Wednesday, July 11, 2007
This year's edition of the World Information Society Report 2007 notes that growth in the global Information Society is not without risks and the Report examines the potential pitfalls of growth in the rise of online fraud, other risks and threats to cybersecurity. The expansion of the Internet is opening up many new opportunities for criminals to exploit online vulnerabilities and commit criminal acts or attack countries' critical infrastructures.
Threats in cyberspace are evolving rapidly and deserve greater attention for several reasons. The evolution of telecommunication networks towards Next-Generation Networks (NGN) with decentralized intelligence at the edges of the network could raise new security issues. The capacity and speed of networks are increasing, accelerating the transmission of malicious software alongside other Internet traffic. Transmission and encryption protocols are also constantly being updated. Meanwhile, convergence offers new opportunities for 'cross-infection', with the problems of one access device feeding into other ICTs.
Viruses, spyware, phishing, identity theft, denial-of-service attacks and zombie botnets are endangering cyberspace and jeopardising the very future of the Internet. According to one source, spam and other exploitation now account for up to 90 per cent of all email traffic over the Internet. Spam has now mutated from a general annoyance to a broader cybersecurity threat, acting as a platform for many other types of scams (see Figure).
Chapter five, "Challenges to building a safe and secure Information Society" of the World Information Society Report 2007 examines these issues.
Thursday, June 21, 2007
The International Telecommunication Union (ITU) and the European Broadcasting Union (EBU) are jointly holding a meeting of high-level experts to identify key trends and to address the new technological and policy challenges in the digital content delivery environment.
To view the ITU/EBU conference via webcam, click here.
More information about this meeting can be found here.
Friday, June 08, 2007
Tuesday, June 05, 2007
A recent article in ComputerWorld Australia reports that a common e-crime reporting format to electronically report fraudulent activities will be fully operational in Australia by July, 2007.
In an interview with with Anti-Phishing Working Group (APWG) Secretary-General, the need for a structured data model to improve incident reporting, share information and allow forensic searches and investigations was highlighted. Secreatry-General Cassidy said that "the first base specification was submitted in June 2005 and the Incident Object Description Exchange Format (IODEF) XML Schema with e-crime relevant extensions will be a recognized IETF standard in about six weeks." This will futhermore be automated with greater ease using a standard schema. He also gave an example to show how it is planned to work: an Asian country CERT (Computer Emergency Response Team) reporting an incident can send it to a European bank, which then can treat the specific request .
The Anti-Phishing Working Group (APWG) is currently talking to ISPs to increase phishing data from the field. Cassidy continues, "Reporting is improving. The average time live for a phishing site is now four days: we should be able to reduce this to a single day. We want to make it harder for organized crime by frustrating them and pulling down the sites as quickly as possible. "We don't want it to be easy for them to make a profit so they have to return to old standbys like extortion and drugs."
Cassidy estimates there are upwards of 50 full-time phishing gangs operating worldwide at any given time. While four days may seem a long time the average was well over a week when the working group was first established. He said it can depend on reaching the right person within an organization. "We have ISPs that can bring down sites in minutes but there are some organizations that have an approval process that has to be cleared by three levels of management; even after 20 faxes and two weeks later nothing is done". "Some organizations just aren't interested".
Access the full ComputerWorld article here.
Wired News in an article reports on the recent Anti-Phishing Working Group's Counter e-Crime Operations Summit which took place in San Francisco, United States. The meeting gathered internet-crime fighters from security companies, law enforcement agencies, banks and e-commerce sites to confer on new tactics in the war on cybercrime. "And while nearly everyone agreed the internet has become an infected and dangerous breeding ground for malware and scams, no one could quite agree on what do."
Proposed solutions included:
- the online fraud problem had become so bad due to the neglect of ISPs, users and private corporations alike that the only recourse was to build government-funded free clinics for infected computers;
- the botnet threat requires some top-down authority to fix the problem, the current remediation model which mostly involves running from one computer to another installing patches cannot keep up with attackers that are now better organized and better funded than the security community;
- the increased use of ingress filtering that prevents one computer from successfully spoofing the internet IP address of another (to be widely adopted by ISPs and router manufacturers);
- etc. see the Anti-Phishing Working Group's Counter e-Crime Operations Summit for further information.
Service providers and everyday users were singled out by meeting panelists and audience members for not taking enough responsibility. Attendees slammed ISPs for not searching for rogue computers on their network or shutting off internet access to compromised PCs reported to them by security companies, charging that ISPs were endangering the internet to avoid support calls from cut off customers.
Is was stated that users don't care about security because the rogue zombie software often only uses minimal computing power, making the background spam-spouting code not their problem. A few audience members argued seriously that computer users should have to take a test to get an internet license, maintain botnet insurance and have their machines inspected for information-super highway worthiness. Others countered that individuals shouldn't have to know how to secure their own computers, the machines should simply be more inherently secure.
In the article a senior researcher for security company RSA, told Wired News that "none of those solutions would work, because new technical specifications for a security score would take years, and the other proposals wouldn't have the international reach needed to make a dent in the global internet infosphere." "The solution? Money. Governments need to provide rewards to ISPs for taking down botnets, the researcher explains."Governments are the only body with money and the incentive to take down botnets. If you are looking at either a carrot or stick approach, I would go carrot. If you are paying ISPs to get rid of the botnets, then it's international. Everyone wants to make money."
Read the full Wired News article here.
MSNBC news reports in a recent article that a new mutation of the old phishing scam surfaced. Like thousands of previous phishing e-mails, this bogus bank notice asks for your personal information. But in a strange and novel twist, it tries to turn your own phone against you.
In an e-mail message from a bank you see text like: "During our regular update and verification we could not verify your current phone number". You are told to confirm your phone number right away or your account will be suspended indefinitely.Then you’re instructed to forward your phone to the number provided. It’s supposedly the phone number for the bank’s security department. "The bank will verify your phone number and will disable call forward within 20 minutes," the e-mail says. However, this e-mail is not from the bank, and the number does not go to their security department. It’s a Skype number that goes straight to the identity thieves who can be anywhere in the world.
If this new approach works, we are likely to see similar messages pretending to be from other financial institutions asking people to forward their phone number. "After an identity thief steals your credit card number, he needs a way to make money with it. He can charge things or sell the number for others to use. In either case, once the charges start piling up on your account, the bank’s computers are likely to flag these abnormal or out of profile transactions and alert the fraud department."
The Anti-Phishing Working Group, a consortium of hundreds of banks, e-tailers, technology companies and government agencies, warns that a growing number of phishing attacks are being designed to steal your personal information by downloading crime-ware onto your computer. They do that when you click the link that’s embedded in the phisher’s e-mail message, the one that’s supposed to take you to the financial institution’s Web site.
For tips on how to protect yourself, and for more information on this new scam, read the full MSNBC article.
Monday, June 04, 2007
The European Association for the Co-ordination of Consumer Representation in Standardisation (ANEC) held its General Assembly on 1 June 2007 in Brussels. For the first time, the group considered issues relating to RFID and digital identity, and in particular the impact that these technologies may have on consumer interests. ITU's Lara Srivastava spoke at the assembly, emphasizing the need for a better understanding of the wide-reaching implications of RFID and the development of global solutions to the digital identity problem. Her presentation is available here.
Thursday, May 31, 2007
Robert Alan Soloway, 27, was indicted this week by a US federal grand jury on 35 counts that include mail fraud, wire fraud, fraud in connection with electronic mail, aggravated identity theft and money laundering. Accused of being one of the Internet's most notorious spammers, he is currently being held without bail.
Soloway is the first spammer in the nation to be charged with aggravated identity theft under the CAN-SPAM Act of 2003.
See the Reuters story here.
Friday, May 25, 2007
The Internet Engineering Task Force (IETF) recently gave its preliminary approval to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail (DKIM), and it promises to give Internet users to identify and stop the seemingly endless flow of fraudulent junk e-mail by providing a method for validating an identity that is associated with a message, during the time it is transferred over the Internet. That identity then can then be held accountable for the message.
The draft standard that the Internet Engineering Task Force adopted is a promising solution because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.
Read the full article on CNET News.
Tuesday, May 22, 2007
The Internet Society of New Zealand (InternetNZ) has recently released the ISP Spam Code of Practice for public consultation. The Code is posted on the InternetNZ website. Four weeks have been allowed for comment to be received, with a deadline of 18 June 2007.
The Code has been prepared by a working group comprising representatives of the Telecommunications Carriers’ Forum, the Marketing Association, and InternetNZ. According to the website, InternetNZ executive director Keith Davidson says the preparation of the Code is an excellent example of how the industry is working together to fight a common enemy. "Spam is clogging up our inboxes, soaking up our bandwidth, and providing vectors for scams and malware." "The ISP Spam Code of Practice recognises that Service Providers can assist in the minimisation of Spam through their technical approach, by being a first port of call for information and complaints from internet users, and by working with law enforcement agencies."
The ISP Spam Code of Practice is complementary to the New Zealand government’s Unsolicited Electronic Messages Act in that it outlines the responsibilities of ISPs under a self-regulatory model. This was anticipated in the passing of the Act. It is planned that the Code will go live on the same date as the Act of 5 September 2007. It is also complementary to the Marketing Association’s Code of Practice for Direct Marketing, the TCF’s SMS Ant-Spam Code and the TCF’s Customer Complaints Code.
See the Internet Society of New Zealand website for further details.
Thursday, May 17, 2007
As part of its mandate given by the World Summit on the Information Society to build confidence in the use of ICT, ITU announces an ambitious two-year plan to curb cybercrime. The announcement was made by ITU Secretary-General Dr Hamadoun Touré at a ceremony to present the 2007 ITU World Information Society Award.
Cybercrime takes several forms, from breaching network security, financial fraud, invasion of privacy and identity theft to virus attacks, spam or online child pornography. With schools, hospitals, and government organizations increasingly dependant on online services, the vulnerability of the system and everyone connected to it becomes frighteningly apparent. As we are only as secure as the weakest link, a global concerted response is needed to ensure there are no safe havens for cybercriminals.
Against this background, ITU Secretary-General Dr Hamadoun Touré set out a comprehensive Global Cybersecurity Agenda to tackle the issue within a framework of international cooperation. "With more than one billion Internet users in the world today, not only is the number of crimes committed in cyberspace increasing at an alarming rate, but the sophistication in the way these crimes are committed keeps evolving," Dr Touré said.
The goal of the Agenda is to foster a common understanding of the importance of cybersecurity and bring together all relevant stakeholders (governments, intergovernmental organizations, the private sector, and civil society) to work on concrete solutions to deal with cybercrime. This is all the more important as criminals use weaknesses wherever they can be found and leverage them internationally. While there are a number of existing frameworks, they are enforceable only within geographical boundaries, either national or regional, thus leaving room for criminals to use loopholes to their advantage and in almost total impunity as they shift their operations to countries where appropriate and enforceable laws are not yet in place. It is vital to work on bringing together these initiatives within a framework of international cooperation and focus on solutions that leverage the broad range of existing expertise and initiatives in order to avoid duplication and make real progress in building confidence and security in the use of ICT.
"Today, the loss is estimated to run into several billion dollars, both from fraud on the Internet and from costs related to fixing networks that have suffered cyberattacks. But with children, students, and senior citizens communicating by Internet or mobile phone, tomorrow’s losses can be devastating. Just one word change on a patient’s medical file in a hospital could kill that patient, and hackers who can thwart sophisticated banking systems have no trouble breaking into a hospital’s network," said Dr Hamadoun Touré, ITU Secretary-General. This is becoming a major concern for public authorities.
The Global Cybersecurity Agenda, which will have a two-year timetable, rests on five pillars:
Finding technical solutions for every environment;
Developing interoperable legislative frameworks;
Building capacity in all the relevant areas;
Establishing appropriate organizational structures;
Adopting effective international cooperation mechanisms.
See the full ITU Press Release here.
Friday, May 04, 2007
According to a recent article in the United Kingdom's The Register, distributed denial of service (DDoS) attacks are falling out of favour with black hat hackers because using compromised machines to send spam is a more lucrative, and less risky, way of making money illicitly.
"Networks of compromised PCs can be used for purposes including relaying junk mail or flooding targeted websites with spurious traffic. Security firm Symantec reckons the noticeable fall in denial of service attacks it witnessed in the second half of 2006 is down to the growing difficulty in launching such attacks, and getting victims to pay up even if these assaults are successful. Stealthier misuse of compromised PCs, such as sending spam", poses far less risk, the security firm argues."
"Symantec recorded an average of 5,213 denial of service (DoS) attacks per day in the second half of 2006, down from 6,110 in the first half of last year. The United States was the target of most DoS attacks accounting for 52 per cent of the worldwide total."
"DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or if it is simply blocked by its ISP from accessing the network," a Symantec researcher notes in a posting to Symantec's Security Response Weblog.
Furthermore was mentioned that "up-front costs in setting up a botnet before any hope of payment, as well as the possible loss of an entire bot network if a command and control server is identified, also act as a deterrent. It is likely that bot network owners are now moving away from DoS extortion and towards more lucrative ventures like spam. Not surprisingly, we saw a noted increase in spam volumes in the last six months of 2006", the researcher continued.
Read the full article in The Register here.
Tuesday, April 03, 2007
The second edition of the World Information Society Report: Beyond WSIS is going to be launched on the occasion of the World Information Society Day on 16 May 2007.
Published by ITU and UNCTAD, this report looks beyond the World Summit on the Information Society (WSIS, Geneva 2003 - Tunis 2005) to the creation of an inclusive, people-centered and development-oriented Information Society, open to all. Some of the themes covered in the report are: the evolution of the digital divide, trends in the information society, ICT growth strategies, cybersecurity and WSIS implementation. The report tracks progress in digital opportunity for 181 economies over the past few years since the start of the WSIS process and is accompanied by a series of tables providing the latest statistics on the development of Information and Communication Technologies (ICTs) worldwide.
The report has been created by the “Digital Opportunity Platform”, an open multi-stakeholder platform with contributions from governments, private sector, academics and civil society, as well as inter-governmental organizations.
More information on the forthcoming publication will be made available on its website in due course.
Thursday, March 01, 2007
Kaspersky Lab, a developer of secure content management solutions, recently announced its annual report on malware and spam evolution. The report, authored by Kaspersky Lab analysts, surveys the trends of 2006 and looks at what 2007 may bring.
Malware Evolution: 2006. The report provides an overview of the most important incidents in the malware world, highlights the main trends, and examines how the situation will evolve. Particular stress is laid on the continuing increase in the number of Trojan programs, particularly those designed to steal online gaming account data; the first viruses and worms for MacOS; and Trojans for J2ME, which are designed to steal funds from mobile user accounts. The number of new malicious programs was up 41% on 2005. As for the future evolution of malicious programs, Kaspersky Lab virus analysts believe that virus writers and spammers will work ever more closely together; the number of Trojans will continue to increase; and that virus writers will be on the lookout for exploitable vulnerabilities in Vista.
Spam Evolution: 2006. Data provided by the Kaspersky Spam Lab shows that in 2006, between 70% and 80% of mail traffic on the Russian Internet was spam. The majority of spam sent to Russian users originates in Russia, the U.S.A. and China. Spammers actively used graphics in order to evade spam filters. They are also continued to send spam masquerading as personal correspondence in order to get the recipient to read the whole message and then act as the spammers intended, whether by calling a designated number or clicking on a link. The report on spam evolution also highlights how mass mailings differ from each other according to language: most Russian language spam offers education and training, and a wide range of goods ranging from busts of the Russian president to a device which will 'translate' a dog's bark. English language spam, on the other hand, tends to focus on advertising for stocks and shares, viagra and cheap software. The report also notes that spam became increasingly criminalized in 2006, with spammers actively using SMS to spread spam.
The company's analysts believe that technologies currently in use will continue to evolve in 2007, together with further development of graphical spam, and increased criminalization of mass mailings.
Read the executive summaries here: Malware Evolution: 2006 and Spam Evolution: 2006.
The full annual report can be found here.
This news item was accessed through Russia Newswire.
Thursday, February 15, 2007
This summary provides a general discussion of the amended Information Network and Privacy Protection Act (“INPPA”) of Korea. INPPA sets out the minimum procedural requirements for lawful online transmissions in Korea whereby transmissions of advertised materials against recipients’ refusal to accept are strictly prohibited. Although these rules are applicable to unsolicited commercial e-mails via the internet, they were intended to apply to all modes of telecommunication such as cellular phones, facsimiles, etc.
The Korean government has made continuing efforts since 1999 to curb the increase in spam mail and has since been monitoring the effectiveness of the implementation of additional provisions. The new law targets senders of spam mail that are commercial in nature. Consistent with its effort to protect minors from being exposed to obscene and violent materials online, the Korean government has also included a provision in the INPPA that requires senders to label those materials as such.
More information can be found here.
Tuesday, February 13, 2007
Thursday, February 08, 2007
An international conference on the impact of technology on society was held in Geneva, Switzerland, from 7-9 February. LIFT 2007 welcomed more than 40 international speakers, from F. Devouard (Chair, Wikipedia) to Jaewoong Lee (Founder, Daum Communications).
Sessions included, among others: technological overload, digital divide, the social web, post-industrial worlds, from robots to cyborgs, perspectives on ubiquitous computing, technological opportunities for society. In this latter session, ITU's Lara Srivastava gave a presentation on "communication technologies and new forms of social interaction".
Lara Srivastava also participated as a panelist in the session "Digital Divide: Bringing it Home". Her presentation entitled "digital divide, digital disconnect" is available here.
The conference includes a LIFT + feature, a living and creative platform intended to develop new ideas through the active interaction of participants.
More information about LIFT can be found here.
Tuesday, February 06, 2007
Almost 40 countries will participate in the fourth edition of Safer Internet Day (SID) which this year takes place on 6 February.
The event is organised by European Schoolnet, coordinator of Insafe, the European safer internet network. Viviane Reding, EU Commissioner for the Information Society and Media is once again patron of Safer Internet Day, as in the past two years.
The highlight of the day will once again be a worldwide blogathon, which will reach Australia on 6th February and progress westward through the day to finish up in the USA and Canada. Following the huge success encountered in 2006, this year’s blogathon goes one step further to include the voices of hundreds of youngsters.
In the framework of a competition launched in October 2006, more than 200 schools in 25 countries across the globe have been working in pairs, using technology to cross geographical borders, to create internet safety awareness material on one of three themes: e-privacy, netiquette, and power of image. On Safer Internet Day, all of the projects they have produced will be uploaded to the blogathon. The 4 prize-winning teams in the competition will be announced on 6 February when the blogathon opens to well over 100 organisations waiting on the starting block to add their postings on this year’s theme, Crossing borders.
To find out more about young people’s use of the internet and mobile phones, Insafe has been collecting data over the past two months through an online survey. Preliminary results will be made available on Safer Internet Day along with a wealth of other information tailored to the needs of not only media but also parents, teachers and youngsters in an online media room specially set up at www.saferinternet.org to mark the event.
On Safer Internet Day in the Netherlands, HRH Princess Maxima will be the special guest at an event featuring theatre, music and stories. In Slovenia, young people will showcase art projects and Slovenian national television will broadcast internet safety clips.
Across the globe, hundreds of other events will highlight the growing importance of internet safety in the lives of us all.
For further information see the following links:
Insafe
National nodes of Insafe
Safer Internet Day Blogathon
Safer Internet Programme
eTwinning (partner in the Safer Internet Day competition for schools)
In today's interconnected world of networks, threats can now originate anywhere − our collective cybersecurity depends on the security practices of every connected country, business, and citizen. The International Telecommunication Union (ITU), a specialized agency within the United Nations system, would like to draw Safer Internet Day participants' interest to a number of information resources dedicated to cybersecurity and spam.
The ITU Cybersecurity Gateway is an easy-to-use online information resource on national and international cybersecurity related initiatives worldwide. A vast number of resources and links are available and organizations are invited to join in partnership with the ITU and other stakeholders to build confidence and security in the use of information and communication technologies (ICTs).
The StopSpamAlliance is a joint initiative to gather information and resources on combating spam. This initiative was undertaken by Asia-Pacific Economic Cooperation (APEC), the EU's Contact Network of Spam Authorities (CNSA), International Telecommunication Union (ITU), the London Action Plan, Organisation for Economic Co-operation and Development (OECD) and the Seoul-Melbourne Anti-Spam group. The StopSpamAlliance.org website contains an overview about each of these organization’s activities in countering spam and related threats.
The outcome documents from the two phases of the World Summit on the Information Society (WSIS) emphasize that building confidence and security in the use of information and communication technologies (ICTs) is a necessary pillar for building a global information society. ITU has been asked to play the main facilitator role for to assist stakeholders in building confidence and security in the use of ICTs. To stress the importance of the multi-stakeholder implementation of this task, ITU has named this the Partnerships for Global Cybersecurity (PGC) initiative.
In commenting on the Safer Internet initiative, newly elected ITU Secretary-General Hamadoun Toure stressed the need for greater cooperation between regulators, government, security firms, communication service providers, and end users in dealing with the challenges to building a safe and secure information society.
The International Telecommunication Union wishes you all a very successful Safer Internet Day 2007!
Enquiries related to ITU activities in the area of cybersecurity can be directed to cybersecurity@itu.int.
About ITU
The International Telecommunication Union (ITU) is an international organization (specialized agency) within the United Nations System where governments and the private sector coordinate global telecommunication networks and services. Through its standards, development, and policy research activities, ITU has a long-standing track record in security for information and communication systems. There are currently more than seventy ITU recommendations focusing on security.
Friday, February 02, 2007
Two resolutions relating to cybersecurity and defining ITU's activity in that domain were adopted by ITU Member States at its Plenipotentiary Conference in Antalya, Turkey, held in November 2006. These are:
Wednesday, January 31, 2007
14-15 May 2007 The ITU has a new Secretary-General, Dr. Hamadoun Toure, who has indicated in his first public statements and to senior ITU staff that he considers cybersecurity and particularly follow-up to WSIS Action Line C5 to be a key strategic area of focus for future ITU activities.
The next annual facilitation/consultation meeting for WSIS Action Line C5 will be held 14-15 May 2007 at ITU in Geneva in conjunction with a cluster of events to be organized around 17 May (World Telecommunication and Information Society Day). The meeting is open to all participants with an interest in C5 activities. More details concerning the draft agenda and administrative arrangements for the event will be circulated shortly along with a list of other WSIS-related meetings to be held 14-25 May 2005 in Geneva.
Further information will be posted at the WSIS C5: Partnerships for Global Cybersecurity website. Enquiries can be directed to cybersecurity@itu.int.
IDG Sweden has published an interview between a journalist from Computer Sweden Magazine and a person claiming he is the creator of the Haxdoor Trojan, a program used for bank fishing and responsible for the recent phish of an Australian bank as well as the recent phish of Nordea bank. The interview was done over ICQ. With the assistance of someone from Symantec, the interviewer reached the interviewee, who uses the screen name Corpse, by pretending to be interested in buying a handcrafted version of the program for the phish of a particular bank.
In the interview, Corpse indicates that he is clearly aware that his program is used for bank fraud and offers to sell Haxdoor, including support by him, to the journalist for $3000. In their discussion about attacks that have been perpetrated by Haxdoor, Corpse states that security staff at banks try to hide 99% of the actual attacks in an attempt to prevent their customers from being frightened. However, Corpse will not discuss previous customers or the person(s) who may have been behind some of the attacks by Haxdoor that have become public. When the journalist expresses concern about being caught, Corpse offers to make the attack untraceable by providing the journalist with servers in China, the United States, or Europe for $150 per month. Corpse also makes that claim that versions of Haxdoor exist with the ability to hide in the operating system, and therefore, cannot be detected by anti-virus programs. He goes on the talk about the features of Haxdoor, which include a graphical interface allowing attacks to be tailored, rootkit and self-defense functions, support for all versions of Windows from 98 to Vista, and delivery as a rar or zip archive.
For a full version of the interview (in Swedish), please click here.
Tuesday, January 30, 2007
Last week, the Anti-Spyware Coalition released its guides on best practices and conflict resolution. The best practices guide is based on a set of software definitions and the risk-model description created by the Coalition. It is intended to provide insight into the way security firms identify applications, flag behavior, and then distinguish between "unwanted" software and software that provides "real value to users." Included is the "clearest description" that the Coalition has issued of the methodology used by anti-spyware companies in determining what software is "unwanted." The conflict resolution guide addresses the topics of competing anti-spyware software on a system and helping consumers understand the problems that may result in their security applications.
For links to the Anti-Spyware Coalition guides and supporting documentation, please click here.
Monday, January 29, 2007
The European Parliament held an STOA Workshop on "RFID in the everyday life of Europeans: A citizen's perspective on ambient intelligence" on 24 January 2007. The workshop was organized as part of the project "RFID and identity management: Case Studies from the frontline of the development towards ambient intelligence" commissioned by the Scientific Technology Options Assessment (STOA) Panel of the European Parliament, and carried out by the European Technology Assessment Group.
ITU's Lara Srivastava delivered a presentation on the topic "Is our enviroment getting smarter? Are we". Her presentation is available here.
Wednesday, January 24, 2007
The North American Consumer Project on Electronic Commerce (NACPEC) has created a section on its website that provides visitors with relevant and up to date information on spam and phishing.
Although there is no international consensus on the definition of spam, spam has evolved from a minor nuisance to a problem, which is often criminal and fraudulent, for users and computer networks. In addition to the fact that most spam advertises goods or services that are of questionable quality or that contain deceptive or misleading offers, spam is a channel for the propagation of viruses and spyware as well as a way to perpetrate other criminal activities through phishing and pharming techniques. It is a threat to the use and functioning of corporate, public, and academic networks; assists cybercrime; threatens consumer confidence; and undermines the use of email.
Since 2000, the amount of spam circulated has more than doubled, reaching somewhere between 58% to 85% of all email. Spam is the cause for significant economic costs and losses in productivity for service providers, businesses, civil society, academic institutions, and especially consumers. During the World Summit on the Information Society (WSIS) thematic meeting on spam in July 2004, the Chairman reported that spam costs the global economy approximately US$ 10 billion per year, and the European Commission has estimated that spam costs users EUR 10 billion per year. Spam is now no longer only a problem for computer networks, it is also becoming an issue in mobile phones, instant messaging services, weblogs, and wireless networks. Currently, there is no one solution to the problem of spam. It is a complex, cross-border issue requires the adoption of a multi-dimensional and multi-stakeholder approach as recommended by the Anti-Spam Toolkit for the OECD. To curb spam, a combination of solutions will be required.
More information can be found here.
Tuesday, January 23, 2007
In his article "Trench Warfare in the Age of the Laser-guided Missile," Neil Schwartzman gives a brief description of the history of spam and the anti-spam movement, provides a summary of the current state of spam, and makes a series of recommendations concerning what actions the anti-spam community should take.
History of Spam and the Anti-Spam Movement: According to Schwartzman, both spam and the anti-spam movement have steadily evolved since 1995. The anti-spam movement has seen the rise of government groups, NGOs, and industry coalitions as well as anti-virus and spyware technologists and companies working individually to stop spam. Spam, however, has stayed ahead of the anti-spam movement, becoming more and more sophisticated in its ability avoid filters, collaborate with viruses, and reach users.
The Current State of Spam: Schwartzman sums up the current situation as a "blended criminal threat." He examines penny stocks, promoted using 'image-only' payloads. Stock spamming leaves paper trails and this led to some successful prosecutions at the end of 2006. He reaches the conclusion that although currently popular, stock spamming will decline as prosecutions increase. He also looks at phishing, which he feels is far more serious than stock spamming, because "personal information is the currency used by criminals on the net."
Consumer Confidence & Organized Crime: Although online commerce continues to grow, user confidence is e-commerce is decreasing as the number of threats from spam increase. Recent studies show that up to 90% of polled consumers are deeply skeptical about their ability to conduct business safely online. Schwartzman feels that as more users become victims or personally know victims of online fraud, they will cease their online purchasing and return to traditional retail outlet purchasing. One major concern is the possible failure of a major online financial service, which would certainly speed up users return to traditional retail and cause massive damage to the reputations of all online service providers. There is also additional concern as there is now "full integration with the bad-guy technologists and sophisticated groups of computer-aware criminals." The large amount of money that can be made from spam has now attracted organized crime including the Russian mob, the Italian mafia, the Hell's Angels, and the Columbian drug cartels.
The Future: At the inbox level, anti-spam technologies are very effective at blocking spam; however, the resource cost is becoming an issue as "major receiving sites have said privately that their systems are all but overwhelmed by the new levels of spam." The latest spam/malware threat is known as SpamThru. Although not yet being used to its full capacity, it caused an 80% increase of spam on some sites in the last three months of 2006. It also has the capability of avoiding complete deletion by removal programs. Other technologies which are also popular right now are 'Queen bots', which are capable of changing profiles and controlling subservient zombie computers, and 'fast-flux dns', which is a DNS server hosted on an infected machine that resolves human-recognizable URLs to a multitude of similarly infected machines. If spam continues to increase, and there are several ways it can, the result could be the end of e-mail or the Internet itself or virtual attacks on the real world (several of which have already been realized),
What Should Be Done: According to Schwartzman, the anti-spam movement is losing. This can be mostly attributed to the fact that the movement is disjointed and disorganized. Companies often have various groups dealing with different aspects of spam and malware who never communicate or coordinate. This is also seen in the interaction of the various anti-spam groups organized within the industry. Schwartzman believes that active participation and cooperation by all stakeholders is necessary to successfully fight spam and he makes a series of suggestion as to how this can be achieved.
See the complete article here.
Monday, January 22, 2007
In their paper "Spam Works: Evidence from Stock Touts and Corresponding Market Activity," Laura Frieder and Jonahan Zittrain examine the impact of spam that advertises stock upon the trading activity of those stocks, how profitable such spamming might be for the spammer, and how harmful this behavior is to those who follow the advice in stock-touting e-mails. Using a large sample of touted stocks listed on the Pink Sheets quotation system, the authors offer evidence showing that the use of spam is affecting stock prices. In addition to an increase in transaction volume, spammers are acheiving 5% gain on the stock before they dump it. They also suggest that the effectiveness of this practice "calls into question the prevaling models of securities regulation that rely principally on the proper labeling of information and disclosure of conflicts of interest to protect consumers." In response to this, they propose several regulatory and industry interventions.
The paper can be found here.
Thursday, January 18, 2007
Monday, December 18, 2006
Wednesday, December 13, 2006
Monday, December 11, 2006
Monday, December 04, 2006
In conjunction with the Forum at ITU TELECOM WORLD 2006, 4-8 December in Hong Kong, China, ITU is organizing a one day event on 8 December entitled "Countering Spam Cooperation Agenda". Key international and regional organizations involved in the fight against spam will gather to discuss greater collaborative efforts to combat spam and related threats. The event is open to all ITU TELECOM WORLD 2006 participants.
See the full ITU Press Release for the event here.
Thursday, November 30, 2006
Splogs are blogs where the articles are fake and only created for spamming purposes. According to Technorati in its State of the Blogosphere the number of blogs created these past months has diminished largely because "splogs" are now easier to detect. Blog search engines detect and delete most of the "splogs", but according to Technorati, 4% of the "splogs" still manage to get through the filters in place.
Despite "splogs", the blogopsphere continues to grow. At the end of October 2006, 57 million blogs existed, 3 million more than in June 2006, and 55% were considered active (updated at least once in the last 3 months.).
To read the full l'Expansion magazine article in French, click here.
According to the European Commission, EU member states are not doing enough to tackle the problems of spam, spyware and malicious software, despite the existing EU legislation. The implementation by EU members of this legislation is still a problem and Europe continues to suffer from illegal online activities from inside the EU and from third countries.
The Commission is now calling on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software and urging governments and industry to cooperate fully in this fight by applying proper filtering policies and assuring good online commercial practices. The Commission has also called for prosecution of those involved in illegal online activities. Because of the criminal and fraudulent trend in spam, and its cross border aspects, good cooperation and dialogue between the EU and third countries is essential to succeed in this fight. According to Viviane Reding, the Commissioner for Information Society and Media "it is time to turn the repeated political concern about spam into concrete actions to fight spam."
For more information, see the newly released Commission Communication.
Read also the SiliconRepublic article.
Saturday, November 18, 2006
ITU-T Focus Group on Security Baseline for Network Operators has issued a survey which seeks to assess the security preparedness of network operators. The results from the survey will be used in preparation of a new ITU-T Recommendation: "Security Baseline for Network Operators". Participants are asked about their level of preparedness for various security threats.
Once approved the ITU-T Recommendation will show the readiness and ability of operators to collaborate and coordinate counteraction against security threats arising from interconnected networks. The Security Baseline will allow network operators to assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied. It will also identify security Recommendations and standards to support evaluation of operators’ network security and information security.
Commencement of the first draft of the Recommendation will begin towards the end of 2006.
See the online survey which is aimed at network and service providers.
A deadline of 24 November 2006 has been set for survey responses.
Wednesday, November 15, 2006
Researchers and IT managers are confirming that spam levels have been particularly high in the past month and that there are no signs of a decrease. This phenomenon is the result of a new generation of viruses and zombies that infect computers very quickly and are increasingly difficult to get rid of. Image-based spam is also to be blamed. Spammers now know how to represent words in an image that are recognizable only by the human eye tricking anti-spam technologies and further increasing the negative effects of spam.
Read the full PC World article here.
Friday, November 10, 2006
The Asia Pacific Economic Cooperation (APEC), the EU Contact Network for Spam enforcement Authorities (CNSA), the International Telecommunication Union (ITU), the London Action Plan for Spam Enforcement (LAP), the Organisation for Economic Cooperation and Development (OECD), and the Seoul-Melbourne Anti-Spam group, six leading international anti-spam initiatives/organizations, launched at the United Nations Internet Governance Forum (IGF) in Athens, Greece, a new online information resource to assist stakeholders in their fight against spam.
This new website (http://www.stopspamalliance.org/) aims to help coordinate international action against spam more effectively and improve information sharing in this area. It will contain information on anti-spam laws and enforcement activities, consumer and business education, best practices for fighting spam, and international cooperation.
For further information, please visit http://www.stopspamalliance.org/
Read also the
OECD news release for the launch of the StopSpamAlliance website.
Friday, November 03, 2006
Computer World reports of a new kind of spam called "targeted spam or spear phising". This type of spam, currently on the rise, is particularly hard to catch for spam filters because the spammer is able to "spoof" the sending e-mail address to make it look like it's coming from within the organization of the recipient. Unlike traditional spam, spammers send just a few of these messages at the same time, making antispam technology’s job even harder.
These attacks affect essentially large organizations or very well-known brands. Once the company has been alerted, blocking it is pretty easy. But detecting such well-crafted messages is becoming harder as the sophistication level of spam increases.
For more information, read the full Computer World article.
Wednesday, November 01, 2006
According to a recent Forbes article a new kind of spam is rapidly invading users’ e-mail boxes: image spam.
To the human eye, image spam looks like regular junk email, but for anti-spam software, the image spam is very hard to detect. Usually anti-spam programs scan messages for certain key phrases but do not analyze pictures, so the same word saved as an image file goes undetected. Anti-spam technology is trying to adapt to this new phenomenon. However, for now, image spam is on the growth and is consuming much more bandwidth and storage space in consumers’ e-mail boxes.
To read the full Forbes article, please click here.
For more information, see Secure Computing’s Report on Image Spam.
"In a sweeping set of measures, the German Federal Network Agency has ordered more than 80 network operators and service providers not to bill or collect for any phone numbers used illegally. A large number of consumers had complained to the German Federal Network Agency about so-called ping calls and other forms of telephone spamming."
"A ping call is where a call is made to a telephone number and broken off after just one ring. The subscriber’s display shows a “missed call” with an expensive premium-rate number or an 0137 number. In addition to these ping calls, another form of telephone spamming promises prizes where the person called hears a prerecorded message saying that they have won a large amount of money that can be collected by calling an expensive premium-rate number."
"The Federal Network Agency’s stringent measures are a continuation of the intense battle against telephone spam. Since May 2006 alone, the Federal Network Agency has disconnected 237 call numbers on account of ping calls and prize promises. In addition, a ban has been imposed on billing and collecting for 78 call numbers. These bans protect consumers that have called a spam number back, and prevents them from having to pay any charges. The spammer does not receive any payment for the calls initiated."
See the Federal Network Agency's press release here.
Friday, October 27, 2006
"Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures, but only if they are appropriately designed given the sensitivity of the information and the risks associated with the information. Overly rigorous authentication process, or requiring individuals to authenticate themselves unnecessarily, can be privacy intrusive."
The Office of the Privacy Commissioner of Canada's recently released new Guidelines for Identification and Authentication. The Guidelines are intended to help organizations develop appropriate identification and authentication processes in ways that respect the fair information practices in the Personal Information Protection and Electronic Documents Act (PIPEDA) and ensure compliance with its security provisions by providing the strongest protection for customers’ personal information. The scope of the document is limited to identification and authentication techniques between organizations and individuals.
These guidelines were released by the Canadian Privacy Comissioner, is a good document discussing both privacy risks and security threats:
See also a more detailed document published by Industry Canada in 2004 named "Principles for Electronic Authentication".
This article was accessed through Schneier's blog: Schneier on Security.
Wednesday, October 25, 2006
On 16 October 2006, Mauritius officially launched their Anti-Spam Awareness Campaign. On this occasion the Minister of IT and Telecommunications also presented a dedicated Anti-Spam Website with resource aimed at raising awareness and sharing information on spam, malwares, etc.
In Mauritius, the spamming problem is gaining in magnitude and there is a need to have a concerted approach to address this issue. Without remedial action to address the problem of spam in Mauritius, the country runs the risk of being seen as a safe haven for spammers and there is the risk that legitimate email traffic from Mauritius to other countries which have anti-spam legislation, could be blocked. In this context, the National Computer Board has set up a National Anti Spam Committee to co-ordinate activities at the national level with regards to combating spam.
The Anti-Spam Co-ordination Committee consists of representatives from the following national organisations: National Computer Board; IT Security Unit, Ministry of IT and Telecommunications; Ministry of Education and Human Resources; Ministry of Industry, Commerce, Small and Medium Enterprises and Cooperatives; Ministry of Foreign Affairs, International Trade and Cooperation Joint Economic Council; Mauritius Chamber of Commerce and Industry (MCCI); State Law Office; ICT Authority; Mauritius IT Industry Association; Internet Society; University of Mauritius (UOM); University of Technology; Telecom Plus/Mauritius Telecom ACT.
For further information see the newly launched Anti-Spam Website and Mauritius' Anti-Spam Action Plan.
Monday, October 23, 2006
The Journal du Net states in a recent article that organized cybercrimes represent a growing risk for internet users. Hackers use new techniques to hide and make their attacks more efficient. Their main goal is not to destroy computers. With the rapid development of e-commerce, hackers want to take over personal data and make as much profit as they can with it.
To achieve this, they use different forms of worms or trojans send from servers hosted in countries where the legislation is less strict. To protect their economic interests, businesses need to include employees in their security policies so they do not become the weak link in the security chain.
See Journal du Net for the full article in French.
Saturday, October 21, 2006
Friday, October 20, 2006
Business Week Online shows in a recent article entitled "Needed: A National Cyber Security Law'" that more and more people have their personal information lost, stolen or compromised. Security breaches are eroding their trust in the capability of the Internet to deal with their private personal information. This growing confidence-deficit represents a serious threat to the economic growth of each country, according to the article. Therefore, it is time for officials to act by passing strong data-security laws. These national laws must aim to both prevent further data breaches and address leaks once they occur.
"To accomplish these goals, lawmakers should establish reasonable security measures, create a consistent and recognizable notification standard, encourage best practices such as encryption, and include effective enforcement capabilities".
See Business Week Online for the full article.
Computer World released an article entitled “Ten security trends worth watching”, based on Bruce Schneier’s speech at last month’s Hack in the Box Security Conference in Kuala Lumpur, Malaysia.
Mr. Schneier identified 10 trends affecting information security today:
- Information is more valuable than ever.
- Networks are critical infrastructure. "If the Net goes down, or part of the Net goes down, it really affects the economy".
- Users do not necessarily control information about themselves. For example, Internet service providers have control over records the Web sites that users visit and email messages they send and receive.
- Hacking is increasingly a criminal profession. More and more, attacks are organized and led by criminals who are driven by a profit motive.
- Complexity is your enemy. "As systems get more complex they get less secure". Mr. Schneier mentioned that the Internet is "the most complex machine ever built".
- Attacks are faster than patches. New vulnerabilities and exploits are being discovered faster than vendors can patch them.
- Worms are more sophisticated than ever.
- The endpoint is the weakest link. "It doesn't matter how good your authentication schemes are if the remote computer isn't trustworthy".
- End users are seen as threats.
- Regulations will drive security audits.
See Computer World for the full article.
Thursday, October 19, 2006
Tuesday, October 17, 2006
Slashdot has an article that says "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
Tuesday, October 10, 2006
A recent BBC article shows how vulnerable XP Home really is. "Using a computer acting as a so-called 'honeypot' the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day. With a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet."
The majority of the incidents were merely nuisances. "Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop-up. Others were made to look like security warnings to trick people into downloading the bogus file." "However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs. Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003. The bugs swamp net connections as they search for fresh victims and make host machines unstable. They have not been wiped out because they scan the net so thoroughly that they can always find another vulnerable machine to leap to and use as a host while they search for new places to visit."
Read the full BBC story.
This article was accessed through Slashdot.
Monday, October 09, 2006
Wired News in an article brings attention to the insecurity of some of the new technologies online. “VOIP and Ajax -- are dangerously insecure, and likely to only get worse as they become more prevalent, according to security researchers presenting their findings at the ToorCon security conference.”
"Voice over internet protocol is going mainstream, available to consumers and increasingly replacing the private phone systems in businesses of all sizes. Like the traditional phone, a VOIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VOIP systems neither of these channels is actually encrypted."
"According to Dustin Trammell, VOIP security researcher at Tipping Point, this leaves most VOIP calls vulnerable. Calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call, and nearly all VOIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device -- either your VOIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless."
Read the full Wired News article on VOIP and AJAX security issues.
Tuesday, October 03, 2006
The United States National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, aims to educate the public about core security protections this October, during the national cyber security awareness month, with its campaign on 'Cyber Security: Make It A Habit'.
U.S. National Cyber Security Awareness Month is a national campaign designed to increase the public’s awareness of cyber security and crimes issues, so that users can take precautions to avoid these threats on the Internet. The month will feature public relations activities, educational programs, events and initiatives throughout October that targets Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online.
See the
U.S. National Cyber Security Awareness Month 2006 website for further information on this collective effort aimed at protecting the public from internet threats.
PhishTank is a collaborative clearing house for data and information about phishing on the Internet. PhishTank was launched by the people behind OpenDNS and will be used to dynamically block access to phishing sites. For more information, see their FAQ.
Thursday, September 28, 2006
Tuesday, September 19, 2006
In a press release, Gartner, Inc. advises businesses to plan for five increasingly prevalent cyberthreats that have the potential to inflict significant damage on organisations during the next two years. These threats are:
- Targeted threats (Targeted threats are cyber attacks with a financial motivation that are aimed at one company or one industry);
- Identity theft (Identity theft refers to the theft of an individual's personal or financial information for the purpose of stealing money or committing other types of crimes);
- Spyware (Spyware is malicious software that can probe systems, reporting user behaviour to an advertiser or other party without the user’s knowledge);
- Social engineering (Social engineering is the practice of obtaining confidential information by manipulating legitimate users);
- Viruses (Viruses are malicious programmes that use a propagation method to enable widespread distribution.)
According to Amrit Williams, research director at Gartner, "We are seeing an increasingly hostile environment fuelled by financially motivated and targeted cyber attacks. By 2008 we expect that 40 percent of organisations will be targeted by financially motivated cybercrime."
"Cyber attacks are not new, but what is changing is the motivation behind them. They are no longer just executed by hackers for hobby or cybervandilism, but by professionals with a targeted aim at one person, one company or one industry," said Williams.
"For example, we have recently seen several companies hiring private investigators to spy on their competitors. Private investigators used Trojans to install targeted spyware on competitors’ computers to gather confidential information about such things as upcoming bids and customers."
Gartner said that social engineering and viruses will remain an everyday nuisance for chief information security officers through 2009. It warned that in the next two years, at least 50 percent of organisations will experience a social engineering or a virus attack."
Access the full report and Gartner news release here.
Friday, September 15, 2006
Business Communications Review has an article entitled The Botnet Threat reviewing a recent report put out by Arbor Networks, which surveyed ISPs about their biggest security concerns.
"When they surveyed 55 ISPs, McPherson and Labovitz discovered that distributed denial of service attacks, and the related threat of botnets, remain the biggest security problem that ISPs face. Together, these two elements were named as the top threat by 77 percent of respondents. "Brute-force attacks remain the most predominant attack type on the Internet today," the authors write.
The largest sustained attack reported by the survey respondents was a whopping 17 Gbps; a UDP flood of 22 million packets per second (pps) and a SYN flood of 14 million pps have also been reported. "The magnitude of these attacks is incredible when you consider that a 14 Mpps SYN flood can nearly fill an entire OC-192 (10 Gbps) circuit with a minimum packet size," McPherson and Labovitz write. "Any one of these attacks, or even a fraction thereof, can create significant pain for even the largest ISP networks in the world today."
The report also cites what the authors call "a new and disturbing observation" made by one respondent: Not only are botnets highly organized and "uniformly gargantuan," but there's an increasing amount of marketing of these botnets. ("Blast your affiliate numbers overnight!" is a typical pitch they report seeing.)"
Thursday, September 07, 2006
A select committee has recommended a major change to New Zealand's anti-spam bill, suggesting anyone should be able to send unsolicited emails that are of an entirely non-commercial nature and need not desist even if asked to do so by the recipient. The original anti-spam bill said that organisations that sent unsolicited emails to promote their aims or ideals - such as school newsletters and messages from political lobbyists - would fall foul of the spam bill. This is if they did not stop sending messages when asked to do so, by letting recipients "opt-out". The select committee dropped this requirement in amendments it proposed early September 2006.
The proposed amendments also drop the legal requirement that spam be reported to a customer's internet service provider before Internal Affairs could take action. Other proposed amendments eliminate the distinction between emails whose prime purpose is commercial and ones that are primarily promotional, but which contain a commercial element, and lift a ban on possessing or supplying email harvesting software, but bans New Zealanders from using such software to send spam.
This news item was retrieved through the APCAUCE Newslog.
The full article is available at stuff.co.nz.
Tuesday, August 22, 2006
On the 5th of May 2006, France and Japan signed a joint statement within the framework of a coordinated international action in order to fight spam. Both countries especially consider to exchange informations and good practices regarding the field of anti-spam policies and strategies.
The French Direction du Developpement des Medias (DDM) has more information on their website.
See other spam-related articles on the OECD Task Force on Spam website
Friday, August 18, 2006
The Vietnamese Ministry of Trade is drafting a circular governing advertising activities by electronic means, including emails, pop-ups and mobile phone messages.
"Local Internet users have been bombarded with spam mails but most of them are from overseas. Now such a circular is necessary as local spamming activities are on the rise.
The circular has basic requirements for users to fight spams such as opt-out options, genuine sender addresses, sender telephone numbers and obvious headings. But it seems that the draft circular is too lenient towards spammers when it provides them five working days before they have to stop their spams in case recipients choose to opt out. It also allows for the collection of personal data including email addresses and telephone numbers. Even though the circular requires collecting parties to ask for permission first and to keep those data confidential, this provision can be abused and can cause disputes later on.
This is all the more possible because the circular provides two scenarios: A complete ban of sales of email addresses and telephone numbers to advertisers; or allowing such an activity. Unsolicited short mobile messages are now possible because some carriers are selling subscribers’ numbers to various advertising companies. Users are especially frustrated when senders use some automatic message generation device so that they might receive an advertising message in the middle of the night.
The fines provided in the draft circular are from VND5 million to VND20 million, which many say are not heavy enough to prevent harmful violations of personal information."
[via APCAUCE and Viet Nam News]
Friday, August 11, 2006
"As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device."
The U.S. CERT (Computer Emergence Readiness Team) recently published a list of tips for users on how they can protect themselves against these increasing threats.
What unique risks do cell phones and PDAs present?
Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:
- Abuse your service;
- Lure you to a malicious web site;
- Use your cell phone or PDA in an attack;
- Gain access to account information.
What can you do to protect yourself?
- Follow general guidelines for protecting portable devices;
- Be careful about posting your cell phone number and email address;
- Do not follow links sent in email or text messages;
- Be wary of downloadable software;
- Evaluate your security settings.
Read the full article on the U.S. CERT website.
Thursday, August 03, 2006
The top three antivirus programs -- from Symantec, McAfee, and Trend Micro -- are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs:
"On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.
"We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.
However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.
It's interesting to watch the landscape change, as malware becomes less the province of hackers and more the province of criminals. This is one move in a continuous arms race between attacker and defender."
[via Schneier on Security]
In separate reporting on the Black Hat USA conference, experts say that the spyware problem has "gotten so bad that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies" .
"It's not technically feasible to stop spyware. You will not be able to stop this technically "This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Seattle-based Doxpara Research, speaking on a spyware panel at the recent Black Hat USA 2006 event. "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."
Wednesday, July 26, 2006
"To protect Internet users from online fraudsters and defend the Internet against scammers commandeering network resources, the two most influential global trade associations combating Internet crime have jointly released an explicit new set of Best Practices to combat “phishing,” a major cause of online identify theft and fraud. The recommendations will help Internet Service Providers (ISPs) and mailbox providers better police their own infrastructures and filter traffic traversing their networks."
The Anti-Phishing Working Group (APWG) and the Messaging Anti-Abuse Group (MAAWG) jointly developed the recommendations outlined in "Anti-Phishing Best Practices for ISPs and Mailbox Providers." The paper provides technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent network abuses and also includes practices to respond constructively when these attacks occur. “Phishing” employs deceptive technology such as spoofing and social engineering to steal consumers' personal identity and financial account data, and has become a major concern."
To download the full recommendations, click here.
Tuesday, July 18, 2006
The Secretary-General of the United Nations has announced the convening of the Internet Governance Forum, to be held in Athens on 30 October - 2 November 2006.
The Secretary-General's message is available in all UN languages: [English] [Français] [中文] [عربي] [Русский] [Español]. The message in English reads:
"The second phase of the World Summit on the Information Society (WSIS), held in Tunis on 13-15 November 2005, invited me to convene a new forum for multi-stakeholder policy dialogue -- called the Internet Governance Forum (IGF). The Summit asked me to convene the Forum by the second quarter of 2006 and to implement this mandate in an open and inclusive process.
The Government of Greece made the generous offer to host the first meeting of the IGF and proposed that it take place in Athens on 30 October - 2 November 2006.
I have asked my Special Adviser for Internet Governance, Mr. Nitin Desai, to assist me in the task of convening the IGF and I have also set up a small secretariat in Geneva to support this process. Two rounds of consultations open to all stakeholders held in Geneva on 16-17 February and 19 May have contributed towards a common understanding with regard to the format and content of the first IGF meeting. I have also appointed an Advisory Group with the task of assisting me in preparing the IGF meeting.
The Advisory Group held a meeting in Geneva on 22 and 23 May 2006 and made recommendations for the agenda and the programme, as well as the structure and format of the first meeting of the IGF in Athens.
As the IGF is about the Internet, it is appropriate to make use of electronic means of communication to convene its inaugural meeting. The document adopted by WSIS -- the Tunis Agenda for the Information Society -- calls on me "to extend invitations to all stakeholders and relevant parties to participate at the inaugural meeting of the IGF". Therefore, it is my pleasure to make use of the World Wide Web to invite all stakeholders -- governments, the private sector and civil society, including the academic and technical communities, to attend the first meeting of the IGF in Athens. The overall theme of the meeting will be "Internet Governance for Development". The agenda will be structured along the following broad themes.
- Openness - Freedom of expression, free flow of information, ideas and knowledge
- Security - Creating trust and confidence through collaboration
- Diversity - Promoting multilingualism and local content
- Access - Internet Connectivity: Policy and Cost
Capacity-building will be a cross-cutting priority.
The meeting will be open for all WSIS accredited entities. Other institutions and persons with proven expertise and experience in matters related to Internet governance may also apply to attend.
In its short life, the Internet has become an agent of dramatic, even revolutionary change and maybe one of today's greatest instruments of progress. It is a marvelous tool to promote and defend freedom and to give access to information and knowledge. WSIS saw the beginning of a dialogue between two different cultures: the non-governmental Internet community, with its traditions of informal, bottom-up decision-making; and the more formal, structured world of governments and intergovernmental organizations. It is my hope that the IGF will deepen this dialogue and contribute to a better understanding of how we can make full use of the potential the Internet has to offer for all people in the world.
(Signed) Kofi A. Annan"
[via the Internet Governance Forum]
Tuesday, July 11, 2006
In a new scam, called vishing, identity thieves use bogus phone numbers instead of Web sites, reports PC World in a recent article featuring phishing scams on VoIP phones.
"Related to phishing scams, the new scheme uses cheaply obtained VoIP numbers as bogus credit card or financial services telephone numbers", the article continues. "With Internet users being warned about clicking on hyperlinks in unsolicited e-mail, the new scam includes a phone number instead". "It's a natural elevation of the art to move it to the telephone. People are getting nervous about clicking on links", the article states.
The articles gives examples of how these new scams take place: "In one vishing case, scammers targeted PayPal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity. The recording asked the telephone customer to call a number with a spoofed caller ID related to the credit card issuer. Once users call, they are asked for personal account information."
VoIP numbers are easy to obtain anonymously, but an industry expert interviewed for the story did not fault VoIP providers for vishing scams. "A larger problem is the ease of obtaining credit online or over the telephone. Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated. In today's environment, it's absurd," the industry stated.
Read the full article on the PC World news website.
Thursday, June 29, 2006
Tuesday, June 27, 2006
Anti–spam legislation for the Cayman Islands is being considered by the Information and Communications Technology Authority.
The ITCA is now seeking input through a public consultation campaign. The goal is to ensure that any anti–spam legislation enacted in Cayman Islands is an effective tool as part of a multi–pronged attack on spam.
More information can be found here.
The Department of Communications, Information Technology and the Arts has conducted a legislative review of the Spam Act.
The review is required by legislation to assess the operation of the Spam Act after two years of its operation. The Department prepared a report based on the submissions received. The Minister tabled the report in Parliament on 22 June 2006.
The Minister’s press release is available here.
More information can be found here.
Friday, June 23, 2006
Ministry of Information Industry (MII), Internet Society of China (ISC) and China Communications Standards Association (CCSA) launched a national anti-spam campaign on June 21, reports Nanfang Daily. An insider at ISC said MII has set up a hotline at 01-12321 for spam-related tip-offs and is preparing to send out one million anti-spam notices.
The report said that professional training will be offered for 1,000 email administrators and that 20,000 anti-spam volunteers will be recruited.
This news item was accessed through
Slashdot Newslog.
Wednesday, June 21, 2006
United Kingdom's Ofcom is currently working on a publication examining various national and international approaches to protecting consumers on the internet.
Coincidening with this publication, the regulator will hold a seminar will that allow stakeholders to examine the results of Ofcom's survey, hear the views of Internet industry stakeholders and discuss what can be done in the future to better protect consumers on the Internet. Ofcom organising such an event is a measure of the challenge posed to both regulator and consumer by the growth of net services and the collision of the highly regulated world of broadcasting with the virtually unregulated world of the internet.
This news item was accessed through Roger Darlington's CommsWatch blog.
Thursday, June 15, 2006
According to a recently released article by CircleID, the United Kingdom today is one of the main attack targets by phishing organized crime groups, globally. Worldwide it is estimated (CircleID) that phishing damages will amount to about two billions USD in 2006 -- not counting risk management measures such as preventative measures, counter-measures, incident response and PR damages.
In most cases, phishing is caused by the fault of the users, either by entering the wrong web page, not keeping their computers secure or falling for cheap scams. Often this is due to lack of awareness or ability in the realm of Internet use rather than incompetence by the users.
For more information see CircleID article on Phishing: Competing on Security.
Tuesday, June 13, 2006
A news release by the Japanese MIC announces the signing of a "Joint Statement between France and Japan, Concerning Cooperation in the Field of Anti-spam Policies and Strategies".
Particular areas of cooperation will include:
- Exchanging information about anti-spam activities such as anti-spam policies and strategies, as well as technical and educational solutions to spam, including mobile spam;
- Encouraging the adoption of effective anti-spam technologies and network management practices by French and Japanese Internet service providers and major business network managers, and further cooperation between government and private sectors;
- Supporting French and Japanese marketers or bulk email senders in adopting spam-free marketing techniques;
- Identifying and promoting user practices and behaviours which can effectively control and limit spam and supporting the development of public relations and awareness campaigns for the multi-stakeholders to foster increased adoption of anti-spam practices and behaviours by end users in France and Japan;
- Cooperating to strengthen anti-spam initiatives being considered in international forum.
More information can be found here.
[Via APCAUCEWiki News]
Microsoft today gave the world a rare - albeit conservative - glimpse of its view on just how bad the virus and bot problem has gotten for Windows users worldwide.
The data comes from 15 months' worth of experience scanning computers with its "malicious-software removal tool," a free component that Microsoft offers Windows XP, Windows 2000 and Windows Server 2003 users when they download security updates from Microsoft.
More information can be found here.
Wednesday, June 07, 2006
Friday, June 02, 2006
Do not panic if your data is hidden by virus writers demanding a ransom. A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back.
More information can be found here.
Tuesday, May 30, 2006
Monday, May 22, 2006
The April MessageLabs Intelligence Report includes analysis of the threat landscape during the first quarter of 2006. Overall, threat levels remained largely stable with previous months, with the U.S. continuing to play the role as the largest source of malware, spam and phishing attacks, hosting 18.1 percent of the world’s compromised (zombie) computers in the first quarter of 2006 (down from a high of 44 percent in Q2 05).
More information can be found here.
Use the Internet at home and you have a 1-in-3 chance of suffering computer damage, financial loss, or both because of a computer virus or spyware that sneaks onto your computer. That's one of the unsettling conclusions from the 2005 Consumer Reports State of the Net survey of online consumers.
More information can be found here.
Thursday, May 18, 2006
In a press release today, ITU announced a global opinion survey to assess trust of online transactions and awareness of cybersecurity measures. The survey was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year — Promoting Global Cybersecurity — aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.
The announcement of the results of the survey coincides with the launch of an ITU Cybersecurity Gateway portal. The portal is a global online reference source of national cybersecurity initiatives and websites around the world and provides an integrated platform for sharing cybersecurity related information and resources. Presenting information tailored to four specific audiences: citizens, businesses, governments, and international organizations, the portal also provides information resources on topical cybersecurity concerns such as spam, spyware, phishing, scams and frauds, worms and viruses, denial of service attacks, etc.
With thousands of links to relevant materials, ITU intends to constantly update the portal with information on cybersecurity initiatives and resources gathered from contributors around the globe. For example, a number of countries are now ramping up national critical information infrastructure protection (CIIP) programmes and sharing information on these initiatives through the portal can assist both developed and developing economies in promoting global cybersecurity.
These efforts highlight work being carried out as follow-up to the World Summit on the Information Society (WSIS) Action line C5 dealing with "Building confidence and security in the use of ICT", for which ITU is the facilitator/moderator.
Update: UN Secretary-General Kofi Annan has made the following statement in conjunction with World Telecommunication Day giving his perspectives on promoting global cybersecurity.
The Filipino telecoms watchdog, the National Telecommunications Commission (NTC), says it will revoke the mobile licence of any operator found guilty of breaking its guidelines on unsolicited broadcast messaging via SMS. The amended rules and regulations also require content providers – alleged to have sent out spam promos to subscribers – to register with the NTC.
This will serve as the basis of an application with the Department of Trade and Industry that grants permits to allow companies to advertise promos. Mobile phone operators and content providers risk being blacklisted if found guilty of violating the agency’s rules.
More information can be found here.
The Draft Amendement to the Rules and Regulations on Broadcast Messaging Service is available here.
Tuesday, May 09, 2006
Mobile Industry Outlook 2006, a new 180-page report from Informa Telecoms & Media answers the most significant questions facing today's mobile operators, equipment vendors and handset vendors as they seek to plan their strategy in 2006.
The report is available here.
Friday, May 05, 2006
Singapore’s mobile users – 99.8% of Singapore’s population, according to the Infocomm Development Authority’s (IDA) February 2006 stats – will have more protection against mobile spam in the future. IDA has put its foot down on this issue, warning of “swift enforcement” of penalties should mobile operators continue to fail to resolve mobile spam issues satisfactorily.
A strong warning letter was sent to SingTel, StarHub and M1, the three mobile operators in Singapore. In addition, IDA decided to make an example of errant content operator mTouche in the highly publicized mTouche spam case. Between 30th January to 5th February this year, 300,000 mobile end users were billed S$1 for unsolicited SMSes sent by mTouche through the three telcos.
More information can be found here.
China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII).
The impact on corporate email servers, which are commonly used by companies with more than a handful of employees, appears to have gone unnoticed until now. However, Singapore-based technology consultant, James Seng, who first drew attention to the new email licence requirement, believes the inclusion of the prohibition on mail servers is no accident.
More information can be found here.
Thursday, May 04, 2006
The "Survey on Industry Measures taken to comply with National Measures implementing Provisions of the Regulatory Framework for Electronic Communications relating to the Security of Services" conducted by the Technical Department of ENISA, Section Security Policies is available here.
Monday, May 01, 2006
A new wave of spam could be on the way that tricks recipients by looking like it’s a message sent from their friends' e-mail address. This sort of spam would bypass even those filters that currently weed out 99% of the bad stuff, says John Aycock, an assistant professor of computer science at the University of Calgary.
Aycock and student Nathan Friess conducted research and wrote a paper dubbed "Spam Zombies from Outer Space" to show that generating such customized spam -- such as in the form of e-mail replies -- would not be too difficult, as has been assumed in the past. Spammers have leaned toward bulk e-mail generation that is less customized.
More information can be found here.
Friday, April 28, 2006
In a press release, the European Commission has indicated its views on follow-up to the international policy commitments made at WSIS:
To keep up the momentum of the successful World Summit on Information Society (Tunis, 16-18 November 2005), the European Commission has set out today its priorities for implementing the international policy commitments made at the Summit. These priorities include safeguarding and strengthening human rights, in particular the freedom to receive and access information. Information and communication technologies (ICTs) should be used to contribute to open democratic societies and to economic and social progress worldwide. The Commission calls for continuing international talks to improve Internet governance through the two new processes created by the Summit: the multi-stakeholder Internet Governance Forum and the mechanism of enhanced cooperation that will involve all governments on an equal footing.
The EC has also issued a FAQ on Internet Governance.
Thursday, April 27, 2006
Via Schneier on Security comes news of a Kaspersky Labs report on extortion scams using malware:
We've reported more than once on cases where remote malicious users have moved away from the stealth use of infected computers (stealing data from them, using them as part of zombie networks etc) to direct blackmail, demanding payment from victims. At the moment, this method is used in two main ways: encrypting user data and corrupting system information.
Users quickly understand that something has happened to their data. They are then told that they should send a specific sum to an e-payment account maintained by the remote malicious user, whether it be EGold, Webmoney or whatever. The ransom demanded varies significantly depending on the amount of money available to the victim. We know of cases where the malicious users have demanded $50, and of cases where they have demanded more than $2,000. The first such blackmail case was in 1989, and now this method is again gaining in popularity.
In 2005, the most striking examples of this type of cybercrime were carried out using the Trojans GpCode and Krotten. The first of these encrypts user data; the second restricts itself to making a number of modifications to the victim machine's system registry, causing it to cease functioning.
Monday, April 24, 2006
Looking back, 2005 saw a rise in profit-driven attacks. These were reflected by phishing, which now represents as much as one percent of the global e-mail traffic and is far more effective than spamming.
Viruses, worms, and malicious software are becoming part and parcel of information and communications technology. According to Trend Micro's report, called Virus and Spam Roundup 2005 and Predictions for 2006, this year will see more spy phishing and spear phishing on the Internet.
More information can be found here.
Though the United States is making progress in the war on unsolicited commercial e-mail, or spam, it still generates more than any other nation in the world, according to recent statistics from Sophos, a provider of anti-malware solutions.
Sophos ranked spam outputs of the top 12 countries and top six continents based on messages it received in its “global network of spam traps” between January and March, according to the group’s release.
More information can be found here.
Thursday, April 20, 2006
The Federal Trade Commission (FTC) joined 29 other countries in calling for increased cooperation between nations in combating spam. The FTC signed off on a set of anti-spam recommendations by the Organization for Economic Cooperation and Development (OECD), a coalition of 30 countries organized to promote economic growth and trade.
More information about OECD activities on countering spam can be found here.
Please clik here to read the article.
Wednesday, April 19, 2006
The third edition of the International Critical Information Infrastructure Protection (CIIP) Handbook focuses on key aspects of CIIP related to security policy.
The CIIP Handbook is the product of a joint effort within the Comprehensive Risk Analysis and Management Network (CRN) partner network. The CRN is run by the Center for Security Studies (CSS) at the Swiss Federal Institute of Technology (ETH Zurich) and is a member of the Center for Comparative and International Studies (CIS).
"The first (2002) edition of the CIIP Handbook contained an inventory of protection policies in eight countries (Australia, Canada, Germany, the Netherlands, Norway, Sweden, Switzerland, and the United States) and their methods employed for CII assessment. The second edition (2004) included an update of existing surveys and covered six additional countries (Austria, Finland, France, the United Kingdom, Italy, and New Zealand) as well as international protection efforts."
"The latest version continues the tradition of the past two editions, while its scope has been extended: not only has the country survey section been further expanded with a specific focus on Asia by including India, Japan, the Republic of Korea, Malaysia, Singapore, and Russia, but it is also accompanied by a second volume with in-depth analysis of key issues related to CIIP."
Please click here to read more about the 2006 CIIP Handbook.
Volume 1 of the 2006 CIIP Handbook can be downloaded here.
Volume 2 of the 2006 CIIP Handbook can be downloaded here.
The United States National Science and Technology Council (NSTC), a Cabinet-level Council that coordinates science and technology policies across the Federal Government, on April 17th, 2006, released the Federal Plan for Cyber Security and Information Assurance Research and Development.
"This report sets out a framework for multi-agency coordination of Federal R&D investments in technologies that can better secure the interconnected computing systems, networks, and information that together make up the U.S. information technology (IT) infrastructure."
"This country’s IT infrastructure – which includes not only the public Internet but also the networking and IT systems that control critical infrastructures ranging from power grids to emergency communications systems – is vital not only to our national and homeland security but to our economic security," said John H. Marburger III, Science Adviser to the President and Director of the Office of Science and Technology Policy (OSTP). "This report provides a blueprint for coordination of Federal R&D across agencies that will maximize the impact of investments in this key area of the national interest."
The Plan was prepared by the Interagency Working Group (IWG) on Cyber Security and Information Assurance (CSIA), whose members represent more than 20 government organizations. The CSIA IWG operates under the auspices of the NSTC’s Subcommittee on Infrastructure and Subcommittee on Networking and Information Technology Research and Development (NITRD).
The Federal Plan for Cyber Security and Information Assurance Research and Development is available through the NITRD Program Web site.
Please see the recent Press Release and the Federal Plan for further details on these activities.
Monday, April 03, 2006
China’s Ministry of Information Industry has adopted the Measures for the Administration of Internet E-mails. The regulations, which took effect from 30 March 2006, are designed to apply to email service providers and apply to any person operating an email service for Internet users in Mainland China.
The regulations are as follows:
- A provider is defined as any person in the service supply chain involved in delivering or helping users to receive email;
- Service providers must register with the government and obtain a license before providing email services;
- Violators face warnings or penalties of up to 30,000 yuan (approx. $3,700 US) and risk losing their license;
- Firms are barred from sending unsolicited commercial messages without prior consent from recipients;
- All commercial email must have a subject header of “AD” or the Chinese character for advertisement;
- The rules only apply to email containing commercial advertisements;
- The rules state that providers must stop delivery of any messages containing commercial advertisements even if a recipient first consents, but later changes his or her mind.
A copy of the rules (in Chinese) can be found here.
Friday, March 31, 2006
The Federal Trade Commission and members of the International Consumer Protection and Enforcement Network (ICPEN) are meeting in Jeju, Korea, on March 26-28, to discuss the progress of international efforts to combat cross-border fraud and explore new international initiatives to protect consumers around the world.
The FTC’s participation in ICPEN is one part of the agency’s ongoing effort to combat a rising number of cross-border fraud complaints from American consumers. ICPEN members discussed the results of a recent Internet surf for Web sites that are “hidden traps online.”
Over 30 countries participated in the international surf. In the United States, the focus was on Web sites with fraudulent claims advertising “miracle cures” for diabetes, with the FTC, FDA, and several states Attorneys General offices participating.
The FTC and its partners reviewed over 1,000 Web sites and identified over 150 with potentially misleading diabetes claims. The FTC will follow-up, sending warning letters to Web sites that appear to have deceptive or false claims.
More information can be found here.
Wednesday, March 29, 2006
Activités de l’UIT dans la Lutte contre le SPAM, PDF, Cristina Bueti, ITU Strategy and Policy Unit,21 March 2006, presented at the workshop on "Lutte contre le SPAM"(Rabat, Morocco).
The fight against spam, phishing and e-mail fraud should focus on economic incentives and aiding law enforcement, according to attendees at a conference examining the problem this week. Speakers at MIT's 2006 Spam Conference were notably cognizant of the recent proposals of white lists and AOL's Goodmail, a pay per e-mail service offering preferential treatment in e-mail delivery for marketers.
More information can be found here.
Tuesday, March 28, 2006
World Telecommunication Day (WTD) commemorates the founding of ITU on 17 May 1865. This year, WTD could carry added significance as 17 May has been identified by the Tunis phase of the World Summit on the Information Society as “World Information Society Day”.
While World Information Society Day is yet to be proclaimed, ITU, as the leading ICT agency of the UN system, upholds the idea and looks forward to its members to raise awareness of the role of ICT in achieving the development goals of all people.
For WTD 2006, the ITU Council chose the theme of Promoting Global Cybersecurity to highlight the serious challenges we face in ensuring the safety and security of networked information and communication systems.
In today’s interconnected and increasingly networked world, societies are vulnerable to a wide variety of threats, including deliberate attacks on critical information infrastructures with debilitating effects on our economies and on our societies. In order to safeguard our systems and infrastructure and in order to instill confidence in online trade, commerce, banking, telemedicine, e-government and a host of other applications, we need to strengthen the security practices of each and every networked country, business, and citizen, and develop a global culture of cybersecurity.
The urgency of promoting cybersecurity has been called for by the ITU Plenipotentiary Conference in 2002, the World Telecommunication Standardization Assembly (WTSA-2004) as well as the United Nations General Assembly (resolutions 58/199, 2004, and 57/239, 2002).
Invitations to organize national programmes in the context of promoting the theme Promoting Global Cybersecurity for WTD 2006 were sent to all ITU Member States and ITU Sector Members. Sector Members represent over 647 public and private companies and organizations with an interest in telecommunications. Also in conjunction with WTD 2006, the ITU is conducting a survey of cybersecurity trust and awareness. A list of links to the related materials includes:
Internet service providers could face huge fines if they do not provide spam filtering or impose email sending limits under new rules set down by a communications watchdog. The Australian Communications and Media Authority (ACMA) today registered the world's first legislative code of practice for internet and email service providers.
More information can be found here.
At a technology forum in Brussels hosted by EuroISPA - the European Internet Services Providers Association, and co-sponsored by Interpol, Neil Holloway, president, Microsoft (Europe, Middle East and Africa), inaugurated a global law enforcement campaign targeted at cybercriminals responsible for phishing attacks.
This is part of Microsoft's larger program dubbed - the Global Phishing Enforcement Initiative (GPEI), that aims at co-ordinating and expanding the company's anti-phishing efforts globally.
More information can be found here.
Monday, March 27, 2006
Wednesday, March 22, 2006
Wednesday, March 15, 2006
The « Direction du Développement des Médias (France), l’Agence Nationale de Réglementation des Télécommunications (Morocco), l’Institut Francophone des Nouvelles Technologies de l’Information et de la Formation (Francophonie) et le Service Public Fédéral Economie, PME, Classes moyennes et Energie (Belgium) » are jointly organizing a workshop on the « Fight against Spam ».
The workshop will be held in Rabat (Morocco) from 22 to 23 March 2006.
More information can be found here.
Click here to see the agenda.
Tuesday, March 14, 2006
"The case for promoting a global culture for cybersecurity was strongly emphasized at the World Telecommunication Development Conference (WTDC) during an information session for participants conducted by ITU on Friday.
ITU pointed out that in an increasingly interconnected and networked world our societies are vulnerable to a wide variety of threats, including deliberate attacks on critical information infrastructures with debilitating effects on our economies and on our societies. In order to safeguard our systems and infrastructure, we need to strengthen our collective cybersecurity.
As this depends on the security practices of each and every networked country, business, and citizen, we need to develop a global culture of cybersecurity. According to ITU, cybersecurity is critical in the use and development of ICT. The lack of adequate security is an obstacle for using ICTs that rely on the protection and confidentiality of sensitive data. Unless these security and trust issues are addressed, the benefits of the Information Society to governments, businesses and citizens cannot be fully realized.
The information session was aimed at raising awareness on this very important subject and to contribute to bridging the information and knowledge divide between and within countries.
At that session, ITU launched a new reference guide on Cybersecurity for Developing Countries and informed delegates of ITU’s initiative in Promoting Global Cybersecurity as the theme for World Telecommunication Day on 17 May this year. ITU will also assist developing and least developed countries in increasing cybersecurity and will conduct workshops and seminars to enable countries to exchange ideas and discuss common issues." [Via WTDC 2006 Highlights]
For more information about the World Telecommunication Development Conference (WTDC), please click here.
Thursday, March 09, 2006
Microsoft founder Bill Gates said in 1998 that spam was "an annoying and sometimes destructive use of the Internet's unprecedented efficiency." Gates communicated the problem. The makers of Spam Cube created the solution.
The launch of Spam Cube gives everyday personal computer users a revolutionary new tool in the battle against unwanted email. Working in harmony with every operating system and nearly all email providers, Spam Cube protects up to four home computers with its breakthrough anti-spam technology. A technology spawned by the frustration felt by computer users worldwide, forced to endure invasive junk e-mail campaigns.
For more information, please click here.
Including data from some of the world's largest Internet Service Providers, MAAWG (Messaging Anti-Abuse Working Group) has developed its first metrics report outlining the scope of the problem and validating that approximately 85 percent of Internet traffic today is abusive email.
The report, "MAAWG Email Metrics Program: The Network Operators' Perspective," provides data for the fourth quarter of 2005 and will continue to be updated on a quarterly basis as an objective tool for tracking the industry's efforts at controlling abusive email.
For more information, please click here.
Wednesday, March 08, 2006
Efforts by governments to counter internet spam by tracking down and prosecuting spammers have had limited impact and require far more resources than most countries can muster, the United Nations telecoms agency (ITU) warned on Tuesday.
It says in a report that while all countries need anti-spam legislation so that spammers have nowhere to hide, a more effective approach would be to require the establishment of enforceable codes of conduct by internet service providers (ISPs).
For more information about the article, please click here.
For more information about the report "Stemming the International Tide of Spam", please click here.
Saturday, March 04, 2006
According to a press release from the UN, the UN Secretary-General has decided
to establish a small Secretariat in Geneva to assist in the convening of the
Internet Governance Forum (IGF). The Secretary-General was asked by the World
Summit on the Information Society, held in Tunis in November, to convene such a
Forum for multi-stakeholder policy dialogue.
Nitin Desai, the Secretary-General’s Special Adviser for the Summit, held open consultations on
16 and 17 February in Geneva aimed at reaching a common understanding on how the
Forum should function. Those discussions produced a consensus that the IGF
should have a strong development orientation. It was also felt that the Forum
should be open and inclusive, and allow for the participation of all interested
stakeholders with proven expertise and experience in Internet-related
matters.
The Secretariat will be headed by Markus Kummer, who has been the Executive Coordinator of the Secretariat of the
Working Group on Internet Governance, which was established by the
Secretary-General at the request of the first phase of the Summit, in Geneva in
2003. The first meeting of the Forum is expected to take place later this year
in Athens, Greece from October 30 - November 2 2006.
On a separate issue, the Secretary-General has also decided to ask Mr. Desai to consult informally on how
to start a process aimed at enhancing cooperation on international public policy
issues related to the Internet. The Summit had requested the Secretary-General
to start such a process in paragraphs 69-71 of the WSIS Tunis Agenda for the Information Society.
Thursday, March 02, 2006
Recognising the importance of electronic interdependencies, India and the United States on Thursday agreed for greater cooperation to protect electronic transactions and critical infrastructure from cyber crime.
"The two sides recognised the importance of capacity building in cyber security and greater cooperation to secure their growing electronic interdependencies, including to protect electronic transactions and critical infrastructure from cyber crime, terrorism and other malicious threats," the Indo-US joint statement said.
For more information, please click here.
Soon PC users could be literally stamping out spam instead of hitting the delete key.
"Many information workers spend a majority of their time trapped at their desk dealing with e-mail," said Brian Meyers, from the Step User Interface Project Group who helped develop the prototype.
For more information, please click here.
Wednesday, March 01, 2006
On Tuesday, the anchors of the coalition – the Electronic Freedom Foundation and Free Press -- hosted a national conference call asking for allies to unite to fight AOL's "e-mail tax."
Under the banner of DearAOL.com, a total of fifty organizations, including MoveOn.org, Civic Action, Gun Owners of America, The Association of Cancer Online Resources and Craig Newmark of Craigslist.com joined in to offer up a number of explanations as to why such a "pay-to-send" policy would harm the Internet forever.
For more information, click here.
See also "
The Future of Some Email May Not Use Email".
Symantec launches a new Internet security barometer that gives consumers clues on which online activities are currently safest. But unlike rival security meters, Symantec's new Internet Threat Meter breaks out current risks by activity: e-mail, Web browsing, instant messaging, and file sharing.
For more information, please click here.
Three civil suits were filed under Virginia's new anti-phishing statute, the Federal Lanham Act, marking the first time an ISP has used the new law.
For more information, please click here.
A group of security researchers claims to have found the first virus that can jump to a mobile device after infecting a PC.
"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," the research group said.
For more information, please click here.
Tuesday, February 28, 2006
APCAUCE's 2006 meeting was organized in Perth, Australia in conjunction with the APRICOT Conference. The Regional Update meeting was on Sunday 26 February 2006, and APCAUCE (Asia Pacific Coalition Against Unsolicited Commercial Email) will also organize an antispam technical conference track as part of APRICOT on 1 March 2006.
For more information, please click here.
This publication,
with a foreword by Nitin Desai, provides an overview of the key debates
on Internet governance. It presents the work of the Open Regional
Dialogue on Internet Governance, an Asia-Pacific Development Information Programme (APDIP) initiative that has collected perspectives from regional experts and end users.
Monday, February 27, 2006
The Japan E-mail Anti-Abuse Group (JEAG), a working group founded by Japan's ISPs and mobile operators to counter spam, has drafted a list of recommendations for the reference of companies and mail server system administrators that are considering counter-spam measures. The recommendations include information on introducing effective technological counter-measures and working policies to eliminate spam.
For more information, please click here.
Sunday, February 26, 2006
Since Yahoo first proposed its DomainKeys authentication standard for email (DKIM), AOL has played coy. That strategy has apparently served the uber-ISP well, as it has been extended indefinitely.
In a standing-room-only webinar courting direct marketers, AOL speaker Nicholas Graham was asked when the firm will get around to adopting DKIM's cryptographic-based technology. Christine Blank of DMNews reports Graham responded, "We will have to wait and see. The facts are still out."
For more information, please click here.
Commtouch has announced spam and computer virus statistics for the month of January 2006. The data is based on information continuously gathered by the Commtouch Detection Center, which analyzed more than 2 billion messages from over 130 countries during the month of January.
For more information, please click here.
Liberal political action group MoveOn.org is organizing a petition drive against America Online's certified email service, whereby advertisers could pay a per-message fee to guarantee their messages will bypass AOL's spam filtering technologies and be delivered directly to AOL users.
Claiming the service amounts to an "email tax" by granting large email senders preferential access to AOL users mailboxes, while leaving other email users (like small businesses, friends, family members, charities, and co-workers) in the dark, wondering if their mail will get through.
For more information, please click here.
Ahmed Bin Ali, Manager Corporate Communications, Etisalat, said: 'We are happy to make this option available to all our valued customers, and we are empowering them to be able to decide what content they receive and from whom. Our customers have shown interest in a service like this, and we have taken all the steps to make this option available at the earliest.'
For more information, please click here.
Programs that fight viruses have become a necessary evil on Windows PCs. Now the antivirus industry is turning its attention to mobile phones, but it's running into reluctance from cell service providers, who aren't so sure that the handset is the best place to handle security.
For more information, click here.
Thursday, February 23, 2006
In line with paragraph 108 and the Annex of the Tunis Agenda for the Information Society, a consultation is being held on 15-16 May 2006, at ITU Headquarters in Geneva, on WSIS Action Line C5: Building Confidence and Security in the use of ICTs. The purpose of the meeting is to discuss the WSIS multi-stakeholder implementation process for Action Line C5.
The meeting is open to all WSIS stakeholders that are interested and involved in the implementation process in the field of building confidence and security in the use of ICTs.
A draft agenda for the consultation on WSIS Action Line C5 Facilitation and the invitation letter to the meeting from ITU Secretary-General Yoshio Utsumi can be viewed on the WSIS C5 Implementation website.
More information on the activities related to WSIS implementation and follow-up can be viewed here.
Wednesday, February 22, 2006
China's Ministry of Information Industry launched its anti-spam center, www.anti-spam.cn, today as part of their net safety efforts. There are ongoing efforts to also enhance its email management sometime between March and April 2006.
Additionally, the Chinese government issued a regulation on the management of emails, which will take effect on 30 March 2006. Sending advertisement emails without the receiver's permission is banned, according to this new regulation.
For more information, click here
Friday, February 17, 2006
At the behest of the GSM Association (GSMA),
fifteen network operators have founded a joint initiative against the
spread of spam via mobile communications networks and published a "Code
of Practice" (PDF file).
The initiative is focusing on spam sent as a text message or MMS,
which has been divided into three categories: first, advertising that
the cell phone user did not request; second, messages that directly or
indirectly lead to calls of expensive premium services; and third,
fraudulent content, such as the spoofs familiar to users of fixed
Internet.
For more information, click here.
Thursday, February 16, 2006
OECD Scoping Study for the Measurement of Trust in the Online Environment:
Creating an online environment which builds on trust
among users of ICT networks is an increasing priority for business,
industry and governments and has been on the OECD agenda since the late
1990s. The aim of this report is to undertake a review of the data
available from official, semi-official and private sources which can
assist in informing developments and progress in this area. There is a
need to be able to use relevant data to assess the effectiveness of
public and private initiatives aimed at building trust among users.
Wednesday, February 15, 2006
Circle ID has an interesting piece entitled Internet Governance: An Antispam Perspective by Meng Wong, who is known for his work on the email authentication mechanism SPF*:
I believe that we must move to a default-deny model for email to solve
phishing; at the same time we must preserve the openness that made email the
killer app in the first place. The tension between these poles creates a
tremendous opportunity for innovation and social good if we get things right,
and for shattering failure if we get things wrong.
* SPF is derived from original concept work by Paul Vixie which is now also the core of Microsoft's
Sender ID.
Friday, February 10, 2006
Bruce Schneier's Schneier
on Security points to a paper dismissing the myth that worms won't be able to propagate under IPv6.
Wednesday, February 08, 2006
Via Schneier
on Security comes a pointer to an interesting paper entitled Introduction to Petname Systems.
Zooko's Triangle [Zooko] argues that names cannot be global, secure, and
memorable, all at the same time. Domain names are an example: they are global,
and memorable, but as the rapid rise of phishing demonstrates, they are not
secure.
For background reading, see Zooko: Names: Decentralized, Secure, Human-Meaningful: Choose Two, Waterken YURL: Naming vs. Pointing and the Petnames Markup Language.
To summarize, you cannot have a namespace which is all three of: 1.
decentralized (which is the same as saying that the namespace spans trust
boundaries), 2. secure in the sense that an attacker cannot cause name lookups
to return incorrect values that violate some universal policy of name ownership,
and 3. using human-memorizable keys.
Monday, February 06, 2006
An article featured in the Technology Review; "A Tangle of Wires", discusses United States’ approach to cybersecurity.
Among other things it states that: "The major problems in Internet security [many of which are detailed in "The Internet Is Broken"], are nowhere close to being addressed at the federal level, and what little is being done is on the wrong track, favoring summits, partnerships, and "information sharing" over the much more necessary but less visible work of long-term research and development.”
The article also points to two reports: ""Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities," a report presented by the U.S. Government Accountability Office to Congress in May 2005. It contends that "While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified...and it has much work ahead in order to be able to fully address them.""
And "Cyber Security: A Crisis of Prioritization," "prepared by the President's Information Technology Advisory Committee (PITAC) and delivered to the executive branch in February 2005." This report does, according to the article, "in its way offer a solution to the long-term problem of cybersecurity."
View Technology Review for the full article.
Sunday, February 05, 2006
According to an article in the IHT, companies will soon have to buy the electronic equivalent of a
postage stamp if they want to be certain that their e-mail will be delivered to
many of their customers.
America
Online and Yahoo, two of the world's largest providers of e-mail
accounts, are about to start using a system that gives preferential
treatment to messages from companies that pay from a quarter of a cent
to 1 cent each to have them delivered. The Internet companies say this
will help them identify legitimate mail and cut down on junk e-mail,
identity-theft scams and other scourges of users of their services.
Friday, February 03, 2006
From Bruce Schneier's blog Schneier
on Security comes a pointer to an article about
someone convicted for running a for-profit botnet:
November's 52-page indictment, along with papers filed last week, offer
an unusually detailed glimpse into a shadowy world where hackers, often not old enough
to vote, brag in online chat groups about their prowess in taking over vast numbers
of computers and herding them into large armies of junk mail robots and arsenals for
so-called denial of service attacks on Web sites.
Ancheta one-upped his hacking peers by advertising his network of "bots," short for
robots, on Internet chat channels.
A Web site Ancheta maintained included a schedule of prices he charged people who
wanted to rent out the machines, along with guidelines on how many bots were required
to bring down a particular type of Web site.
In July 2004, he told one chat partner he had more than 40,000 machines available,
"more than I can handle," according to the indictment. A month later, Ancheta told
another person he controlled at least 100,000 bots, and that his network had added
another 10,000 machines in a week and a half.
In a three-month span starting in June 2004, Ancheta rented out or sold bots to at
least 10 "different nefarious computer users," according to the plea agreement. He
pocketed $3,000 in the process by accepting payments through the online PayPal service,
prosecutors said.
Starting in August 2004, Ancheta turned to a new, more lucrative method to profit
from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom
prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than
400,000 computers.
Thursday, February 02, 2006
Wednesday, January 25, 2006
Tuesday, January 24, 2006
Friday, December 23, 2005
Tides in Communication Politics? About Shifting Involvements and Technologies of Freedom and the Relevance of Albert Hirschman and Ithiel de Sola Pool for Today’s Communication Studies, by Willem Hulsink, former editor of Trends in Communications.
So like the tides, we can see swings of involvement in shaping the information and communication technologies of the past and the future: initially these technologies are mechanisms of freedom, questioning existing roles and practices, and keeping the hope alive for a better world, but at a later stage, when we realize both their possibilities and complications in real life, these technologies may end in the regulatory domain, provided that they generate perverse effects (e.g. one of Internet’s byproducts, unsolicited mail – spam – is now being addressed by the regulators).
Tuesday, December 20, 2005
The Net's basic flaws cost firms billions, impede innovation, and threaten national security. It's time for a clean-slate approach, says MIT's Dave Clark. This article, the cover story in Technology Review’s December 2005/January 2006 print issue, is divided into three parts: Part 1, Part 2, Part 3. [via James Seng]
Tuesday, November 22, 2005
Friday, November 18, 2005
Today the French Goverment has organized a workshop on Spam at the World Summit on Information Society with the support of the European Presidency and the European Commission. At this occasion, France, Marrocco and the Francofone Institute of New Information and Formation Technologies (INTIF - OIF) have annonced the organisation of the first francofone anti-spam workshop in Rabat to be held at the begining of 2006.
Presentations will be available soon at the ITU/SPU website on Spam.
Wednesday, November 16, 2005
The WSIS Stocktaking Report has been officially launched during the World Summit on the Infrmation Society in Tunis. The report has been prepared on the basis of activities entered to the WSIS Stocktaking Database that by November 2005 contained more then 2500 entries.
For the launch presentation see Stocktaking.pdf (1.47 MB).
For the WSIS Stocktaking Database see here.
Yesterday the Honourable Anne McLellan, Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness, introduced legislation on the lawful interception of communications. The Modernization of Investigative Techniques Act (MITA) will ensure that the law enforcement community and the Canadian Security Intelligence Service (CSIS) maintain their ability to investigate crime and terrorism in the face of rapidly evolving communications technology.
“Currently, under the law, police and CSIS can only intercept communications with authorization. This Act will not change that,” said the Deputy Prime Minister. “However, that authorization may be of no effect if companies do not have the technical ability to intercept new communications technology. This legislation will ensure that criminals can no longer take advantage of new technologies to hide their illegal activities from the law.”
Click here to read more.
The final documents submitted to the second phase of WSIS being held 16-18 November 2005 in Tunis have been posted. They are:
In The Tunis Agenda for the Information Society, paragraphs 3-28 related to Financial Mechanisms for Meeting the Challenges of ICTs for Development, paragraphs 29-82 relate to Internet Governance, and paragraphs 83-122 relate to Implementation and Follow-up.
Friday, November 11, 2005
An article on BBC News discusses the new UNCTAD Information Economy Report 2005 and says the costs of fast net access and linking up to the internet's global infrastructure hits poorer nations much harder than developed countries. Chapters in the report include:
-
ICT indicators for development; Trends and measurement issues
-
International Internet backbone connectivity: Issues for developing countries
-
E-credit information, trade finance and e-finance: Overcoming information asymmetries
-
Taking off: E-tourism opportunities for developing countries
-
Information technology and security: Risk management and policy implications
-
Protecting the information society: Addressing the phenomenon of cybercrime
Wednesday, November 09, 2005
The Belgian Federal Public Service Economy, SMEs, Self-employed and Energy has published a brochure on spam named “Spamming: 24 questions & answers”.
The objective of the brochure is to raise awareness of spam affected persons as to the spamming issue; applicable spamming regulations in Belgium; advice to follow in order to cope with this phenomenon and information on the authorities having competency to receive complaints.
Click below to download the brochure available in four languages: English; French; German; Dutch
Sunday, November 06, 2005
For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by John Palfrey entitled Stemming the International Tide of Spam: a Draft Model Law, which will be presented at the GSR:
This discussion paper primarily takes up the question of what – beyond coordinating with technologists and other countries’ enforcement teams and educating consumers – legislators and regulators might consider by way of legal mechanisms. First, the paper takes up the elements that might be included in an anti-spam law. Second, the paper explores one alternative legal mechanism which might be built into an anti-spam strategy, the establishment of enforceable codes of conduct for Internet Service Providers (ISPs). Third, this paper also examines a variant of the legal approach where ISPs are formally encouraged by regulators to develop their own code of conduct. ISPs should be encouraged to establish and enforce narrowly-drawn codes of conduct that prohibit their users from using that ISP as a source for spamming and related bad acts, such as spoofing and phishing, and not to enter into peering arrangements with ISPs that do not uphold similar codes of conduct. Rather than continue to rely upon chasing individual spammers, regulators in the most resource-constrained countries in particular would be more likely to succeed by working with and through the ISPs that are closer to the source of the problem, to their customers, and to the technology in question. The regulator’s job would be to ensure that ISPs within their jurisdiction adopt adequate codes of conduct as a condition of their operating license and then to enforce adherence to those codes of conduct. The regulator can also play a role in sharing best practices among ISPs and making consumers aware of the good works of the best ISPs. While effectively just shifting the burden of some of the anti-spam enforcement to ISPs is not without clear drawbacks, and cannot alone succeed in stemming the tide of spam, such a policy has a far higher likelihood of success in the developing countries context than the anti-spam enforcement tactics employed to date.
Friday, November 04, 2005
Virus scanners made moot by new exploit.
Recently, researcher Andrey Bayora revealed that it is possible to fool the scanners into thinking that a file under scan is one kind, when it is in actuality something entirely different. Bayora (of www.securityelf.org), a Russian-born Israeli, has issued an advisory that details how to bypass many popular Windows AV programs.
The London Action Plan of spam enforcement authorities has a new website with news. A spam enforcement workshop is now taking place in London:
The Office of Fair Trading, through the UK presidency of the European Union, has invited members of the London Action Plan (LAP) network and the Contact Network of Spam Authorities (CNSA) to participate in a two-day ‘spam enforcement workshop’. The workshop will be held in London at the Department of Trade and Industry Conference Centre on Thursday 3rd and Friday 4th November 2005.
Friday, October 28, 2005
Wednesday, October 26, 2005
Warren New's Washington Internet Daily is reporting on the recent ITU-T Study Group 17 meeting activities that related to IDN and countering spam:
Facilitating internationalized domain names and new measures to counter spam via technical means are part of an ITU push to meet member states' demands for more security standardization.
Last Oct.'s World Telecom Standardization Assembly in Brazil added 2 work items to the agenda of the group, called ITU-T SG-17: The first is to study IDNs, which raise a major security issue because "some national characters can make a user think he is going to one place, but really going to another place," said Herbert Bertine of Lucent, chmn. of SG-17: "We are looking to make sure that when you use internationalized domain names, the possibility that users can be confused, misdirected," will be reduced.
"The belief is that IDN implementation will contribute to easier and greater use of the Internet in those countries where the native or official languages are not yet represented in ASCII characters," documents said. Andrzej Bartosiewicz, head of the DNS Div. at Poland's NASK has been named the group's reporting member on IDNs. The SG will assess ITU members' needs in light of existing standards, he said.
SG-17 has seen "an enormous increase [of work] in the area of security," said Bertine. SG-17 published 5 security recommendations in the last 4-year study period, which ended late in 2004. Bertine said the SG may produce 15-20 during the next period, but said much of the work is in its infancy.
Countering spam by technical means is a new security area for SG-17. Spam has policy, regulatory, legal and technical aspects, but the SG will address the technical side of spam fighting. "A lot of work has been done by IETF," said Bertine. "There's a lot of [standards] material out there. We don't want to duplicate work. We want to leverage and reference" what's other standards bodies have done and fill gaps, said Bertine, "but we have a lot of countries -- particularly developing countries -- who are really looking for the ITU to provide this information."
How spammers do what they do is under consideration; but more important is that spam is not only unwanted e- mail but now a vehicle for viruses and other malware, said Bertine.
SG 17 is working with the ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission) on new to be designated as the 27,000 series and dealing with information security management systems, officials said. Bertine thinks the new series will result in companies finding that "it's in their best interest to be certified, whether it means better insurance rates, less liability because you can claim conformance... plus the most fundamental, if you've got vulnerabilities, you sure want to catch them because it's going to cost you a pile of money if somebody discovers a major weakness."
"The field of information technology and the field of communications continue to overlap and merge more and more every year. That's why collaboration is so important," said Bertine.
At this meeting it was also decide to adopt OASIS' Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) into ITU-T standards.
A list of documents from the last meeting of SG-17 is available here.
Friday, October 21, 2005
Wednesday, October 19, 2005
According to BBC News: A third of the UK's top companies are not complying with the European Union's (EU) regulations on unsolicited emails, or spam, a report has alleged.
The Information Commissioner's Office - an independent body appointed by the Crown - said that while it has the power to fine transgressors up to £5,000 it often proves impossible to track them down.
Friday, October 14, 2005
Home Networking is the linking of all types of electronic devices for applications such as entertainment, telecommunication, home automation systems and telemetry (remote control and monitoring systems). And given the wide range of previously unrelated technologies involved, standards that allow for interoperability are seen as key to the successful marketing of the concept.
Now taking place at the ITU is a workshop on Opportunities and Challenges in Home Networking. The event is organized by ITU-T Study Group 9, in cooperation with several other ITU-T study groups and various organizations outside of ITU. It follows the Workshop on Home Networking and Home Services held 17-18 June 2004, Tokyo.
Study Group 9 has been working on standardization in home networking systems for more than four years. It has already approved three ITU-T Recommendations in the field, particularly dealing with IP-based multimedia services over cable networks. A current focus is a new Recommendation that will specify ways to bridge conditional access systems (that ensure payment in pay TV for example) to digital rights management (DRM) systems, an important step toward smooth operation of fully integrated home networking.
This workshop will bring together experts from all over the world who are pushing forward the frontiers of this fast-moving field. It will provide an overview of the technology as well as an examination of standards that address access, services, performance, Quality of Service, electromagnetic interference and security issues. The workshop will deal with current technology and future trends to provide a framework for moving forward standardization work. Attention will be given to both the technology and service aspects of this new technology.
The programme can be found here with links to the presentations. Highlights include:
- Worldwide Status of Home Networking
- Home Network Architecture and Technologies (including an update on UPnP and DLNA)
- Home Networking Services and Business Models
- Security and Digital Rights Management
- Quality of Service in the Home Network
- Electromagnetic Interference in the Home Environment
- The Home Networking Future: Efforts and Challenges
Thursday, October 13, 2005
Countering Spam,
PDF, Cristina Bueti, ITU Strategy and Policy Unit, 11 October 2005, presented to ITU-T Study Group 17 Meeting (Geneva, Switzerland).
Tuesday, October 11, 2005
The WSIS Executive Secretariat has announced that under the Chairmanship of the President of PrepCom of the Tunis phase of WSIS, a Negotiation Group will meet in two consecutive sessions from 24 to 28 October 2005. In its first session, on 24 and 25 October 2005, its objective will be to finalize the negotiation on the Political Chapeau and on the paragraphs remained in brackets of Chapter two of the Operational Part.
In its second session, from 26 to 28 October 2005, the Negotiation Group will aim to finalize the negotiations on Chapters one and four of the Operational Part of the final documents of the Tunis phase. It will be an intergovernmental negotiation process, to be held every day from 10.00 - 13.00 and from 15.00 - 18.00 hours in the Palais de Nations, Room XX, Gate 40. Interpretation in the six UN working languages will be provided. After each session, the President of PrepCom will inform the observers on the advancement of the work. Participants without badges should contact the Executive Secretariat with a completed badge request form by Friday 21 October 2005 at the latest.
The resumed PrepCom-3 will be held back to back to the Tunis Summit. The Prepcom Bureau decided that PrepCom-3 of the Tunis phase of WSIS will be reconvened on 13 November 2005, at 10.00 hours, in Tunis, for a three-day session (13-15 November 2005). Information about the venue will be provided at a later stage. The resumed PrepCom-3 will start with a short organizational Plenary meeting. The modalities of work of the resumed PrepCom-3 will follow the Rules of Procedure of the PrepCom, including the participation of observers in Plenary and Subcommittee meetings. Interpretation in the six UN working languages will be provided.
More information will be made available here.
Monday, October 10, 2005
According to an article in ZDNET UK, User authentication for email "may be worse than useless" at preventing the spread of spam, according to Nick Fitzgerald, security consultant at Computer Virus Consulting.
As an anti-spam measure, SPF is broken before it's implemented, as it's not just breakable, it's trivial to break," Fitzgerald told an audience at the Virus Bulletin conference in Dublin on Friday.
"Knowing a message arrived SPF compliantly tells us nothing about the actual sender and the 'spaminess' of the message," Fitzgerald added, claiming that SPF has been "widely hyped" as solving the problem of user authentication.
Fitzgerald's views were challenged by other conference attendees, who insisted that SPF would play a valuable role in fighting unsolicited junk email.
Also see John Levine argues that SPF is losing market mindshare and a related article on ZDNET with more details.
Friday, October 07, 2005
Promoting Global Cybersecurity, PDF, Robert Shaw, ITU Strategy and Policy Unit, 6 October 2005, presented to ITU-T Study Group 17 Meeting (Geneva, Switzerland)
The October 2005 English edition of ITU News is now available. Headlines include:
- ITU at a Glance
- ITU's Connect the World Initiatives
- Eye on development
- SPAM
- Pioneers Page
- In Brief
- Industry Watch
Thursday, October 06, 2005
Links to documents from WSIS Prepcom-3 (19-30 September 2005) Sub-Committee A, which dealt with the topic of Internet Governance, can be found on the WSIS website. The key documents from Prepcom-3 include:
According to the Report of the Work of Sub-Committee A, in order to complete the work in time for the Summit, document DT/10 Rev. 4 is offered as basis for further negotiations. The following documents elaborated during PrepCom-3 are offered as a further input to future negotiations:
Monday, September 26, 2005
To further encourage the development of a ubiquitous network society, the ITU Strategy and Policy Unit, the Italian Ministry of Communications, the Ugo Bordoni Foundation and the Aosta Valley are hosting a Workshop on "Tomorrow's Network Today" that will be held in Saint-Vincent (Aosta), Italy on 7-8 October 2005.
This Workshop will discuss specific measures to help overcome potential challenges and determine possible future actions.
One session will be dedicated to Next Generation Networks (NGN) as a framework to harmonize the worldwide technical and functional basis needed to extend the use of integrated ICTs to as many users as possible.
During the workshop there will be an Exhibition which will bring together a wide range of leading industry participants as well as high-level representatives from government and regulators.
Click here for more information about the event.
Sunday, September 25, 2005
John Levine in his blog describes how, on September 22 2005, Robert Braver, an Oklahoma ISP owner who is a long time activist against both spam and junk faxes, received a default judgement of over $10 million against high profile spammer Robert Soloway and his company Newport Internet Marketing. Soloway has frequently been cited as one of the ten largest spammers in the world.
Details of the case including a copy of the decision and other documents are available on a website that Braver set up.
Friday, September 23, 2005
Highlights from the discussions at WSIS Prepcom-3 19-21 September 2005 can be found here.
Wednesday, September 21, 2005
The video archives (Real Video) of yesterday's (20 September 2005) opening discussions on Internet governance in WSIS Prepcom-3 Sub-Committee A which is handling Internet Governance have been made available. They are available in English and in the original language from the Floor.
Access to the all real-time Prepcom-3 streams and archives can be found here.
Update: The archives of the 21 September 2005 discussions on Internet Governance in Sub-Committee A can be found here in English and in the original language from the Floor.
Monday, September 19, 2005
Symantec has released its bi-annual Internet Security Threat Report in September 2005:
The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud.
Top Problems of the Internet and How to Help Solve Them (PDF) by Kim Claffy: Top engineering and operational problems, why they persistently resist solution, how different communities are auspiciously reacting to the above, and implications for research, policy, and builders. Presented as invited keynote at AUSCERT 2005. An older version of this slideset was presented as a keynote address at the CENIC 2005 conference held March 7-9, 2005.
Tuesday, September 13, 2005
Roger Darlington has a note about a new UK cybersecurity initiative to be launched soon called Get Safe Online.
"I spent yesterday at a conference with the title eConfidence - Spam, Scams And Security and posted a short report. I mentioned that a major awareness campaign is due to be launched at the end of next month. It has been nine months in conception and creation and was planned under the name "Project Endurance", but it is being launched under the banner Get Safe Online. At yesterday's event, Tony Neate of the National Hi-Tech Crime Unit described the content as "outstanding", but so far the only public presence is one page on the web. As you can see from this page, eight companies have joined the Home Office and the National Hi-Tech Crime Unit to sponsor the campaign, but more sponsors are sought. I understand that the Netherlands and Norway have run similar campaigns against spam, scams and viruses. Anyone out there got any relevant information? I welcome this initiative. My concern is that there are now a variety of web sites and organisations providing advice on different forms of Internet content and activity - with some major gaps, such as harmful and offensive content -and what the consumer needs is a 'one stop shop' linking all these resources in a high-profile, user-friendly manner."
The recent Asia Pacific Telecommunity (APT) Symposium on Network Security and SPAM presented background information, detailed the current situation, new developments and steps ahead on network security and fighting spam in the Asia-Pacific region.
TSB presented highlights of ITU-T work on security, also detailing the level of participation of the AP region in Study Group 17, the ITU-T group that looks at security issues. Mr Jianyong Chen (ITU-T SG 17 Vice Chair from China ) also attended the event and made a detailed presentation on current SG 17 work. He also chaired two sessions.
In addition TSB presented the results of the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva , 28 June – 1 July 2005. The meeting was organized in three full-day sessions and was attended by some 70 representatives from the Asia-Pacific area. The first day was dedicated to cybersecurity, the second to countering spam, and the third to cooperation initiatives.
The complete set of presentations given at the APT meeting can be downloaded here. The meeting invited AP countries to step-up their capability building initiatives and encouraged APT to increase its collaboration on network security and spam with international organizations working in the area.
For more information, see the ITU-T Newslog.
The ITU Secretary-General, Yoshio Utsumi has presented a report to the ITU Council 2005 on ITU activities on Countering Spam.
"During the Geneva phase of the World Summit on the Information Society (WSIS), spam was identified as a potential threat to the full utilization of the Internet and e-mail. Accordingly, WSIS participants recognized that spam is a "significant and growing problem for users, networks and the Internet as a whole" (WSIS Declaration, paragraph 37) and that, in order to build confidence and security in the use of ICTs, there is a need to "take appropriate action at both national and international levels" (WSIS Plan of Action, paragraph C5, d).
The acknowledgement that spam is a problem at the global level, contributed to the fostering of various activities in the field. Countries became aware of the need to take action on this issue, and recognized the fundamental importance of international cooperation and coordination."
For the full report click here.
Monday, September 12, 2005
The Infocomm Development Authority of Singapore (IDA), in collaboration with the Attorney-General's Chambers of Singapore (AGC), has issued a second public consultation paper on the proposed Spam Control Bill in Singapore. The proposed Spam Control Bill includes, in addition to email spam, legal measures to manage mobile spam in Singapore. The Bill also proposes that anyone who suffers damages or loss arising from spam be given the right to initiate legal action against non-compliant spammers. The draft Bill also proposes that if found guilty, non-compliant spammers can be directed by the court to stop their spamming activities or pay damages to the affected parties.
Details on the proposed Spam Control Bill can be found on the IDA website.
This information was accessed through James Seng's blog.
Friday, August 05, 2005
The Chairman's report (PDF) from the ITU WSIS Thematic Meeting on Cybersecurity held June 28 - July 1 2005 has been released.
The event was organized in the framework of the implementation of the Declaration of Principles and Plan of Action adopted on 12 December 2003, at the first phase of the World Summit on the Information Society (WSIS) and in preparation for the Tunis phase of WSIS, to be held from 16 to 18 November, 2005. The event website provides links to the final agenda, all background papers, presentations, electronic contributions, the Chairman’s Report and audio archives.
The four-day meeting was structured to consider and debate six broad themes in promoting international dialogue and cooperative measures among governments, the private sector and other stakeholders as well as promotion of a global culture of cybersecurity. These include information sharing of national and regional approaches, good practices and guidelines; developing watch, warning and incident response capabilities; technical standards and industry solutions; harmonizing national legal approaches and international legal coordination; privacy, data and consumer protection; and developing countries and cybersecurity.
The first day of the meeting focused on countering spam as follow-up to the ITU WSIS Thematic Meeting on Countering Spam, held in July 2004.
Thursday, August 04, 2005
The Korean Ministry of Information and Communication announced yesterday it will adopt new measures in December to reduce the circulation of spam e-mail. The ministry's plan is designed to prevent the delivery of spam messages with fake sender information. Under the ministry's Sender Policy Framework, participating portal sites will share e-mail server information.
For the full article click here.
Wednesday, August 03, 2005
Net criminals 'customise' attacks: Criminal gangs have become more astute in phishing attacks. Net criminals and hackers are increasingly targeting their attacks at specific organisations, research shows. Worse hit, according to a worldwide survey by IBM, are government departments, financial services, manufacturing and healthcare. Of the 237 million security attacks in the first half of 2005, 137 million were aimed at these four areas. Spam is becoming less attractive as criminals focus on fraud, identity theft and extortion. This has meant a decrease in the ratio of spam to legitimate e-mail from 83% in January to 67% in June.
From BBC News, IBM press release - Global Business Security Index via Ewan Sutherland's weblog.
Alex Shipp, Senior Anti-Virus Technologist at MessageLabs comments:
"The banking system in South American countries has a higher take-up of internet banking than the banking experience we're used to in the US or Europe. This makes online banks a prime target for the high-tech gangs operating in the region who can get rich quick by selectively targeting local economic interests."
For the full article click here.
In a survey to test whether top e-tailers are allowing consumers to opt out of receiving promotional or marketing messages, the FTC has determined that 89 percent of the online merchants it tested are honoring requests to halt future mailings.
The study showed a high rate of compliance with the CAN-SPAM opt-out provisions. All of the e-tailers who sent e-mail to the FTC accounts provided clear notice of recipients’ right to opt out of receiving future mail and provided recipients with an opt-out mechanism. Eighty nine percent of the e-tailers honored all three of the opt-out requests made by FTC staff and 93 percent complied with opt-out requests for at least some accounts.
For the full report (PDF), click here.
Phishing emails go formal - New method hides the true web address: Researchers have discovered a new method used by criminals to hide the location of phishing websites in email messages. The technique uses a form that sends the users to phishing websites after they have pushed a button. Traditionally phishers employ a link in the body of the email message, security watchdog, the SANS Internet Storm Centre has warned. Forms are commonly used by websites to allow users to send information back to the sites, for instance to enter user names and passwords for log ins. A phishing email tries to lure the recipient to a website that the message claims is from a trusted organisation like a bank or credit card company. The aim of the message is to steal confidential information such as login names and passwords.
From VNUnet, SANS Internet Storm Center - diary via Ewan Sutherland's weblog.
Tuesday, August 02, 2005
Friday, July 29, 2005
New Zealand's Information Technology Minister David Cunliffe has tabled the Unsolicited Electronic Messages Bill, which will prevent the mass-marketing of emails and text messages to unsubscribed receivers. The Marketing Association's Chief Executive Keith Norris says while they support the bill, it won't change company practice, as they have had a permission-based code for five years.
Norris also says only 10% of spam originates in New Zealand and the bill is aimed at reinforcing international law.
Click here for the full article
"Just weeks after a Nigerian court convicted a woman in a massive e-mail scam case, the African nation will discuss spam and cybercrime solutions at a national seminar on economic crime. The four-day event, which begins Aug. 6, will take place at the Abuja headquarters of the Economic and Financial Crimes Commission, a government-sanctioned agency created in 2003 to "crack down on fraudsters," according to its Web site. Jonathan Rusch, the U.S. Department of Justice's special counsel for fraud prevention, is scheduled to speak on the last day of the conference about transnational "challenges in investigating and prosecuting telemarketing fraud, spamming and identity theft." A panel on cybercrime and national security is slated to follow his remarks."
Article accessed through
fergie's blog.
The final version of a paper commissioned by the ITU entitled A Comparative Analysis of Spam Laws: The Quest for a Model Law (PDF) has been released. The paper was authored by Derek E. Bambauer, John G. Palfrey, Jr., and David E. Abrams, Berkman Center for Internet & Society, Harvard Law School, for the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva, 28 June - 1 July 2005.
Executive Summary
Spam presents a significant challenge to users, Internet service providers, states, and legal systems worldwide. The costs of spam are significant and growing, and the increasing volume of spam threatens to destroy the utility of electronic mail communications.
The Chairman’s Report from the ITU WSIS Thematic Meeting on Countering Spam in July 2004 emphasized the importance of a multi-faceted approach to solving the problem of spam and named legal governance as one of the necessary means. Our paper focuses on the potential nature of the legal regulation of spam, specifically the importance of harmonizing regulations in the form of a model spam law. We agree with the Chairman that the law is only one means towards this end and we urge regulators to incorporate other modes of control into their efforts, including technical methods, market-based means, and norm-based modalities.
Spam uniquely challenges regulation because it easily transverses borders. The sender of a message, the server that transmits it, and the recipient who reads it may be located in three different states, all of which are under unique legal governance. If spam laws are not aligned in these states, enforcement will suffer because the very differences between spam laws may mean that a violation in one state is a permissible action in another. Moreover, spammers have an incentive to locate operations in places with less regulation, and the opportunity to states to create a domestic spam hosting market may engage them in a race to the bottom.
Harmonizing laws that regulate spam offers considerable benefits, insofar as a model law could assist in establishing a framework for cross-border enforcement collaboration. To those enforcing the regulation of spam, harmonization as a model law effort offers: clear guidelines, easy adoption, enhanced enforcement, stronger norms, fewer havens for spammers, and the increased sharing of best practices. If such regulators then agree that harmonization can aid legal regimes intent on curbing spam, they must initially address four critical tasks: defining prohibited content, setting default rules for contacting recipients, harmonizing existing laws, and enforcing such rules effectively. This legal approach must be concurrently matched by efforts that employ other modes of regulation, such as technical measures, user education, and market-based approaches.
Our analysis of existing spam legislation gathered by the ITU Strategy and Policy Unit evaluated these laws’ elements to determine whether they were commonly included or not, and whether provisions were uniformly implemented or varying when present. Our research documents seven instances in which extant laws strongly converge: a focus on commercial content, the mandatory disclosure of sender/advertiser/routing, bans on fraudulent or misleading content, bans on automated collection or generation of recipient addresses, the permission to contact recipients where there is an existing relationship, the requirement to allow recipients to refuse future messages, and a mix of graduated civil and criminal liability. Also documented are five key areas of disagreement which are vital to a harmonized spam law but which have evaded consensus thus far: a prior consent requirement for contacting recipients, a designated enforcer, label requirements for spam messages, the definition of spam (whether it is limited to e-mail communication, or includes other applications, such as SMS), and the jurisdictional reach of the system’s spam laws. Naturally, a harmonization effort must tackle and narrow these zones of divergence in order to succeed.
Spam laws, whether harmonized or not, are at best only part of the solution to the spam problem and must be developed in concert with technical, market, and norms-based tools if the scourge of spam is to be substantially reduced. Efforts to harmonize the legal regulation of spam can serve as one effective means to solving the unique challenges spam presents. A model spam law is possible to develop, despite the many differences among the world’s spam laws.
Announced today on the WSIS web site is that the second Informal Consultation Meeting on Internet Governance (open to all stakeholders) will take place at the United Nations (Palais des Nations), Geneva, on 6 September 2005. Further details will be available in due time here.
Wednesday, July 27, 2005
Israel’s Knesset (or parliament) has passed a law to fight against spam, imposing fines and strict regulations on people who send unsolicited email, junk faxes, and spam text messages.
“State intervention was necessary in order to prevent the continued impingement on the public’s privacy,” said Israeli Communications Minister Dalia Itzik, who initiated the legislation. Unlike the United States’ CAN-SPAM Law, the Israeli law bars the sending of spam unless the recipient gives his or her prior consent".
For the full article click here.
Tuesday, July 26, 2005
The ITU Council has approved that the theme for World Telecommunication Day 2006 (May 17) be Promoting Global Cybersecurity.
Here is the background of this decision as contained in the proposal to ITU Council:
The United Nations General Assembly adopted, in 2002, a resolution entitled UNGA Resolution 57/239: Creation of a global culture of cybersecurity, calling for international organizations to consider measures to foster a global culture of cybersecurity and invited Member States to develop throughout their societies a culture of cybersecurity in the application and use of information technologies. The General Assembly also stressed the necessity to facilitate the transfer of information technology and capacity-building to developing countries, in order to help them to take measures in cybersecurity.
The ITU Plenipotentiary in 2002 adopted Resolution 130: Strengthening the role of ITU in information and communication network security, instructing the Secretary General and the Directors of the Bureaux to intensify work within existing ITU study groups and inviting ITU Member States and Sector Members to participate actively in the ongoing work of the relevant ITU study groups.
In 2004, a second resolution, UNGA Resolution 58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructure, was adopted by the United Nations on the global culture of cybersecurity and the protection of critical information infrastructure. The General Assembly, through this Resolution, encouraged Member States, regional and international organizations that have developed strategies to deal with cybersecurity and the protection of critical information infrastructures to share their best practices and measures that could assist other Member States in their efforts to facilitate the achievement of cybersecurity; it also stressed the necessity for enhanced efforts to close the digital divide, to achieve universal access to information and communication technologies and to protect critical information infrastructures by facilitating the transfer of information technology and capacity-building, in particular to developing countries so that all States may benefit fully from information and communication technologies for their socio-economic development.
In 2004, the World Telecommunication Standardization Assembly (WTSA) adopted Resolution 50 on Cybersecurity, requesting the ITU-T to continue to raise awareness, of the need to defend information and communication systems against the threat of cyberattack, and continue to promote cooperation among appropriate entities in order to enhance exchange of technical information in the field of information and communication network security.
In accordance with PP Resolution 130 and WTSA Resolution 50, it was proposed that ITU should take a lead role in promoting a global cybersecurity campaign. The vehicle of World Telecommunication Day can be used to build an awareness campaign in support of this objective. In implementing this campaign, ITU would work in close cooperation with organizations involved in global cybersecurity issues, including the European Network and Information Security Agency, the Organization for Economic Cooperation and Development as well as other national, regional and international interested entities.
Monday, July 25, 2005
The Anti-Spyware Coalition proposed a standardized definition of "spyware" on July 12, 2005. The definition, which is open for public comment until August 12, is intended to serve as the foundation for a more unified approach to tackling the spyware problem. In addition to defining spyware, the coalition's first public document also offers uniform definitions of other commonly used terms like "adware" and "cookie," and offers tips for users to avoid downloading unwanted programs.
For more information, see the full article.
For comments on the Anti-Spyware Coalition definitions, click here.
Friday, July 22, 2005
Yahoo and Cisco have teamed up in an effort to reduce the amount of junk email reaching users' inboxes.
The firms have announced a specification called DomainKeys Identified Mail (DKIM) that they hope will become a web standard. DKIM combines Yahoo's DomainKeys and Cisco's Identified Internet Mail authentication technologies.
For the full article click here.
Thursday, July 21, 2005
Australia's broadcasting and telecommunications watchdog has won its first injunction against an alleged spammer under anti-spam laws introduced early last year.
The full article can be accessed here.
Wednesday, July 20, 2005
Article in The Register talks about Scott Richter, who has been dropped from an authorative list of known spammers after cleaning up his act. "Richter and his OptInRealBig option were a fixture in Spamhaus's Register of Known Spam Operations (ROKSO) for years. Only hard-core spammers who become the subject of repeated complaints feature on the list."
"Presence in the rogues gallery makes it difficult to obtain internet service from ethical suppliers and problematic to register domain names. Only those who refrain from sending bulk unsolicited email for six months are eligible for removal from ROKSO. Richter switched to a confirmed opt-in mailing list business model that contrasts with his previous business activities. Richter was sued by New York State Attorney General Eliot Spitzer and brought to the brink of bankruptcy by Microsoft over allegations the he used a network of 500 compromised computers to send millions of junk emails to hapless Hotmail users. Richter denied any such wrongdoing in settling the NY lawsuit last July but he was forced to agree to stop sending deceptive emails and generally abide by the US's CAN SPAM Act."
For the full story click here.
Article in The Register was accessed through fergie's blog.
Tuesday, July 19, 2005
Last week Cisco joined Yahoo, Sendmail and PGP Corp. in submitting the DomainKeys Identified Mail (DKIM) specification to the Internet Engineering Task Force (IETF). DKIM results from Cisco and Yahoo merging separate e-mail verification technologies with similar attributes, which both companies had worked on for more than a year.
"Since all this [spam] traffic is running on Cisco networks in large part, many customers often ask, 'Why can't Cisco do something about it?' " says Sanjay Pol, vice president and director of Cisco's Anti-Spam Initiative. "The less trust people have of the Internet, the worse it is for Cisco and our customers."
Click here to view the full article.
Monday, July 18, 2005
From Paul Hoffman's blog:
The IETF has finally emitted the email anti-spoofing documents for the SPF and Sender-ID protocols. The most important thing is that the two protocols are issues as experimental RFCs, not standards. There is a huge difference, and the IESG tried to make that as clear as possible:
"The following documents (draft-schlitt-spf-classic, draft-katz-submitter, draft-lyon-senderid-core, draft-lyon-senderid-pra) are published simultaneously as Experimental RFCs, although there is no general technical consensus and efforts to reconcile the two approaches have failed. As such these documents have not received full IETF review and are published "AS-IS" to document the different approaches as they were considered in the MARID working group.
The IESG takes no position about which approach is to be preferred and cautions the reader that there are serious open issues for each approach and concerns about using them in tandem. The IESG believes that documenting the different approaches does less harm than not documenting them.
The community is invited to observe the success or failure of the two approaches during the two years following publication, in order that a community consensus can be reached in the future."
And, to be clear, neither protocol is directly anti-spam: they simply help the receiver believe that the mail is sent by the organization that claims it sent the message.
Thursday, July 14, 2005
Wednesday, July 13, 2005
The Nigerian Anti-Scam Network is a movement that is composed of Nigerians who are concerned about the bad image that cybercrime and spam has brought to Nigeria. The Nigerian Anti-Scam Network is an online youth network consisting of young Nigerian professionals who are concerned about the situation and are willing to take actions for change. They aim to expose the supporters and perpetrators of online crimes on their online message boards so that people have a place where they can do spot-checks and thus hopefully avoid being spammed. The Network expresses its concern that foreign parties have anti-scam sites that are little more than anti-Nigeria sites. They believe that the activities of the Nigerian Anti-Scam Network can give a more balanced opinion.
The Network realizes that; "throughout the world, cyber crime is a very serious topic and a very contentious one at that. A lot of countries are losing a lot of money due to the activities of cyber 419s. Nigeria have been touted as the major breeding ground for most of these online scams. Nigeria's ranking in the corruption index have been very discouraging for the past three years and we know that this is not only as a result of Government officials' corruptness, but also as a result of activities of online scammers. To be better prepared to fight these menace and bring back our lost reputation, some young Nigerian professionals started the Nigerian Anti-Scam network and have been doing extensive research on the activities of these scammers and ways of salvaging the country's image."
For more information visit the Nigerian Anti-Scan Network website and online forum.
Wednesday, July 06, 2005
Following months of discussions, China has agreed to sign up to the London Action Plan, which will mean greater cooperation between countries in analyzing spam campaigns, investigating their origin and encouraging ISPs around the world to take appropriate measures to defend innocent users.
Click here to view the full article.
Thursday, June 30, 2005
According to a CNET article, computer security and software companies are urging the U.S. Senate to approve the world's first treaty targeting cybercrime.
A letter from the groups, including the Business Software Alliance, VeriSign, InfraGard and the Cyber Security Industry Alliance, called on senators to ratify the controversial document, which was the subject of a brief flurry of attention last year before it expired without a floor vote.
"The cybercrime convention will serve as an important tool in the global fight against those who seek to disrupt computer networks, misuse private or sensitive information, or commit traditional crimes utilizing Internet-enabled technologies," said the letter, which was sent Tuesday. "It requires countries to adopt similar criminal laws against hacking, infringements of copyrights, computer-facilitated fraud, child pornography and other illicit cyberactivities."
Today's WSIS Thematic Meeting on Cybersecurity Sessions 13 and 14 includes discussion of the Convention on Cybercrime.
Wednesday, June 29, 2005
From the Seattle Times: Calls increasing for safer, more-secure Internet
Built by academics when everyone online was assumed to be a "good citizen," the Internet today is buckling under the weight of what is estimated to be nearly a billion diverse users surfing, racing and tripping all over the network.
Hackers, viruses, worms, spam, spyware and phishing sites have proliferated to the point where it's nearly impossible for most computer users to go online without falling victim to them.
Yesterday, at the ITU WSIS Thematic Meeting on Cybersecurity, during the day focused on spam, a session was dedicated to discussing national policies and legislative approaches to spam. As part of this session, a Background Paper commissioned by ITU, entitled A Comparative Analysis of Spam Laws: the Quest for Model Law, was presented (presentation) by Derek BAMBAUER, Research Fellow, Berkman Center for Internet & Society. The authors of hte paper are Derek BAMBAUER, John PALFREY, Executive Director, and David ABRAMS, Berkman Center for Internet & Society, Harvard Law School, United States. From the introduction to the report:
The goal of this paper is to help policymakers understand the potential benefits and challenges of model spam legislation as a tool to improve the security of and user confidence in information and communications technology (ICT), as well as the potential that model spam legislation holds for Internet users worldwide. First, it sets forth a framework for understanding spam and identifies key issues confronting regulators. Next, the paper examines the set of options for spam laws based on existing and proposed legislation gathered by the International Telecommunication Union (ITU) Strategy and Policy Unit (SPU). It analyzes the level of consensus among these extant laws and the degree to which a particular component is included in most legislation and in the degree to which provisions addressing this component are similar or harmonized. The paper points towards zones where there is considerable consensus while simultaneously illuminating the most fundamental differences, so that policymakers can tackle the hard issues and choices involved in spam laws. Finally, the paper makes preliminary recommendations for spam law efforts and considers both the potential for and the likely efficacy of a model spam law.
During the same sessions, there were presentations from:
- Panellist: Jonathan KRADEN (biography), Staff Attorney, Federal Trade Commission (FTC), United States
o Presentation 
- Panellist: Miguel MONTERO (biography), Spam Ruling Administrator, Radiografica Costarricense (RACSA), Costa Rica
o Presentation
- Panellist: Liang LIU (biography), Assistant Director, Anti-Spam Coordination Team, Internet Society of China, People’s Republic of China
o Presentation
- Presentation: Maria Cristina BUETI (biography), Policy Analyst, Strategy and Policy Unit, ITU
”ITU Survey of Anti-Spam Laws and Authorities Worldwide”
o Presentation
Tuesday, June 28, 2005
Luc Mathan from the relatively new Messaging Anti-Abuse Working Group (MAAWG) is giving a presentation on MAAWG's efforts to align the messaging industry stakeholders along three directives: Collaboration, Technology and Policy. The working group will address collaborating on cross-operator communications, best practices and technology to combat messaging abuse, as well as developing a cohesive point of view on public policy. More information about MAAWG.
MAAWG members are developing a feedback loop mechanisms to deal with spam complaints between ISPs. They are also creating a contact database for service providers to be able to contact the appropriate person to deal with a messaging abuse situation.
Steve Linford of the Spamhaus Project is speaking at the ITU WSIS Thematic Meeting on Cybersecurity on the first day which is concentrating on countering spam. Some of his remarks:
- Spamhaus blocks approximatley 8 billion spam messages per day
- They estimate there are 4 million infected zombie machines which have been compromised with 60-100,000 newly infected per week
- These are used to launch Distributed Denial of Service (DDOS) Attacks
- This is increasingly a criminal activity with "spam supermarkets"
- Mostly American and Russian spammers using Chinese hosting. These are technically smart users who firewall their sites from their hosting companies.
- Spammers in Russia are more criminal than US counterparts. They are involved in
- The largest Russian ISP, Rostelecom says they cannot terminate accounts as Russian law does not permit it.
- Australian spam laws are best in the world, penalties are high enough to make a dent in spam
- Consumer confidence in the Internet is dropping every day
- Spam is a cancer and it is fast killing the Internet
Some of Steve's conclusions include:
- You must ban and not regulate spam
- Governments must give resources to law enforcement agencies
- Make it criminal for ISPs to host spammers
- Require a 24 hour point of contact for all ISPs to terminate problems
- Educate users to not reply to spam
The meeting is also being audiocast live over the Internet. Mr. Linford's talk is the beginning of Session 2.
At the start of the 21st century, our societies are increasingly dependent on information and communications technologies (ICTs) that span the globe. The ITU WSIS Thematic Meeting on Cybersecurity opens today and takes place from 28 June – 1 July 2005 at ITU headquarters in Geneva, Switzerland. This conference will examine the recommendations in the World Summit on the Information Society (WSIS) first phase's Declaration of Principles and Plan of Action that relate to building confidence and security in the use of ICTs and the promotion of a global culture of cybersecurity. Now available on the meeting web site is the agenda (with links to presentations as they are given) and meeting background papers and contributions. The meeting is also being audiocast live over the Internet.
The meeting will specifically consider six broad themes in promoting international cooperative measures among governments, the private sector and other stakeholders, including:
- information sharing of national approaches, good practices and guidelines;
- developing watch, warning and incident response capabilities;
- harmonizing national legal approaches and international legal coordination;
- technical standards;
- privacy, data and consumer protection;
- developing economies and cybersecurity.
The first day of the meeting will focus on countering spam as follow-up to the ITU WSIS Thematic Meeting on Countering Spam held in July 2004.
Monday, June 27, 2005
In Netwizards Blog: according to the records in the IETF's database (here and here), both SPF and Sender-ID anti-spam proposals were tentatively approved by the IESG (the "approval board" of the IETF) as experimental standards RFCs.
Sunday, June 12, 2005
Hong Kong Special Administrative Region plans to enact an anti-spam law next year to crack down on companies that send unsolicited e-mails or make automated telemarketing calls to consumers.
"Au Man-ho, director-general of the Telecommunications Authority, said in a statement Saturday that direct marketing companies using automated calling on an unsolicited basis can be considered a spam problem."
Click here to view the full article.
Monday, June 06, 2005
Communications Minister Helen Coonan has called on Australia's neighbours to join forces to combat threats from spam email and online fraudsters.
"Closer cooperation between such bodies as APEC, the OECD and the ITU (International Telecommunications Union) will also help to develop a strategy to address the threats that spam poses to the integrity and security of the APEC region's communications infrastructure," Senator Coonan said.
Click here to view the full article.
Friday, June 03, 2005
Matthew Fordahl writes in an AP newswire article on Yahoo! News:
Network equipment maker Cisco Systems Inc. and Internet portal Yahoo Inc. are combining their efforts to combat e-mail spam and forgery in a step that's expected to help expand adoption of the technology.
The move, announced Wednesday, combines two techniques that rely on cryptography to help determine whether the sender of an e-mail message is legitimate. Sending messages using a false address is a common tactic of spammers.
[via Fergie's Tech Blog]
Tuesday, May 31, 2005
OECD has released a report on Anti-spam Law Enforcement
"Successful enforcement of anti-spam law serves as an economic disincentive to spammers by imposing fines and penalties which undermine their profits, provides a state-sponsored mechanism for protection and redress to victims of spam-related consumer fraud, and vindicates the privacy rights of spam recipients. Ultimately, an increased enforcement presence may help restore trust in e-mail systems that has been eroded by spam."
For the full report (PDF), click here.
Friday, May 27, 2005
Wednesday, May 25, 2005
"Anti-spam enforcement authorities in 13 European countries recently agreed to share information and pursue complaints across borders in a joint drive to combat electronic junk mail. The nations will cooperate in investigating complaints about crossborder spam from anywhere within the European Union to make it easier to identify and prosecute spammers anywhere in Europe.The voluntary agreement establishes a common procedure for handling cross-border spam complaints". The participating European countries, including Austria, Belgium, the Czech Republic, Ireland, Italy, Lithuania, the Netherlands, and Spain, will through these initiatives try their best to address complaints from each other.
Spain's data protection authority, Agencia Española de Proteccion de Datos, and the U.S. Federal Trade Commission also recently signed a bilateral memorandum of understanding to promote enhanced cooperation and information sharing on spam enforcement activities. In July 2004, the FTC signed a similar agreement with the United Kingdom and Australia.
"Germany is taking spam control into its own hands. People who send junk e-mail in Germany will face fines of as much as 50,000 euros according to a draft law agreed upon by Germany's ruling coalition of Social Democrats and Greens. The law will also prevent spammers from disguising their name and the nature of the e-mail. German lawmakers hope that the steep fine will make people think twice about sending spam. It has been illegal to send spam in Germany since July 2004, but the ruling coalition hopes the new legislation will help stop the practice."
Click here to view the full article.
From the FTC's Operation Spam Zombies page:
Spammers use home computers to send bulk emails by the millions. They take advantage of security weaknesses to install hidden software that turns consumer computers into mail or proxy servers. They route bulk email through these "spam zombies," obscuring its true origin.
As part of a worldwide effort to prevent these abuses, the FTC announces "Operation Spam Zombies." In partnership with 20 members of the London Action Plan and 16 additional government agencies from around the world, the Commission is sending letters to more than 3000 Internet service providers (ISPs) internationally, encouraging them to take the following zombie-prevention measures:
- block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
- apply rate-limiting controls for email relays.
- identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
- give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
- provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.
In a later phase, the Operation plans to notify Internet providers worldwide that apparent spam zombies were identified on their systems, and urge them to implement measures to prevent that problem.
Business Guidance
Letter text translations (provided by participating agencies):
Monday, May 23, 2005
Gregg Keizer writes on TechWeb: Spammers and phishers are using new kinds of attacks to build wide-ranging profiles of online users -- everything from their political views to their sexual preference -- a security firm said Monday.
[via Fergie's Tech Blog]
Declan McCullagh writes on C|Net News:
Remote-controlled "zombie" networks operated by bottom-feeding spammers have become a serious problem that requires more industry action, the Federal Trade Commission is expected to announce on Tuesday.
The FTC and more than 30 of its counterparts abroad are planning to contact Internet service providers and urge them to pay more attention to what their customers are doing online. Among the requests: identifying customers with suspicious e-mailing patterns, quarantining those computers and offering help in cleaning the zombie code off the hapless PCs.
To be sure, computers infected by zombie programs and used to churn out spam are a real threat to the future of e-mail. One report by security firm Sophos found that compromised PCs are responsible for 40 percent of the world's spam--and that number seems to be heading up, not down.
But government pressure--even well-intentioned--on Internet providers to monitor their users raises some important questions.
[via Fergie's Tech Blog]
Sunday, May 22, 2005
OPTA, the Independent Dutch Post and Telecommunications Authority, has released their annual Vision of the Market report.
"The vision of the markets reflect the commission’s view on important trends and competition developments in the markets, as well as on the position of the end-user. In the annual report, OPTA accounts for its activities and results in the year 2004. The annual accounts give insight into OPTA’s financial house-keeping."
Each year OPTA publishes its Vision of the Market. The publication contains OPTA’s ideas regarding developments on the markets for post and electronic communication. The report furthermore recognizes that:
"The landscape in the communications sector is changing. Convergence is now reality: technological developments have made it possible to offer the same services using the same technology (the internet) via multiple types of networks. This is evident in the introduction of voice and television services via the internet. The communications sector is also broadening through integration with the IT, media and entertainment sectors. Convergence has as consequence that companies that did not compete in certain services in the past now do so. The competition potential is increasing, but the problem areas will not immediately disappear because network owners are still able to create entry barriers for competing parties. OPTA will intervene if and when providers abuse their dominant position."
For the full report, please click here.
[Via my weblog]
Saturday, May 21, 2005
From NetWizard's Blog:
While email authentication is no longer such hot topic as it was last year, nevertheless the two main proposals (SPF and Sender-ID) are moving slowly through the IETF process to become experimental protocols. Both just published new drafts (spf and sender-id [1], [2] and [3]). At the same time it is interesting to note that Sender-ID has been placed on the next telechat agenda for the IESG. While SPF has not been put on the IESG telechat, it will probably follow shortly.
What does this mean in simple non-IETF-speak terms? These two proposals may finally be approved by the IETF for experimental use - a long path that started way back in the ASRG two years ago. It still remains to be seen whether either one will be deployed and widely used, especially considering the pending patent applications that Microsoft has on Sender-ID and their GPL-incompatible license.
Thursday, May 19, 2005
Japan's Vodafone K.K. announced today (PDF) new anti-spam measures to make its Vodafone live! mobile internet service more dependable for customers. As a measure to prevent nuisance mails, the number of SMS that can be sent to from a Vodafone K.K. 3G handset within one day will be limited to 500 starting 31 May 2005. Handsets that exceed this limit will not be able to send additional SMS for the following 20 days.
From Slashdot: Canada's National Task Force on Spam released its final report today. Despite prior spam actions on privacy grounds in Canada, the task force is calling for a tough new anti-spam law including penalties for failure to obtain appropriate opt-in consents before sending commercial email as well as private right of action to encourage Canadian lawsuits against spammers. Professor Michael Geist, who headed up the legal aspects of the task force, provides a good summary of the recommendations.
Wednesday, May 18, 2005
Paul F. Roberts writes over on eWeek: The U.S. Department of Defense is soliciting bids for a massive anti-spyware software contract that will protect systems across the military. The deal could be a major opportunity for anti-spyware startups to score a victory against established anti-virus vendors. [via Fergie's Tech Blog]
Tuesday, May 17, 2005
The US Federal Trade Commission is seeking public comment on certain definitions and substantive provisions under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM).
In this Notice of Proposed Rulemaking (NPRM), the FTC proposes rule provisions on five topics: (1) defining the term “person,” a term used repeatedly throughout the Act but not defined there; (2) modifying the definition of “sender” to make it easier to determine which of multiple parties advertising in a single e-mail message will be responsible for complying with the Act’s “opt-out” requirements; (3) clarifying that Post Office boxes and private mailboxes established pursuant to United States Postal Service regulations constitute "valid physical postal addresses" within the meaning of the Act; (4) shortening from ten days to three the time a sender may take before honoring a recipient's opt-out request; and (5) clarifying that to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page.
Monday, May 16, 2005
Security researchers are reporting a new brand of phishing attack that attempts to use stolen consumer data to rip off individual account holders at specific banks.
"Phishing is a form of online fraud that has exploded in frequency over the last several years. Typically using large-volume e-mail campaigns, phishers try to trick people into sharing personal information that the thieves then sell or use to commit identity theft. The new breed of attack, however, could have a higher success rate because the e-mails present unsuspecting recipients with accurate information in a document that looks like legitimate bank correspondence."
The news article brings forward that "The attacks take advantage of poor technological defenses and continued consumer vulnerability, and evidence the work of an organized group with real research-and-development resources," Furthermore, it states that "So far, the success rates that we've seen are amazing. People are expecting to see a crude attack that tries to steal their information; they're not expecting to see this much real information as part of the attack."
The article also highlights another report on phising trends released by the Anti-Phishing Working Group stating that "attacks are increasingly relying on so-called keystroke loggers, a form of malicious program, to garner consumer information. Rather than trying to direct people to fake Web sites that ask for personal information, keystroke phishers capture login names and passwords for online bank accounts when customers access the accounts via computer. The keystroke logger programs then forward that information to the attackers."
For the full ZDNet news article, click here.
Thursday, May 05, 2005
NetWizard's Blog has a post on the start-up work on a standard mail abuse reporting format:
- Since the initial draft two 1/2 weeks ago, a lot of things took place. First of all, Dave was nice enough to open up a public mailing list for anyone who wants to comment on the draft. I will be putting information on it into the -01 draft which is currently in the works. Second, there is now a small public page called "ARF" or "Abuse Reporting Format" which will hopefully contain all the info on this in one easy to find place. Third, I am working on the next (-01) draft which will hopefully explain things better than the current one and put in place a normal extensibility mechanism (an IANA registry similar to what the SIP folks have).
Wednesday, May 04, 2005
Friday, April 29, 2005
The presentations from last month's ITU-T Cybersecurity II Symposium, hosted by RANS in Moscow, are now available, including presentations from:
- Mr Herbert Bertine, Chairman of ITU-T Study Group 17, presentation
- Mr Igor Faynberg, Technical Manager, NGN Standards, and Technologies and ITU-T FGNGN WG 5 Leader, presentation
- Mr Magnus Nyström, RSA Security, presentation
- Mr Charles Brookson, Head of Technology and Standards, Department of Trade and Industry (DTI), UK, presentation
- Mr Igor Furgel, Common Criteria, T-Systems GEI GmbH, presentation
- Mr Bill McCrum, Deputy Director General, Telecom Engineering, Industry Canada, presentation
- Mr Hyun-Cheol Jeong, Senior Research Staff, Korea Information Security Center of KISA, presentation
- Mr Gary Kondakov, Managing Director, Kaspersky Labs in Russia, CIS and Baltic countries, presentation
- Mr Eliot Lear, Consulting Engineer, Network Security, CISCO, pesentation
- Mr Alexander Pogudin, CEO of Center of Financial Technologies, presentation
- Ms Amal Abdallah, Federal Communications Commission, USA, presentation
- Mr Andrey Chapchaev, Director General, Infotecs, presentation
Thursday, April 28, 2005
ZDNET Australia is reporting that Australian regulators have signed an agreement with Asia-Pacific nations to step up the war against spam.
Twelve Asia-Pacific communications and Internet agencies have joined the Australian Communications Authority in signing a memorandum of understanding -- the Seoul-Melbourne Anti-Spam Agreement --on cooperation in countering spam.
ACA acting chairman Bob Horton said the memorandum was "focused on sharing knowledge, information and intelligence about known sources of spam, network vulnerabilities, methods of spam propagation, and technical, educational and policy solutions to the spam problem".
Other agencies involved include:
- the Internet Society of China;
- Commerce, Industry and Technology Bureau, Hong Kong (CITB);
- Philippines Commission on Information and Communications Technology (CICT);
- Philippines Computer Emergency Response Team (PH-CERT);
- the Malaysian Communications and Multimedia Commission (MCMC);
- the Ministry of Economy, Trade and Industry, Japan (METI);
- Ministry of Internal Affairs and Communications, Japan (MIC);
- New Zealand Ministry of Economic Development (MED);
- Taiwan Computer Emergency Response Team / Coordination Centre (TWCERT/CC) and;
- the Ministry of Information and Communication Technology, Kingdom of Thailand (MICT).
The new document is based on an agreement signed in late 2003 between the ACA, the National Office for the Information Economy (NOIE) -- since renamed the Australian Government Information Management Office (AGIMO) -- and the Korea Information Security Agency.
Furthering cooperation among international initiatives in countering spam will also be discussed at the ITU's upcoming WSIS Thematic Meeting on Cybersecurity which will begin with a countering spam day as a following up to ITU's meeting in July 2004 on countering spam.
Wednesday, April 27, 2005
CAPTEF (Conférence des administrations des postes et des télécommunications d’expression française ) Member States adopted a declaration recognizing the importance of the fight against spam at a meeting held in Paris between the 29th and 30th of April 2005. The main purpose of this meeting on "CAPTEF Internet" was to present the various methodologies adopted by the Member States for securing information systems, fighting spam and managing Internet domain names.
The final declaration emphasizes the collection of national contacts responsible for different areas in the fight against spam, which is to be disseminated to international organizations (OECD, ITU, etc.), and the reinforcement of cooperation and international coordination for sharing information on legislation, specific country needs, and anti-spam technologies.
Nineteen countries are currently members of CAPTEF: Benign, Burkina Faso, Burundi, Cameroun, Central Africa, Congo, Côte.d'ivoire, Djibouti, France, Gabon, Madagascar, Mali, Maurice, Mauritania, Niger, Rwanda, Senegal, Chad, and Togo. Six other countries: Algeria, the Comoros, Guinea, Morocco, Tunisia, and Democratic Republic of Congo take part as observers.
For further details, see Direction du développement des médias.
Tuesday, April 26, 2005
UK laws are failing to deter spam: UK spam laws are failing to stop spammers, say campaigners. According to anti-spam organisation Spamhaus, loopholes in UK law render legislation useless in the fight against spammers. The majority of spam originates from the US but there are a handful of hardcore UK-based spammers. Since the law came into force over a year ago no UK spammers have been fined or prosecuted.
Internet service provider AOL is becoming frustrated by the lack of effective anti-spam laws in the UK. "While the volume of spam originating in the UK may be lower than many countries, strong anti-spam legislation sends the right signal," said a spokesman for AOL. "We would like more legal avenues in the UK to hit spammers where it really hurts - in the pocket," he said.
The problem lies in loopholes which effectively give spammers the right to spam any address in the UK, said Steve Linford, who heads up Spamhaus. "British law allows spammers to spam business addresses and it is up to spammers to determine whether an address is a private one or a business one," he told the BBC News website. "Apparently the Department of Trade and Industry was told that British businesses wanted spam, although we have never heard of any," he said.
The job of enforcing the spam law falls to the Office of the Information Commissioner, which admits that it finds it hard to deal with the problem. "It is hard to prove anything because it is difficult to track spammers down. The power of the Information Commissioner is sadly limited although he is calling for greater powers," said a spokesperson.
Even if the Information Commissioner manages to track a UK-based spammer down, the penalty of fines up to £5,000 is not harsh enough thinks Mr Linford. "Some spammers make that amount in a day," he said. UK spammers account for less than 2% of all junk e-mails with the lion's share of spam coming from the US.
From BBC via [my weblog]
Thursday, April 21, 2005
From The Arizona Republic:
"It's the next Internet scam, and it could be the most menacing.
The reason: Even experienced Internet users can become victims and not know it.
The ploy is called pharming - a play off "phishing," the previous Internet fraud - and it involves highly skilled hackers who secretly redirect users' computers from financial sites to the scammers' fake ones, where they steal passwords and other personal information. Even the Web address looks the same."
More...
Tuesday, April 19, 2005
Thursday, April 14, 2005
Friday, March 04, 2005
In the latest Phishing Activity Trends Report (January 2005) from the Anti-Phishing Working Group, it's reported:
“In January, there were 12,845 new, unique phishing email messages reported to the APWG. This is a substantial increase of 42% over the unique reports for December, and represents an average monthly growth rate of 30% since July (2,625). The number of phishing web sites supporting these attacks rose even more dramatically. In January, there were 2,560 unique sites reported, a jump of 47% over December (1740) and more than double the number reported just three months ago in October (1186).”
Tuesday, March 01, 2005
The ITU Council Working Group on WSIS held a meeting on 13-14 December 2004 discussing ITU activities relevant to the World Summit on the Information Society. The Working Group is to prepare, based on inputs of ITU Member States and Sector Members, as well as those of the Secretary?General and the Directors of the Bureaux and submit to ITU Council proposals on necessary ITU actions to help accomplish the goals and objectives articulated in the WSIS Declaration of Principles and Plan of Action.
Some of the input documents to that meeting relate to Internet governance including:
Thursday, November 18, 2004
Attacks using massive botnets of compromised PCs are becoming more and more sophisticated and organised gangs are more likely than ever to be behind online attacks, according to a new VeriSign report. The trend appears to be towards more sophisticated attacks by more organised groups, VeriSign said in its twice-yearly
Internet Security Intelligence Briefing, released on Tuesday. The criminal groups increasingly rely on massive numbers of compromised home PCs to launch their attacks, said Mark Griffiths, vice-president for VeriSign.
Monday, November 01, 2004
The North American Network Operators Group (NANOG) conference, a gathering of Internet Service Provider (ISP) engineers and vendors convenes three times a year for mostly technical conversation along with social networking. The recent NANOG conference in Reston Virginia saw some
unusually direct talk about Spam and the ISPs that tolerate it from America Online's Postmaster, Charles Stiles. [via
CircleID]
Thursday, March 06, 2003
A Computerworld article says "Two weeks after beefing up its antispam efforts on behalf of its members, America Online Inc. said today that it has blocked as many as 1 billion spam e-mails in a single day, up from the average 780 million spam messages a day it was blocking in mid-February."
Monday, March 03, 2003
Net Gurus Rally Anti-Spam Forces. The Internet Research Task Force forms a new offshoot whose sole goal is to document the magnitude of the junk e-mail problem -- and do what it takes to fix it. By Justin Jaffe. [Wired News]
Tuesday, February 11, 2003
The [US] Federal Trade Commission will host a three-day "Spam Forum" Wednesday, April 30 through Friday, May 2, [2003] to address the proliferation of unsolicited commercial e-mail and to explore the technical, legal, and financial issues associated with it.
Friday, January 24, 2003
The Korean Ministry of Information and Communication announced on January 20, 2003, that it will adopt a set of measure to tighten regulations on those who send unsolicted emails or SPAM.
Thursday, January 23, 2003
Thursday, December 19, 2002
[Wired]: Bye Telemarketing, Hi More Spam? "According to Enrique Salem, CEO of Brightmail, which filters 10 percent of Internet e-mail, eight percent of the mail the company filtered in September 2001 was spam. In November 2002, it was 40 percent."
Tuesday, December 17, 2002
SPAM Conference: Cambridge, MA on January 17, 2003 at the first conference on spam filtering. List of speakers.
- "The scale and effect of the spam epidemic leads us to suggest that spam is no longer simply a nuisance, but is a type of information security problem."
GIP also held a workshop on SPAM in summer 2002 and the presentations can be found here.
Friday, July 05, 2002
Monday, June 24, 2002
Korea has the highest Internet broadband penetration per capita in the world and by a very large margin (the runner-ups are not even close). It's always interesting to look at how technology leaders address policy issues as it indicates where other countries might be heading. For example, as I explained in my earlier mention of "Cyber-Crime and Cyber-Terrorism in Korea", the government is attacking a wide range of hacking and cyber-crime issues. In its latest initiative, this article in the Korea Herald explains how the the Korean Ministry of Information and Communication has now unveiled plans for tough new laws dealing with SPAM.
Friday, May 31, 2002
An article on Slashdot says that the European Union is moving toward legislation requiring specific opt-in to receive commercial email (errr... SPAM). Hooray. There's an increasing amount of legislative activity around the world to deal with SPAM such as the US Can SPAM act which prohibits sending unsolicited commercial e-mail "accompanied by header information that is materially or intentionally false or misleading". Let's hope the legislators eventually get it right and stamp this stuff out just like they did fairly effectively with unsolicited faxes.