<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Cybercrime</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Cybercrime related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2012, unless where otherwise noted.</dc:rights>
		<dc:date>2012-02-11T13:09:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>Phish or Fair?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/phish_or_fair/</guid>
			<link>http://www.circleid.com/posts/phish_or_fair/</link>
			<description><![CDATA[<p>It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, <tt>accounts@bankofamerica.com</tt>, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook.
</p>
<p>
Mail authentication schemes like <a href="http://dkim.org/">DKIM</a> and the new <a href="http://www.dmarc.org">dmarc.org</a> group use cryptographic signatures to help authenticate mail and prove that it really is from who it purports to be from. So, if the mail can authenticate the sender, the phishing problem goes away, right?
</p>
<p>
Unfortunately not. One huge problem is that even if you have all the crypto stuff so you can be 100% sure that a message really is from, say, BANK-AMERICA.COM, you don't know whether BANK-AMERICA.COM is actually your bank or not.
</p>
<p>
I've made a little game called <a href="http://www.taugh.com/bank.php">Phish or Fair</a>. It shows you a domain name, you guess whether it belongs to Bank of America. <a href="http://www.taugh.com/bank.php">Try it out</a> and see how you do.
</p>
<p>
Then see if you can figure out why a bank would use over a thousand different domains. My example here is Bank of America, but they're no worse than other big banks; I picked them because their name is easy to search for.
</p>
<p>
If banks were serious about phishing, they'd pick one name, one domain, and use that consistently. But they don't.
</p>
<p>
PS: BANK-AMERICA.COM belongs to some guy in France.
</p><p><em>Written by <a href="http://www.circleid.com/members/1015/">John Levine</a>, Author, Consultant & Speaker</em></p>]]></description>
			<dc:date>2012-02-07T07:03:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>email</category><category>security</category>
		</item>
		
		<item>
			<title>DNSChanger Trojan Still Running on Half of Fortune 500s, US Govt</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/dnschanger_trojan_still_running_on_half_of_fortune_500s_us_govt/</guid>
			<link>http://www.circleid.com/posts/dnschanger_trojan_still_running_on_half_of_fortune_500s_us_govt/</link>
			<description><![CDATA[<p>"More than two months after authorities shut down a massive Internet traffic hijacking scheme (<a href="http://www.circleid.com/posts/mega_international_dns_malware_operation_dismantled_reports_fbi/">link</a>), the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows," <a href="http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/">reports Brian Krebs</a>. ... "Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities."
</p>]]></description>
			<dc:date>2012-02-02T10:28:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>dns</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Public&#45;Private Cooperation Policy for Cyber Security Suggested by Commissioner Kroes</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120133_public_private_cooperation_policy_cyber_security_ec_commissioner/</guid>
			<link>http://www.circleid.com/posts/20120133_public_private_cooperation_policy_cyber_security_ec_commissioner/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/5265/">Wout de Natris</a> writes: At a speech during the Security and Defense Agenda meeting on 30 January Vice-President of the European Commission, Neelie Kroes, showed how the Commission envisions public-private cooperation on cyber security.
</p>
<p>
Remarks by Kroes:
</p>
<p>
"The Internet does not belong to any one group, but attacks on it affect every group. So let's work together, all sectors, all levels, public and private, national, international and European. So that we can safeguard the security of the systems that increasingly underpin our lives, today and in the future."
</p>
<p>
"In tomorrow's world, if the Internet is not secured, nothing will be."
</p>
<p>
Full statement published <a href="http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/47&amp;format=HTML&amp;aged=0&amp;language=EN&amp;">here</a>.
</p>]]></description>
			<dc:date>2012-01-31T11:11:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>malware</category><category>policy_regulation</category><category>security</category>
		</item>
		
		<item>
			<title>Reducing Unreachable ICANN Registrations</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/reducing_unreachable_icann_registrations/</guid>
			<link>http://www.circleid.com/posts/reducing_unreachable_icann_registrations/</link>
			<description><![CDATA[<p>Recently ICANN (Internet Corporation for Assigned Names and Numbers) published a <a href="http://www.icann.org/en/reviews/affirmation/whois-rt-reducing-unreachable-27jan12-en.htm">report</a> on inaccurate registration data in her own databases. Now the question presented to the world is: how can we mitigate this problem? There seems to be a very easy solution.
</p>
<p>
<strong>Why register?</strong>
</p>
<p>
The answer to this question seems simple. To know who has registered with an organisation. This makes it possible to contact the registered person or organisation, to send bills and to discuss policy with the members.
</p>
<p>
<strong>The rationale of unreachable registrations</strong>
</p>
<p>
This one completely goes by me. ICANN distributes IP resources at the highest level that are on principle scarce: domain names and IP addresses and sets policy around the distribution of domain names. So it seems to be in the utmost interest of ICANN to have an accurate database. Over the past years it has been shown over and over again, that accuracy was not a priority of ICANN, even against her existing policies.
</p>
<p>
There does not seem to be a rationale for these lapses in registration measures. ICANN in the end loses money as she provides a service, but is most likely not paid for this service after registered parties have become unreachable. Next to that it is not good for ICANN's image, as government and LEA reactions have shown over the past years. It could even become a threat to ICANN's very existence.
</p>
<p>
<strong>Cyber crime and enforcement</strong>
</p>
<p>
With the coming of cyber crime, spam and botnets, law enforcement agencies of different backgrounds became interested in Whois data and were very much frustrated when they found data not to be accurate. (And vetting and revocation mechanisms not being in place.) Whois data is a primary source at the start of investigations. So if these are false this makes investigations harder, not impossible.
</p>
<p>
<strong>Inaccurate data</strong>
</p>
<p>
What can be reasons that data is inaccurate? There can be several reasons. To give a few examples: someone forgot to change the data after a move of the office, contact person, a merger, bank account, a company stopped its activities, etc. In the meantime the domain names are still used as they were meant to, but from an unknown address.
</p>
<p>
A second reason could be that free speech advocates want to have a chance to hide their identity behind a so called proxy registration. This way they are safe from prosecution in their home country. Usually this is supported by western governments.
</p>
<p>
A third reason can be criminal intent. A person or group of persons use domain names for personal gain through illegal activities. They never intended to provide accurate data. From a society point of view this is an activity that preferably is stopped as fast as possible.
</p>
<p>
<strong>What to do about it?</strong>
</p>
<p>
We are discussing unreachable registered companies. It looks quite simple to me. ICANN has many ways to reach out to these companies and does so. Everyone concerned gets one year to alter the data. As soon as someone complies, the data is submitted to the Whois database, after being vetted by ICANN.
</p>
<p>
All that have not updated their registration on time (and one year is a very lenient time frame) are de-registered by ICANN.
</p>
<p>
<strong>Legit after claims</strong>
</p>
<p>
If ICANN makes sure there's a good procedure to follow for legit claims after the de-registration that come in anyway, I'm sure this procedure will work. Criminals usually do not show up and try to find new ways to proceed with their business.
</p>
<p>
<strong>Vetting of all new registrations</strong>
</p>
<p>
When ICANN makes sure new applicants are vetted before being admitted and an ongoing checking procedure of existing members is put in place, I'm convinced that the Internet will become a safer place for all concerned. Also, she becomes an example for policy at lower level, whether domain name or IP address organisations, by setting a standard. It makes one avenue on the Internet harder to reach for criminals.
</p>
<p>
<strong>Update - Feb 7, 2012:</strong> Some amendments were made to the post as per <a href="http://www.circleid.com/posts/reducing_unreachable_icann_registrations/#8604">comment #4</a>
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-01-31T07:29:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>policy_regulation</category><category>whois</category>
		</item>
		
		<item>
			<title>Privacy Rules to Change in the EU, But What If &#8230;?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120124_privacy_rules_to_change_in_the_eu_but_what_if/</guid>
			<link>http://www.circleid.com/posts/20120124_privacy_rules_to_change_in_the_eu_but_what_if/</link>
			<description><![CDATA[<p>In a <a href="http://blogs.wsj.com/tech-europe/2012/01/23/reding-details-sweeping-changes-to-e-u-data-laws/">presentation</a> EU Commissioner Viviane Reding gave a preview of the new Privacy regulation her DG is preparing. As she states, privacy rules need to be brought up to date and harmonized. With all 27 member states having the same rules and tools to enforce, a company only will deal with one privacy commissioner, i.e. the one of the country of its main establishment. What a lot of red tape gotten rid of. So, what if we, for the sake of this blog, take this initiative towards spam and cyber crime. What would this do to spam enforcement?
</p>
<p>
<strong>ACMA receives a major compliment</strong>
</p>
<p>
In 2004, when I first entered the anti-spam arena, this was a mantra that I had to hear very often: "Spam is international. We cannot do anything", spoken with a lot of emphasis and some despair. Unfortunately in 2012 this is still true for many countries. Not because of the fact that it is impossible to do something about spam, no, but due to a lack of initiatives. I think that a great compliment to Australia's ACMA (Australian Communications and Media Authority) was published on <a href="http://www.circleid.com/posts/how_canadas_new_anti_spam_act_could_affect_your_email_marketing/#857">CircleID</a> in a comment to an article about the impact of Canada's spam law on local businesses. Brett Watson, an Australian internet engineer, writes:
</p>
<blockquote><p><em>"However, my present (and general) lack of anything to complain about reflects well on the law and its enforcement&#8230; Perhaps what's most telling is that I have, for the first time, subscribed to some advertising newsletters in recent years. I don't feel the need to jealously protect my email address any more, or diligently use uniquely tagged addresses when handing them over. I trust ACMA to keep the companies in line, and the trust seems well placed so far."</em></p></blockquote>
<p>
This proves that fighting spam is effective and that the combination of enforcement with filtering by ISPs keeps mailboxes clean. Spam hasn't gone away, but at national level companies are disciplined and mostly act within the law in the few countries with vigorous enforcement bodies.
</p>
<p>
<strong>Who enforces what?</strong>
</p>
<p>
Privacy and spam are closely related. Spam is seen as an invasion of privacy. But it goes way beyond mere privacy. Privacy sensitive data is often used, sold or worse stolen in order to approach people. Whether to sell a(n illegal) product, phish for more (bank)data or industrial espionage, a stolen e-mail address is often the basis of law violations. The patchwork of enforcement agencies, unclear enforcement powers, the lack of understanding of the issues at stake, of resources, training or powers, the unavailability of online reporting of spam or cyber crime, all mean that enforcement is far from optimal in most countries.
</p>
<p>
<strong>Standardisation of spam and cyber crime law</strong>
</p>
<p>
Could a standardised law, with a standardised toolkit for enforcement agencies make a difference? Yes, I think that it would. For the public it would mean that there is the certainty that when the law is broken, it is clear who to report to and that it is likely that an investigation follows. That it makes a difference to complain. For senders it also sets clear boundaries. Their business continues, as is proven in e.g. The Netherlands, but in compliance with the law. Next to that it offers this clearness in 27 states.
</p>
<p>
As spam, e-fraud, phishing, cyber crime and worse are all so closely related and often involve several countries, it makes sense to be more directive from Brussels. At national level there are so many different laws, ministries and enforcement agencies involved, that coordination there is almost utopian. Next to the fact that success without industry participation is clearly unthinkable. Despite the fact that the Dutch <a href="http://www.ncsc.nl">National Cyber Security Centre</a> is a promising initiative, it is obvious that for most countries this form of public-private cooperation is hard to attain.
</p>
<p>
<strong>A proposed course of action for the EU Cyber Security Centre</strong>
</p>
<p>
The discussion about the EU Cyber Security Centre is under way. Let me give a pointer on what the centre could do. To my mind it ought, also, to actively collect, analyse and share data with those involved: public and private entities, universities. This gives the centre coordinative powers in matters cross border and across different enforcement organisations as well. Two difficult hurdles taken&#8230; should this come to pass. The combination of the overview and oversight with the transparency caused by available, shared data makes all concerned answerable for their (lack of) actions to the centre and each other. I am also convinced that this model will lay the foundation for cooperation with whole new groups of Internet industry partners that are now harder to reach/convince.
</p>
<p>
<strong>Ambition at Commissioner level</strong>
</p>
<p>
If Commissioners Kroes, Malmström and Reding used their powers to harmonise the laws and enforcement in the way Ms. Reding proposes for privacy, i.e. the same law and enforcement tools, standardised enforcement agencies and a point of case handling, the fighting of privacy infringements, spam, malware and cyber crime may actually take a turn for the better. They are so intertwined that another approach is (well, should be) almost unthinkable.
</p>
<p>
The combination of a pro-active EU Cyber Security Centre with a layer of harmonisation where enforcement is concerned will prove to be a structural step forward from the present situation in many countries. Yes, this is ambitious, but it is clear that the present approach is not going to change much. Everything cyber is still a field day for criminals and a private company, Microsoft, so far is the most successful in fighting botnets. This ought to be different, shouldn't it?
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-01-24T08:59:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>data_center</category><category>email</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>spam</category>
		</item>
		
		<item>
			<title>Understanding and Detecting Mobile Malware Threats</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/understanding_and_detecting_mobile_malware_threats/</guid>
			<link>http://www.circleid.com/posts/understanding_and_detecting_mobile_malware_threats/</link>
			<description><![CDATA[<p>Every couple of years there's a new "hot threat" in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it's mobile malware. It's a reoccurring cycle, analogous to the "blue is the new black" in fashion &#8212; if you fancy adopting a certain cynical tone.
</p>
<p>
Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you'll uncover that the back story to many of these "hot threats" often goes back a decade or two. Mobile malware threats are certainly no exception.
</p>
<p>
A history lesson in the evolution of mobile malware is hopefully not required, beyond to say that today's hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there's all too often a stampede towards apparently novel and threat-specific solutions.
</p>
<p>
Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.
</p>
<p>
<strong>What is the "Mobile Threat"?</strong>
</p>
<p>
When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be "what do you define as the mobile threat?"
</p>
<p>
The term "Mobile Threat" is amorphous &#8212; it has become a catch-all to encompass anything that is not physically tethered to a network, happens to be newish from a technology perspective, and is likely subject to some new (previously unencountered) formulation of evilness. That sounds like a kind of wishy-washy definition (and it is), but catch-alls usually are. Instead, I'd rather focus on one aspect of the Mobile Threat &#8212; that of the mobile <em>malware</em> threat.
</p>
<p>
As I described in a blog entry illuminating a handful of <a href="http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/">security predictions for 2012</a>, mobile malware threats continue to be misunderstood. It's all too easy to dive deep into the various technologies that expose mobile devices to new forms of attack and vectors of compromise; just as it's rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the "legacy" threat categories we're already all too familiar with.
</p>
<p>
You could spin a lot of cycles looking into the "what if's" of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things &#8212; how do your employees <em>really</em> use their mobile devices, and how are cybercriminals going to <em>monetize</em> their control of these devices?
</p>
<p>
For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools &#8212; of which the most commonly encountered category is "malware" &#8212; are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.
</p>
<p>
When it comes to the cybercriminals that target mobile devices (which constitute the core element of the "Mobile Threat"), it is interesting to note that they're pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn't really be a surprise to anyone &#8212; it's all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision &#8212; do they target the new platform or optimize their attacks against the traditional devices? As mobile application use increases, there's an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.
</p>
<p>
It's important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install upon the compromised devices are also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&amp;C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure&#8230; business as usual!
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2012-01-16T14:10:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>mobile</category><category>security</category><category>wireless</category>
		</item>
		
		<item>
			<title>Japan Developing Distinctive Anti&#45;Cyberattack Virus</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/japan_developing_distinctive_anti_cyberattack_virus/</guid>
			<link>http://www.circleid.com/posts/japan_developing_distinctive_anti_cyberattack_virus/</link>
			<description><![CDATA[<p>The Japanese Defense Ministry is creating a computer virus capable of tracking, identifying and disabling sources of cyberattacks, according to <a href="http://www.yomiuri.co.jp/dy/national/T120102002799.htm">reports</a>. The development of the virtual cyberweapon was launched in 2008. Since then, the weapon has been tested in a closed network environment. "The most distinctive feature of the new virus is its ability to trace cyber-attack sources. It can identify not only the immediate source of attack, but also all "springboard" computers used to transmit the virus."
</p>]]></description>
			<dc:date>2012-01-04T13:07:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Emerging Markets Tech Watch 2012</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/emerging_markets_tech_watch_2012/</guid>
			<link>http://www.circleid.com/posts/emerging_markets_tech_watch_2012/</link>
			<description><![CDATA[<p><strong><em>Realizing the Dream of a Knowledge Economy</em></strong>
</p>
<p>
2011 has been a significant year for the technology sector globally. Information technology is touching more people in more ways than ever before.
</p>
<p>
Developed markets will be considering a 2012 in which business innovation, competitiveness, and service differentiation are built on ubiquitous broadband, cloud computing, smarter mobile computing, and an increasing plethora of Internet-connected devices. By contrast, securing the technology future for developing markets demands that attention be placed on more fundamental issues.
</p>
<p>
Here are five key tech issues for the emerging markets in 2012.
</p>
<p>
<strong>Internet Infrastructure</strong>
</p>
<p>
The build-out of critical Internet infrastructure is critical to economic diversification and sustainable development. Initiatives to improve routing of domestic Internet traffic and provide new, more optimal routes for regional Internet traffic must be accelerated through the build-out of Internet exchange points (IXPs). On top of the exchange points must come expanded terrestrial and mobile broadband networks.
</p>
<p>
<em>Implications</em>: Internet service providers (ISPs), governments, and businesses must work together for a faster roll-out of national and regional infrastructure. This is the key to unleashing ICT-based innovations and spurring the market for digital content and mobile service delivery.
</p>
<p>
<strong>Incentive Regulation</strong>
</p>
<p>
The agenda for infrastructure development must be guided by informed government policy. This is particularly crucial in smaller economies where market size does not present sufficient incentive for private sector investment. Incentive regulation to improve the current weak frameworks for stimulating growth and protecting consumer interest in the ICT sector will be demanded by the private sector. At the same time, governments will increasingly recognize that national benefits of ICT-enabled growth are too important to leave to the private sector to set the implementation agenda. More stakeholders will call for ICT adoption to be set within a wider context of national development.
</p>
<p>
<em>Implications</em>: Regulators have to adapt more quickly to technology changes. They must take the lead in ensuring that market forces align to social development objectives. Done well, this can translate to increased business innovation, improved delivery of government services, and greater consumer choice.
</p>
<p>
<strong>Cybersecurity</strong>
</p>
<p>
Cybercrime will increasingly challenge resource-constrained businesses and governments. Businesses, especially those with large, high-value networks, like financial services providers and energy companies, will require greater support cover not just nationally but regionally. A coordinated approach is critical to guiding national action and ensuring consistency and compatibility of action among nations. If regional governments are to secure their information and communications systems, identifying and investing in a central point of coordination for cybersecurity must be a top priority.
</p>
<p>
<em>Implications</em>: Governments must put aside petty internal and intra-regional differences and cooperate fully to ensure that cybercrime does not disrupt already fragile local economies and markets.
</p>
<p>
<strong>Mobile Phones, Mobile Apps, Mobile Services</strong>
</p>
<p>
Growth in mobile computing uptake and the availability of mobile apps that address local needs will continue. It will be driven by consumer-focused apps, but eventually business apps will catch on. As smartphones proliferate and mobile providers upgrade their networks to provide customers with faster mobile broadband access, software developers will have greater incentive to build apps. The improved user experience resulting from faster mobile data plans means that consumers will also have greater interest and incentive to use mobile apps and services.
</p>
<p>
<em>Implications</em>: The education sector must evolve to supply the human resources needed to support, not only the creation of digital content, but the development of new, digitally driven innovation and enterprises. This will create opportunity in the private and NGO sectors for training and capacity building beyond the traditional approaches.
</p>
<p>
<strong>Open Data</strong>
</p>
<p>
As governments increasingly recognize the potential of open data, they will move to make their datasets publicly accessible. Progressive administrations will seize the opportunity to demonstrate their commitment to transparency and accountability. Of course, they will also benefit by shortening the timeframe of new service roll-out and shifting the burden to innovators and entrepreneurs.
</p>
<p>
<em>Implications</em>: A huge opportunity has opened for entrepreneurs, researchers, and society. More public awareness is needed to stimulate innovation, collaboration and, most important, more efficient, personalized services for citizens.
</p>
<p>
<strong>Onward to 2012</strong>
</p>
<p>
There is wide recognition of the value of building knowledge-based economies and of investing in technology-driven systems. These are fundamental to economic and national development. There is also no denying that the technology revolution is exposing antiquated infrastructure and institutional processes; testing the philosophy and approach to education; highlighting the imperative for new approaches to human resource development; and creating new, strategic challenges for business, education, and political leaders alike.
</p>
<p>
Advances in technology have exacerbated the vulnerability of states to externally developed and controlled intellectual capital. The central role of information and communications technology in modern society amplifies the debate on priority and significance of deliberately cultivating and securing indigenous intellectual capital.
<br />
From all indications, 2012 will be a continuation of the positive trends and innovations that gained momentum in 2011. The most forward-thinking, innovative organizations will continue to adopt and deploy technologies to improve efficiencies and better engage customers and citizens.
</p>
<p>
In 2012, these developments in emerging markets will require strong, ethical leadership to ensure that investment in technology is matched by commitment to equitable social development.
</p><p><em>Written by <a href="http://www.circleid.com/members/5301/">Bevil Wooding</a>, Internet Strategist, Packet Clearing House</em></p>]]></description>
			<dc:date>2011-12-24T11:45:01-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>cloud_computing</category><category>cybercrime</category><category>internet_governance</category><category>mobile</category><category>policy_regulation</category><category>security</category><category>telecom</category><category>web</category><category>wireless</category>
		</item>
		
		<item>
			<title>Breaking the Internet HOWTO: The Unintended Consequences of Governmental Actions</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111218_breaking_the_internet_howto_unintended_consequences_of_governments/</guid>
			<link>http://www.circleid.com/posts/20111218_breaking_the_internet_howto_unintended_consequences_of_governments/</link>
			<description><![CDATA[<p><strong>"Breaking the Internet"</strong> is really hard to do. The network of networks is decentralized, resilient and has no Single Point Of Failure. That was the paradigm of the first few decades of Internet history, and most people involved in Internet Governance still carry that model around in their heads.
</p>
<p>
Unfortunately, that is changing and changing rapidly due to misguided government intervention. Ever since 2000, when we witnessed the <a href="http://en.wikipedia.org/wiki/LICRA_v._Yahoo!">LICRA v. Yahoo!</a> conflict, we have had governments taking actions that move us away from the <a href="https://projects.eff.org/~barlow/Declaration-Final.html">utopian vision of early netizens</a> towards a <a href="http://www.isoc.org/tools/blogs/scenarios/">dystopic, unrecognizable Internet.</a>
</p>
<p>
This past month has been incredibly busy in terms of misguided governmental interference. Here is a short list of recent governmental bloopers and why they are deeply flawed:
</p>
<p>
<strong>1. Put out a <a href="https://www.fbo.gov/index?s=opportunity&amp;mode=form&amp;id=c564af28581edb2a7b9441eccfd6391d&amp;tab=core&amp;_cview=0">RFP to run the core names and numbers entity</a> (the IANA) but limit it to US organisations.</strong> For over a decade, other governments have complained bitterly that the US "controls the Internet". This move further entrenches that flawed perception but serves no actual purpose since it is nearly inconceivable that any entity other than ICANN (based in California) will get this no fee contract from the Department of Commerce. Serving turkey at Thanksgiving is an American tradition, but this move elevates the term "giving the bird" to new heights. Governments unhappy with this decision have another reason to try to "split the root" or build their own set of nameservers that they can control.
</p>
<p>
<strong>2. Propose a <a href="http://news.dot-nxt.com/2011/10/27/india-proposes-government-control-internet">UN Committee for Internet-related policies</a> (CIRP).</strong> India has done this in the UN General Assembly. Earlier this year, India, along with Brazil, and South Africa floated their <a href="http://www.culturalivre.org.br/artigos/IBSA_recommendations_Internet_Governance.pdf">"IBSA Proposal"</a> [PDF] to near universal criticism. Despite this, the Indian delegate at the UN still said that CIRP would, <em>inter alia,</em>
</p>
<blockquote><p><em>"coordinate and oversee the bodies responsible for technical and operational functioning of the Internet, including global standards setting."</em></p></blockquote>
<p>
Since this is completely unlike the current situation in which the technical and standards bodies operate independently, developing standards and policies in open-to-all, bottom-up, transparent and consensus-based processes, this proposal seems aimed at breaking the <a href="http://www.apnic.net/__data/assets/pdf_file/0003/8715/hot-topics-20031124.pdf">"Internet Model"</a> [PDF]. This model, sometimes called the <a href="www.isoc.org/pubpolpillar/docs/internetmodel.pdf">Internet eco-system</a> [PDF], has given us the Goose that lays the Golden Eggs. An <a href="http://www.circleid.com/posts/20110910_governing_the_internet_the_model_is_the_message/">excellent description of this</a> is well worth reading, and as one commenter suggested "The model is so important that a threat to the model is a threat to the Internet itself." Because some governments are so angry about US unilateral control over Critical Internet Resources (see #1 above), they are willing to kill the Goose, thus ensuring no one gets the Golden Eggs.
</p>
<p>
<strong>3. Start a new <a href="http://www.circleid.com/posts/20111125_another_thanksgiving_another_131_domain_names_seized/">Thanksgiving tradition of censoring websites without due process</a>.</strong> Last year the <a href="http://www.techdirt.com/articles/20110201/10252412910/homeland-security-seizes-spanish-domain-name-that-had-already-been-declared-legal.shtml">rojadirecta case</a> caused quite a stir in Internet governance circles. It seems that ICE will continue to do this until your <a href="http://icanhascheezburger.com">lolcatz</a> are replaced with <a href="http://www.circleid.com/images/uploads/6151.gif">this</a>; only then will we see the public at large up in arms.
</p>
<p>
The rojadirecta case was striking in that ICE not only asserted authority over content (found to be legal in Spain, where rojadirecta is located) stored on a webserver outside the USA, it censored the website that only carried (allegedly) infringing links, as rojadirecta does not have the actual content that was thought to be infringing. Again, the US government angers the rest of the world. It may also be useful to point out that seizing the domain did not stop rojadirecta; they just moved their website to multiple other domains.
</p>
<p>
<strong>4. Be hypocritical.</strong> Proclaim your support of Internet Freedom abroad and actually fund projects that are doing excellent work to protect freedom of speech online with one hand while using the other to restrict those freedoms (see #3 above) not just for your citizens, but for billions of Internet users worldwide.
</p>
<p>
<strong>5. Make <a href="http://www.smh.com.au/world/thai-crackdown-on-facebook-remarks-on-king-20111125-1nz1t.html">pressing a Facebook "like" button</a> a criminal act.</strong> Well done, Thailand, for giving us a humorous interlude in this long, boring post!
</p>
<p>
<strong>6. Issue a <a href="http://images.spaceref.com/news/2011/ProtectiveOrder.pdf">court order</a> instructing non-profit public interest organisations outside the USA (and one in Virginia) to take specific actions in the databases they manage.</strong> In some cases, these actions may violate contracts the organisations have signed with their members. Once again, a unilateral action by a government actor throws sand in the gears of a well-oiled Internet policy system that has taken decades to evolve.
</p>
<p>
<strong>7. Propose legislation that not only censors Internet content on allegations alone, but that requires ISPs and ANYONE who runs a caching DNS server, a search engine, advertising or payment network to police content.</strong> In the USA, there is an intense battle over this SOPA/PROTECT-IP legislation that actually reaches into DNS servers and mandates filtering by server operators.
</p>
<p>
As the <a href="http://www.cdt.org/policy/cdt-warns-against-widespread-use-domain-name-tactics-enforce-copyright">CDT</a> and <a href="http://www.eff.org/deeplinks/2011/12/internet-inventors-warn-against-sopa-and-pipa">many others</a> (including myself as a signatory) have argued, the DNS is not the appropriate place to do this.
</p>
<p>
DNS name queries should be accurately translated into DNS name responses regardless of query source or query subject. That's the design of the DNS and it does its job billions of times per day. This legislation would mandate that your DNS server send you a lie when you made specific queries. Internet broken, plain and simple. In addition, our new DNS Security extensions are incompatible with a lying DNS server. The DNS is the wrong focal point to attack this problem.
</p>
<p>
Besides the breakage, the measure, as originally proposed (and as amended) just wouldn't work to Stop Online Piracy (House bill) or PROTECT-IP (Senate). It's trivial to register a new domain name, or find a new DNS service provider and let's not forget the content "lives" on a webserver somewhere that has an IP address, so filtering DNS replies does not remove the content. Of course, one domain name can have many sub-domains, so taking down one domain can affect hundreds of perfectly innocent websites (as happened in last year's Thanksgiving ICE takedown).
</p>
<p>
<strong>8. Hold hearings to put pressure on the organisation that manages Internet name and number resources to delay a program that is a result of more than 7 years of bottom-up policy making processes.</strong> Two separate House committees put ICANN on the hot seat this week because Congress clearly doesn't understand that they don't get to make these policies, they are just one stakeholder among many. I applaud ICANN for <a href="http://www.adweek.com/news/technology/house-hearing-icann-whats-dot-rush-137109">sticking to their agreed upon schedule</a> for adding more gTLDs to the root:
</p>
<blockquote><p><em>"This process has not been rushed," said Kurt Pritz, SVP of ICANN. "Every issue has been discussed. No new issues have been raised. The people at this table participated in this debate."</em></p></blockquote>
<p>
Even though I have never been a proponent of new gTLDs, I understand that the Policy Development Process has finished and I accept the result. Whinging to Congress is just bad politics for the ANA and others who testified at the hearings if they ever want to be taken seriously in ICANN policy making going forward.
</p>
<p>
On the face of it, all of these disjointed legislative, judicial and executive actions would seem to argue for a global set of rules that all governments would abide by. We saw during <a href="http://en.wikipedia.org/wiki/World_Summit_on_the_Information_Society">WSIS</a> however that the US is not about to give up the one lever of control they have over Internet names and numbers, nor are other governments willing to give up sovereignty over what happens in their territories.
</p>
<p>
If, by some miracle, a deal was reached on a treaty, this would be even more disastrous than individual governments making bad policy decisions. Having nearly 200 UN Member States making Internet policy in a top-down, governments-only setting would only multiply the badness of the bad ideas listed above. Do we really want China, Burma and Iran (just to mention a few) making decisions on what content we can consume or create?
</p>
<p>
Governments and Intergovernmental bodies are supposed to serve the public interest. Unfortunately, they <a href="http://motherboard.vice.com/2011/12/16/dear-congress-it-s-no-longer-ok-to-not-know-how-the-internet-works">don't grok the Internet</a> and their knee-jerk efforts are a threat to the Internet as we know it. They can best promote the public interest by NOT regulating the Internet.
</p><p><em>Written by <a href="http://www.circleid.com/members/1420/">McTim</a>, Co-Chair of the African Network Information Center Policy Development WG</em></p>]]></description>
			<dc:date>2011-12-18T23:30:01-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>cybercrime</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>10 Main Internet Governance Developments in 2011</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111218_10_main_internet_governance_developments_in_2011/</guid>
			<link>http://www.circleid.com/posts/20111218_10_main_internet_governance_developments_in_2011/</link>
			<description><![CDATA[<p>Here is the provisional list of the main Internet governance developments in 2011 and we need your help to compile a final list. Please let us know your views by:
</p>
<p>
Making comments and adding any other development you think should be on this list.
<br />
Joining us for <a href="http://www.diplomacy.edu/calendar/webinar-ten-main-internet-governance-developments-2011">the webinar discussion</a> on 20 December 2012 at 15.00 (CET).
</p>
<p>
<strong>1. The Internet gets highly political</strong>
</p>
<p>
2011 started with the continuance of the Arab Spring. Although there are very different views on the impact of the Internet on the Arab Spring phenomenon (ranging from minimal to key), one outcome is certain: social media is now perceived as a decisive tool in modern political life. In various ways, the Internet &#8212; and its governance &#8212; popped up on political radars worldwide this year.
</p>
<p>
<strong>2. Internet governance moves to the premier league of global politics</strong>
</p>
<p>
Internet governance is an increasingly important global issue: its policy relevance is now comparable to topics such as climate change, migration, and food security. This is illustrated by &#8212; among other developments &#8212; the numerous high-level events on Internet governance this year: the e-G8 Forum, the London Cyberspace Conference, the Vienna Conference on Human Rights and the Internet, and the Hague Conference on Internet and Freedom. In parallel, Internet governance emerged in the mainstream of the UN General Assembly. The main global media (The Economist, IHT, Al Jazeera, BBC) are now following Internet governance developments more closely than ever before.
</p>
<p>
<strong>3. Clearer positioning of the main players</strong>
</p>
<p>
Previous vague national Internet governance approaches have started to crystallise. The USA re-affirmed its support for ICANN. The EU's Digital Agenda is taking clearer international shape (EU's Digital Diplomacy). After an attempt to form a joint approach, IBSA (India, Brazil, South Africa) moved on separately. In October, India submitted a proposal to the UN General Assembly regarding the formation of a UN Committee for Internet-Related Policies. In addition, Russia, China, Tajikistan and Uzbekistan proposed an International Code of Conduct for Information Security to the UN GA.
</p>
<p>
<strong>4. A shift in Internet governance direction, from technology (IT, telecom) to political ministries (diplomacy, prime ministerial cabinets)</strong>
</p>
<p>
Another consequence of the growing political relevance of the Internet is the reconfiguration of national handling of Internet governance. Diplomatic services and the highest political authorities are more involved. Given the complexity of Internet governance issues, the main challenge will be to achieve policy coherence and informed decision-making.
</p>
<p>
<strong>5. Cybersecurity takes centre stage</strong>
</p>
<p>
An increasing number of security incidents and the fear of cyberwar put cybersecurity high on diplomatic agendas. Cross-border cooperation remains one of the main challenges in global cybersecurity cooperation. Some analysts argue that cybersecurity will become the first area where governments will support a global Internet treaty.
</p>
<p>
<strong>6. Online human rights come into focus</strong>
</p>
<p>
Increasing interest in online human rights was triggered by two major developments: the Arab Spring, and concern that the focus on cybersecurity may endanger human rights (e.g. protection of privacy, freedom of expression). This strong interest has been particularly clear in the last few months with the Vienna and Hague conferences focusing exclusively on online human rights. Moreover, following the Swedish proposal, the UN Council on Human Rights will discuss freedom of expression on the Internet in its 2012 meeting.
</p>
<p>
<strong>7. ICANN's soul-searching</strong>
</p>
<p>
Three main developments characterised ICANN in 2011: (1) implementation of management reform; (2) introduction of new generic top-level domains (gTLDs); (3) the resignation of its CEO and the search for a new CEO. Policy discussions in ICANN in 2011 reflected different views and approaches to the way in which the Internet should be governed in the future.
</p>
<p>
<strong>8. Internet blackout in Egypt</strong>
</p>
<p>
On 27 January, Egyptian authorities cut the Internet in a vain hope to stop political protests. This was the first example of a complete country Internet blackout ordered by the government. Previously, even in the case of military conflicts (former Yugoslavia, Iraq) Internet communication was never completely severed.
</p>
<p>
<strong>9. Avalanche of Internet principles</strong>
</p>
<p>
Internet principles were proposed by the OECD, the Council of Europe, the EU, and other players. There are many convergences among these principles which may constitute a future preamble of a global Internet declaration or similar document.
</p>
<p>
<strong>10. SOPA (Stop Online Piracy Act)</strong>
</p>
<p>
US internet governance decisions tend to have global impact. If adopted, SOPA could introduce liability for intermediaries in the control of Internet content. The anti-piracy measures would shift from the final users to Internet service providers (ISPs), search engines, and financial institutions, among others. SOPA could be described as a battle between Hollywood (the entertainment industry) and Silicon Valley (the Internet industry: Google, Facebook, Twitter, etc.).
</p>
<p>
<em>Originally posted at <a href="http://www.diplomacy.edu/">Diplo's website</a>.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/964/">Jovan Kurbalija</a>, Founder &amp; Director of DiploFoundation</em></p>]]></description>
			<dc:date>2011-12-18T08:08:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>icann</category><category>internet_governance</category><category>security</category>
		</item>
		
		<item>
			<title>Chinese Hackers and Cyber Realpolitik</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111216_chinese_hackers_and_cyber_realpolitik/</guid>
			<link>http://www.circleid.com/posts/20111216_chinese_hackers_and_cyber_realpolitik/</link>
			<description><![CDATA[<p>For many people the <a href="http://www.cnbc.com/id/45677967">comments</a> made by Michael Hayden, Former Director of the Central Intelligence Agency, at this week's <a href="https://www.blackhat.com/html/bh-ad-11/bh-ad-11-home.html">Black Hat Technical Security Conference in Abu Dhabi</a> may have been unsettling as he commented upon the state of Chinese cyber espionage.
</p>
<p>
I appreciate the candor of his observations and the distinction he made between state-level motivations. In particular, his comment <em>"We steal secrets, you bet. But we steal secrets that are essential for American security and safety. We don't steal secrets for American commerce, for American profit. There are many other countries in the world that do not so self limit."</em>
</p>
<p>
Perhaps I grew up reading too many spy stories or watched one-too-many James Bond movies, but I've always considered one of the functions of government is to run clandestine operations and uncover threats to their citizens and their economic wellbeing. The fact that Cyber is a significant and fruitful espionage vector shouldn't really be surprising. Granted, it's not as visual as digging a 1476 foot long tunnel under Soviet Berlin during the Cold War (see <a href="http://www.coldwar.org/articles/50s/berlin_tunnel.asp">The Berlin Tunnel Operation GOLD (U.S.) Operation STOPWATCH (U.K.)</a>) or as explosive as the French infiltration and eventual <a href="http://en.wikipedia.org/wiki/Sinking_of_the_Rainbow_Warrior">destruction of the Greenpeace Rainbow Warrior</a> in New Zealand, but in today's electronic society cyber espionage is a necessary tool.
</p>
<p>
Personally, I think you'd struggle to find a country or government anywhere around the world that hasn't invested resources in building out their cyber espionage capabilities in recent years. It's a tool of modern statecraft and policing.
</p>
<p>
While the media tends to focus upon the term "cyber warfare" and its many faceted security and safety ramifications, I think that we often fail to divorce a government's need (or even expectation) to conduct espionage and what would logically be covered by the articles (and declaration) of war. Granted it all gets a bit fuzzy &#8212; just look at the history of the "Cold War". Perhaps a more appropriate name for the current situation and tensions would be "Cyber <a href="http://en.wikipedia.org/wiki/Realpolitik">Realpolitik</a>".
</p>
<p>
China is often depicted as the bogeyman &#8212; rightly or wrongly &#8212; when it comes to cyber espionage. We increasingly find ourselves drawn into a debate of whether attacks which are instigated or traced back to the country are state-sponsored, state-endorsed, socially acceptable, or merely the patriotic duty of appropriately skilled citizens. The fact of the matter though is that there's a disproportionate volume of cyber-attacks and infiltration attempts coming from China, targeting North American and European commercial institutions. You may argue that this is an artifact of China's population but, if that was the case, wouldn't India feature more highly then? India is more populous and arguably has a better developed education system in the field of information technology and software development &#8212; and yet they are rarely seen on the totem pole of threat instigators.
</p>
<p>
Michael Hayden alludes that China (and other countries) is not opposed to using cyber espionage for commercial advancement and profit, and based upon past observations, I would tend to agree with that conclusion. That said though, I don't think that any country is immune to the temptation. Given the hoopla of the recent U.S. <a href="http://articles.businessinsider.com/2011-11-14/politics/30396448_1_stock-market-market-moving-information-trades">congressional insider trading fiasco</a> and <a href="http://www.bbc.co.uk/news/world-europe-16194089">French presidential corruption</a>, I'm not sure that "self limit" approaches work in all cases.
</p>
<p>
Cyber Realpolitik is the world we find ourselves living in and cyber espionage is arguably the latest tool in a government's clandestine toolkit. We could consume a lot of time debating the ethics and outcomes of modern espionage campaigns but, at the end of the day, it's a facet of international politics and governmental needs that have existed for millennia. For those commercial entities being subjected to the cyber campaigns directed at them by foreign governments, I don't believe this threat will be going away anytime in the foreseeable future. Perhaps the noise surrounding the attacks may disappear, but that may just reflect an increase in stealthiness.
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2011-12-16T16:34:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>security</category>
		</item>
		
		<item>
			<title>2012 Security Predictions: APT&apos;s, Mobile Malware and Botnet Takedowns</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/</guid>
			<link>http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/</link>
			<description><![CDATA[<p>As the weeks remaining in 2011 dwindle and 2012 peeks out from behind the last page of the calendar, it must once again be that time of year for purposeful reflection and prediction. Or is that navel gazing and star gazing?
</p>
<p>
The year still has a couple of weeks to rock on before we can comprehensively summarize the events and trends of 2011. I'm sure there will be a bunch of annual threat reports preempting the end of year &#8212; extrapolating trends etc. in order to get the jump on reports that use real data. At the highest level of navel gazing you could probably sum up 2011 with one word &#8212; "More". The bad guys got richer, more successful, invented a few new attack vectors, and generally grew in numbers; meanwhile the good guys got more efficient at causing the bad guys pain, but continued to be outspent by the bad guys.
</p>
<p>
But let's put that aside for now. What does 2012 hold in store for us?
</p>
<p>
It's easy enough to predict the future when you're merely commenting upon the trends of past years and projecting "more" of the same. While I can offer no shortage of meaningful predictions for 2012 across a broad range of threat and security categories, I thought it would be fun to pick three topics that stole much of the limelight of 2011 &#8212; Advanced Persistent Threats (APT's), mobile malware and botnet takedowns.
</p>
<p>
So, without further ado, here are a handful of predictions for 2012.
</p>
<p>
<strong>APT Bonanza</strong>
</p>
<p>
The volume of persistent attacks directed at large corporations will continue to increase and the victims will continue to feel as though they have been specifically targeted. There will thus be a presumption of sophistication to successful penetrations, which will lead to more organizations concluding that they have been the victim of an APT &#8212; which, after more detailed analysis and external input, will increasingly be revealed as false claims.
</p>
<ul><li>More attacks will be labeled as APT's due to misunderstanding by the victims, or because of an implied "get out of jail" tactic when public disclosure of the breach is mandated by law.</li>
<li>External analysts and security firms will dedicate more time and resources to analyzing breaches that are disclosed as "APT's", and will be more vocal in correcting false claims.</li>
<li>A growing unease will be attributed to the "cry wolf" mentality of labeling breaches as APT's throughout the year.</li>
<li>Real APT attacks will increasingly be lost in the noise of falsely-claimed APT's, and the sophisticated attackers will be able to further obfuscate the intent of their attacks.</li></ul>
<p>
<strong>Mobile Malware threats will continue to be misunderstood</strong>
</p>
<p>
Mobile malware will divide into two streams &#8212; Smartphone malware and tablet crimeware. Both mobile malware streams will be similarly unimpressive from a threat sophistication perspective, however their criminal intent will direct their evolutionary changes. Tablet crimeware will develop at a faster pace than Smartphone malware in 2012 as the opportunities to defraud potential victims on tablet systems grow quicker.
</p>
<ul><li>The hype around mobile malware will continue to exceed the threat and the cybercriminals' capabilities in 2012 &#8212; but the cybercriminals and security researchers will strive to meet that hype.</li>
<li>As mobile systems become more usable for day-to-day financial transactions and online stores tune their shopping portals for larger-screened mobile devices, cybercriminals will increasingly target these platforms. This crimeware (and injection vectors) will be more "traditional" and a closer facsimile of current generation PC-based crimeware capabilities than many have projected in the past.</li>
<li>Smartphones, long seen as "the" mobile threat vector and with the longest history of malware abuse (e.g. Symbian-based malware and premium-rate fraud), will technically be susceptible to the same malware as that affecting tablet systems &#8212; but will not be the primary target of attack.</li>
<li>Cybercriminals that develop malware specifically for Smartphones will increasingly target the devices for propagation purposes &#8212; seeking to infect other (traditional) corporate systems and to breach corporate VPN's.</li>
<li>In the corporate realm, the Bring-Your-Own-Device (BYOD) consumerization of IT will entice cybercriminals that target enterprise networks to innovate new attack and propagation vectors. Throughout 2012 new vectors will be theorized and may be developed as proof-of-concept tools, but the hype will be bigger than reality because there are technical hurdles within the operating systems of the mobile devices that have yet to be overcome.</li>
<li>Security conferences of a Black Hat ilk throughout 2012 will uncover and illustrate new vectors that subvert the underlying mobile device operating systems that will be leveraged in the 2013 timeframe for the targeted propagation of crimeware via BYOD.</li>
<li>The traditional invasive and "scary" mobile malware capabilities (e.g. eavesdropping on the victim's calls, tracking the device owner, etc.) will not advance in 2012 and will continue to be potential capabilities rather than primary objectives for attackers.</li>
<li>The first generation of commercial "DIY" mobile crimeware construction and attack tools will be developed and sold by enterprising cybercriminals.</li>
<li>Large scale botnets will not exist on the mobile platforms in 2012. There will be several "proof-of-concept" botnet implementations and theoretical attacks but, from an overall global threat perspective, they will be insignificant.</li></ul>
<p>
<strong>Botnet takedowns will be ineffective</strong>
</p>
<p>
Despite a number of public and media-hyped botnet takedowns in 2011, and the prospect of increased takedowns in 2012, the overall impact on cyber-criminal operations will decrease. In response to the 2011 takedowns, cybercriminals will change some of their management tactics, further distribute their command-and-control (C&amp;C) infrastructure, and invest in improved and more diverse infection vector operations.
</p>
<ul><li>Professional criminals who build and monetize botnets will invest in more robust crimeware distribution technologies and services. The capability to infect 10,000+ computers per day will be more important than the marginal loss of 3-year old botnets with only a few hundred thousand infected devices.</li>
<li>Botnet C&amp;C infrastructure will continue to become more agile &#8212; flitting between domain names, IP addresses and physical locations at an increasing pace. In 2011 this agility was measured in weeks; by the end of 2012 it will be measured in hours.</li>
<li>Botnet operators will add more layers between themselves and their victims. In 2011 cybercriminals increasingly adopted the use of commercial anonymous VPN services to connect to their C&amp;C servers, and deployed C&amp;C proxies between the botnet victims and the real C&amp;C servers. In 2012 we can expect this trend to continue and there is a high probability that multiple layers of C&amp;C proxies will be adopted to further protect the cybercriminals' C&amp;C investment.</li>
<li>Noisy botnets (i.e. Spam botnets and DDoS) will continue to be the focus of legal botnet takedowns. In response, cybercriminals will in most cases reduce the noise of their botnets and will also further segment their botnets to ensure that the entire botnet is not lost in a single takedown operation.</li>
<li>Botnet takedown attempts will become more "risky" as the takedown entities become more comfortable with the process. Risk will be introduced as the entities pursue remote clean-up and remediation of victim devices.</li>
<li>"Good guy" botnet remediation services will become a commercial reality in 2012. As multiple security vendors and academic institutions focus upon the botnet menace, they will uncover more vulnerabilities lying within the heart of both the botnet malware and the C&amp;C portal software. There will be growing pressure to exploit these vulnerabilities for the purpose of usurping control of the botnet from the cybercriminals' hands and to issue appropriate shutdown and uninstall commands directly from the compromised C&amp;C servers.</li></ul>
<p>
I wonder how many of these predictions will come to fruition? I guess we'll find out in 380 days.
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2011-12-14T06:14:01-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>mobile</category><category>security</category>
		</item>
		
		<item>
			<title>Security, Privacy Issues and USB Drives</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111208_security_and_privacy_issues_and_usb_drives/</guid>
			<link>http://www.circleid.com/posts/20111208_security_and_privacy_issues_and_usb_drives/</link>
			<description><![CDATA[<p>An <a href="http://www.cso.com.au/mediareleases/13432/malware-uncovered-on-66-of-usb-keys-lost-on/">article</a> on CSO.com.au covers a report from Sophos Australia. The anti-virus software company had bought 50 USB drives for analysis at a public transport auction of devices left on the Sydney trains. When they wrote that 66% were infected with malware, I presumed that they were left behind consciously, but were they?
</p>
<p>
<strong>Loss of privacy-sensitive data</strong>
</p>
<p>
No, apparently not. The article was mainly about privacy issues: people are unaware of the risks they run when they do not secure their devices. The article gives a summary of the content lost this way. Yes, this is a very important issue. We have heard about large losses of privacy-sensitive data and military secrets on lost devices (and discs) in the recent past. Cyber awareness, and the sense that privacy is a serious issue in cyberspace, is still at a low ebb with a lot of people.
</p>
<p>
<strong>But what if?</strong>
</p>
<p>
The article gave rise to some reflection on my part.
</p>
<p>
<em>1. The amount of malware on the USB drives</em>
<br />
a. Was this in place when bought, or
<br />
b. Is this a clear sign of the number of PCs/laptops infected?
</p>
<p>
<em>2. Spreading USB drives as a source of infections</em>
<br />
With the price of USB drives as low as it is, this is a way to infect other devices quickly, whether through infection at the manufacturer or through distributing some devices on trains and in other public places.
</p>
<p>
<strong>Mandatory pre-checks. A solution?</strong>
</p>
<p>
What about issuing, by law, information on how USB devices (external hard disks, etc.) can be checked before use, in combination with the devices not working until the mandatory check has been done? Is this feasible or technically possible? It's worth considering if society wants to be more secure.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2011-12-08T07:50:01-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>law</category><category>malware</category><category>policy_regulation</category><category>security</category>
		</item>
		
		<item>
			<title>White House Announces Agenda for Game&#45;Changing Cybersecurity R&amp;D</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111206_white_house_announces_agenda_for_game_changing_cybersecurity/</guid>
			<link>http://www.circleid.com/posts/20111206_white_house_announces_agenda_for_game_changing_cybersecurity/</link>
			<description><![CDATA[<p><img src="http://www.circleid.com/images/uploads/6186.jpg" border="0" width="250" height="333" style="float:right;padding:0 0 5px 15px;" />The United States White House Office of Science and Technology Policy (OSTP) has released a new report titled, <em>Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program</em>, specifying an agenda for "game-changing" cybersecurity R&amp;D according to an official <a href="http://www.cccblog.org/2011/12/06/white-house-unveils-cybesecurity-rd-roadmap/">announcement</a> today. The report is described as "a roadmap to ensuring long-term reliability and trustworthiness of the digital communications network that is increasingly at the heart of American economic growth and global competitiveness."
</p>
<p>
This plan has defined the following as four strategic thrusts:
</p>
<p>
1. Inducing Change &ndash; using game-changing themes to understand the root causes of existing cybersecurity deficiencies with the goal of disrupting the status quo;
</p>
<p>
2. Developing Scientific Foundations &ndash; minimizing future cybersecurity problems by developing the science of security;
</p>
<p>
3. Maximizing Research Impact &ndash; catalyzing coordination, collaboration, and integration of research activities across Federal agencies for maximum effectiveness; and
</p>
<p>
4. Accelerating Transition to Practice &ndash; expediting improvements in cyberspace from research findings through focused transition programs.
</p>]]></description>
			<dc:date>2011-12-06T12:22:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>security</category>
		</item>
		
		<item>
			<title>FBI Warns of Cyberattacks Against Banks &#45; Aided by Variant of Zeus Trojan Called &apos;Gameover&apos;</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/fbi_warns_of_cyberattacks_against_banks_zeus_trojan_gameover/</guid>
			<link>http://www.circleid.com/posts/fbi_warns_of_cyberattacks_against_banks_zeus_trojan_gameover/</link>
			<description><![CDATA[<p>The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called 'Gameover.'
</p><p><strong>Read full story:</strong> <a href="http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/">Krebs on Security</a></p>]]></description>
			<dc:date>2011-12-01T15:36:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>security</category>
		</item>
		
	</channel>
</rss>
