Windows PCs. Now the antivirus industry is turning its attention to mobile phones, but it's running into reluctance from cell service providers, who aren't so sure that the handset is the best place to handle security.

For more information, click here.

  The Golden Book — a record of work undertaken to implement the goas of the World Summit on the Information Society and build the future Information Society — was launched on 24 February 2006 during the Consultation Meeting of WSIS Action Lines Facilitators/Moderators, convened by ITU, UNESCO and UNDP in Geneva.

This Golden Book highlights some of the valuable work being done around the world to promote ICTs in projects, large and small, by governments, individuals or team effort, for the benefit of all. It provides illustrative examples of new and innovative projects to build infrastructure, promote ICTs in education, health and governance, ensure fair access and enhance online security.

The Golden Book has been published by the International Telecommunication Union (ITU) as a permanent record of the new commitments and resources pledged by stakeholders during the Tunis Phase of the World Summit on the Information Society (WSIS). All WSIS stakeholders at the Summit were invited to submit an online questionnaire with details of their activities announced during the Tunis Phase. These activities have been planned or are already being undertaken to implement the WSIS Plan of Action. The Golden Book also serves as a tool helping to coordinate the action taken to implement the 11 Action lines and avoid duplication.

More than 375 submissions were made to the Golden Book by governments, international organizations, NGOs, companies and individuals, describing their work towards promoting ICT activities. ITU estimates that the activities announced during the Tunis Phase to promote WSIS goals represented a total value of at least € 3.2 billion (US$ 3.9 billion). Governments committed to implement projects for some € 1.9 billion, representing nearly two-thirds of estimated total value of all commitments, while international organizations pledged to carry out activities for around half that amount, i.e. 0.83 billion Euros. Business entities announced plans to realize projects for around 0.35 billion Euros and civil society projects amount to least 0.13 billion Euros.

Amount of financial commitments by stakeholder

Breakdown by anticipated expenditure

For more information on the Golden Book, please see here.

In line with paragraph 108 and the Annex of the Tunis Agenda for the Information Society, a consultation is being held on 15-16 May 2006, at ITU Headquarters in Geneva, on WSIS Action Line C5: Building Confidence and Security in the use of ICTs. The purpose of the meeting is to discuss the WSIS multi-stakeholder implementation process for Action Line C5.

The meeting is open to all WSIS stakeholders that are interested and involved in the implementation process in the field of building confidence and security in the use of ICTs.

A draft agenda for the consultation on WSIS Action Line C5 Facilitation and the invitation letter to the meeting from ITU Secretary-General Yoshio Utsumi can be viewed on the WSIS C5 Implementation website.

More information on the activities related to WSIS implementation and follow-up can be viewed here.

China's Ministry of Information Industry launched its anti-spam center, www.anti-spam.cn, today as part of their net safety efforts. There are ongoing efforts to also enhance its email management sometime between March and April 2006.

Additionally, the Chinese government issued a regulation on the management of emails, which will take effect on 30 March 2006. Sending advertisement emails without the receiver's permission is banned, according to this new regulation.

For more information, click here

At the behest of the GSM Association (GSMA), fifteen network operators have founded a joint initiative against the spread of spam via mobile communications networks and published a "Code of Practice" (PDF file).

The initiative is focusing on spam sent as a text message or MMS, which has been divided into three categories: first, advertising that the cell phone user did not request; second, messages that directly or indirectly lead to calls of expensive premium services; and third, fraudulent content, such as the spoofs familiar to users of fixed Internet.

For more information, click here.

OECD Scoping Study for the Measurement of Trust in the Online Environment:

Creating an online environment which builds on trust among users of ICT networks is an increasing priority for business, industry and governments and has been on the OECD agenda since the late 1990s. The aim of this report is to undertake a review of the data available from official, semi-official and private sources which can assist in informing developments and progress in this area. There is a need to be able to use relevant data to assess the effectiveness of public and private initiatives aimed at building trust among users.

The NY Times has an article about cooperation between the telecommunications industry and the US government for legal intercept, including through NSTAC.

Bruce Schneier's Schneier on Security points to a paper dismissing the myth that worms won't be able to propagate under IPv6.

Bruce Schneier's Schneier on Security has a post on the new security features of IE7.

Today (7 February 2006) marks the third edition of Safer Internet Day, held under the patronage of Viviane Reding, European Commissioner for Information Society and Media.

Safer Internet Day is celebrated by more than 96 organisations in 36 countries across the world: 24 EU countries, and others including Russia, Argentina, New Zealand and the USA. Safer Internet Day's biggest event is a worldwide blogathon on safer use of internet launched by Commissioner Reding in Brussels at a minute past midnight, then taken up by New Zealand who post an entry a few minutes later.

All day long the blogathon will continue to move across the world, through Australia and Russia to Europe, then across to Argentina, Canada and the USA. Over 300 local, regional and national events include press conferences, and competitions in Finland, Germany, Spain and the Czech Republic. There will also be internet safety quizzes and crosswords in Greece, pupil-teach-parent days in Belgium and the Netherlands, conferences in the UK, Hungary and Argentina and a broad palette of activities in schools and libraries.

For an overview of the days' events, see the main Safer Internet website.

To view the International Telecommunication Union's entry to the blogathon, click here.

To coincide with Safer Internet Day, British Telecom (BT) announced today that, over the last 18 months, the number of attempts to access sites hosting child abuse images has increased from around 10,000 a day to 35,000 a day. All these attempts have been blocked utilising the company's Cleanfeed technology which uses a database of sites supplied by the United Kingdom's Internet Watch Foundation.

According to Roger Darlington's blog, "BT developed and implemented Project Cleanfeed during my tenure as independent Chair of the IWF and, throughout the process and since, I have been a strong supporter of the initiative and would like to see all British Internet service providers using the same or similar technology."

For more information and analysis with regards to this steep rise in attempts to access sites hosting child abuse images, see Roger Darlington's blog.

The United States Homeland Security Department’s Cyber Storm cybersecurity exercise scheduled to start 6 February 2006 is said to have worldwide scope.

"Australia, Canada and the United Kingdom will join 20 companies and two U.S. government agencies, said a senior industry official who requested anonymity because of the information’s sensitive nature. Cyber Storm will test federal and private-sector readiness for cyberattacks, particularly against critical infrastructure. The massive exercise, scheduled for Feb. 6-10, has been planned for a long time, the official said. Participants will face realistic scenarios, the official said. Critical sections of the UK IT infrastructure will come under attack this week as the US Department of Homeland Security runs Operation Cyber Storm, a global penetration test to assess how vulnerable the nation is to online attack."

"An anonymous source has confirmed to US publication Federal Computer Week that the exercise will be global in scale and include attempted penetration of key UK infrastructure, as well as targets in the US, Canada and Australia. The US National Cyber Security Division is funding the testing programme and Donald Purdy, its acting director, told Congress in October that such a test was being planned. The Department of Homeland Security confirmed in November that the original plan was to hold the test in November but that the response to hurricanes Katrina and Rita forced a rescheduling for February. Penetration tests will be conducted on financial institutions, power companies and other users of critical IT systems."

For further details about the cybersecurity exercise see the full vnunet.com article.

An article featured in the Technology Review; "A Tangle of Wires", discusses United States’ approach to cybersecurity.

Among other things it states that: "The major problems in Internet security [many of which are detailed in "The Internet Is Broken"], are nowhere close to being addressed at the federal level, and what little is being done is on the wrong track, favoring summits, partnerships, and "information sharing" over the much more necessary but less visible work of long-term research and development.”

The article also points to two reports: ""Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities," a report presented by the U.S. Government Accountability Office to Congress in May 2005. It contends that "While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified...and it has much work ahead in order to be able to fully address them.""
And "Cyber Security: A Crisis of Prioritization," "prepared by the President's Information Technology Advisory Committee (PITAC) and delivered to the executive branch in February 2005." This report does, according to the article, "in its way offer a solution to the long-term problem of cybersecurity."

View Technology Review for the full article.

According to an article in the IHT, companies will soon have to buy the electronic equivalent of a postage stamp if they want to be certain that their e-mail will be delivered to many of their customers.

America Online and Yahoo, two of the world's largest providers of e-mail accounts, are about to start using a system that gives preferential treatment to messages from companies that pay from a quarter of a cent to 1 cent each to have them delivered. The Internet companies say this will help them identify legitimate mail and cut down on junk e-mail, identity-theft scams and other scourges of users of their services.

From Bruce Schneier's blog Schneier on Security comes a pointer to an article about someone convicted for running a for-profit botnet:

November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.

Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels.

A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.

In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.

In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computer users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.

Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.

The ITU-T Newslog is announcing the first release of an ICT Security Standards Roadmap developed to assist in the development of security standards by bringing together information about existing standards and current standards work in key standards development organizations. The Roadmap is a work in progress,

The Roadmap is in four parts:

• Part 1: ICT Standards Development Organizations and Their Work
  
  Part 1 contains information about the Roadmap structure and about each of the listed standards organizations, their structure and the security standards work being undertaken. In addition it contains information on terminology by providing links to existing security glossaries and vocabularies.

• Part 2: Approved ICT Security Standards
  
  Part 2 contains a summary catalogue of approved standards.

• Part 3: Security standards under development
  
  Part 3 is structured with the same taxonomy as Part 2 but contains work in progress, rather than standards that have already been approved and published. Part 3 will also contain information on inter-relationships between groups undertaking the work and on potential overlaps between existing projects.

• Part 4: Future needs and proposed new security standards
  
  Part 4 is intended to capture possible future areas of security standards work where gaps or needs have been identified as well as areas where proposals have been made for specific new standards work.

It is hoped that standards organizations whose work is not represented in this version of the Roadmap will provide information to ITU-T about their work so that it may be included in future editions. In the near future provision will be made to allow each organization to manage its own data within the Roadmap.

Two recent articles on the growing influence of national governments over the internet.

1. Legal Affairs has just published Digital Borders By Jack Goldsmith and Timothy Wu. The article is an excerpt from the book Who Controls the Internet?: Illusions of a Borderless World

In this provocative new book, Jack Goldsmith and Tim Wu tell the fascinating story of the Internet's challenge to governmental rule in the 1990s, and the ensuing battles with governments around the world. It's a book about the fate of one idea--that the Internet might liberate us forever from government, borders, and even our physical selves. We learn of Google's struggles with the French government and Yahoo's capitulation to the Chinese regime; of how the European Union sets privacy standards on the Net for the entire world; and of eBay's struggles with fraud and how it slowly learned to trust the FBI. In a decade of events the original vision is uprooted, as governments time and time again assert their power to direct the future of the Internet. The destiny of the Internet over the next decades, argue Goldsmith and Wu, will reflect the interests of powerful nations and the conflicts within and between them.

While acknowledging the many attractions of the earliest visions of the Internet, the authors describe the new order, and speaking to both its surprising virtues and unavoidable vices. Far from destroying the Internet, the experience of the last decade has lead to a quiet rediscovery of some of the oldest functions and justifications for territorial government. While territorial governments have unavoidable problems, it has proven hard to replace what legitimacy governments have, and harder yet to replace the system of rule of law that controls the unchecked evils of anarchy. While the Net will change some of the ways that territorial states govern, it will not diminish the oldest and most fundamental roles of government and challenges of governance.

2. First Monday has published The filtering matrix: Integrated mechanisms of information control and the demarcation of borders in cyberspace by Nart Villeneuve.

Increasingly, states are adopting practices aimed at regulating and controlling the Internet as it passes through their borders. Seeking to assert information sovereignty over their cyber–territory, governments are implementing Internet content filtering technology at the national level. The implementation of national filtering is most often conducted in secrecy and lacks openness, transparency, and accountability. Policy–makers are seemingly unaware of significant unintended consequences, such as the locking of content that was never intended to be blocked. Once a national filtering system is in place, governments may be tempted to use it as a tool of political censorship or as a technological "quick fix" to problems that stem from larger social and political issues. As non–transparent filtering practices meld into forms of censorship the effect on democratic practices and the open character of the Internet are discernible. States are increasingly using Internet filtering to control the environment of political speech in fundamental opposition to civil liberties, freedom of speech, and free expression. The consequences of political filtering directly impact democratic practices and can be considered a violation of human rights.

Malaysia has recently launched its latest 5 year ICT master plan called MyICMS 886.

[Via James Seng's blog]

Tides in Communication Politics? About Shifting Involvements and Technologies of Freedom and the Relevance of Albert Hirschman and Ithiel de Sola Pool for Today’s Communication Studies, by Willem Hulsink, former editor of Trends in Communications.

So like the tides, we can see swings of involvement in shaping the information and communication technologies of the past and the future: initially these technologies are mechanisms of freedom, questioning existing roles and practices, and keeping the hope alive for a better world, but at a later stage, when we realize both their possibilities and complications in real life, these technologies may end in the regulatory domain, provided that they generate perverse effects (e.g. one of Internet’s byproducts, unsolicited mail – spam – is now being addressed by the regulators).

The Net's basic flaws cost firms billions, impede innovation, and threaten national security. It's time for a clean-slate approach, says MIT's Dave Clark. This article, the cover story in Technology Review’s December 2005/January 2006 print issue, is divided into three parts: Part 1, Part 2, Part 3. [via James Seng]

"Computer security isn't a technological problem -- it's an economic one." That is the message Bruce Schneier, Counterpane Internet Security, emphasized in his presentation at an infoSecurity Conference according to an article in InternetNews.com.

"The future of security is getting harder to predict". Industry professionals "must start paying attention to the economics of security if they hoped for technology to keep pace." "To understand the difference it's necessary to understand the basic economic incentives of companies and how businesses are affected by liabilities" Mr. Schneier pointed out in his presentation. "The problem is that most of the costs of insecure software fall on the users." In economics, this is known as an externality: an effect of a decision not borne by the decision maker", according to Schneier. "When a company leaks data they are not the victim -- you as a user are."

"Depending on where you put liability, security improves or it doesn't," Mr. Schneier added. "Put the liability on the responsible party than we can do something," he said. That liability usually comes through legislation or lawsuits, according to Schneier. Mr. Schneier also pointed out that "Security is a process, it is not a product," he said.

Access the full article here.

The University of Masschusetts Center for Information Technology and Dispute Resolution's Cyberweek 2005-2006 Conference on ODR, eLawyering and ethics in the internet law age, was held 23-28 October 2005.  

Cyberweek is the Center's free online conference. Each year individuals and organizations from all over the world come together online for a week of Online Dispute Resolution (ODR) simulations, demonstrations, presentations, discussions, experiments, and resource sharing.

Presentations, and material from this year's event can be viewed here.

WSIS Thematic Meeting on Cybersecurity: Outcome and Next Steps (PDF) presented at the Global Symposium for Regulators, Yasmine Hammamet, Tunisia on 23 November 2005, Robert Shaw, ITU Strategy and Policy Unit

Today the French Goverment has organized a workshop on Spam at the World Summit on Information Society with the support of the European Presidency and the European Commission. At this occasion, France, Marrocco and the Francofone Institute of New Information and Formation Technologies (INTIF - OIF) have annonced the organisation of the first francofone anti-spam workshop in Rabat to be held at the begining of 2006.

Presentations will be available soon at the ITU/SPU website on Spam.

 

The WSIS Stocktaking Report has been officially launched during the World Summit on the Infrmation Society in Tunis. The report has been prepared on the basis of activities entered to the WSIS Stocktaking Database that by November 2005 contained more then 2500 entries. 

For the launch presentation see Stocktaking.pdf (1.47 MB).

For the WSIS Stocktaking Database see here. 

Yesterday the Honourable Anne McLellan, Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness, introduced legislation on the lawful interception of communications. The Modernization of Investigative Techniques Act (MITA) will ensure that the law enforcement community and the Canadian Security Intelligence Service (CSIS) maintain their ability to investigate crime and terrorism in the face of rapidly evolving communications technology.

“Currently, under the law, police and CSIS can only intercept communications with authorization. This Act will not change that,” said the Deputy Prime Minister. “However, that authorization may be of no effect if companies do not have the technical ability to intercept new communications technology. This legislation will ensure that criminals can no longer take advantage of new technologies to hide their illegal activities from the law.”

Click here to read more.

The final documents submitted to the second phase of WSIS being held 16-18 November 2005 in Tunis have been posted. They are:

• Tunis Agenda for the Information Society
• The Tunis Commitment

In The Tunis Agenda for the Information Society, paragraphs 3-28 related to Financial Mechanisms for Meeting the Challenges of ICTs for Development, paragraphs 29-82 relate to Internet Governance, and paragraphs 83-122 relate to Implementation and Follow-up.

 

An article on BBC News discusses the new UNCTAD Information Economy Report 2005 and says the costs of fast net access and linking up to the internet's global infrastructure hits poorer nations much harder than developed countries. Chapters in the report include:

1. ICT indicators for development; Trends and measurement issues
2. International Internet backbone connectivity: Issues for developing countries
3. E-credit information, trade finance and e-finance: Overcoming information asymmetries
4. Taking off: E-tourism opportunities for developing countries
5. Information technology and security: Risk management and policy implications
6. Protecting the information society: Addressing the phenomenon of cybercrime

The latest edition of ITU News has a commentary from Yoshio Utsumi, ITU Secretary-General on the expectations beyond the upcoming Tunis phase of the World Summit on the Information Society.

We started on the long journey to Tunis in 1998, when the government of Tunisia proposed to the ITU’s Plenipotentiary Conference in Minneapolis to hold a World Summit on the Information Society (WSIS). We have accomplished much during this journey. At the first phase of WSIS in Geneva in December 2003, we developed a common vision of the information society. In particular, we declared our common desire and commitment to build a people-centred, inclusive and development-oriented society where the potential of information and communication technologies (ICT) is used to promote sustainable development and improve the quality of life. It is a society where everyone, anywhere should have an opportunity to participate and no one should be excluded from the benefits the information society offers.

At the second phase of the Summit in Tunis on 16-18 November 2005, we will be closing one chapter, but we will be opening a new and much bigger chapter on the implementation of that vision. In this endeavour, we should really recognize the true value of ICT as a central theme in national development policies. ICT is changing our society in ways which are as fundamental as the changes wrought by steam engines in the 19th century or motor cars in the 20th century. As those machines did, ICTs help us to be more productive and efficient than ever before to fulfil our natural desire for a better life....

Nowhere are the challenges to the conventional sovereign State greater than in the realm of cyberspace. And Internet governance has dominated our discussions since the conclusion of the Geneva phase.

The traditional principles of “national sovereignty” that have been applied to telecommunications —namely that each State regulates its telecommunication sector as it sees fit — are not working for the Internet. The Internet, which started in one country, has rapidly penetrated everywhere. Now that the Internet has become a basic element of infrastructure for every nation, it is natural that nations wish to claim sovereignty over the Internet as they do over traditional telecommunication infrastructure.

However, the value of the Internet lies in the value of information created and consumed by users rather than in the infrastructure itself. So, Internet governance requires a multi-stakeholder approach in which users and consumers of information alike agree, at a global level, to cooperate on a basic set of guidelines on such issues as security, privacy protection and efficient operation.

That is why our discussion of Internet governance has been so difficult: because the existing models do not work well. We need to embrace a new model, which I will call “new communication sovereignty.” In this model, we must fight to defend the “right to communicate” rather than the “right to govern.”

Communication is a basic human need and the foundation of all social organization. What matters is whether you have guaranteed access to information or the means to communicate with others, rather than the ability to control the means of communication. The “right to communicate” is a fundamental human right in the information society.

As the Secretary-General for the World Summit on the Information Society, I feel truly honoured to have been given the opportunity to serve the international community at this key moment of change in its history. As the wheel of change continues to turn, we must work together to create a more just and equitable information society.

The Belgian Federal Public Service Economy, SMEs, Self-employed and Energy has published a brochure on spam named “Spamming: 24 questions & answers”.

The objective of the brochure is to raise awareness of spam affected persons as to the spamming issue; applicable spamming regulations in Belgium; advice to follow in order to cope with this phenomenon and information on the authorities having competency to receive complaints.

Click below to download the brochure available in four languages: English; French; German; Dutch

The US House of Representatives Subcommittee on Telecommunications and the Internet is holding a hearing on 9 November 2005 on the Staff discussion draft of legislation to create a statutory framework for Internet Protocol and Broadband Services (this is a new draft dated 3 November 2005).

The draft legislation includes provisions on broadband internet transmission services, VoIP, video services and general provisions on how the FCC should address public interest issues, including broadening of the FCC's responsibilities in countering spam.

Schneier on Security is reporting that Microsoft has released a document outlining a series of steps it would like to see the US Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. According to their press release:

[Microsoft's senior vice president and general counsel Brad] Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

• Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
• Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
• Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals' consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
• Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure modification and loss of personal information.

For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by Tracy Cohen, Olli Mattila and Russel Southwood, entitled VoIP and Regulation, which will be presented at the GSR:

Voice over Internet Protocol (VoIP) is generally viewed as a “disruptive technology”. All the current market indications show that IP networks and services like Voice over Internet Protocol (VoIP) will replace traditional PSTN networks and services. ITU estimates that by 2008, at least 50 percent of international minutes will be carried on IP networks and that many carriers will have all-IP networks. Recent trends are certainly headed in this direction. For example, in the United States, residential VoIP subscriber numbers have increased from 150,000 at the end of 2003 to over 2 million in March 2005. It is predicted that subscribers in the US will exceed 4.1 million by 2006, generating over USD 1 billion in gross revenues for the year. In March 2005, the Chilean broadband operator VTR launched the first telecommunication network for residential services based on IP technology. The operator expects to expand its platform and reach 2 million customers in five years. There are approximately 35,000 residential telephones that use IP technology in Chile, either through Chilean operators or through Vonage...

This paper examines how VoIP services will affect future regulation. Due to the starkly contrasting global perceptions of VoIP however, it is difficult to present a unified approach to regulatory treatment of VoIP and this paper aims to reflect regulatory experiences from a wide range of countries that are grappling with the transition to VoIP. The three sections of this paper are structured to answer both the broad and specific questions raised by VoIP services, including the overall approach to regulating VoIP as a mainstream service; how VoIP has changed voice business models and the various ways of classifying the services it has created; and finally, other related issues frequently raised in connection with VoIP, such as quality of service; network integrity; emergency calling, numbering, communication security and lawful interception.

For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by John Palfrey entitled Stemming the International Tide of Spam: a Draft Model Law, which will be presented at the GSR:

This discussion paper primarily takes up the question of what – beyond coordinating with technologists and other countries’ enforcement teams and educating consumers – legislators and regulators might consider by way of legal mechanisms. First, the paper takes up the elements that might be included in an anti-spam law. Second, the paper explores one alternative legal mechanism which might be built into an anti-spam strategy, the establishment of enforceable codes of conduct for Internet Service Providers (ISPs). Third, this paper also examines a variant of the legal approach where ISPs are formally encouraged by regulators to develop their own code of conduct. ISPs should be encouraged to establish and enforce narrowly-drawn codes of conduct that prohibit their users from using that ISP as a source for spamming and related bad acts, such as spoofing and phishing, and not to enter into peering arrangements with ISPs that do not uphold similar codes of conduct. Rather than continue to rely upon chasing individual spammers, regulators in the most resource-constrained countries in particular would be more likely to succeed by working with and through the ISPs that are closer to the source of the problem, to their customers, and to the technology in question. The regulator’s job would be to ensure that ISPs within their jurisdiction adopt adequate codes of conduct as a condition of their operating license and then to enforce adherence to those codes of conduct. The regulator can also play a role in sharing best practices among ISPs and making consumers aware of the good works of the best ISPs. While effectively just shifting the burden of some of the anti-spam enforcement to ISPs is not without clear drawbacks, and cannot alone succeed in stemming the tide of spam, such a policy has a far higher likelihood of success in the developing countries context than the anti-spam enforcement tactics employed to date.

Virus scanners made moot by new exploit.

Recently, researcher Andrey Bayora revealed that it is possible to fool the scanners into thinking that a file under scan is one kind, when it is in actuality something entirely different. Bayora (of www.securityelf.org), a Russian-born Israeli, has issued an advisory that details how to bypass many popular Windows AV programs.

The London Action Plan of spam enforcement authorities has a new website with news. A spam enforcement workshop is now taking place in London:

The Office of Fair Trading, through the UK presidency of the European Union, has invited members of the London Action Plan (LAP) network and the Contact Network of Spam Authorities (CNSA) to participate in a two-day ‘spam enforcement workshop’. The workshop will be held in London at the Department of Trade and Industry Conference Centre on Thursday 3rd and Friday 4th November 2005.

The Anti-Spyware Coalition (ASC) has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users. A summary of the almost 400 comments used to help finalize the Report is also available for review.

Botnet Detection and Response: The Network is the Infection by David Dagon at the OARC Workshop, 2005. A botnet scammer has just been arrested in Los Angeles and it is charged that he peddled his "botnets to other black hats, for use in launching denial-of-service attacks or laundering spam".

NetWizard's Blog points to an Email Battles interview with Meng Wong, creator of SPF and his ideas on using RSS for email presented at the recent MAAWG meeting in Europe.

Aux armes, citoyens: Cyber security and regulation in the United States by James Andrew Lewis, Center for Strategic and International Studies, Washington, DC

Abstract: Government policy for cyber security in the United States relies on voluntary and cooperative action by the private sector and has, until now, explicitly rejected the use of mandate or regulation. This stands in contrast to other defense and homeland security issues, such as those involving border protection or transportation, where government intervention is the norm. The decision to rely on voluntary action for cyber security reflects influential trends in security policies, deregulation, and the government's relation to the Internet that continue to shape US policy even after the attacks of September 11. The result is an ineffectual policy that underestimates the role of government.

Federal initiatives for homeland security have profound implications for how the government will interact with the economy. Efforts to protect security undertaken by the US (and now being considered by many other countries) have become a check on the larger tide of deregulation. The experience of the National Strategy shows that these efforts will need to engage in a more complex interaction with private sector actors than was the case in the past. The mix of security concerns, deregulation and privatization has led to a new kind of public policy, where governments share responsibility for some functions with the private sector and seek to manage this responsibility through public/private partnerships.

Adam Smith wrote that there are some functions that the market will not necessarily provide, or provide well. He used the example of highways and mental institutions as activities where the market would not adequately provide for society's needs. The Internet is one such activity. While governments were initially leery of regulating the Internet, a period has now been entered in which governments actively intervene in Internet governance and in which the Internet is moving to a more regulated environment. The unavoidable problem of determining where and how to regulate for cyber security will grow more complicated as the US moves ahead with a major reorientation of its security policies.

This recent presentation What2what (was end2end): the future of the Internet by Scott Bradner discusses the disappearing end-to-end nature of the Internet and the reasons, evolution to NGN, as well as his views on how innovation may slow down.

Warren New's Washington Internet Daily is reporting on the recent ITU-T Study Group 17 meeting activities that related to IDN and countering spam: 

Facilitating internationalized domain names and new measures to counter spam via technical means are part of an ITU push to meet member states' demands for more security standardization.

Last Oct.'s World Telecom Standardization Assembly in Brazil added 2 work items to the agenda of the group, called ITU-T SG-17: The first is to study IDNs, which raise a major security issue because "some national characters can make a user think he is going to one place, but really going to another place," said Herbert Bertine of Lucent, chmn. of SG-17: "We are looking to make sure that when you use internationalized domain names, the possibility that users can be confused, misdirected," will be reduced.

"The belief is that IDN implementation will contribute to easier and greater use of the Internet in those countries where the native or official languages are not yet represented in ASCII characters," documents said. Andrzej Bartosiewicz, head of the DNS Div. at Poland's NASK has been named the group's reporting member on IDNs. The SG will assess ITU members' needs in light of existing standards, he said.

SG-17 has seen "an enormous increase [of work] in the area of security," said Bertine. SG-17 published 5 security recommendations in the last 4-year study period, which ended late in 2004. Bertine said the SG may produce 15-20 during the next period, but said much of the work is in its infancy.

Countering spam by technical means is a new security area for SG-17. Spam has policy, regulatory, legal and technical aspects, but the SG will address the technical side of spam fighting. "A lot of work has been done by IETF," said Bertine. "There's a lot of [standards] material out there. We don't want to duplicate work. We want to leverage and reference" what's other standards bodies have done and fill gaps, said Bertine, "but we have a lot of countries -- particularly developing countries -- who are really looking for the ITU to provide this information."

How spammers do what they do is under consideration; but more important is that spam is not only unwanted e- mail but now a vehicle for viruses and other malware, said Bertine.

SG 17 is working with the ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission) on new to be designated as the 27,000 series and dealing with information security management systems, officials said. Bertine thinks the new series will result in companies finding that "it's in their best interest to be certified, whether it means better insurance rates, less liability because you can claim conformance... plus the most fundamental, if you've got vulnerabilities, you sure want to catch them because it's going to cost you a pile of money if somebody discovers a major weakness."

"The field of information technology and the field of communications continue to overlap and merge more and more every year. That's why collaboration is so important," said Bertine.

At this meeting it was also decide to adopt OASIS' Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) into ITU-T standards.

A list of documents from the last meeting of SG-17 is available here.

Anti-Spam: les actions menées au plan international (PDF), Robert Shaw, ITU Strategy and Policy Unit, 18 October 2005, presented to Coalition Anti-Spam Nord–Sud: Atelier de travail (Rabat, Morocco).

According to BBC News: A third of the UK's top companies are not complying with the European Union's (EU) regulations on unsolicited emails, or spam, a report has alleged.

The Information Commissioner's Office - an independent body appointed by the Crown - said that while it has the power to fine transgressors up to £5,000 it often proves impossible to track them down.

The Finnish technical research center VTT has developed a new technology that makes it possible to identify the user based on their physical movements such as walking style. This feature is said to prevent unauthorized use of portable devices such as laptops or mobile phones. The research center said that in the future this technology could also be used for credit cards to verify a user's identify based on their physical movements before approval of payment transactions.

The new identification system provides users with the advantage of increased security and reduced risk in situations where a portable computer, mobile phone or other digital device has ended up in the wrong hands due to loss or theft. The technology makes the device non-usable in the wrong hands. For example, the identity of a mobile phone user can be verified before the phone can be used for banking transactions. Compared with passwords and traditional bio-identification, the new method is simple: confirmation of identity takes place as a background process without any need for user's intervention.

For more information go to IT News Online.

Home Networking is the linking of all types of electronic devices for applications such as entertainment, telecommunication, home automation systems and telemetry (remote control and monitoring systems). And given the wide range of previously unrelated technologies involved, standards that allow for interoperability are seen as key to the successful marketing of the concept.

Now taking place at the ITU is a workshop on Opportunities and Challenges in Home Networking. The event is organized by ITU-T Study Group 9, in cooperation with several other ITU-T study groups and various organizations outside of ITU. It follows the Workshop on Home Networking and Home Services held 17-18 June 2004, Tokyo.

Study Group 9 has been working on standardization in home networking systems for more than four years. It has already approved three ITU-T Recommendations in the field, particularly dealing with IP-based multimedia services over cable networks. A current focus is a new Recommendation that will specify ways to bridge conditional access systems (that ensure payment in pay TV for example) to digital rights management (DRM) systems, an important step toward smooth operation of fully integrated home networking.

This workshop will bring together experts from all over the world who are pushing forward the frontiers of this fast-moving field. It will provide an overview of the technology as well as an examination of standards that address access, services, performance, Quality of Service, electromagnetic interference and security issues. The workshop will deal with current technology and future trends to provide a framework for moving forward standardization work. Attention will be given to both the technology and service aspects of this new technology.

The programme can be found here with links to the presentations. Highlights include:

• Worldwide Status of Home Networking
• Home Network Architecture and Technologies (including an update on UPnP and DLNA)
• Home Networking Services and Business Models
• Security and Digital Rights Management
• Quality of Service in the Home Network
• Electromagnetic Interference in the Home Environment
• The Home Networking Future: Efforts and Challenges

The ITU Strategy and Policy Unit, in collaboration with the Italian Ministry of Communications, the Ugo Bordoni Foundation and the Aosta Valley regional authority, organized a Workshop on “Tomorrow’s Network Today” on 7-8 October 2005.

The workshop considered five broad themes:

• International Visions of Ubiquitous Networks and Next Generation Networks
• National Visions of Ubiquitous Networks and Next Generation Networks
• Creating an Enabling Environment
• The Italian Path Towards Ubiquitous Networks
• An example of Italian best practice: "Being Digital in the Aosta Valley"

Now available on the workshop website  are the agenda, with links to presentations as they were delivered and the two Case Studies on Italy – “Bridging the Gap: Taking Tomorrow’s Network Today” presented by Marco Obiso and “Ubiquitous Networks Societies: The Case of Italy” presented by Cristina Bueti - as well as background papers and voluntary contributions produced for the workshop.

During the event, Tim Kelly, Head of the Strategy and Policy Unit (ITU) presented “Tomorrow’s Network and the Internet of Things”, showing some of the outcomes of the forthcoming ITU Internet Reports publication that this year will be dedicated to the theme of the “Internet of Things “.

A final report of the workshop will be available in the next few weeks at the workshop website.

Countering Spam, PDF, Cristina Bueti, ITU Strategy and Policy Unit, 11 October 2005, presented to ITU-T Study Group 17 Meeting (Geneva, Switzerland).

The WSIS Executive Secretariat has announced that under the Chairmanship of the President of PrepCom of the Tunis phase of WSIS, a Negotiation Group will meet in two consecutive sessions from 24 to 28 October 2005. In its first session, on 24 and 25 October 2005, its objective will be to finalize the negotiation on the Political Chapeau and on the paragraphs remained in brackets of Chapter two of the Operational Part.

In its second session, from 26 to 28 October 2005, the Negotiation Group will aim to finalize the negotiations on Chapters one and four of the Operational Part of the final documents of the Tunis phase. It will be an intergovernmental negotiation process, to be held every day from 10.00 - 13.00 and from 15.00 - 18.00 hours in the Palais de Nations, Room XX, Gate 40. Interpretation in the six UN working languages will be provided. After each session, the President of PrepCom will inform the observers on the advancement of the work. Participants without badges should contact the Executive Secretariat with a completed badge request form by Friday 21 October 2005 at the latest.

The resumed PrepCom-3 will be held back to back to the Tunis Summit. The Prepcom Bureau decided that PrepCom-3 of the Tunis phase of WSIS will be reconvened on 13 November 2005, at 10.00 hours, in Tunis, for a three-day session (13-15 November 2005). Information about the venue will be provided at a later stage. The resumed PrepCom-3 will start with a short organizational Plenary meeting. The modalities of work of the resumed PrepCom-3 will follow the Rules of Procedure of the PrepCom, including the participation of observers in Plenary and Subcommittee meetings. Interpretation in the six UN working languages will be provided.

More information will be made available here.

According to an article in ZDNET UK, User authentication for email "may be worse than useless" at preventing the spread of spam, according to Nick Fitzgerald, security consultant at Computer Virus Consulting.

As an anti-spam measure, SPF is broken before it's implemented, as it's not just breakable, it's trivial to break," Fitzgerald told an audience at the Virus Bulletin conference in Dublin on Friday.

"Knowing a message arrived SPF compliantly tells us nothing about the actual sender and the 'spaminess' of the message," Fitzgerald added, claiming that SPF has been "widely hyped" as solving the problem of user authentication.

Fitzgerald's views were challenged by other conference attendees, who insisted that SPF would play a valuable role in fighting unsolicited junk email.

Also see John Levine argues that SPF is losing market mindshare and a related article on ZDNET with more details.

The “Robust Yet Fragile” Nature of the Internet (PDF) by John C. Doyle, David Alderson, Lun Li, Steven Low, Matthew Roughan, Stanislav Shalunov, Reiko Tanaka, and Walter Willinger:

The search for unifying properties of complex networks is popular, challenging, and important. For modeling approaches that focus on robustness and fragility as unifying concepts, the Internet is an especially attractive case study, mainly because its applications are ubiquitous and pervasive, and widely available expositions exist at every level of detail. Nevertheless, alternative approaches to modeling the Internet often make extremely different assumptions and derive opposite conclusions about fundamental properties of one and the same system. Fortunately, a detailed understanding of Internet technology combined with a unique ability to measure the network means that these differences can be thoroughly understood and unambiguously resolved. This paper aims to make recent results of this process accessible beyond Internet specialists to the broader scientific community, and to clarify several sources of basic methodological differences that are relevant beyond either the Internet or the two specific approaches focused on here; i.e., scale-free networks and highly optimized tolerance networks.

The paper concludes that the Internet is not as vulnerable to specific attacks on major hubs as is often claimed.

Promoting Global Cybersecurity, PDF, Robert Shaw, ITU Strategy and Policy Unit, 6 October 2005, presented to ITU-T Study Group 17 Meeting (Geneva, Switzerland)

Links to documents from WSIS Prepcom-3 (19-30 September 2005) Sub-Committee A, which dealt with the topic of Internet Governance, can be found on the WSIS website. The key documents from Prepcom-3 include:

• Report of the Work of Sub-Committee A [WSIS-II/PC-3/DOC/11 (Rev. 1)]
• Chair's "Food for Thought" (Section Five) [WSIS-II/PC-3/DT/15]
• Internet Governance proposals [WSIS-II/PC-3/DT/17] to [WSIS-II/PC-3/DT/25]
• Chair's paper (after fourth reading): Chapter three [WSIS-II/PC-3/DT/10(Rev.4)]
• Report from the WGIG [WSIS-II/PC-3/DOC/5]
• Compilation of comments [WSIS-II/PC-3/DT/14(Rev.2)]
• All Chair's Papers
• Contributions

According to the Report of the Work of Sub-Committee A, in order to complete the work in time for the Summit, document DT/10 Rev. 4 is offered as basis for further negotiations. The following documents elaborated during PrepCom-3 are offered as a further input to future negotiations:

• DT/15 containing a food for thought paper from the chairman;
• DT/17 (African common position, submitted by Ghana
• DT/18 (Argentina)
• DT/19 (Brazil)
• DT/20 (Canada)
• DT/21 (European Union position, submitted by United Kingdom)
• DT/22 (Islamic Republic of Iran)
• DT/23 (Japan)
• DT/24 (Russian Federation/Azerbaijan/Belarus/Moldova)
• DT/25 (position of Arab Group, submitted by Saudi Arabia).

Update on ITU and WSIS Activities Related to Spam and Cybersecurity (PDF) presented at OECD Spam Task Force Meeting, Paris, France on 3 October 2005, Robert Shaw, ITU Strategy and Policy Unit

On the 23 September 2005, the FCC released statements on legal intercept for broadband and VoIP providers as well as stating its jurisdiction over providers of telecommunications for Internet access and IP-enabled services in the United States of America.

FCC Requires Certain Broadband and VoIP Providers to Accommodate Wiretaps.
Order: Acrobat
News Release (8/5/05): Word | Acrobat
Martin Press Statement: Word | Acrobat
Abernathy Statement: Word | Acrobat

FCC Adopts Policy Statement on Broadband Internet Access.
Policy Statement: Word | Acrobat
News Release (8/5/05): Word | Acrobat
Martin Press Statement: Word | Acrobat

"...the Commission has jurisdiction necessary to ensure that providers of telecommunications for Internet access or Internet Protocol-enabled (IP-enabled) services are operated in a neutral manner. Moreover, to ensure that broadband networks are widely deployed, open, affordable, and accessible to all consumers, the Commission adopts the following principles:

• To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to access the lawful Internet content of their choice.
• To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement.
• To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to connect their choice of legal devices that do not harm the network.
• To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to competition among network providers, application and service providers, and content providers."

John Levine in his blog describes how, on September 22 2005, Robert Braver, an Oklahoma ISP owner who is a long time activist against both spam and junk faxes, received a default judgement of over $10 million against high profile spammer Robert Soloway and his company Newport Internet Marketing. Soloway has frequently been cited as one of the ten largest spammers in the world.

Details of the case including a copy of the decision and other documents are available on a website that Braver set up.

The Chair of WSIS Phase 2 Prepcom-3 Sub-Committee A dealing with Internet Governance has released a chair's draft of Chapter 3: Internet Governance for consideration of Sub-Committee A.

Highlights from the discussions at WSIS Prepcom-3 19-21 September 2005 can be found here.

From TPRC 2005: DNSSEC and Hardening Security in the Internet Infrastructure: The Public Policy Questions by Amy Friedlander, Stephen Crocker, Allison Mankin, W. Douglas Maughan, Douglas Montgomery, Shinkuro Inc.

This is a paper from the practitioner community. We are engaged in an effort to strengthen security in the Internet infrastructure. Our immediate task is to deploy a new Internet protocol, DNS Security Extensions (DNSSEC), which promises to harden features of the Domain Name System (DNS), a key element in the infrastructure of the Internet. In our work, we find ourselves at the intersection of the following questions:

How do we stimulate innovation in infrastructure services when those services are provided in a competitive, largely private commercial environment and the returns are likely to occur in the long term and will also be shared?

What is the appropriate role of government in fostering infrastructure development when we are committed to largely privately-owned and operated infrastructure facilities and services?

What is the balance among national and homeland security interests and global Internet management - or governance?

The video archives (Real Video) of yesterday's (20 September 2005) opening discussions on Internet governance in WSIS Prepcom-3 Sub-Committee A which is handling Internet Governance have been made available. They are available in English and in the original language from the Floor.

Access to the all real-time Prepcom-3 streams and archives can be found here.

Update: The archives of the 21 September 2005 discussions on Internet Governance in Sub-Committee A can be found here in English and in the original language from the Floor.

The third meeting of the Preparatory Committee (PrepCom-3 of the Tunis phase) for the upcoming World Summit on the Information Society (WSIS). The meeting takes place at the United Nations in Geneva from 19-30 September. The primary topics of discussion are finalizing texts for the WSIS and Internet Governance and the event is being webcast. Some quick links to related materials:

• Documents and contributions
• Webcast
• Newsroom
• Speeches at the Opening Ceremony
• Reports to PrepCom-3 on Regional and Thematic Meetings
• Information for Participants
• List of Participants
• Announced list of participants
• List of participants (present)
• Participants finder
• List of accredited NGOs, civil society and business sector entities
• Invitation letters
• Internet Governance
• The Golden Book: Stakeholders Commitments
• Information session for governments on the drawing of lots to establish the list of speakers of the Summit
• Parallel and Side Events
• Registration
• Media accreditation and registration

Symantec has released its bi-annual Internet Security Threat Report in September 2005:

The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud.

SwissInfo is reporting that data-protection commissioners from 40 countries have called on the United Nations to prepare a binding legal instrument to enhance data protection.

A related press release and the final Montreux Declaration are available.

Top Problems of the Internet and How to Help Solve Them (PDF) by Kim Claffy: Top engineering and operational problems, why they persistently resist solution, how different communities are auspiciously reacting to the above, and implications for research, policy, and builders. Presented as invited keynote at AUSCERT 2005. An older version of this slideset was presented as a keynote address at the CENIC 2005 conference held March 7-9, 2005.

In 2003, the Washington Post ran an article on how a Sean Gorman's student Dissertation Could Be Security Threat. His dissertation has now been expanded into a book entitled Networks, Security And Complexity: The Role of Public Policy in Critical Infrastructure Protection (Amazon link). A description of the book follows:

The end of the 20th century witnessed an information revolution that introduced a host of new economic efficiencies. This economic change was underpinned by rapidly growing networks of infrastructure that have become increasingly complex. In this new era of global security we are now forced to ask whether our private efficiencies have led to public vulnerabilities, and if so, how do we make ourselves secure without hampering the economy. In order to answer these questions, Sean Gorman provides a framework for how vulnerabilities are identified and cost-effectively mitigated, as well as how resiliency and continuity of infrastructures can be increased. Networks, Security and Complexity goes on to address specific concerns such as determining criticality and interdependency, the most effective means of allocating scarce resources for defense, and whether diversity is a viable strategy. The author provides the economic, policy, and physics background to the issues of infrastructure security, along with tools for taking first steps in tackling these security dilemmas. He includes case studies of infrastructure failures and vulnerabilities, an analysis of threats to US infrastructure, and a review of the economics and geography of agglomeration and efficiency. This critical and controversial book will garner much attention and spark an important dialogue. Policymakers, security professionals, infrastructure operators, academics, and readers following homeland security issues will find this volume of great interest.

This statement by FCC Chairman Kevin Martin indicates that he intends to propose the creation of a new Public Safety/Homeland Security Bureau in the FCC. This Bureau would coordinate public safety, national security, and disaster management activities within the FCC.

Roger Darlington has a note about a new UK cybersecurity initiative to be launched soon called Get Safe Online. 

"I spent yesterday at a conference with the title eConfidence - Spam, Scams And Security and posted a short report. I mentioned that a major awareness campaign is due to be launched at the end of next month. It has been nine months in conception and creation and was planned under the name "Project Endurance", but it is being launched under the banner Get Safe Online. At yesterday's event, Tony Neate of the National Hi-Tech Crime Unit described the content as "outstanding", but so far the only public presence is one page on the web. As you can see from this page, eight companies have joined the Home Office and the National Hi-Tech Crime Unit to sponsor the campaign, but more sponsors are sought. I understand that the Netherlands and Norway have run similar campaigns against spam, scams and viruses. Anyone out there got any relevant information? I welcome this initiative. My concern is that there are now a variety of web sites and organisations providing advice on different forms of Internet content and activity - with some major gaps, such as harmful and offensive content -and what the consumer needs is a 'one stop shop' linking all these resources in a high-profile, user-friendly manner."

The recent Asia Pacific Telecommunity (APT) Symposium on Network Security and SPAM presented background information, detailed the current situation, new developments and steps ahead on network security and fighting spam in the Asia-Pacific region.

TSB presented highlights of ITU-T work on security, also detailing the level of participation of the AP region in Study Group 17, the ITU-T group that looks at security issues. Mr Jianyong Chen (ITU-T SG 17 Vice Chair from China ) also attended the event and made a detailed presentation on current SG 17 work. He also chaired two sessions.

In addition TSB presented the results of the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva , 28 June – 1 July 2005. The meeting was organized in three full-day sessions and was attended by some 70 representatives from the Asia-Pacific area. The first day was dedicated to cybersecurity, the second to countering spam, and the third to cooperation initiatives.

The complete set of presentations given at the APT meeting can be downloaded here. The meeting invited AP countries to step-up their capability building initiatives and encouraged APT to increase its collaboration on network security and spam with international organizations working in the area.

For more information, see the ITU-T Newslog.

The ITU Secretary-General, Yoshio Utsumi has presented a report to the ITU Council 2005 on ITU activities on Countering Spam.

"During the Geneva phase of the World Summit on the Information Society (WSIS), spam was identified as a potential threat to the full utilization of the Internet and e-mail. Accordingly, WSIS participants recognized that spam is a "significant and growing problem for users, networks and the Internet as a whole" (WSIS Declaration, paragraph 37) and that, in order to build confidence and security in the use of ICTs, there is a need to "take appropriate action at both national and international levels" (WSIS Plan of Action, paragraph C5, d).

The acknowledgement that spam is a problem at the global level, contributed to the fostering of various activities in the field. Countries became aware of the need to take action on this issue, and recognized the fundamental importance of international cooperation and coordination."

For the full report click here.

The Chairman's report (PDF) from the ITU WSIS Thematic Meeting on Cybersecurity held June 28 - July 1 2005 has been released.

The event was organized in the framework of the implementation of the Declaration of Principles and Plan of Action adopted on 12 December 2003, at the first phase of the World Summit on the Information Society (WSIS) and in preparation for the Tunis phase of WSIS, to be held from 16 to 18 November, 2005. The event website provides links to the final agenda, all background papers, presentations, electronic contributions, the Chairman’s Report and audio archives.

The four-day meeting was structured to consider and debate six broad themes in promoting international dialogue and cooperative measures among governments, the private sector and other stakeholders as well as promotion of a global culture of cybersecurity. These include information sharing of national and regional approaches, good practices and guidelines; developing watch, warning and incident response capabilities; technical standards and industry solutions; harmonizing national legal approaches and international legal coordination; privacy, data and consumer protection; and developing countries and cybersecurity.

The first day of the meeting focused on countering spam as follow-up to the ITU WSIS Thematic Meeting on Countering Spam, held in July 2004.

At a recent ITU cybersecurity event, Bruce Schneier, Founder and CTO, Counterpane Internet Security, Inc. gave a keynote speech entitled Negotiating for Security.

A Real Audio archive is available of Mr. Schneier's talk (speech starts 4 minutes from start of archive).

Mr. Schneier states that security is one of the fundamental building blocks of the information society as everything we now do with information requires some kind of security—sometimes a little, sometimes a lot, may it be personal, corporate or government related. He said that to a very real extent the limits of the information society can be seen as the limits of security. In other words, if we cannot do it securely, we will not do it with computers and on the internet. Therefore, this means that security is a fundamental enabling technology of the global information society. Moreover, he noted that society as a whole is increasingly moving onto computers and networks and therefore things that had previously nothing to do with computers suddenly do: whether airplanes or the national power grid, these now have an important information security component to their secure functioning. This means that information security therefore has become our general security, which is almost everything. This fact explains our need for an increased focus on security and why the things we are trying to achieve here at this meeting are so important.

At the recent ITU WSIS Thematic Meeting on Cybersecurity, Maria Cristina Bueti, Policy Analyst, Strategy and Policy Unit, ITU, presented a background paper entitled ITU Survey of Anti-Spam Laws and Authorities Worldwide. The survey was conducted in April 2005 and sent to ITU’s 189 Member States. The survey results, based on 58 responses received, showed that there are a number of countries that have already implemented anti-spam legislation. In some cases, countries use data protection laws or consumer protection laws to cope with spam issues. A number of countries do not have anti-spam legislation or any laws applicable to spam. A slide from her presentation is shown below.

From the Washington Post: To keep criminal hackers at bay, VeriSign, keeper of the master Internet address book, has been throwing mind-boggling amounts of money and computing firepower at security. VeriSign considers 2004 "the turning point" in the conflict because the bad guys exhibited such dramatic leaps in creativity, sophistication and focus.

 

The Korean Ministry of Information and Communication announced yesterday it will adopt new measures in December to reduce the circulation of spam e-mail. The ministry's plan is designed to prevent the delivery of spam messages with fake sender information. Under the ministry's Sender Policy Framework, participating portal sites will share e-mail server information.

For the full article click here.

From the list of presentations (check for update):

• Agenda, David Meyer

• Problem Statement, David Meyer

• Session Border Controllers, Gonzalo Coamarillo, Ericsson

• Issues in Numbering, Naming and Addressing, Richard Stastny, OFEG

• ENUM Update, Richard Shockey

• Service Provider Perspectives
  • PCH's Operational Experience with VoIP Peering, Bill Woodcock, PCH

  • Service Provider Perspectives on voipeer, Martin Dolly, AT&T Labs

  • A Broadband Service Provider's Perspective on VoIP Peering, Jason Livingood, Comcast

  • Peering Architecture, Sohel Khan, Sprint

• SIP Forum Tech WG: IP PBX to Service Provider Interoperability Task Group, Rohan Mahy

• Input on Inter-domain SIP Requirements for VoIP Peering, Jean Francois Mule, Cablelabs

• Original BOF Proposal, David Meyer

Dan Kaminsky of DoxPara Research has posted the presentation Black OPs of TCP/IP 2005 (PowerPoint) which he made at Black Hat 2005 which includes his probes of the global Internet DNS infrastructure. The results demonstrate a number of weaknesses in the DNS. In particular, almost 10% of the DNS 2.5 million name servers are potentially subject to cache poisoning which permits hijacking network traffic. Also see the related article on CNET.

Net criminals 'customise' attacks: Criminal gangs have become more astute in phishing attacks. Net criminals and hackers are increasingly targeting their attacks at specific organisations, research shows. Worse hit, according to a worldwide survey by IBM, are government departments, financial services, manufacturing and healthcare. Of the 237 million security attacks in the first half of 2005, 137 million were aimed at these four areas. Spam is becoming less attractive as criminals focus on fraud, identity theft and extortion. This has meant a decrease in the ratio of spam to legitimate e-mail from 83% in January to 67% in June.

From BBC News, IBM press release - Global Business Security Index via Ewan Sutherland's weblog.

Alex Shipp, Senior Anti-Virus Technologist at MessageLabs comments:

 "The banking system in South American countries has a higher take-up of internet banking than the banking experience we're used to in the US or Europe. This makes online banks a prime target for the high-tech gangs operating in the region who can get rich quick by selectively targeting local economic interests."

For the full article click here.

In a survey to test whether top e-tailers are allowing consumers to opt out of receiving promotional or marketing messages, the FTC has determined that 89 percent of the online merchants it tested are honoring requests to halt future mailings.

The study showed a high rate of compliance with the CAN-SPAM opt-out provisions. All of the e-tailers who sent e-mail to the FTC accounts provided clear notice of recipients’ right to opt out of receiving future mail and provided recipients with an opt-out mechanism. Eighty nine percent of the e-tailers honored all three of the opt-out requests made by FTC staff and 93 percent complied with opt-out requests for at least some accounts.

For the full report (PDF), click here.

Phishing emails go formal - New method hides the true web address: Researchers have discovered a new method used by criminals to hide the location of phishing websites in email messages. The technique uses a form that sends the users to phishing websites after they have pushed a button. Traditionally phishers employ a link in the body of the email message, security watchdog, the SANS Internet Storm Centre has warned. Forms are commonly used by websites to allow users to send information back to the sites, for instance to enter user names and passwords for log ins. A phishing email tries to lure the recipient to a website that the message claims is from a trusted organisation like a bank or credit card company. The aim of the message is to steal confidential information such as login names and passwords.

From VNUnet, SANS Internet Storm Center - diary via Ewan Sutherland's weblog.

John Levine, Chair, IRTF Antispam Research Group (ASRG) writes in his weblog that the anti-spam Sender Policy Framework (SPF) email authentication scheme is losing market mindshare.

In a recent talk at an ITU Cybersecurity Event, Mr. Levine gave a presentation entitled The Limits of Security Technology: Lessons from the Spam Wars. In his talk, he asked the audience to reflect carefully as to how technology fits in to the overall solution. He stressed that technology can be morally and politically neutral but we need to decide exactly what it is that we want. For example, an ultimate solution to spam could impact on issues such as anonymous speech, whether we wanted virtual or physical identities, or closed or open systems. These were all tradeoffs that needed to be considered.

The WSIS Executive Secretariat has released Draft Agenda and Time Management Plan for Prepcom-3. On this latter page is a link to contributions on Internet Governance.

New Zealand's Information Technology Minister David Cunliffe has tabled the Unsolicited Electronic Messages Bill, which will prevent the mass-marketing of emails and text messages to unsubscribed receivers. The Marketing Association's Chief Executive Keith Norris says while they support the bill, it won't change company practice, as they have had a permission-based code for five years.

Norris also says only 10% of spam originates in New Zealand and the bill is aimed at reinforcing international law.

Click here for the full article

"Just weeks after a Nigerian court convicted a woman in a massive e-mail scam case, the African nation will discuss spam and cybercrime solutions at a national seminar on economic crime. The four-day event, which begins Aug. 6, will take place at the Abuja headquarters of the Economic and Financial Crimes Commission, a government-sanctioned agency created in 2003 to "crack down on fraudsters," according to its Web site. Jonathan Rusch, the U.S. Department of Justice's special counsel for fraud prevention, is scheduled to speak on the last day of the conference about transnational "challenges in investigating and prosecuting telemarketing fraud, spamming and identity theft." A panel on cybercrime and national security is slated to follow his remarks."

Article accessed through fergie's blog.

The final version of a paper commissioned by the ITU entitled A Comparative Analysis of Spam Laws: The Quest for a Model Law (PDF) has been released. The paper was authored by Derek E. Bambauer, John G. Palfrey, Jr., and David E. Abrams, Berkman Center for Internet & Society, Harvard Law School, for the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva, 28 June - 1 July 2005.

Executive Summary

Spam presents a significant challenge to users, Internet service providers, states, and legal systems worldwide. The costs of spam are significant and growing, and the increasing volume of spam threatens to destroy the utility of electronic mail communications.

The Chairman’s Report from the ITU WSIS Thematic Meeting on Countering Spam in July 2004 emphasized the importance of a multi-faceted approach to solving the problem of spam and named legal governance as one of the necessary means. Our paper focuses on the potential nature of the legal regulation of spam, specifically the importance of harmonizing regulations in the form of a model spam law. We agree with the Chairman that the law is only one means towards this end and we urge regulators to incorporate other modes of control into their efforts, including technical methods, market-based means, and norm-based modalities.

Spam uniquely challenges regulation because it easily transverses borders. The sender of a message, the server that transmits it, and the recipient who reads it may be located in three different states, all of which are under unique legal governance. If spam laws are not aligned in these states, enforcement will suffer because the very differences between spam laws may mean that a violation in one state is a permissible action in another. Moreover, spammers have an incentive to locate operations in places with less regulation, and the opportunity to states to create a domestic spam hosting market may engage them in a race to the bottom.

Harmonizing laws that regulate spam offers considerable benefits, insofar as a model law could assist in establishing a framework for cross-border enforcement collaboration. To those enforcing the regulation of spam, harmonization as a model law effort offers: clear guidelines, easy adoption, enhanced enforcement, stronger norms, fewer havens for spammers, and the increased sharing of best practices. If such regulators then agree that harmonization can aid legal regimes intent on curbing spam, they must initially address four critical tasks: defining prohibited content, setting default rules for contacting recipients, harmonizing existing laws, and enforcing such rules effectively. This legal approach must be concurrently matched by efforts that employ other modes of regulation, such as technical measures, user education, and market-based approaches.

Our analysis of existing spam legislation gathered by the ITU Strategy and Policy Unit evaluated these laws’ elements to determine whether they were commonly included or not, and whether provisions were uniformly implemented or varying when present. Our research documents seven instances in which extant laws strongly converge: a focus on commercial content, the mandatory disclosure of sender/advertiser/routing, bans on fraudulent or misleading content, bans on automated collection or generation of recipient addresses, the permission to contact recipients where there is an existing relationship, the requirement to allow recipients to refuse future messages, and a mix of graduated civil and criminal liability. Also documented are five key areas of disagreement which are vital to a harmonized spam law but which have evaded consensus thus far: a prior consent requirement for contacting recipients, a designated enforcer, label requirements for spam messages, the definition of spam (whether it is limited to e-mail communication, or includes other applications, such as SMS), and the jurisdictional reach of the system’s spam laws. Naturally, a harmonization effort must tackle and narrow these zones of divergence in order to succeed.

Spam laws, whether harmonized or not, are at best only part of the solution to the spam problem and must be developed in concert with technical, market, and norms-based tools if the scourge of spam is to be substantially reduced. Efforts to harmonize the legal regulation of spam can serve as one effective means to solving the unique challenges spam presents. A model spam law is possible to develop, despite the many differences among the world’s spam laws.

Announced today on the WSIS web site is that the second Informal Consultation Meeting on Internet Governance (open to all stakeholders) will take place at the United Nations (Palais des Nations), Geneva, on 6 September 2005. Further details will be available in due time here.

Presentations in a July 2005 ICANN GAC roundtable discussion:

• Root Server Anycast System (root server operators) provides an update of DNS root-server anycast status (103-worldwide with more planned for 2005) and the statement that root server anycast deployment is a "tremendous success".
  
• Assorted Slides (Daniel Karrenberg, RIPE NCC) provides views on deploying DNSSEC on the root server system and the Working Group on Internet Governance (WGIG) final report comments that the "Lack of formal relationship with root server operators" is a public policy issue relevant to Internet governance. It is stated that this is "wrong" and "not a way to solve the issues about who edits the [root] zone file."

Israel’s Knesset (or parliament) has passed a law to fight against spam, imposing fines and strict regulations on people who send unsolicited email, junk faxes, and spam text messages.

“State intervention was necessary in order to prevent the continued impingement on the public’s privacy,” said Israeli Communications Minister Dalia Itzik, who initiated the legislation. Unlike the United States’ CAN-SPAM Law, the Israeli law bars the sending of spam unless the recipient gives his or her prior consent".

For the full article click here.

The mozilla.org team has announced changes to Firefox regarding Internationalized Domain Names (IDN) to deal with homograph spoofing attacks.

• "We have implemented a TLD whitelist system, which currently contains 21 TLDs for which we correctly display IDN domain names in the UI (user interface). Any IDN domain name in a non-whitelisted TLD displays as punycode. This is a security feature and so there is no user interface for adding or removing TLDs.
• Any registry which wishes to be added to the whitelist should follow the instructions on that page. In terms of what constitutes a homograph, we are being guided by the Unicode Consortium's confusables list at http://www.unicode.org/draft/reports/tr36/data/confusables.txt and by common sense. Our policy in this area is still somewhat in flux - in particular, we are not yet sure whether we should require that registries to consider two characters which differ only in accent (sometimes by the shade of a single pixel at normal font sizes) as homographic. In the mean time, we strongly advise that registries do this.
• We have implemented a character blacklist, which will soon contain 'DIVISION SLASH' (U+2215) and 'FRACTION SLASH' (U+2044). After that, we may extend it to forbid more characters which may be used to spoof URL punctuation. https://bugzilla.mozilla.org/show_bug.cgi?id=301694
• This is not meant to prejudice the outcome of the current IAB-IDN discussions on potentially reducing the number of characters permitted in IDN, but we feel the danger posed by the use of such characters in 3rd and 4th level domains is great enough to require an immediate ban. Any domain name which contains one or more of these characters displays as punycode.
• We wish to thank Opera Software for their help in creating the initial whitelist and providing suggestions for the character blacklist."

The ITU Council has approved that the theme for World Telecommunication Day 2006 (May 17) be Promoting Global Cybersecurity.

Here is the background of this decision as contained in the proposal to ITU Council:

The United Nations General Assembly adopted, in 2002, a resolution entitled UNGA Resolution 57/239: Creation of a global culture of cybersecurity, calling for international organizations to consider measures to foster a global culture of cybersecurity and invited Member States to develop throughout their societies a culture of cybersecurity in the application and use of information technologies. The General Assembly also stressed the necessity to facilitate the transfer of information technology and capacity-building to developing countries, in order to help them to take measures in cybersecurity.

The ITU Plenipotentiary in 2002 adopted Resolution 130: Strengthening the role of ITU in information and communication network security, instructing the Secretary General and the Directors of the Bureaux to intensify work within existing ITU study groups and inviting ITU Member States and Sector Members to participate actively in the ongoing work of the relevant ITU study groups.

In 2004, a second resolution, UNGA Resolution 58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructure, was adopted by the United Nations on the global culture of cybersecurity and the protection of critical information infrastructure. The General Assembly, through this Resolution, encouraged Member States, regional and international organizations that have developed strategies to deal with cybersecurity and the protection of critical information infrastructures to share their best practices and measures that could assist other Member States in their efforts to facilitate the achievement of cybersecurity; it also stressed the necessity for enhanced efforts to close the digital divide, to achieve universal access to information and communication technologies and to protect critical information infrastructures by facilitating the transfer of information technology and capacity-building, in particular to developing countries so that all States may benefit fully from information and communication technologies for their socio-economic development.

In 2004, the World Telecommunication Standardization Assembly (WTSA) adopted Resolution 50 on Cybersecurity, requesting the ITU-T to continue to raise awareness, of the need to defend information and communication systems against the threat of cyberattack, and continue to promote cooperation among appropriate entities in order to enhance exchange of technical information in the field of information and communication network security.

In accordance with PP Resolution 130 and WTSA Resolution 50, it was proposed that ITU should take a lead role in promoting a global cybersecurity campaign. The vehicle of World Telecommunication Day can be used to build an awareness campaign in support of this objective. In implementing this campaign, ITU would work in close cooperation with organizations involved in global cybersecurity issues, including the European Network and Information Security Agency, the Organization for Economic Cooperation and Development as well as other national, regional and international interested entities.

The 2005 E-Crime Watch survey was conducted by CSO magazine in cooperation with the U.S. Secret Service and Carnegie Mellon University Software Engineering Institute’s CERT® Coordination Center. The research was conducted to unearth electronic crime fighting trends and techniques, including best practices and emerging trends. Respondents’ answers are based on the 2004 calendar year. A similar version of this survey was also conducted in 2004 with corresponding answers from the 2003 calendar year. Trending data is provided where relevant.

From CERT

The Anti-Spyware Coalition proposed a standardized definition of "spyware" on July 12, 2005. The definition, which is open for public comment until August 12, is intended to serve as the foundation for a more unified approach to tackling the spyware problem. In addition to defining spyware, the coalition's first public document also offers uniform definitions of other commonly used terms like "adware" and "cookie," and offers tips for users to avoid downloading unwanted programs.

For more information, see the full article.

For comments on the Anti-Spyware Coalition definitions, click here.

Yahoo and Cisco have teamed up in an effort to reduce the amount of junk email reaching users' inboxes.

The firms have announced a specification called DomainKeys Identified Mail (DKIM) that they hope will become a web standard. DKIM combines Yahoo's DomainKeys and Cisco's Identified Internet Mail authentication technologies.

For the full article click here.

Finnish citizens are to be offered the opportunity to use mobile telephones equipped with digital certificates to identify themselves when conducting business online.

The first SIM cards equipped with the security certificate are now being offered by Elisa, Finland's second-largest mobile network operator, for official transactions with the Finnish Population Register Centre.

If, for example, a citizen wants to register a move to a new home online, he opens the corresponding page on the Internet, fills out the form, and receives a message from the registration office on his mobile telephone requesting him to enter his mobile signature for the online request. The citizen enters a personal PIN to permit the generation of the digital signature. This is generated by the SIM card and returned to the registration office as a special encrypted message.

Citizens who want to use the mobile signature can register at a local police station and sign up for the service. The 128KB, Java-based SIM cards have been supplied by Giesecke & Devrient and are currently available at selected Elisa outlets.

By the end of 2005, the Finnish OKO Bank, the social insurance agency, the Tax Administration, as well as the Ministry of Labour want to offer the mobile citizen certificate as a new form of authentication for their services.

The article above was published on the Finextra.com website.

The Office of the Information Commissioner (ICO), enforcer of the UK's main anti-spam laws, has received around 600 spam complaints in the past 12 months. But it has taken no legal action, in part because its powers are inadequate and impractical.

For the full article click here.

See: Information Commissioner's Report, July 2005

See also: Information Commissioner publishes annual report

Australia's broadcasting and telecommunications watchdog has won its first injunction against an alleged spammer under anti-spam laws introduced early last year.

The full article can be accessed here.

Article in The Register talks about Scott Richter, who has been dropped from an authorative list of known spammers after cleaning up his act. "Richter and his OptInRealBig option were a fixture in Spamhaus's Register of Known Spam Operations (ROKSO) for years. Only hard-core spammers who become the subject of repeated complaints feature on the list."

"Presence in the rogues gallery makes it difficult to obtain internet service from ethical suppliers and problematic to register domain names. Only those who refrain from sending bulk unsolicited email for six months are eligible for removal from ROKSO. Richter switched to a confirmed opt-in mailing list business model that contrasts with his previous business activities. Richter was sued by New York State Attorney General Eliot Spitzer and brought to the brink of bankruptcy by Microsoft over allegations the he used a network of 500 compromised computers to send millions of junk emails to hapless Hotmail users. Richter denied any such wrongdoing in settling the NY lawsuit last July but he was forced to agree to stop sending deceptive emails and generally abide by the US's CAN SPAM Act."

For the full story click here.

Article in The Register was accessed through fergie's blog.

An FWC article featuring resources and the fight against electronic crime points out that although "electronic crimes are increasing at an alarming rate, there is a lack of reliable statistics measuring the frequency, size and impact of such crimes and little scientific research being done to profile the perpetrators".

An interview in the article also mentions that "law enforcement officials need better capabilities and more resources to deal with electronic crime whether it is committed in cyberspace or traditional crimes involving digital devices."

The article goes further on to say that "Some businesses aren’t reporting cybercrimes to law enforcement, but instead handling them internally. With the advent of instant messaging, voice over IP and other communication technologies, there are legal issues of intercepting messages to determine whether a crime has been committed. And getting information about possible crimes from Internet Service Providers might also pose a problem."

For the full article click here.

Article accessed through fergie's tech blog.

The U.S. Commerce Department's National Institute of Standards and Technology, or NIST, has released a draft version of the minimal security requirements for federal agencies. The report comes one month after government auditors found that the agencies are not prepared to deal with the triple Internet menaces of spam, phishing and spyware.

Full C|Net article can be found here.

Article accessed through fergie's blog.

A recent PCWorld.com article article reports that "The U.S. Department of Homeland Security needs to develop a recovery plan for widespread attack on the Internet, and it needs stable leadership in cybersecurity".

The article goes on to say that "While DHS can track Internet threats, it doesn't have an Internet recovery plan or a national cybersecurity threat assessment". Seemingly DHS is making progress but more work still needs to be done.

For the full article click here.

Article accessed through fergie's blog and Yahoo! News.

Last week Cisco joined Yahoo, Sendmail and PGP Corp. in submitting the DomainKeys Identified Mail (DKIM) specification to the Internet Engineering Task Force (IETF). DKIM results from Cisco and Yahoo merging separate e-mail verification technologies with similar attributes, which both companies had worked on for more than a year.

"Since all this [spam] traffic is running on Cisco networks in large part, many customers often ask, 'Why can't Cisco do something about it?' " says Sanjay Pol, vice president and director of Cisco's Anti-Spam Initiative. "The less trust people have of the Internet, the worse it is for Cisco and our customers."

Click here to view the full article.

A study titled "Open to Exploitation: American Shoppers Online and Offline" finds that "Internet users in the United States are dangerously ignorant about the type of data that Website owners collect from them and how that data is used, making them vulnerable to fraud and misuse of their personal information".

For the full story click here.

Article published in InfoWorld, accessed through fergie's blog.

From Paul Hoffman's blog: 

The IETF has finally emitted the email anti-spoofing documents for the SPF and Sender-ID protocols. The most important thing is that the two protocols are issues as experimental RFCs, not standards. There is a huge difference, and the IESG tried to make that as clear as possible:

"The following documents (draft-schlitt-spf-classic, draft-katz-submitter, draft-lyon-senderid-core, draft-lyon-senderid-pra) are published simultaneously as Experimental RFCs, although there is no general technical consensus and efforts to reconcile the two approaches have failed. As such these documents have not received full IETF review and are published "AS-IS" to document the different approaches as they were considered in the MARID working group.

The IESG takes no position about which approach is to be preferred and cautions the reader that there are serious open issues for each approach and concerns about using them in tandem. The IESG believes that documenting the different approaches does less harm than not documenting them.

The community is invited to observe the success or failure of the two approaches during the two years following publication, in order that a community consensus can be reached in the future."

And, to be clear, neither protocol is directly anti-spam: they simply help the receiver believe that the mail is sent by the organization that claims it sent the message.

The Working Group on Internet Governance has released its final report (Word, PDF).

The Report has been translated in all UN languages: Arabic, Chinese, French, Russian, and Spanish (all Word format).

A Background Report (Word) is also made available. It will be translated into French and posted on this website in due course.

Click here (PDF) to view the Press Release.

European Union home affairs ministers have promised that in October they will agree on a set of Europe-wide rules requiring companies to store phone call and e-mail data. The pledge was made at an emergency meeting of ministers in Brussels on Wednesday in response to the bombings in London last week which killed over 50 people.

The rules would require fixed and mobile telephone operators, ISPs (Internet service providers) and SMS (short messaging service) providers to keep data for at least a year with a possible maximum of three years. Only traffic data such as the time, duration and destination of calls would be kept, not the content of communications.

The Nigerian Anti-Scam Network is a movement that is composed of Nigerians who are concerned about the bad image that cybercrime and spam has brought to Nigeria. The Nigerian Anti-Scam Network is an online youth network consisting of young Nigerian professionals who are concerned about the situation and are willing to take actions for change. They aim to expose the supporters and perpetrators of online crimes on their online message boards so that people have a place where they can do spot-checks and thus hopefully avoid being spammed. The Network expresses its concern that foreign parties have anti-scam sites that are little more than anti-Nigeria sites. They believe that the activities of the Nigerian Anti-Scam Network can give a more balanced opinion.

The Network realizes that; "throughout the world, cyber crime is a very serious topic and a very contentious one at that. A lot of countries are losing a lot of money due to the activities of cyber 419s. Nigeria have been touted as the major breeding ground for most of these online scams. Nigeria's ranking in the corruption index have been very discouraging for the past three years and we know that this is not only as a result of Government officials' corruptness, but also as a result of activities of online scammers. To be better prepared to fight these menace and bring back our lost reputation, some young Nigerian professionals started the Nigerian Anti-Scam network and have been doing extensive research on the activities of these scammers and ways of salvaging the country's image."

For more information visit the Nigerian Anti-Scan Network website and online forum.

Following months of discussions, China has agreed to sign up to the London Action Plan, which will mean greater cooperation between countries in analyzing spam campaigns, investigating their origin and encouraging ISPs around the world to take appropriate measures to defend innocent users.

Click here to view the full article.

According to a CNET article, computer security and software companies are urging the U.S. Senate to approve the world's first treaty targeting cybercrime.

A letter from the groups, including the Business Software Alliance, VeriSign, InfraGard and the Cyber Security Industry Alliance, called on senators to ratify the controversial document, which was the subject of a brief flurry of attention last year before it expired without a floor vote.

"The cybercrime convention will serve as an important tool in the global fight against those who seek to disrupt computer networks, misuse private or sensitive information, or commit traditional crimes utilizing Internet-enabled technologies," said the letter, which was sent Tuesday. "It requires countries to adopt similar criminal laws against hacking, infringements of copyrights, computer-facilitated fraud, child pornography and other illicit cyberactivities."

Today's WSIS Thematic Meeting on Cybersecurity Sessions 13 and 14 includes discussion of the Convention on Cybercrime.

From the Seattle Times: Calls increasing for safer, more-secure Internet

Built by academics when everyone online was assumed to be a "good citizen," the Internet today is buckling under the weight of what is estimated to be nearly a billion diverse users surfing, racing and tripping all over the network.

Hackers, viruses, worms, spam, spyware and phishing sites have proliferated to the point where it's nearly impossible for most computer users to go online without falling victim to them.

During this morning's session at the ITU WSIS Thematic Meeting on Cybersecurity on Information Sharing of National and Regional Approaches, Good Practices and Guidelines, Myriam DUNN, Head, International Relations and Security Network (ISN), Center for Security Studies (CSS), Swiss Federal Institute of Technology, Switzerland presented a background paper (PDF) on A Comparative Analysis of Cybersecurity Initatives Worldwide.

The final presentation at yesterday's session on spam at the ITU WSIS Thematic Meeting on Cybersecurity, John LEVINE, Chair, IETF Antispam Research Group (ASRG) made a presentation entitled the Limits of Security Technology: Lessons from the Spam Wars.

Yesterday, at the ITU WSIS Thematic Meeting on Cybersecurity, during the day focused on spam, a session was dedicated to discussing national policies and legislative approaches to spam. As part of this session, a Background Paper commissioned by ITU, entitled A Comparative Analysis of Spam Laws: the Quest for Model Law, was presented (presentation) by Derek BAMBAUER, Research Fellow, Berkman Center for Internet & Society. The authors of hte paper are Derek BAMBAUER, John PALFREY, Executive Director, and David ABRAMS, Berkman Center for Internet & Society, Harvard Law School, United States. From the introduction to the report: 

The goal of this paper is to help policymakers understand the potential benefits and challenges of model spam legislation as a tool to improve the security of and user confidence in information and communications technology (ICT), as well as the potential that model spam legislation holds for Internet users worldwide. First, it sets forth a framework for understanding spam and identifies key issues confronting regulators. Next, the paper examines the set of options for spam laws based on existing and proposed legislation gathered by the International Telecommunication Union (ITU) Strategy and Policy Unit (SPU). It analyzes the level of consensus among these extant laws and the degree to which a particular component is included in most legislation and in the degree to which provisions addressing this component are similar or harmonized. The paper points towards zones where there is considerable consensus while simultaneously illuminating the most fundamental differences, so that policymakers can tackle the hard issues and choices involved in spam laws. Finally, the paper makes preliminary recommendations for spam law efforts and considers both the potential for and the likely efficacy of a model spam law.

During the same sessions, there were presentations from:

• Panellist: Jonathan KRADEN (biography), Staff Attorney, Federal Trade Commission (FTC), United States
    o  Presentation
• Panellist: Miguel MONTERO (biography), Spam Ruling Administrator, Radiografica Costarricense (RACSA), Costa Rica
    o  Presentation
• Panellist: Liang LIU (biography), Assistant Director, Anti-Spam Coordination Team, Internet Society of China, People’s Republic of China
    o  Presentation
• Presentation: Maria Cristina BUETI (biography), Policy Analyst, Strategy and Policy Unit, ITU
  ”ITU Survey of Anti-Spam Laws and Authorities Worldwide”
    o  Presentation

Luc Mathan from the relatively new Messaging Anti-Abuse Working Group (MAAWG) is giving a presentation on MAAWG's efforts to align the messaging industry stakeholders along three directives: Collaboration, Technology and Policy. The working group will address collaborating on cross-operator communications, best practices and technology to combat messaging abuse, as well as developing a cohesive point of view on public policy.  More information about MAAWG.

MAAWG members are developing a feedback loop mechanisms to deal with spam complaints between ISPs. They are also creating a contact database for service providers to be able to contact the appropriate person to deal with a messaging abuse situation.

Steve Linford of the Spamhaus Project is speaking at the ITU WSIS Thematic Meeting on Cybersecurity on the first day which is concentrating on countering spam. Some of his remarks:

• Spamhaus blocks approximatley 8 billion spam messages per day
• They estimate there are 4 million infected zombie machines which have been compromised with 60-100,000 newly infected per week
• These are used to launch Distributed Denial of Service (DDOS) Attacks
• This is increasingly a criminal activity with "spam supermarkets"
• Mostly American and Russian spammers using Chinese hosting. These are technically smart users who firewall their sites from their hosting companies.
• Spammers in Russia are more criminal than US counterparts. They are involved in
• The largest Russian ISP, Rostelecom says they cannot terminate accounts as Russian law does not permit it.
• Australian spam laws are best in the world, penalties are high enough to make a dent in spam
• Consumer confidence in the Internet is dropping every day
• Spam is a cancer and it is fast killing the Internet

Some of Steve's conclusions include:

• You must ban and not regulate spam
• Governments must give resources to law enforcement agencies
• Make it criminal for ISPs to host spammers
• Require a 24 hour point of contact for all ISPs to terminate problems
• Educate users to not reply to spam

The meeting is also being audiocast live over the Internet. Mr. Linford's talk is the beginning of Session 2.

At the start of the 21st century, our societies are increasingly dependent on information and communications technologies (ICTs) that span the globe. The ITU WSIS Thematic Meeting on Cybersecurity opens today and takes place from 28 June – 1 July 2005 at ITU headquarters in Geneva, Switzerland. This conference will examine the recommendations in the World Summit on the Information Society (WSIS) first phase's Declaration of Principles and Plan of Action that relate to building confidence and security in the use of ICTs and the promotion of a global culture of cybersecurity. Now available on the meeting web site is the agenda (with links to presentations as they are given) and meeting background papers and contributions. The meeting is also being audiocast live over the Internet.

The meeting will specifically consider six broad themes in promoting international cooperative measures among governments, the private sector and other stakeholders, including:

• information sharing of national approaches, good practices and guidelines; 
• developing watch, warning and incident response capabilities;
• harmonizing national legal approaches and international legal coordination;
• technical standards;
• privacy, data and consumer protection;
• developing economies and cybersecurity.

The first day of the meeting will focus on countering spam as follow-up to the ITU WSIS Thematic Meeting on Countering Spam held in July 2004.

In Netwizards Blog: according to the records in the IETF's database (here and here), both SPF and Sender-ID anti-spam proposals were tentatively approved by the IESG (the "approval board" of the IETF) as experimental standards RFCs.

Hong Kong Special Administrative Region plans to enact an anti-spam law next year to crack down on companies that send unsolicited e-mails or make automated telemarketing calls to consumers.

"Au Man-ho, director-general of the Telecommunications Authority, said in a statement Saturday that direct marketing companies using automated calling on an unsolicited basis can be considered a spam problem."

Click here to view the full article.

Communications Minister Helen Coonan has called on Australia's neighbours to join forces to combat threats from spam email and online fraudsters.

"Closer cooperation between such bodies as APEC, the OECD and the ITU (International Telecommunications Union) will also help to develop a strategy to address the threats that spam poses to the integrity and security of the APEC region's communications infrastructure," Senator Coonan said.

Click here to view the full article.

Matthew Fordahl writes in an AP newswire article on Yahoo! News:

Network equipment maker Cisco Systems Inc. and Internet portal Yahoo Inc. are combining their efforts to combat e-mail spam and forgery in a step that's expected to help expand adoption of the technology.

The move, announced Wednesday, combines two techniques that rely on cryptography to help determine whether the sender of an e-mail message is legitimate. Sending messages using a false address is a common tactic of spammers.

[via Fergie's Tech Blog]

In an article from Reuters: A bill for mandatory logging of emails, phone calls and other electronic communications to combat terrorism and fraud will limit data storage to a year at most, the European Commission said on Wednesday.

Viviane Reding, Commissioner for Information Society and Media, said a similar proposal put forward by four member states in 2004 wanted data to be stored for three to four years, which she said would impose a costly burden on phone and internet companies.

[Via Fergie's Tech Blog and Reuters]

In the framework of its Technology Watch activities, ITU-T has recently published a technical paper on radio frequency identification (RFID) and opportunities for its use in mobile telecommunication services. RFID enables data to be transmitted by a tiny portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. It is only recently that the technology has begun to take off in the mass market. Analysts predict that RFID will revolutionize areas of industry, such as supply chain management and the retail business, for example by reducing costs with better stock management. The technical paper presents several ideas for applications of RFID technology in mobile telecommunication services as well as possible areas for standardization efforts. Apart from purely technical concepts, the challenging aspects of security and privacy are discussed. A PowerPoint presentation of the paper is also available.

ITU-T recently set up a correspondence group on RFID in the framework of its Technology Watch and a dedicated e-mail reflector on the matter for initiating studies on the technology. Additionally, ITU-T is to hold a workshop on RFID standardization issues in the first quarter of 2006. [via ITU-T Newslog]

OECD has released a report on Anti-spam Law Enforcement

"Successful enforcement of anti-spam law serves as an economic disincentive to spammers by imposing fines and penalties which undermine their profits, provides a state-sponsored mechanism for protection and redress to victims of spam-related consumer fraud, and vindicates the privacy rights of spam recipients. Ultimately, an increased enforcement presence may help restore trust in e-mail systems that has been eroded by spam."

For the full report (PDF), click here.

The OECD has just published an excellent paper by Suresh RAMASUBRAMANIAN on Spam Issues in Developing Countries (PDF), which is linked to from the OECD antispam toolkit.

At an ITU/EU (ENISA) Regional Seminar on Cybersecurity for CEE, CIS and Baltic States in Riga, Latvia, Robert Shaw of the ITU Strategy and Policy Unit has given a presentation (PDF) on the upcoming ITU WSIS Thematic Meeting on Cybersecurity which will be held June 28-July 1 2005 at ITU headquarters.

Other presentations on available on the event web site, including an update by Pernilla SKANTZ on the establishment of the European Network and Information Security Agency (ENISA).

From SecurityPipeline: The CIA is conducting a war game this week to simulate an unprecedented, Sept. 11-like electronic assault against the United States.

The three-day exercise, known as "Silent Horizon," is meant to test the ability of government and industry to respond to escalating Internet disruptions over many months, according to participants. They spoke on condition of anonymity because the CIA asked them not to disclose details of the sensitive exercise taking place in Charlottesville, Virginia, about two hours southwest of Washington.

The simulated attacks were carried out five years in the future by a fictional new alliance of anti-American organizations that included anti-globalization hackers. The most serious damage was expected to be inflicted in the closing hours of the war game Thursday.

The national security simulation was significant because its premise--a devastating cyberattack that affects government and parts of the economy on the scale of the 2001 suicide hijackings--contradicts assurances by U.S. counterterrorism experts that such effects from a cyberattack are highly unlikely.

Via iwar: GAO: Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, May 26, 2005

While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures.

Complete Report...

A very comprehensive survey site on Computer Forensics from Dave Dittich.

"Anti-spam enforcement authorities in 13 European countries recently agreed to share information and pursue complaints across borders in a joint drive to combat electronic junk mail. The nations will cooperate in investigating complaints about crossborder spam from anywhere within the European Union to make it easier to identify and prosecute spammers anywhere in Europe.The voluntary agreement establishes a common procedure for handling cross-border spam complaints". The participating European countries, including Austria, Belgium, the Czech Republic, Ireland, Italy, Lithuania, the Netherlands, and Spain, will through these initiatives try their best to address complaints from each other.

Spain's data protection authority, Agencia Española de Proteccion de Datos, and the U.S. Federal Trade Commission also recently signed a bilateral memorandum of understanding to promote enhanced cooperation and information sharing on spam enforcement activities. In July 2004, the FTC signed a similar agreement with the United Kingdom and Australia.

"Germany is taking spam control into its own hands. People who send junk e-mail in Germany will face fines of as much as 50,000 euros according to a draft law agreed upon by Germany's ruling coalition of Social Democrats and Greens. The law will also prevent spammers from disguising their name and the nature of the e-mail. German lawmakers hope that the steep fine will make people think twice about sending spam. It has been illegal to send spam in Germany since July 2004, but the ruling coalition hopes the new legislation will help stop the practice."

Click here to view the full article.

The 2005 ASEM Cyber Security Workshop, Seoul will be held in Republic of Korea, hosted by the Ministry of Information and Communication of Korea. The ITU WSIS Thematic Meeting on Cybersecurity will follow shortly afterwards, June 29-July 1 2005 in Geneva, Switzerland.

According to Warren's Washington Internet Daily on 24 May 2005:

Stuck in an "embryonic" stage of sharing cybersecurity information, many European countries look to govt. for encouragement, the head of the European Network & Information Security Agency (ENISA) said in an interview. Despite claims of willingness to work together, a lack of actual cooperation is the chief roadblock to better infrastructure protection, said ENISA Exec. Dir. Andrea Pirotti, adding that many stakeholders want national or European Union authorities to nudge them. ENISA will be the "director of the orchestra" beginning later this year, Pirotti said.

The new agency has created working groups on security awareness-raising, risk analysis and assessment, and computer emergency response teams (CERTs), Pirotti said. The CERT panel will devise an effective way to stimulate cooperation among European nations and to establish as many CERTs as possible, he said. In smaller communities, ENISA may also push for warning, advice and reporting points (WARPs), sometimes called "mini-CERTs." Often set up and run by volunteers, WARPs field network threat information from and report problems to the larger CERTs, Pirotti said. But unlike CERTs they don't provide technical fixes.

ENISA working groups will set best practices with detailed procedures for establishing CERTs and WARPs, Pirotti said. ENISA officials then will take the ideas to national officials and push for their creation. "We shall do our best, but this is just the beginning," he said. Local authorities are keen on the idea but want ENISA to give them a framework and suggestions. Most know the risks of not having CERTS, he said, and are willing to invest in them.

ENISA is beginning to develop a presence, joining the ITU at a June forum on network security in central and east Europe, the former Soviet bloc and the Baltic states (WID May 23 p6). The group also plans a late Sept. information security conference in Budapest.

A permanent ENISA stakeholder group has 30 members from industry, academia and the consumer community, Pirotti said. The group, which first met in March, convenes June 2 to discuss mobile phone security, among other issues.

ENISA's workforce is far from complete -- of 40 workers authorized, 4 have been hired -- but a massive recruiting effort for agency administrative and technical personnel now underway will end in late July, Pirotti said. ENISA will occupy its permanent hq in Heraklion, Greece, in Sept. and start work in earnest in Oct. or Nov. -- Dugie Standeford

From the FTC's Operation Spam Zombies page:

Spammers use home computers to send bulk emails by the millions. They take advantage of security weaknesses to install hidden software that turns consumer computers into mail or proxy servers. They route bulk email through these "spam zombies," obscuring its true origin.

As part of a worldwide effort to prevent these abuses, the FTC announces "Operation Spam Zombies." In partnership with 20 members of the London Action Plan and 16 additional government agencies from around the world, the Commission is sending letters to more than 3000 Internet service providers (ISPs) internationally, encouraging them to take the following zombie-prevention measures:

• block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
• apply rate-limiting controls for email relays.
• identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
• give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
• provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.

In a later phase, the Operation plans to notify Internet providers worldwide that apparent spam zombies were identified on their systems, and urge them to implement measures to prevent that problem.

• Press Release (May 24, 2005)
• List of Participating Agencies

Business Guidance

• Letter to Internet Service Providers [PDF]

Letter text translations (provided by participating agencies):

• Chinese [PDF]
• Japanese [PDF]
• Danish [PDF]
• Lithuanian [PDF]
• Greek [PDF]
• Norwegian [PDF]