Experience is that marvelous thing that enables you to recognize a mistake when you make it again.
Friday, July 4, 2008
New IT Term of the day
New IT Term of the day
port knocking
A method of establishing a connection to a secured network or computer within a network that does not have an open port. A remote device sends a series of series of connection attempts, in the form of packets, to the computer’s closed ports, and the attempts are silently ignored but logged by the firewall. When the remote device has established the predetermined sequence of port connection attempts, a daemon triggers a port to open, and the network connection is established. This security method is analogous to knowing a “secret knock,” and only people who know the proper knock sequence will be allowed access. An advantage of using a port knocking technique is that a malicious hacker cannot detect if a device is listening for port knocks.
UK most popular destination for 419 scams
By John Oates
1st July 2008
http://www.theregister.co.uk/2008/07/01/spam_survey/
The United Kingdom is the most popular destination for 419 scams - emails which promise huge riches in exchange for up-front arrangement fees.
A worldwide survey of spam found 23 per cent of all Nigerian 419 scams were sent to British surfers. The UK also scored highly for adult spam - coming second, just behind the US.
The research asked 50 people from ten countries to surf the web unprotected and see what spam they picked up. In total they received 104,000 pieces of spam in the course of a month. The five UK respondents got the fifth highest amount of spam - 11,965 emails. The US came top with 23,233 unsolicited emails.
Anti-virus firm McAfee, which sponsored the research, warned that spam shows no signs of slowing down and does present some real dangers beyond the immediate nuisance. Although none of the UK surfers received email containing a virus several were directed to websites which contained malware. Phishing emails - which purport to come from a trusted source in order to get account or password information - made up eight per cent of the UK total.
Phishing emails supposedly from Bank of America, Chase.com, eBay and Wachovia.com were most popular.
Researchers also found an increase in foreign language spam with Germany and France the favourite targets, although these two countries come bottom of the league for total spam. McAfee predicts non-English language spam will continue to grow.
The top four spam categories were advertising, financial, health and medicine, and adult services.
More than 10,000 laptops lost each week at airports
Agam Shah
June 30, 2008
IDG News Service
Keep laptops close at airports, because they have a startling tendency to disappear in the blink of an eye, according to a new survey.
Some of the largest and medium-size U.S. airports report close to 637,000 laptops lost each year, according to a Ponemon Institute survey released today. Laptops are most commonly lost at security checkpoints, according to the survey.
Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65% of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-size airports, and 69% are not reclaimed. The institute conducted field surveys at 106 airports in 46 states and surveyed 864 business travelers.
The five airports with the most missing laptops reported were Los Angeles International, Miami International, John F. Kennedy International, Chicago O'Hare and Newark Liberty International, the study said.
Travelers seem to lack confidence that they will recover lost laptops. About 77% of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16% saying they wouldn't do anything if they lost their laptop during business travel. About 53% said that laptops contain confidential company information, with 65% taking no steps to protect the information.
Airports, along with hotels and parked cars, are places where laptops can be easily stolen, the U.S. Federal Trade Commission said on its Web site. The confusion of going through security checkpoints can make it easy for travelers to lose track of their laptops, making it "fertile ground for theft," the FTC said.
The FTC recommends people treat laptops "like cash." Like a wad of money, a laptop in public view, such as in the back seat of a car or at the airport, could attract unwanted attention. The FTC also recommends using tracking devices such as Absolute Software Corp.'s LoJack, which can help track down a stolen laptop by reporting its location once it is connected to the Internet. Lenovo Group Ltd. last week announced that it would offer the LoJack option in its upcoming ThinkPad SL series of laptops.
Attaching bells and whistles that sound off after detecting laptop motion could also minimize the chances of theft, the FTC says.
Laptop theft is fairly prevalent in the U.S., said Mike Spinney, a spokesman for the Ponemon Institute. In a study conducted by the institute, 76% of companies surveyed reported losing one or more laptops each year, of which 22% were due to theft or other criminal mischief.
Many people are too ashamed to report lost laptops, knowing they left the computers out where they shouldn't have been, Spinney said.
The Ponemon survey was commissioned by Dell Inc., which today announced new security services to commercial customers, including tracking and recovery of lost laptops and data-theft prevention.
Dell's laptop-tracking service uses technology to locate and recover lost laptops, including GPS. The data protection services include the ability to remotely delete data on a hard drive and services to recover data from failed hard drives.
No security threat from BlackBerry services
Economic Times
3 Jul, 2008
NEW DELHI: In a complete about turn from its earlier stance, the department of telecom (DoT) on Wednesday said that there was no threat from BlackBerry services and the government had no objection if an operator wanted to offer these services.
This comes even as India’s security agencies have been insisting that the government force Canada’s RIM, the maker of BlackBerry smartphones, to put a system in place that will allow them to intercept data sent through these handsets as they fear that these services could be exploited by terrorists.
“There is no threat from BlackBerry services,” telecom secretary Siddharth Behura told reporters. When asked if the government would give approval to companies that have applied for starting Blackberry services, he said, “There is no permission needed for starting value-added services. We have not given permission to anybody, we have not disallowed anybody.”
Mr Behura’s statement assumes significance since it implies that the operators such as Tata Teleservices and state-owned telcos, BSNL and MTNL, too can launch BlackBerry services for their customers.
Mr Behura’s has contradicted DoT’s earlier stance that no new operator would be permitted to launch BlackBerry services until all security issues were resolved. Besides, late last year, the Tatas were unable to launch this service for their customers as DoT had failed to grant them the approval on security grounds.
When contacted, leading telecom operators refused to comment on Mr Behura’s statement. Currently, India has over 1,15,000 BlackBerry customers between five operators, Bharti Airtel, Reliance Communications, BPL, Vodafone Essar and Idea Cellular.
The telecom secretary’s comments come just days after security agencies had sent a fresh communication to DoT, demanding the communications ministry ensure that data sent between BlackBerry users in India is not transferred outside the country.
Their demand stemmed from the fact that email communication between BlackBerry users here bypasses networks of Indian mobile operators providing this service.
“There should be a single point of delivery system for the entire BlackBerry traffic in India and the traffic originating and terminating in India should not travel outside,” security agencies had said in their latest note to the DoT.
Death Penalty for Cyber Crimes in Iran
Tehran plans to impose the death penalty on those guilty of cyber crimes
Under a draft bill anyone promoting prostitution or apostasy, i.e. leaving Islam, could be punished by death.
AsiaNews
03 July 2008
http://www.asianews.it/index.php?l=en&art=12671&size=A
Tehran (AsiaNews) – The death penalty for those who promote corruption, prostitution and apostasy on the internet is being considered by Iran’s parliament. A draft bill that would impose the death penalty for cyber crimes is being debated in the Majlis, Iran’s news agency ISNA reported.
The bill aims to "toughen punishment for harming mental security in society,’ Iran’s ISNA news agency said, against those who promote harmful activities, including apostasy, a crime under Islamic law when it involves leaving Islam.
Iran imposes strict restrictions on internet access, blocking thousands of sites which may carry content deemed immoral or religiously and politically inappropriate.
Wednesday, July 2, 2008
Quote of the day
Fear is not in the habit of speaking truth
Publius Cornelius Tacitus
New IT Term of the day
New IT Term of the day
port forwarding
In home networking, port forwarding, also called port mapping or punch-through, enables you to create a permanent translation entry that maps a protocol port on your gateway machine to an IP address and protocol port on your private LAN. It's a transparent process, meaning network clients cannot see that port forwarding is being done. This process enables you to run a public Internet service on a machine that is otherwise hidden from the Internet by your gateway. Port forwarding may also be used to aggregate traffic from an application that uses several ports for transactions and consolidate it into one port for reporting the total traffic identified with that application.
Barclays gives online users free security software
Kaspersky package available to two million online punters
By Julian Goldsmith
01 July 2008
http://www.silicon.com/financialservices/0,3800010322,39254158,00.htm
Barclays Bank is to offer its two million online customers free security software.
The package from Kaspersky protects from adware, spyware, viruses and provides parental control and spam filters. Barclays already offers its online banking customers free antivirus software but has now beefed up the package to protect against other internet security threats.
Barclays has not disclosed the cost of providing the software free to customers but the Kaspersky product usually sells for £51 for an annual subscription. The bank has signed up for two years with the antivirus company, giving the deal a retail value of more than £200m.
The software is available to any customers who have signed up to Barclays' online banking service and can be downloaded from the site. Each participating customer can get a licence that allows the software to be downloaded on three separate PCs.
Barclays director of digital banking Sean Gilchrist said in a statement: "For the last two years we have offered customers free antivirus software but as internet fraudsters become more sophisticated, it is important that customers protect their computers from all threats and not just viruses."
This initiative follows a similar move last year when the bank started to roll out a two-factor authentication system PINsentry. The bank said more than one million PIN readers have been sent out to customers under this programme.
MySpace Users Struggle against Cybervandalism
Jeremy Kirk
IDG News Service
June 30, 2008
One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.
Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.
Those trashing the group profiles are known as trolls, who delight in making a mess and try to one-up each another with aggressive vandalism. They post taunting videos on YouTube.com, egging each other on and making real-world threats.
It has left many MySpace users struggling to maintain order on their groups. They allege that MySpace has been lax in fixing several well-known glitches that persist on the site despite repeated efforts to contact security administrators. MySpace, which would not grant interviews for this story, contends it has beefed up its security department and does its best to patrol the site for misbehavior.
"Over the last two years, I have notified MySpace not only of the problems but given them possible solutions as well, but they have only responded with a thank you, but there never has been any result," said Corey Scott-Walton, of Sacramento, California, who runs a group for craft-beer enthusiasts.
Scott-Walton is one of several MySpace users who became fed-up with trolls and created their own tools for combating abuse.
One of the problems is a glitch that allows vandals to post comments on a group even when they aren't an approved member. Usually, a moderator must approve new people who join a group.
That glitch opens a door to two more. Another is "bombing," where dozens of empty comments can be posted in the group's discussion area using an automated tool. The boxes push down the real comments and create hundreds of empty comment pages, effectively ruining a conversation. Another problem is "pinning" where a new topic on a discussion thread can be pinned on any forum.
Even if the account of the vandal has been deleted, the offending posts are sort of halfway deleted, with no comments visible but page after page of blank space. Scott-Walton wrote a tool in Visual Basic called "Thread Cleaning" that allows moderators to delete those posts.
MySpace's terms of service forbid use of automated tools and scripts, but users say they've been left with no choice.
Another MySpace user who is a Web developer in Connecticut created a tool that will check his group every 20 seconds for spam and delete it. The Web developer, who did not want to be identified for fear of harassment, said he has used the "report abuse" feature hundreds of times.
"I've found that the more people that report an [abusive] account, the faster MySpace makes it go away," he said.
Trolls will often create hundreds of "sock-puppet" profiles that are used merely to harass other users. Once the particular profile has been shut down by MySpace, the troll will simply use another one to continue attacks.
Another moderator who runs a group concerning religion created a tool to "unpin" offensive topics. He said he has had sporadic contact with MySpace security officials but not been satisfied. "This admin has made a ton of empty promises," he said. "I feel like they're not doing anything to try and halt this harassment problem."
That moderator said he's created a fifth group profile now after hackers found a way to delete his other ones. He too fears harassment outside MySpace: "I don't include any friends or family on my site for their safety."
An unofficial group for followers of the U.S. Democratic Party has been hard hit, according to its moderator, who also did not want to be identified. Moving to another social networking platform isn't an option: "We already have a group of over 80,000 members," he said. "There's been such an investment in building this group up, I'd have a hard time just ditching it to start a new one."
MySpace often relies heavily on users to do the heavy lifting in reporting abusive material, said Caroline Dangson, research analyst for new media and entertainment at IDC.
"So far, we have seen MySpace do very little to address the issues of trolling," Dangson said. "Ultimately, it is in MySpace's best interest to find or develop technology that will block this type of abuse, or the social networking site will eventually lose users, maybe even groups of users, as well as advertisers who pay the bills."
The group moderators have several security suggestions for MySpace: First, fix the glitches. Second, implement flooding controls, which would limit the number of postings a person can make within a specific time period. Scott-Walton said he has also found another problem involving PHP scripts that could potentially be used to track users to a geographic region or exploit security vulnerabilities on a PC.
As far as the trolls, a few of the MySpace miscreants haven't done much to stay anonymous. The MySpace Democrats' moderator said he filed a report with the U.S. Federal Bureau of Investigation about a month ago after tracing the attacks to a quite surprising perpetrator: a graduate student at Carnegie Mellon University. Since then, the attacks have subsided, he said.
Another well-known troll has spammed naked photos of himself on profiles, while consistently posting video rants against those who cross him on YouTube. "It's pathetic, really," the MySpace Democrats moderator said. "You really have to wonder about the sanity of a guy who would troll with naked pictures of himself."
There was success in stopping one prolific troll known as "The Punisher" after the teenager left too many bits of personal information scattered around the Internet, said Chris Boyd, security research manager for Facetime Communications, who has extensively researched MySpace abuses. A call to the youth's high school principal prompted the attacks to stop, Boyd said.
MySpace spokeswoman Jamie Schumacher said the company would not grant interviews concerning the security issues discussed in this story.
However, a document from a recent court case where MySpace sued a company for spamming peoples' profiles give some insight into the evolution of its security department.
The case, which went to arbitration, was settled last month. Scott Richter of Westminster, Colorado, was ordered to pay MySpace $4.8 million in damages and $1.2 million in legal fees in relation to an August 2006 spam campaign. Richter was accused of using compromised MySpace accounts to send unsolicited "bulletins" to thousands of MySpace users.
According to a document signed June 12 by arbiter Philip W. Boesch, MySpace as recently as two years ago "only employed two relatively junior staff employees to deal with the [spam] issues throughout the entire network."
Since then, the security staff has been increased to 30 or 40 employees, Boesch wrote. MySpace has also hired high-power leadership in April 2006. The site's chief security officer, Hemanshu Nigam, is a former computer crimes prosecutor with the U.S. Department of Justice.
All of the spam, trolling and other cybervandalism are against the MySpace's "Terms of Use Agreement." But during the Richter trial, MySpace's director of security and enforcement, E. J. Hilbert, highlighted problems in enforcing the document.
"As Mr. Hilbert testified, nobody reads it," Boesch wrote.
Valve Hacker Caught by Dutch Police
by Donnie B
PC Gaming
June 30th, 2008
http://analoghype.com/blog/506/valve-hacker-caught-by-dutch-police/
A man who hacked into a Valve file server and stole the credit card numbers of Steam Cyber Cafe users was caught by police in the Dutch town of Maastricht this Tuesday.
According to the Dutch Ministry of the Interior, the 20 year old hacker had managed to “burn 13 million Euros playing poker online and shopping for notebooks, flat screens and MP3 players” before being caught.
Known by the online handle MaddoxX, the man first made news when he boasted of the Valve hack in April of 2007.
“We also don’t want money from VALVe,” he wrote on the No-Steam forum last year. “We want a simple message on their site.”
MaddoxX then posted an archived file that included unverified credit card numbers, transaction amounts, Valve’s supposed bank balance, and data that reportedly allowed the creation of counterfeit cyber cafe certificates.
Valve quickly responded to the breach of security, creating an email address titled “Catch_A_Thief@valvesoftware.com” to encourage citizens to help the authorities track down MaddoxX.
In addition to the Valve caper, MaddoxX is being charged with hacking his way into an Activision server and subsequently downloading an unfinished version of Enemy Territory: Quake Wars. MaddoxX also stole 50,000 credit card numbers from an English ticketing website, according to the ITExaminer.
The criminal was eventually nabbed by a Dutch police unit called Team High Tech Crime. There is no word on whether members of Team High Tech Crime go by code-names or wear special uniforms
Group formed to replace Password with online ID cards
Information Cards are the digital version of the cards in your wallet
By CRPCC Team
01 July 2008
A steering committee of 9 people is formed from 6 companies to workout an online ID Card identity verification system in place of existing password method, to prove your identity online for various online transactions.
This group has been named as Information Card Foundation (ICF) and formally formed at the Burton Catalyst Conference in San Diego June 23 – 27, 2008 and has representatives from Equifax, Google, Microsoft, Novell, Oracle and PayPal.
As per ICF brochure , the Information Cards are defined as the digital, online equivalents of your physical identification credentials such as a drivers license, passport, credit card, club card, business card or a social greeting card. Users control the distribution of their personal information through each Information Card. Information Cards are stored in a user’s own online wallet (called a “selector”) and “handed out” with a mouse click just like a physical ID card.
Information Cards can be issued to users by organizations for general or specific use. Users can also create their own Information Cards as a shortcut to avoid the endless process of filling out web forms. But more importantly, the infastructure behind the cards allows for trusted sources (a bank, a credit union, a government office, etc.) to verify specific information (“claims”) made by a user. In other words, Information Cards give users the ability to make claims about themselves, verified by qualified 3rd parties, while using the Internet.
The existing common identification system is passwords. Passwords are forgotten frequently. For every usage, you need a different password else if you use the same password for all usage, you run the risk of misuse of your rightful usage; and identity theft, in case, even one place it is compromised.
ICF has set the objective before itself to define open standard for Information cards.
Some of the stated benefits of Information cards are defined as (a) ‘Click-in’ without logging in with username/password; (b) Verifiable credentials for Less phishing and Less fraud; (c) Wield verifiable claims made by others about you to prove you are you; (d) Customer data verification; (e) Claim verification (e.g. address verification); (f) Provide personal information in proper context (by card type); (g) Buying online with Information Cards; (h) Persistent but severable connections; (i) Integrate existing identity systems and standards
The card can also store other information like checking - whether or not the person browsing are over 21 years old. More information can be obtained at http://informationcard.net/.
Monday, June 30, 2008
New IT Term of the day
New IT Term of the day
polymorphic virus
A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.
Oracle Claim $ 1 Bn Damages in SAP-TN unauthorized download case
Chris Kanaracus
June 26, 2008
IDG News Service
Attorneys representing Oracle Corp. in the company's lawsuit against rival SAP AG and its TomorrowNow subsidiary have for the first time publicly put a dollar figure -- "likely" $1 billion or more -- on the damages they believe the enterprise software maker deserves.
Oracle filed suit against SAP and TomorrowNow last year, charging that TomorrowNow employees illegally downloaded data from an Oracle support Web site and used it to go after Oracle's customers. TomorrowNow provides third-party support for Oracle's PeopleSoft, Siebel and J.D. Edwards software products.
SAP has said TomorrowNow was authorized to download materials from Oracle's Web site on behalf of TomorrowNow's customers, but also acknowledged that "some inappropriate downloads of fixes and support documents occurred at TomorrowNow." That information remained in TomorrowNow's systems, and SAP did not gain access to Oracle's intellectual property, according to SAP.
Oracle's reference to possible damages in the case is embedded in a long court document filed June 24 and signed by SAP and Oracle attorneys. It is related to ongoing discovery proceedings in the case, which has a February 2010 trial date.
Recent activity in the case has seen Oracle and SAP battling over the scope and cost of discovery.
"Because Defendants have not provided Oracle with critical information relevant to liability and resulting damages, Oracle does not yet know its damages with precision.... But, even so, it appears Oracle's damages are, at a minimum, well into the several hundreds of millions of dollars and likely are at least a billion dollars," according to the document.
SAP's attorneys batted away the claim.
"Oracle speculates wildly about the amount of its damages 'claim' in this discovery report, even though more than a year after this case was filed, Oracle still refuses to identify with any precision the nature or amount of its alleged harm or even to provide the theory on which its damages claim is based," they said in the filing. "Oracle wants to substitute public posturing for the hard work of articulating and proving its damages claim (on which Oracle bears the burden of proof)."
In addition, SAP has already produced about 2.3 million pages of documents from 42 custodians, and under its proposed limit of 115 custodians, will turn over another 4 million records, according to the document.
That total does not include an "additional 6 terabytes of data already produced in native form and non-custodian based documents and information to be produced from central repositories and the like," it said. "If Defendants' alleged wrongdoing is as pervasive as Oracle claims, that surely is enough discovery to allow Oracle to present its case."
An Oracle spokeswoman said the company would have no additional comment.
Andy Kendzie, a spokesman for SAP, also called Oracle's damages claims speculative.
"What I would stress is that these are strictly allegations, they haven't been proved," he said. "Our intent is not to litigate this in the press. We have said all along this is going to be the court's decision, and we're going to abide by the courts."
A joint discovery conference for the case is scheduled for July 1, according to the filing.
Malware Creator Cheyenne teen charged
27 Jun 2008
AP
CHEYENNE, Wyo. (AP) Federal prosecutors in Los Angeles have charged a Cheyenne teenager with creating a malicious computer code they say allowed him to take over thousands of computers nationwide to steal credit card information and defraud people.
Jason Michael Milmont, 19, of Cheyenne, has entered a plea agreement with federal prosecutors that calls for him to plead guilty to a single felony charge of accessing protected computers to conduct fraud. He faces up to five years in prison and a fine of up to $250,000 when he's sentenced later by a federal judge in Cheyenne. Milmont also has agreed to pay restitution of more than $73,000.
Milmont's lawyer, Robert Rose, of Cheyenne, did not immediately return calls seeking comment Friday.
According to the plea agreement, Milmont modified ''peer-to-peer'' software the same sort of computer programs that allow people to find and download music and videos on the internet. Prosecutors say he developed a piece of malicious computer code called the Nugache Worm that allowed him to infect other people's computers secretly when they retrieved a peer-to-peer software-sharing program called Limewire on the Internet.
Milmont secretly took over as many as 15,000 computers nationwide, prosecutors said. They said his case is the first in the nation in which a person has been charged with using such ''peer-to-peer'' software to infect other computers.
Wesley L. Hsu, chief of the cyber and intellectual property crimes section in the U.S. Attorney's Office in Los Angeles, said Friday that Milmont is ''certainly a sophisticated defendant, there's no doubt about that.''
Hsu said Milmont isn't necessarily the sole author of the Nugache Worm. He said such computer viruses are commonly developed over time by several programers.
Yet, Hsu said, ''I think that it's fairly clear that the crime was fairly significant.''
Hsu said investigators increasingly are seeing computer criminals taking over the machines of many victims without their knowledge. He said that results in the criminals controlling a ''botnet,'' shorthand for a ''robot network'' of victim computers.
''We try to make our best efforts to contact the victims of these cases,'' Hsu said. ''But when you're talking about thousands of computers at a time, the population of the botnet is constantly changing. So it's very difficult to contact all the victims.''
The FBI investigated the case against Milmont, but Hsu said he couldn't comment on how agents tracked him down. Hsu said he also couldn't comment on what Milmont purchased once he intercepted the credit card numbers of his victims. He said all the restitution Milmont must pay will reimburse fraud victims he reached through the ''botnet'' he created.
Minneapolis-based security analyst Bruce Schneier, chief technologist for BT Counterpane, wrote an analysis of the Nugache Worm last December. He called it and another similar ''botnet'' computer code the ''next step in the evolution of malware,'' or malicious computer software.
In a telephone interview Friday, Schneier said such computer crimes involving secretly commandeering the machines of thousands of unsuspecting victims are becoming more commonplace.
''This is the way hacking is being done today,'' Schneier said. ''This is it more likely it's organized crime than some kid in some town in the United States. This is what we're seeing. The stuff is nasty, it's more than just putting a funny message on your screen, or erasing your hard drive.''
Flint Waters, leader of the Internet Crimes against Children Task Force for the Wyoming Division of Criminal Investigation, has written software that helps law enforcement agencies track down people using ''peer-to-peer'' computer technology to traffic in illegal child pornography.
Waters said people should take precautions with their personal computers to avoid being victimized.
''You never want to open attachments or executables that come from an untrusted host,'' Waters said. ''You just want to make sure that you don't activate these things. There are a lot of those mechanisms. They all basically operate on the assumption that you launch something on your system. You in some way make them welcome.''
EU advisors - Secure ISPs, form "cyber-NATO"
2008-06-26
http://www.securityfocus.com/brief/764
HANOVER, NH -- Academic researchers tasked with making information-security recommendations to the European Union called for rules to force Internet service providers to clean up their networks, for the passage of a comprehensive breach-disclosure law, and for the formation of a group to manage and aid international investigations.
The fifteen recommendations, part of a report prepared by University of Cambridge researchers and funded by the European Network and Information Security Agency (ENISA), could form the basis of future rules governing EU members, said Tyler Moore, a researcher and PhD student at University of Cambridge, who presented the work on Thursday at the Workshop on the Economics of Information Security (WEIS) 2008. The recommendations call for collecting better data by passing comprehensive data-breach disclosure legislation and requiring the reporting of data losses to a central agency. In addition, the researchers proposed that ENISA publicly report the quantity of malicious data and spam flowing out of Internet service providers' networks as well as punish ISPs that do not block compromised machines.
"The good ISPs react very quickly," Moore said. "The bad ones don't, because it is expensive. The desire to clean up their networks is not that strong, so other measures are needed."
The European Union has already requested the aid of Internet service providers in reducing cybercrime. In April, the Council of Europe called for ISPs to share more attack information and speed responses to government data requests. In the United States, the Federal Bureau of Investigation has asked ISPs to retain data for longer periods.
The recommendations called for EU to put pressure on the 15 nations that have not passed the Council of Europe Convention on Cybercrime treaty and to create a law enforcement group -- based on the model of the North Atlantic Treaty Organization (NATO) -- to help expedite investigations into cybercrimes that cross national borders.
Software vendors did not escape scrutiny. The report advised that the government to enforce standards that require network-attached devices to be secure-by-default, to adopt early vulnerability disclosure to force software makers to quickly patch their products, and to mandate that security fixes be distributed for free and not as part of a feature update.
A more in-depth version of the report will be published by ENISA later this year, Moore said.
Download the report at http://weis2008.econinfosec.org/papers/MooreSecurity.pdf
Hackers hijack critical Internet organization sites
Gregg Keizer
Computerworld
June 27, 2008
Turkish hackers yesterday defaced the official sites of the international organizations that oversee the Internet's critical routing infrastructure and regulate domain names, researchers said today.
A group calling itself "NetDevilz" claimed responsibility for the hack, which Thursday morning temporarily redirected visitors to the sites for IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).
Users who tried to reach iana.com, iana-servers.com, icann.com and icann.net were shunted to an illegitimate site, said researchers at zone-h.org, a group that collects evidence of site attacks, including page defacements and redirects. According to a screen capture of the defacement snapped by zone-h.org, the bogus site simply displayed a taunting message: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"
IANA, ironically, is the organization responsible for managing the DNS root zone and assigning the DNS operators for the Internet's top-level domains, such as .com and .org. DNS, which translates the domains and URLs -- such as computerworld.com -- into IP addresses, is a critical component of the Web's traffic-guiding infrastructure.
ICANN, which oversees IANA, also allocates IP address space and manages the Web's top-level domain naming system.
Perhaps not coincidental to the defacement, ICANN was in the news yesterday for voting to relax the rules in assigning and managing generic top-level domains.
The hackers redirected IANA and ICANN traffic to the same IP address that they used last week when they broke into Photobucket Inc.'s image-sharing site and pushed its users to a server operated by Atspace.com, a German hosting service, said Bulgarian security researcher Dancho Danchev in a blog post today.
A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he found find out more.
This Day in History
Thanks for your Visit