<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Cybercrime</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Cybercrime related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2013, unless where otherwise noted.</dc:rights>
		<dc:date>2013-06-18T17:56:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>Provoking National Boundaries on the Internet? A chilling thought&#8230;</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130618_provoking_national_boundaries_on_the_internet_a_chilling_thought/</guid>
			<link>http://www.circleid.com/posts/20130618_provoking_national_boundaries_on_the_internet_a_chilling_thought/</link>
			<description><![CDATA[<p>The impact of the recently revealed US government data collection practices may go well beyond the privacy ramifications <a href="http://www.internetsociety.org/news/internet-society-statement-importance-open-global-dialogue-regarding-online-privacy">outlined in the Internet Society's statement:</a> expect a chilling effect on global, resilient network architecture. As governments of other countries realize how much of their citizens' traffic flows through the US, whether or not it is destined for any user or service there, expect to see moves to curtail connections to and through the US.
</p>
<p>
Let's consider how it happens. The reality is that it may be cheaper, easier, and faster to send a packet from Vancouver (Canada) to Toronto (Canada) via Seattle (United States) than any all-Canadian route &#8212; but that makes the traffic subject to US inspection.
</p>
<p>
Or, many international connections out of Latin America terminate in Miami, because that provides the most direct link to all other continents. But, that means traffic from Santiago (Chile) to London (UK) may well pass through the US and be subjected to US government inspection/collection.
</p>
<p>
The first situation can be addressed by building more Internet exchange points (IXPs) to make it economically viable to keep Canadian Internet traffic in Canada. The second is a little harder to address without moving continents closer together, although it is reasonable to expect that some other, non-US location will emerge as a preferred nexus for Latin American inter-continental traffic.
</p>
<p>
But, before we conclude this is just a messy and expensive question of network operators changing their connections, it's important to take a step back and think about what this means for a resilient, robust Internet.
</p>
<p>
The Internet was not designed to recognize national boundaries. It's not being rude &#8212; it just wasn't relevant. Resiliency<sup>1&amp;2</sup> is achieved through diversity of infrastructure. Having multiple connections and different routes between key points ensures that traffic can "route around" network problems &#8212; nodes that are off the air because of technical, physical, or political interference, for example. We've seen instances where countries are impacted by disaster but at least some of that country's websites remain accessible: if the ccTLD has a mirror outside the impacted network, and if the websites are hosted/mirrored elsewhere, they're still accessible. This can be incredibly important when a natural disaster occurs and there is a need to be able to get to local resources.
</p>
<p>
The more there is a push to retrofit the Internet to align with national borders for the sake of maintaining apparent control over all the resources (as opposed to considered network architectural reasons), the more we run the risk of undermining the diversity that gives the Internet the resiliency it has today. The Internet works through collaboration; making decisions on the assumption of territorial boundaries weakens it at every step.
</p>
<p>
For certain, there are legitimate concerns that policymakers have about the security of their networks and the privacy of their citizens. In developing policies to address these concerns, it's important that policymakers bear in mind that resiliency is a key component of security, trust and interoperability. As one of those considerations, the impact on network resiliency should be properly weighed as a negative side effect when proposing the kind of broad-scale tracking that the US is apparently doing.
</p>
<p>
On the Internet, no nation is an island.
</p>
<p>
<em>This blog post originally appeared on the Internet Society's Internet Technology Matters blog: <a href="http://www.internetsociety.org/blog/tech-matters">http://www.internetsociety.org/blog/tech-matters</a></em>
</p>
<p>
<span class="footNotes"><sup>1</sup> <a href="https://wiki.ittc.ku.edu/resilinets_wiki/index.php/Definitions#Resilience">https://wiki.ittc.ku.edu/resilinets_wiki/index.php/Definitions#Resilience</a>
<br />
<br /><sup>2</sup> <a href="http://www.internetsociety.org/what-we-do/issues/security">http://www.internetsociety.org/what-we-do/issues/security</a></span>
</p><p><em>Written by <a href="http://www.circleid.com/members/7024/">Leslie Daigle</a>, Chief Internet Technology Officer</em></p>]]></description>
			<dc:date>2013-06-18T17:56:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>MarkMonitor Named a Top Trusted Website in OTA&apos;s 2013 Online Trust Honor Roll</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130614_markmonitor_named_top_trusted_website_in_otas_2013/</guid>
			<link>http://www.circleid.com/posts/20130614_markmonitor_named_top_trusted_website_in_otas_2013/</link>
			<description><![CDATA[<p>MarkMonitor&reg;, the world leader in enterprise <a href="https://www.markmonitor.com/solutions/overview-BP.php" target="_blank">brand protection</a> and part of Thomson Reuters, has announced it is a recipient of the <a href="https://otalliance.org/resources/Incident.html" target="_blank">Online Trust Alliance (OTA)</a> <a href="https://otalliance.org/2013honorroll.html" target="_blank">2013 Online Trust Honor Roll</a> for demonstrating exceptional data protection, privacy and security in an effort to better protect its brand and customers from the increased threats of cybercriminals.
</p>
<p>
"Integral to creating and maintaining a powerful brand is defending the brand from abuse that might otherwise adversely affect consumers' trust. At MarkMonitor, we believe a holistic approach &#8212; encompassing systematic prevention, detection and rapid response across all aspects of online brand abuse &#8212; is most effective at defending global brands. We highly value the trust our customers place on our approach to safeguard their brands in digital channels," said Frederick Felman, chief marketing officer, MarkMonitor. "We are honored to be recognized by the Online Trust Alliance for the third year for our commitment towards online safety and consumer trust."
</p>
<p>
OTA, a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive audits analyzing more than 750 domains and privacy policies, approximately 10,000 web pages and more than 500 million emails for this report. The composite analysis included over a dozen attributes focusing on 1) site &amp; server security, 2) domain, brand, email and consumer protection, and 3) privacy policy and practices. In addition to the in-depth analysis of their web sites, the companies' DNS records and outbound email were examined, and public records were checked for recent data breach incidents and FTC settlements. Key sectors audited include the Internet Retailer 500, FDIC 100, Top 50 Social Sites as well as OTA members.
</p>
<p>
"Consumers are trading billions of pieces of personal data in exchange for desired services. They rely on the integrity of the businesses collecting and storing this information to protect them," said Craig Spiezle, president and executive director of the Online Trust Alliance. "We are very pleased with the voluntary level of adoption many consumer-facing websites implemented this year that went above and beyond baseline compliance."
</p>
<p>
Nearly a third of the companies reviewed made the Honor Roll, including MarkMonitor. The report indicates that company size and/or sales are not true measures of the level of security and privacy a company implements. "All companies are equally evaluated by the same criteria regardless of size. We have seen large e-retailers with significant sales fail to make the Honor Roll; conversely we have seen small to mid-size companies taking top grades," said Spiezle.
</p>
<p>
Started in 2005 as an effort to drive adoption of best practices, the objectives of the Honor Roll are to 1) recognize leadership and commitment to best practices which aid in the protection of online trust and confidence in online services, 2) Enable businesses to enhance their security, data protection and privacy practices, 3) Move from compliance to stewardship, demonstrating support of meaningful self-regulation, and 4) Promote security &amp; privacy as part of a company's brand promise and value proposition.
</p>
<p>
Being named to the 2013 Honor Roll is a significant achievement considering the large number of companies that received failing marks for inadequate domain and consumer protection (22%), insecure websites (11%), and inadequate privacy policies or data collection practices (35%).
</p>
<p>
To review the full 2013 Honor Roll report, please download a free copy at:
<br />
<a href="https://otalliance.org/2013honorroll.html" target="_blank">https://otalliance.org/2013honorroll.html</a>
</p>]]></description>
			<dc:date>2013-06-14T10:55:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Intelligence Exchange in a Free Market Economy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130611_intelligence_exchange_in_a_free_market_economy/</guid>
			<link>http://www.circleid.com/posts/20130611_intelligence_exchange_in_a_free_market_economy/</link>
			<description><![CDATA[<p><em>Speaking on behalf of myself,</em>
</p>
<p>
Dear U.S. Government:
</p>
<p>
I was reading some interesting articles the past few weeks:
</p>
<p>
<a href="http://www.reuters.com/article/2013/05/15/us-cyber-summit-flaws-idUSBRE94E11B20130515?irpc=932" target="_blank">http://www.reuters.com/article/2013/05/15/...</a>
<br />
<a href="http://www.networkworld.com/news/2013/051713-experts-ding-dhs-vulnerability-sharing-269889.html" target="_blank">http://www.networkworld.com/news/2013/...</a>
<br />
<a href="http://www.securityweek.com/dhs-share-zero-day-intelligence" target="_blank">http://www.securityweek.com/dhs-share-zero-day-intelligence</a>
<br />
<a href="http://www.csoonline.com/article/733557/experts-ding-dhs-vulnerability-sharing-plan-as-too-limited" target="_blank">http://www.csoonline.com/article/733557/...</a>
<br />
<a href="http://www.dhs.gov/enhanced-cybersecurity-services" target="_blank">http://www.dhs.gov/enhanced-cybersecurity-services</a>
</p>
<p>
and with the understanding that:
</p>
<ul><li>my livelihood right now depends on building tools that facilitate data-sharing and trust relationships</li>
<li>I'm sure there are misunderstandings in the reporting</li>
<li>this process requires some level of sustainability to be effective</li>
<li>this process requires some extra care with respect to sensitivity, legal and ethical constraints (not to mention cultural implications)</li></ul>
<p>
The USG is doing a huge disservice to protection and defense in the private sector (80%+ of CIKR<sup>1</sup>) by creating an ECS that contains a monetary incentive for a few large players to exert undue control over the availability, distribution, and cost of security threat indicators. While there may be a legitimate need for the federal government to share classified indicators with entities protecting critical infrastructure, the over-classification of indicator data is a widely recognized issue that presents real problems for the private sector. ECS as currently construed creates monetary incentives for continued or even expanded over-classification.
</p>
<p>
The perception of a paid broker-dealer relationship with the USG sets a very unsettling precedent. Private citizens are already concerned about the relationship between the intelligence community and the private sector, and these types of stories do very little to clear up the FUD. Compounded with the lack of transparency about what constitutes classified data, how it protects us, and the relationship agreement between the entities sharing the data, this type of program could do much more economic harm than good. Many private sector orgs have indicators that the USG would find useful, but have given up trying to share them. The current flow, in which we would send data through competitors to get it to the USG, would never scale well in a free-market economy.
</p>
<p>
<strong>The network</strong>
</p>
<p>
As with the "PDF sharing programs" of the past (err&#8230; present?), it also appears to be a system that adds cost to the intelligence network with the addition of each new node, rather than reducing it. High barriers to entry for any network reduce that network's effectiveness, and in a free market economy, eventually isolates those nodes from the greater network where the barrier to entry is lower. I get it, I understand why certain things are happening, I'm arguing that it's NOT OK. My intent is to widen the dialog a bit to see where we, as an operational community can step up and start doing a better job of leading, instead of allowing the divide between the USG community and the operational community to widen.
</p>
<p>
Before tackling ECS, the USG should address the over-classification issue head on. It should establish efficient and effective means for engaging with the existing operational information exchanges that are working now in the private sector. The indicators most useful to the non-government community are not classified, and in my understanding much of the classified intel is classified because of its "source, method and/or attribution", not the threat data itself. Finding a way to mark the data appropriately and then share it directly with a (closed) community would be a good thing. Washing the data through a classified pipe does nothing to make it more useful to the unclassified community. While the problem of exchanging classified intelligence still exists, figuring out how to scale exchange in the unclassified environment will do more to solve scaling it in a classified environment (more players can help solve similar problems across many spaces).
</p>
<p>
<strong>Economics</strong>
</p>
<p>
In my opinion, we should be leveraging existing, trusted security operational fabrics such as the ISC (SIE), TeamCymru, Shadowserver, Arbor Networks, Internet Identity, the APWG and the ISACs (to name a few, based on the most recent industry-wide effort, the DNS Changer botnet takedown) that have facilitated great public/private partnerships in the past<sup>2</sup>. Leveraging this existing framework for intelligence exchange would have been a much more valuable investment than what this is perceived to be, or what development has taken place thus far. There are also a number of ISPs<sup>3</sup> who actively pursue a better, cleaner internet and have proven to be great partners in this game.
</p>
<p>
The tools and frameworks for this type of intelligence sharing have existing, semi-developed (but workable) economic models and, more importantly, they consist of those who actually run the internet (ISPs, DNS providers, malware researchers, a/v companies, large internet properties, financial institutions, international law enforcement, policy advisors (ICANN/ARIN/etc.) and other sector-based CSIRTs). These operational communities have already taken down botnets, put people in jail and, by some estimates, saved the economy billions of dollars at a global scale over the last few years. The process has proven to work and scale, and is rapidly maturing.
</p>
<p>
It is my opinion that a subsection of USG agencies is falling behind in the realm of intelligence exchange with the operations space. The rest of the world is moving towards full-scale automation of this exchange across political boundaries and entire cultures, all while finding unique and interesting, market-friendly ways of reducing our "exchange costs". As a nation, we're at a crossroads. There are operational folks within the USG who actively participate in these communities, help make the Internet safer, and "do the right thing". There are elements within the USG (mainly on the "national security" side) that appear to operate in isolation.
</p>
<p>
The argument I'm sure to hear is "well, wait, we're working on that!". In my opinion, whatever "that" is, is mostly a re-invention of existing technologies and frameworks that will mostly only ever be adopted by those that get funding in the .gov space to implement it, which still isolates the USG from what the rest of the operational community is already doing. Competition of ideas is good, it encourages innovation and all, but it's something we should be taking a hard look at and asking if it's the best use of our limited resources&#8230;
</p>
<p>
I've been pitched my own ideas from enough belt-way startups that it almost makes me want to scream&#8230; almost.
</p>
<p>
<strong>The bigger picture</strong>
</p>
<p>
My concern is that it's becoming evident that the decision makers for some agencies are making choices that could ultimately isolate their operational folks from the rest of the operational world (whether in terms of principle, trust, fear of legal action, etc.). As private industry progresses and parts of the USG fall further and further behind, this can only hurt us as a nation, and as a culture.
</p>
<p>
My suggestions:
</p>
<ul><li>fix the classification problem with respect to non-attribution type threat intelligence</li>
<li>parallel to the classified sharing projects, DHS should be working more aggressively with the rest of industry with as much unclassified intel as possible, to figure out where we can bridge the gaps</li>
<li>encourage participation with things like the NCFTA, SIE, TeamCymru, ArborNetworks, Shadowserver, Internet Identity, the APWG and the ISACs when working to share intelligence, not through private 3rd parties who have a noted history as the industry standards for operationalizing and disseminating threat intelligence.</li>
<li>encourage long term participation with the FBI at NCFTA, take lessons learned from their adventures in intelligence sharing and locking up bad-guys.</li></ul>
<p>
If you want to be more successful (reads: we <em>want</em> you to be more successful), don't put so much emphasis on standards or how to disseminate classified information, and more on how to aggressively share unclassified intel with your constituents. We have lots of data we'd like to share with you to help protect our national investments. If the USG can get to that place (without invoking something like CISPA, which makes zero sense in a free market economy), the classified problem will solve itself, while only accounting for .001% of the data being shared (reads: will not be such a distraction).
</p>
<p>
I know some in the USG understand this and are fighting the good fight, but it's clear that not enough at the higher levels of government do (reads: have you written your elected officials lately?). When you combine this with a haphazard style of reporting (terrible at best) and the lack of a clear message (reads: translucency), these types of ill perceptions can run rampant and do more economic harm than good to the national process.
</p>
<p>
I personally will be pushing harder in the coming months on figuring out how we, as the operational community, can do more to bring USG folks into the fold in terms of building out more sustainable operational relationships, and on facilitating ways we can share classified intel more aggressively in the future. My goal is that in the coming year or two we can change the culture of over-classification while bridging the gap with the rest of the operational industry when it comes to protecting the internet. In order to protect ourselves from economic threats that vastly outweigh our individual business models, there has to be a better solution than the [perceived?] sale of classified intel.
</p>
<p>
Why we're re-inventing the wheel, and why our federal government clamors for "the need to share intel with industry" but appears not to be listening, at least to the right people, who have a good record of sharing highly sensitive intelligence globally and operationalizing it ... is beyond me. Washington is a very large echo chamber, and such a large economy unto itself, that sometimes I feel like the process can drown out what's going on just a few miles down the road.
</p>
<p>
Sincerely,
</p>
<p>
Wes.
</p>
<p>
<span class="footNotes"><sup>1</sup> <a href="http://www.dhs.gov/blog/2009/11/19/cikr" target="_blank">http://www.dhs.gov/blog/2009/11/19/cikr</a>
<br />
<br /><sup>2</sup>
<br />
<a href="http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911">http://www.fbi.gov/news/stories/2011/november/malware_110911/...</a>
<br />
<a href="http://www.dcwg.org/isps/">http://www.dcwg.org/isps/</a>
<br />
<a href="http://www.dcwg.org/detect/">http://www.dcwg.org/detect/</a>
<br />
<a href="http://www.nytimes.com/2009/03/19/technology/19worm.html?_r=0">http://www.nytimes.com/2009/03/19/technology/...</a>
<br />
<a href="http://krebsonsecurity.com/2012/05/microsoft-to-botmasters-abandon-your-inboxes/#more-14907">http://krebsonsecurity.com/2012/05/microsoft-to-botmasters-abandon-your-inboxes/...</a>
<br />
<br /><sup>3</sup> As denoted at the bottom of <a href="http://www.dcwg.org/detect">http://www.dcwg.org/detect</a>:
<br />
<br />&bull; AT&amp;T
<br />
&bull; Bell Canada
<br />
&bull; Century Link
<br />
&bull; Comcast
<br />
&bull; COX
<br />
&bull; Shaw Communications
<br />
&bull; Telecom Italia
<br />
&bull; Time Warner
<br />
&bull; Verizon</span>
</p><p><em>Written by <a href="http://www.circleid.com/members/7039/">Wes Young</a>, Security Architect</em></p>]]></description>
			<dc:date>2013-06-11T10:09:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>security</category>
		</item>
		
		<item>
			<title>Liberty Reserve Now, Bitcoin Next?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130529_liberty_reserve_now_bitcoin_next/</guid>
			<link>http://www.circleid.com/posts/20130529_liberty_reserve_now_bitcoin_next/</link>
			<description><![CDATA[<p>The papers have been abuzz with the <a href="http://www.washingtonpost.com/blogs/wonkblog/wp/2013/05/28/feds-shut-down-payment-network-liberty-reserve-is-bitcoin-next/">shutdown of Liberty Reserve</a>, an online payments system, due to accusations of large scale money laundering via anonymous transactions. Many people have noted similarities between LR and Bitcoin and wonder whether Bitcoin is next. I doubt it, because with Bitcoin, nothing is anonymous.
</p>
<p>
Liberty Reserve was designed to make it extremely difficult to figure out who paid what to whom. Accounts were anonymous, identified only by an email address and an unverified birth date. Users could direct LR to move funds from their account to another, optionally (and usually) blinding the transaction so the payee couldn't tell who the payor was. But users couldn't transfer money in or out of LR directly. LR sold credits in bulk to a handful of exchangers, who handled purchases and sales. So to put money in, you'd contact an exchanger to buy some of their LR credits, which they would then transfer to your account. To take money out, you'd transfer LR credits to an exchanger who would in turn pay you. Nobody kept transaction records, so payments to exchangers couldn't be connected to the LR accounts they funded, there was no record of where the credits in each LR account came from, and outgoing payments from exchangers couldn't be connected to the accounts that funded those payments. This was an ideal setup for drug deals and money laundering, not so much for legitimate commerce.
</p>
<p>
Bitcoins are not like that. The wallets, analogous to accounts, are nominally anonymous, but the bitcoins aren't. Every wallet has a public address, every transaction is publicly logged, and each bitcoin can be traced back through the chain of transactions that carried it. It's as though you did all your buying and selling with $100 bills, but for each transaction the serial number of each bill and the two wallets involved were published with a timestamp for all the world to see. (This is also how Bitcoin prevents double spending: the payee checks the public log to confirm that the payor minted or received the bitcoins and hasn't already paid them to someone else.) This makes truly anonymous transactions very hard.
</p>
<p>
Multiple transactions from the same wallet are trivially linked, so if the counterparty in any of your transactions knows who you are, all the transactions from that wallet are known to be you. This is roughly the same problem with using a prepaid debit card or throwaway cell phone purchased for cash &#8212; if one of the people you buy something from, or one of the people you call knows who you are, your cover is blown. While it's possible to obscure the situation by using multiple wallets, if you transfer bitcoins from one wallet to another, that transaction is public, and a sufficiently determined analyst can likely figure out they're both you. Doing all of your transactions so that the other party can't identify you is very hard, unless you're the kind of person who wears a different ski mask each time he buys groceries.
</p>
<p>
There have been some widely publicised thefts of large numbers of bitcoins, in one case by installing malware on the owner's PC which was visible on the Internet and using the malware to transfer bitcoins out of his wallet. But the thief hasn't spent the loot and probably never will, because everyone knows the serial numbers of the stolen bitcoins, and nobody will accept them for payment. This is sort of like unsalable stolen famous paintings, except that there's no analogy to the rich collector who'll buy the art and never show it to anyone else, because, frankly, bitcoins aren't much to look at. Again, the bitcoins aren't anonymous.
</p>
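<p>
To make the linkage and taint arguments in the preceding paragraphs concrete, here is a small added example (not part of the original post, and not real chain data) that models a public ledger as a transaction graph. It validates transactions against the double-spend rule the payee relies on, clusters addresses that are spent together in a single transaction (the common-input-ownership heuristic used by blockchain analysts), shows how one counterparty who knows who you are exposes the whole cluster, and propagates a "stolen" marking forward so that anything paid out of the loot can be refused. All addresses, transaction ids and amounts below are constructed for the illustration.
</p>

```python
"""Toy transaction-graph analysis of a public ledger.

Added example, not part of the original post.  The ledger, addresses,
transaction ids and amounts below are constructed for illustration and
are not real chain data.  Each transaction spends earlier outputs
("outpoints", written txid:index) and creates new outputs (address, amount).
"""
from collections import defaultdict

# Constructed ledger, in chain order: (tx_id, inputs, outputs)
#   inputs  = outpoints being spent ([] for a minting transaction)
#   outputs = list of (address, amount)
LEDGER = [
    ("tx1", [],                 [("A1", 10)]),            # mint to Alice's A1
    ("tx2", [],                 [("A2", 7)]),             # mint to Alice's A2
    ("tx3", [],                 [("V1", 20)]),            # mint to victim V1
    ("tx4", ["tx1:0"],          [("M1", 4), ("A1", 6)]),  # A1 pays merchant M1, change to A1
    ("tx5", ["tx4:1", "tx2:0"], [("P1", 13)]),            # A1 and A2 spent together
    ("tx6", ["tx3:0"],          [("T1", 20)]),            # malware drains V1 to thief's T1
    ("tx7", ["tx6:0"],          [("X1", 19), ("T2", 1)]), # thief pays exchange X1, change to T2
    ("tx8", ["tx1:0"],          [("Z1", 10)]),            # tx1:0 spent again: double spend
]


def validate(ledger):
    """Accept transactions in order, rejecting any that spends an outpoint
    that does not exist or has already been spent.  This is the check a
    payee makes against the public log before accepting payment."""
    unspent, accepted = set(), []
    for tx_id, inputs, outputs in ledger:
        if len(set(inputs)) != len(inputs) or any(op not in unspent for op in inputs):
            continue
        unspent.difference_update(inputs)
        unspent.update(f"{tx_id}:{n}" for n in range(len(outputs)))
        accepted.append((tx_id, inputs, outputs))
    return accepted


def outpoint_addresses(txs):
    """Map every outpoint in the accepted ledger to the address that received it."""
    return {f"{tx_id}:{n}": addr
            for tx_id, _, outputs in txs
            for n, (addr, _) in enumerate(outputs)}


def cluster_addresses(txs):
    """Group addresses by the common-input-ownership heuristic: all inputs of
    one transaction are assumed to be controlled by the same party.  Returns a
    list of frozensets, one per cluster."""
    owner_of = outpoint_addresses(txs)
    parent = {addr: addr for addr in owner_of.values()}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for _, inputs, _ in txs:
        spenders = [owner_of[op] for op in inputs]
        for other in spenders[1:]:
            parent[find(other)] = find(spenders[0])
    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def deanonymize(clusters, known):
    """Given counterparties' knowledge of a few addresses ({address: name}),
    return the identity of every address in the same cluster."""
    result = {}
    for cluster in clusters:
        names = {known[a] for a in cluster if a in known}
        if len(names) == 1:
            name = names.pop()
            result.update({a: name for a in cluster})
    return result


def tainted_addresses(txs, stolen_outpoints):
    """Propagate a 'stolen' marking forward: every output of a transaction that
    spends a tainted outpoint is itself tainted.  Because the ledger is in chain
    order and validated, a single pass suffices.  Returns the receiving addresses."""
    owner_of = outpoint_addresses(txs)
    tainted = set(stolen_outpoints)
    for tx_id, inputs, outputs in txs:
        if any(op in tainted for op in inputs):
            tainted.update(f"{tx_id}:{n}" for n in range(len(outputs)))
    return {owner_of[op] for op in tainted}


if __name__ == "__main__":
    chain = validate(LEDGER)
    print("accepted:", [t[0] for t in chain])              # tx8 is rejected
    clusters = cluster_addresses(chain)
    print("clusters:", [sorted(c) for c in clusters])
    # The merchant at M1 shipped goods to Alice, so it knows A1 is hers.
    print("identities:", deanonymize(clusters, {"A1": "Alice"}))
    # Everyone can see tx6 emptied V1; the exchange at X1 can refuse tx7's coins.
    print("tainted:", sorted(tainted_addresses(chain, {"tx6:0"})))
```

<p>
Running the script shows the three points of the post on one constructed ledger: tx8 is rejected because tx1:0 was already spent in tx4; A1 and A2 fall into one cluster because tx5 spends them together, so the merchant's knowledge that A1 is Alice's also identifies A2; and because tx7 spends the stolen output tx6:0, the coins arriving at the exchange address X1 carry the taint and can be refused. Real analysis tools add further heuristics (change-address detection, timing, exchange deposit addresses), but the core linkage works exactly like this.
</p>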
<p>
You could imagine a bitcoin mixmaster, which took in bitcoins from lots of people, mixed them around and sent back a random selection to each, less a small transaction fee, to try and obscure the chain of ownership. But that wouldn't be much of a business for anyone who wanted to live in the civilized world since it would just scream money laundering. (Yeah, we know cyberlibertarians would do it out of principle, but the other 99% of the business would be drug dealers.)
</p>
<p>
And finally, the only place where you can exchange any significant number of bitcoins for normal money is still MtGox. They are in Japan, and they take money laundering seriously, so you cannot sell more than a handful without providing extensive documentation such as an image of your passport, and your bank account numbers. Maybe there will be other exchanges eventually, but it's not an easy business to get into. MtGox is a broker, arranging sales between its clients, and doesn't keep bitcoins in inventory. For a broker to be successful, it needs enough clients that buyers can successfully find sellers and vice versa, which means that big brokers tend to get bigger, and it's hard to start a new one. You could try to be a broker buying and selling directly to customers, but given how volatile bitcoin prices are, you'd likely go broke when the market turned against you.
</p>
<p>
Or you could try to arrange a private transaction by finding someone with bitcoins to sell, or looking to buy. That can work for small transactions, but as soon as someone does very much of that, he's in the money transfer business and money laundering laws kick in.
</p>
<p>
So with all these factors, perfectly logged transactions, a complete public history of every bitcoin so that tainted ones are unusable, and a chokepoint on cashing out, bitcoin makes a great novelty (akin as I have said before to pet rocks) but not a very good medium for large scale money laundering.
</p><p><em>Written by <a href="http://www.circleid.com/members/1015/">John Levine</a>, Author, Consultant & Speaker</em></p>]]></description>
			<dc:date>2013-05-29T07:55:01-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>security</category><category>web</category>
		</item>
		
		<item>
			<title>How to Stop the Spread of Malware? A Call for Action</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130520_how_to_stop_the_spread_of_malware_a_call_for_action/</guid>
			<link>http://www.circleid.com/posts/20130520_how_to_stop_the_spread_of_malware_a_call_for_action/</link>
<description><![CDATA[<p>On Webwereld <a href="http://webwereld.nl/beveiliging/77803-veilig-nederland-spuwt-onevenredig-veel-malware" target="_blank">an article</a> was published (in Dutch) following Kaspersky's new <a href="http://www.scribd.com/doc/142043837/Malware-Report-Q1-2013-Kaspersky-Lab" target="_blank">malware report</a> for Q1 2013. Nothing new was mentioned here: The Netherlands remains number 3 worldwide as a source of malware served from Dutch servers. At the same time Kaspersky writes that The Netherlands is one of the safest countries as far as infections go. So what is going on here?
</p>
<p>
<strong>Inbound, outbound and on site</strong>
</p>
<p>
From my anti-spam background I know from experience that as long as a spammer remains under the radar of national authorities, e.g. by making sure that he never targets end users in his own country, he is pretty safe. International cooperation between national authorities is so low that seldom does anything happen in cross-border cases. Priority is mainly given to national cases, as cooperation is nearly non-existent. (If priority is given to spam fighting at all.)
</p>
<p>
The same will be the case for the spreading of malware. National authorities focus on things national. Cross border issues are just too much of a hassle and no one was murdered, right?
</p>
<p>
Of course it is true that if the allegation is right and we are talking about 157 botnet command-and-control servers among thousands and thousands, if not millions, of servers in The Netherlands, 157 is a very low figure. That does not mean we can ignore it if our country is the number 3 malware-spewing country in the world. Something needs to happen, preferably through self-regulation and, failing that, through regulation.
</p>
<p>
If it is also true that it is the same few hosting providers that never respond to complaints, it is time to either make them listen or shut them down. There is no excuse for (regulatory) enforcement bodies not to do so. Harm is being done, the economic effects are huge and the name of The Netherlands is mentioned negatively again and again.
</p>
<p>
In January 2005 at OPTA we were very proud that we had dropped from the number 3 position worldwide for spamming to a position outside the top 20, in six months' time! I do not think it is much harder to do so for sending malware.
</p>
<p>
<strong>A suggestion for an action plan</strong>
</p>
<p>
Here's an action plan:
</p>
<ol><li>Give it priority</li>
<li>Start a national awareness campaign</li>
<li>Provide a final date to the hosting community</li>
<li>Preferably coordinate on 1 to 3 with DHPA (Dutch Hosting Providers Association)</li>
<li>Start acting against those that do not mend their ways.</li></ol>
<p>
And if anti-botnet infection centre ABUSE-IX starts doing its part on disinfecting end users' devices, The Netherlands may have a winning combination this way.
</p>
<p>
Of course this can be duplicated in your respective countries also for spam, malware, phishing, cyber crime, etc.
</p>
<p>
<strong>International cooperation</strong>
</p>
<p>
Of course the topics surrounding cyber security call for international cooperation and coordination. In 2013 it is still virtually impossible to cooperate on cross-border cyber crime, spam and the spreading of malware. This needs addressing at EU and world level. National institutions cannot afford not to do so, even if it is hard to give up a little national jurisdiction. There are in-between forms, like coordination.
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
Let's push the boundaries for cyber threats back. It all starts with ambition. Experience shows that (the threat of) enforcement works. This isn't rocket science, it is about political will and insight.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-05-20T12:07:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>A Royal Opinion on Carrier Grade NATs</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130519_a_royal_opinion_on_carrier_grade_nats/</guid>
			<link>http://www.circleid.com/posts/20130519_a_royal_opinion_on_carrier_grade_nats/</link>
			<description><![CDATA[<p>There are still a number of countries who have Queen Elizabeth as their titular head of state. My country, Australia, is one of those countries. It's difficult to understand what exactly her role is these days in the context of Australian governmental matters, and I suspect even in the United Kingdom many folk share my constitutional uncertainty. Nevertheless, it's all great theatre and rich pageantry, with great press coverage thrown in as well. In the United Kingdom every year the Queen reads a speech prepared by the government of the day, which details the legislative measures that are being proposed by the government for the coming year. Earlier this month the Queen's speech included the following statement:
</p>
<blockquote><p><em>"In relation to the problem of matching Internet Protocol addresses, my government will bring forward proposals to enable the protection of the public and the investigation of crime in Cyberspace."</em> [on <a href="http://www.youtube.com/watch?v=UWwK3z3GvzY&amp;feature=youtube_gdata" target="_blank">Youtube</a>, 5:45]</p></blockquote>
<p>
As the Guardian <a href="http://www.guardian.co.uk/politics/2013/may/08/queens-speech-snoopers-charter" target="_blank">pointed out</a>:
</p>
<blockquote><p><em>The text of the Queen's speech gives the go-ahead to legislation, if needed, to deal with the limited technical problem of there being many more devices including phones and tablets in use than the number of internet protocol (IP) addresses that allow the police to identify who sent an email or made a Skype call at a given time.</em></p></blockquote>
<p>
What's the problem here?
</p>
<p>
The perspective of various law enforcement agencies is that the Internet is seen as a space that has been systematically abused, and too many folk are falling prey to various forms of deceit and fraud. If you add to that the undercurrent of concern that the Internet contains a wide range of vulnerabilities from the perspective of what we could generally term "cybersecurity," then it's not surprising to see law enforcement agencies now turning to legislation to assist them in undertaking their role. And part of their desired toolset in undertaking investigations and gathering intelligence is access to records from the public communications networks of exactly who is talking to whom. Such measures are used in many countries, falling under the generic title of "data retention."
</p>
<p>
In the world of telephony the term "data retention" was used to refer to the capture and storage of call detail records. Such records typically contain the telephone numbers used, time and duration of the call, and may also include ancillary information including location and subscriber details. Obviously such detailed use data is highly susceptible to data mining, and such call records can be used to identify an individual's associates and can be readily used to identify members of a group. Obviously, such data has been of enormous interest to various forms of law enforcement and security agencies over the years, even without the call conversation logs from direct wire tapping of targeted individuals. The regulatory measures designed to protect access to these records vary from country to country, but access is typically made available to agencies on the grounds of national security, law enforcement or even enforcement of taxation conformance.
</p>
<p>
So if that's what happens in telephony, what happens on the Internet?
</p>
<p>
Here the story is a continually evolving one, and these days the issues of IPv4 address exhaustion and IPv6 are starting to be very important topics in this area. To see why, it is probably worth looking at how this used to happen and what technical changes have prompted changes to the requirements related to data retention for Internet Service Providers (ISPs).
</p>
<p>
The original model of the analogous data records for the Internet was the registry of allocated addresses maintained by Internet Network Information Centre, or Internic. This registry did not record any form of packet activity, but was the reference data that shows which entity had been assigned which IP address. So if you wanted to know what entity was using a particular IP address, then you could use a very simple "whois" query tool to interrogate this database:
</p>
<blockquote><p><tt>$ whois -h whois.apnic.net 202.12.29.211</tt></p>
<p><tt>inetnum: 202.12.28.0 - 202.12.29.255<br />
netname: APNIC-AP<br />
descr: Asia Pacific Network Information Centre<br />
descr: Regional Internet Registry for the Asia-Pacific Region<br />
descr: 6 Cordelia Street<br />
descr: PO Box 3646<br />
descr: South Brisbane, QLD 4101<br />
descr: Australia</tt></p></blockquote>
<p>
However, this model of the registry making direct allocations to end user entities stopped in the early 1990's with the advent of the ISP. The early models of ISP service were commonly based on the dial-up model, where a customer would be assigned an IP address for the duration of their call, and the IP address would return to the free pool for subsequent reassignment at the end of the call. The new registry model was that the identity of the service provider was described in the public address registry, and the assignment of individual addresses to each of their dial-up customers was information that was private to the service provider. Now if you wanted to know what entity was using a particular IP address you also had to know the time of day as well, and while a "whois" query could point you in the direction of whom to ask, you now had to ask the ISP for access to their Access, Authentication and Accounting (AAA) records, typically the RADIUS log entries, in order to establish who was using a particular IP address at a given time. Invariably, this provider data is private data, and agencies wanting access to this data had to obtain appropriate authorization or warrants under the prevailing regulatory regime.
</p>
<p>
This model of traceback has been blurred by the deployment of edge NATs, where a single external IP address is shared across multiple local systems serviced by the NAT. This exercise can therefore trace back to the NAT device, but no further. So with access to this data you can get to understand the interactions on the network at a level of granularity of customer end points, but not at a level of individual devices or users.
</p>
<p>
We've used this model of Internet address tracking across the wave of cable and DSL deployments. The end customer presents their credentials to the service provider, and is provided with an IPv4 address as part of the session initiation sequence. The time of this transaction, the identity of the customer and the IP address is logged, and when the session is terminated the address is pulled back into the address pool and the release of the address is logged. The implication is that as long as the traceback can start with a query that includes an IP address and a time of day, it's highly likely that the end user can be identified from this information.
</p>
<p>
But, as the Guardian's commentary points out, this is all changing again. IPv4 address exhaustion is prompting some of the large retail service providers to enter the Carrier Grade NAT space, and join what has already become a well established practice in the mobile data service world. The same week of the Queen's speech, BT announced a trial of Carrier Grade NAT use in its basic IP service.
</p>
<p>
At the heart of the Carrier Grade NAT approach is the concept of sharing a public IP address across multiple customers at the same time. An inevitable casualty of this approach is the concept of traceback in the internet and the associated matter of record keeping rules. It is no longer adequate to front up with an IP address and a time of day. That is just not enough information to uniquely distinguish one customer's use of the network from another's. But what is required is now going to be dependent on the particular NAT technology that is being used by the ISP. If the CGN is a simple port-multiplexing NAT then you need the external IP address and the port number. When combined with the CGN-generated records of the NAT's internal-to-external address bindings, this can map you back to the internal customer's IP address, and using the ISP's address allocation records, this will lead to identification of the customer.
</p>
<p>
So traceback is still possible in this context. In a story titled "Individuals can be identified despite IP address sharing, BT says" the newsletter out-law.com (produced by the law firm Pinsent Masons) <a href="http://www.out-law.com/en/articles/2013/may/individuals-can-be-identified-despite-ip-address-sharing-bt-says/" target="_blank">reports</a>:
</p>
<blockquote><p>BT told Out-Law.com that its CGNAT technology would not prevent the correct perpetrators of illegal online activity from being identified.
</p>
<p>
"The technology does still allow individual customers to be identified if they are sharing the same IP address, as long as the port the customer is using is also known," a BT spokesperson said in a statement. "Although the IP address is shared, the combination of IP address and port will always be unique and as such these two pieces of information, along with the time of the activity can uniquely identify traffic back to a broadband line. [...] If we subsequently receive a request to identify someone who is using IP address x, and port number y, and time z we can then determine who this is from the logs," the spokesperson said. [...] "If only the IP address and timestamp are provided for a CGNAT customer then we are unable to identify the activity back to a broadband line," they added.</p></blockquote>
<p>
But port-multiplexing NATs are still relatively inefficient in terms of address utilization. A more efficient form of NAT multiplexing uses the complete 5-tuple of the connection signature, so that the NAT's binding table uses a lookup key of the protocol field and the source and destination addresses and port values. This allows the NAT to achieve far higher address sharing ratios, allowing a single external IP address to be shared across a pool of up to thousands of customers.
</p>
<p>
So what data needs to be collected by the ISP to allow for traceback in this sort of CGN environment? In this case the ISP needs to collect the complete 5-tuple of the external view of the connection, plus the start and stop times at a level of granularity to the millisecond or finer, together with the end-user identification codes. Such a session state log entry takes typically around 512 bytes as a stored data unit.
</p>
<p>
How many individual CGN bindings, or session states, does each user generate? One report I've seen points to an average of some 33,000 connections per end customer each day. If that's the case then the implication is that each customer will generate some 17Mbytes of log information every day. For a very large service provider, with, say, some 25 million customers, that equates to a daily log file of 425Tbytes. If these CGN records were produced at an unrealistically uniform rate per day, that's a constant log data flow of some 40Gbps. At a more realistic estimate of the busy period peaking at 10 times the average, the peak log data flow rate is some 400Gbps.
</p>
<p>
That's the daily load, but what about longer term data retention storage demands? The critical question here is the prevailing data retention period. In some regimes it's 2 years, while in other regimes it's up to 7 years. Continuing with our example, holding this volume of data for 7 years will consume 1,085,875 Terabytes, or 1.0 Exabytes to use the language of excessively large numbers. And that's even before you contemplate backup copies of the data! And yes, that's before you contemplate an Internet that becomes even more pervasive and therefore of course even larger and used more intensively in the coming years.
</p>
<p>
The questions such a data set can answer also require a very precisely defined question. It's no longer an option to ask "who used this IP address on this date?" Or even "who used this IP address and this port address in this hour?" A traceback that can penetrate the CGN-generated address overuse fog requires the question to include both the source and destination IP addresses and port numbers, the transport protocol, and the precise time of day, measured in milliseconds. This last requirement, of precise coordinated time records, is a new addition to the problem, as traceback now requires that the incident being tracked be identified in time according to a highly accurate time source running in a known timezone, so that a precise match can be found in the ISP's data logs. It's unclear what it will cost to collect and maintain such massive data sets, but it's by no means a low cost incidental activity for any ISP.
</p>
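<p>The traceback queries just described, as an added illustration that is not part of the article and does not model any particular ISP's or vendor's CGN: a small Python lookup over a constructed binding log of the kind a 5-tuple CGN would have to retain. The record fields, the sample subscribers (line-A, line-B, line-C), the documentation-range addresses and the timestamps are all assumptions made for the example. Querying the same log with address and time only, with address, port and time, and with the full 5-tuple and a millisecond-precise time shows how each weaker question leaves more than one candidate line, and why a minute-granular timestamp is not good enough once external ports are reused.</p>

```python
"""Toy carrier-grade NAT (CGN) traceback over a retained binding log.

Added illustration (not from the article or from any ISP): every record holds
what the article says a 5-tuple CGN would have to retain, i.e. the external
view of the connection (protocol, shared public address and NAT-chosen port,
destination address and port), the binding start/stop times in milliseconds,
and a subscriber/line identifier. The log below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binding:
    proto: str        # transport protocol as seen outside the NAT ("tcp"/"udp")
    ext_ip: str       # shared public IPv4 address (documentation range)
    ext_port: int     # external port chosen by the NAT
    dst_ip: str       # remote endpoint address
    dst_port: int     # remote endpoint port
    start_ms: int     # binding created, epoch milliseconds (UTC)
    stop_ms: int      # binding released, epoch milliseconds (UTC)
    subscriber: str   # constructed line identifier


T0 = 1_368_000_000_000  # constructed base timestamp (epoch ms)

# Constructed sample log: three lines share one public address at overlapping
# times, and the NAT reuses external port 40001 both across protocols and after
# an earlier binding on it has been released.
SAMPLE_LOG: List[Binding] = [
    Binding("tcp", "203.0.113.10", 40001, "198.51.100.5", 443, T0 + 0,      T0 + 30_000, "line-A"),
    Binding("tcp", "203.0.113.10", 40002, "198.51.100.5", 443, T0 + 1_000,  T0 + 20_000, "line-B"),
    Binding("udp", "203.0.113.10", 40001, "198.51.100.7", 53,  T0 + 5_000,  T0 + 6_000,  "line-B"),
    Binding("tcp", "203.0.113.10", 40001, "198.51.100.9", 80,  T0 + 40_000, T0 + 50_000, "line-C"),
]


def candidates(log: List[Binding], t_lo_ms: int, t_hi_ms: int, **fields) -> List[str]:
    """Subscribers with a binding active anywhere in [t_lo_ms, t_hi_ms] that
    matches every given field (ext_ip, ext_port, proto, dst_ip, dst_port).

    A millisecond-precise timestamp is the window t_lo_ms == t_hi_ms; a coarse
    timestamp ("sometime in that minute") is a wider window.
    """
    hits = set()
    for b in log:
        overlaps = b.start_ms <= t_hi_ms and b.stop_ms >= t_lo_ms
        if overlaps and all(getattr(b, k) == v for k, v in fields.items()):
            hits.add(b.subscriber)
    return sorted(hits)


def traceback(log: List[Binding], proto: str, ext_ip: str, ext_port: int,
              dst_ip: str, dst_port: int, t_ms: int) -> Optional[str]:
    """Full 5-tuple + precise time query. Returns the single matching subscriber,
    or None when the retained data cannot single out one line (no match, or
    more than one, which a consistent binding log should never produce)."""
    hits = candidates(log, t_ms, t_ms, proto=proto, ext_ip=ext_ip,
                      ext_port=ext_port, dst_ip=dst_ip, dst_port=dst_port)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    t = T0 + 5_500
    print("ip+time         ->", candidates(SAMPLE_LOG, t, t, ext_ip="203.0.113.10"))
    print("ip+port+time    ->", candidates(SAMPLE_LOG, t, t, ext_ip="203.0.113.10", ext_port=40001))
    print("ip+port, 1 min  ->", candidates(SAMPLE_LOG, T0, T0 + 59_999, ext_ip="203.0.113.10", ext_port=40001))
    print("5-tuple+time    ->", traceback(SAMPLE_LOG, "udp", "203.0.113.10", 40001, "198.51.100.7", 53, t))
```

<p>Run it directly to print the four queries. The <tt>candidates</tt> function takes a time window rather than a single instant so the same code answers a precise (millisecond) question and a coarse one; with a one-minute window the reused port 40001 matches three different lines, which is the article's point about needing precise, coordinated time in the retained records. Only the full 5-tuple plus a precise time returns exactly one line.</p>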
<p>
No wonder the UK is now contemplating legislation to enforce such record keeping requirements in the light of the forthcoming CGN deployments in large scale service provider networks in that part of the world. Without such a regulatory impost it's unlikely that any service provider would, of their own volition, embark on such a massive data collection and long term storage exercise. One comment I've heard is that in some regimes it may well be cheaper not to collect this information and opt to pay the statutory fine instead &#8212; it could well be cheaper!
</p>
<p>
This is starting to look messy. The impact of CGNs on an already massive system is serious, in that it alters the granularity of rudimentary data logging from the level of a connection to the Internet to the need to log each and every individual component conversation that every consumer has. Not only is it every service you use and every site you visit, but it's even at the level of every image, every ad you download, everything. Because when we start sharing addresses we can now only distinguish one customer from another at the level of these individual basic transactions. It's starting to look complicated and certainly very messy.
</p>
<p>
But, in theory in any case, we don't necessarily have to be in such a difficult place for the next decade and beyond.
</p>
<p>
The hopeful message is that if we ever complete the transitional leap over to an all-IPv6 Internet the data retention capability reverts back to a far simpler model that bears a strong similarity to the very first model of IP address registration. The lack of scarcity pressure in IPv6 addresses allows the ISP to statically assign a unique site prefix to each and every customer, so that the service provider's data records can revert to a simple listing of customer identities and the assigned IPv6 prefix. In such an environment the cyber-intelligence community would find that their role could be undertaken with a lot less complexity, and the ISPs may well find that regulatory compliance, in this aspect at least, would be a lot easier and a whole lot cheaper!
</p><p><em>Written by <a href="http://www.circleid.com/members/602/">Geoff Huston</a>, Author & Chief Scientist at APNIC</em></p>]]></description>
			<dc:date>2013-05-19T16:13:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>cybercrime</category><category>internet_governance</category><category>ip_addressing</category><category>ipv6</category><category>policy_regulation</category>
		</item>
		
		<item>
			<title>Government Hacking: Proposed Law in the Netherlands</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130508_government_hacking_proposed_law_in_the_netherlands/</guid>
			<link>http://www.circleid.com/posts/20130508_government_hacking_proposed_law_in_the_netherlands/</link>
			<description><![CDATA[<p>In 2012 I wrote a blog on CircleID called <a href="http://www.circleid.com/posts/20121022_state_hacking_dos_and_donts_pros_and_cons/">State hacking: Do's and don'ts, pros and cons</a>. In this post I give some thoughts to the concept of a government "hacking back" at criminals. The reason for this was an announcement by the Dutch government that it contemplated law along these lines. The proposed law is now here: the Act Computer Criminality III.
</p>
<p>
Although the idea originally was to hack into untraceable servers that could (most likely would) be based abroad, now it appears that the Dutch government has used its imagination some more. Hacking devices, the obligation to cooperate in an investigation against oneself by providing passwords, tapping devices and e.g. Skype, it's all in the concept. Not surprisingly there is a lot of commotion from privacy advocates and organisations.
</p>
<p>
Anyway, I've had my say in the mentioned blog post and reiterate that this is a very, very sensitive topic, that could cross boundaries that we as a society may not want to cross. Let me provide you with some links, so you can study it yourself. Unfortunately everything is in Dutch. Below you find links to the law texts, including explanations/intentions, and a link to a blog post by PhD student Jan Jaap Oerlemans of the University of Leiden who provides some excellent observations.
</p>
<p>
Here's the official government publication on the law with <a href="http://www.rijksoverheid.nl/nieuws/2013/05/02/opstelten-versterkt-aanpak-computercriminaliteit.html">links</a> to the actual texts.
</p>
<p>
Here's the <a href="http://oerlemansblog.weblog.leidenuniv.nl/">link</a> to Jan Jaap Oerlemans' blog.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-05-08T09:55:01-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Arrest Made in Connection to Spamhaus DDoS Case</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130429_arrest_made_in_connection_to_spamhaus_ddos_case/</guid>
			<link>http://www.circleid.com/posts/20130429_arrest_made_in_connection_to_spamhaus_ddos_case/</link>
			<description><![CDATA[<p>According to a press release by the Openbaar Ministerie (the Public Prosecution Office), a Dutch man with the initials SK has been arrested in Spain for the DDoS attacks on Spamhaus.
</p>
<p>
Brian Krebs <a href="http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/">reports</a>: "A 35-year-old Dutchman thought to be responsible for launching what's been called 'the largest publicly announced online attack in the history of the Internet' was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as 'SK,' was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization."
</p>]]></description>
			<dc:date>2013-04-29T12:15:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>ddos</category><category>law</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Breaking Down Silos Doesn&apos;t Come Easy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130424_breaking_down_silos_doesnt_come_easy/</guid>
			<link>http://www.circleid.com/posts/20130424_breaking_down_silos_doesnt_come_easy/</link>
			<description><![CDATA[<p>"We need to break down silos" is a phrase often heard in national and international meetings around cyber security and cyber crime enforcement. So it is no coincidence that the upcoming NLIGF (Netherlands Internet Governance Forum), the IGF, but also an EU-driven event like ICT 2013 have "Breaking down silos" and "Building bridges" on the agenda. But what does it mean? And how to do so?
</p>
<p>
<strong>The internet and borders</strong>
</p>
<p>
People often refer to the internet as borderless and say that there is a need to cooperate across borders between police agencies and other agencies regulating or enforcing the internet. This falls under the category of "This needs a global solution" or "This is cross-border, we cannot do anything!" type comments.
</p>
<p>
Breaking down silos goes way beyond this. It is a national and organisational as well as an international problem. Specific organisations work within their own remit and have difficulty, in some cases extreme difficulty, reaching out to other organisations. Others are not aware of each other's capabilities. This discussion is about mental borders as well as legal, organisational and state ones.
</p>
<p>
<strong>The worst example</strong>
</p>
<p>
Usually the police are pointed to as a difficult partner to work with. "We never hear anything back" or "We never receive information from them" are often heard comments. It is my impression that police organisations (and prosecutors) could have more understanding of what the capabilities of other enforcement agencies are, in order to coordinate actions in a better way. (What happens when two or three different organisations investigate the same botnet at the same time?!)
</p>
<p>
Law enforcement is more than enforcing the law from a penal code perspective. Other agencies may be better equipped to solve a specific cyber crime than the police, on the basis of enforcing their "own" law. A "serious" crime could also be dealt with through e.g. a Consumer Protection Act. Or together there is a higher chance of success. These are important lessons. Break down your silos!
</p>
<p>
<strong>Cyber security</strong>
</p>
<p>
Cyber security organisations like Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Services (CSIRTs) secure and monitor governmental and industry ICT systems, and alert and respond to breaches such as DDoS attacks or hacks. They have a lot of information and evidence that could actually assist enforcement agencies in doing their work. At the same time they can act on certain breaches in ways that law enforcement never could.
</p>
<p>
Cooperation between the two is not something which comes easily. For dozens of reasons. Hence the need to break down silos and create understanding.
</p>
<p>
<strong>Industry</strong>
</p>
<p>
And what about industry? What is the information it has on cyber crimes? If industry does not see the incentive to report all, let's say relevant, breaches to the proper authority, enforcement and security will never get the priority it deserves. Hence another reason to break down silos.
</p>
<p>
<strong>Who needs to act?</strong>
</p>
<p>
In the report of De Natris Consult (click <a href="http://woutdenatris.wordpress.com/2012/09/17/581/">here</a> to view) called "National cyber crime and online threats reporting centres. A study into national and international cooperation." it is clearly shown that for an individual organisation it is nearly impossible to break a silo down, simply because it's too difficult and not a part of the organisation's primary task. So despite the fact that it is in the direct interest of a single organisation to be able to cooperate, it is nearly impossible to break through on your own when no one hears you knocking. It is important however to report what you are unable to do to those who can make a difference. How will people who can actually make a difference ever know otherwise? Start breaking down your own silo in the right places.
</p>
<p>
<strong>So who needs to act then?</strong>
</p>
<p>
There are a few options. (My apologies for non-EU readers. I'm a bit EU-centric here, but please allow your imagination to run to your corner of the world and the options it provides.)
</p>
<p>
<em>1. National government</em>
<br />
This would help at national level. E.g. in a national strategy on cyber security a national coordinating body is foreseen and instituted by the national government. E.g. The Netherlands created the <a href="https://www.ncsc.nl/">National Cyber Security Centre</a>. It is very interesting to see the developments going on. Embedded officers from different agencies, industry and vital infrastructure work part time within the centre.
</p>
<p>
Some questions could be asked that can make a difference over time. How does the centre change knowledge and perceptions with time? Does it make a solid inventory of skills, complementary powers and different possibilities that different laws supply to fight cyber crimes? Does it take a closer look at whether present laws supply the needed powers to fight the different forms of cyber crime?
</p>
<p>
<em>2. International bodies</em>
<br />
ENISA currently plays a role in bringing CERTs and police agencies together. Could it play that role in a broader sense? So for other LEAs as well as police and CERTs?
</p>
<p>
EC3 could open itself to more enforcement entities, e.g. by providing common training, coordinating cyber actions, etc. It does not do so at present, but it would be a good thing if EC3 looked into this option in the very near future. Who invites them to break down their silo?
</p>
<p>
Fill in your option here .....
</p>
<p>
<em>3. International projects</em>
<br />
What will a project like <a href="http://www.botfree.eu/">ACDC</a> (Advanced Cyber Defense Centre) do for international cooperation? In this case it is about fighting botnets: from disinfecting end users' computers to gathering, analysing and sharing data on botnets, botnet traffic and command and control servers in and through the central clearing house. What will aggregated data do in the fight against cyber crime and, more so, what will it do for cooperation and understanding between different entities, both public and private?
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
Why are all these questions so relevant? Because my bet is that all these agencies, from the military to secret services and from police to consumer fraud, spam and privacy agencies are all looking for the same people who make the internet not a very safe place to do business and pleasure today. There is, well there should be, a strong need to cooperate and coordinate.
</p>
<p>
Breaking down silos will not come easy, for many a reason. Still, if the people responsible for this task are to take it seriously, it is important to start asking the right questions. Let's do so at NLIGF this June, in Bali in October (I will do so there as moderator) and Vilnius in November, and in all places where you think it is possible and necessary to do so. I'm always happy to discuss further or help out creating strategies or programs. The time seems right.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-04-24T09:51:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>ddos</category><category>internet_governance</category><category>law</category><category>malware</category><category>policy_regulation</category><category>spam</category>
		</item>
		
		<item>
			<title>Correlation Between Country Governance Regimes &amp; Reputation of Their Internet Address Allocations</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130417_correlation_country_governance_regimes_and_reputation_of_ip/</guid>
			<link>http://www.circleid.com/posts/20130417_correlation_country_governance_regimes_and_reputation_of_ip/</link>
			<description><![CDATA[<p><em>[While getting his feet wet with <a href="http://d3js.org/" title="D3 JavaScript library">D3</a>, Bradley Huffaker (at CAIDA) finally tried this analysis tidbit that's been on his list for a while.]</em>
</p>
<p>
We recently analyzed the reputation of a country's Internet (IPv4) addresses by examining the number of blacklisted IPv4 addresses that geolocate to a given country. We compared this indicator with two qualitative measures of each country's governance. We hypothesized that countries with more transparent, democratic governmental institutions would harbor a smaller fraction of misbehaving (blacklisted) hosts. The available data confirms this hypothesis. A similar correlation exists between perceived corruption and fraction of blacklisted IP addresses.
</p>
<p>
<span style="font-size:85%;line-height:1.3em;color:#666666;margin:20px 0 20px 0;display:block;text-align:center;"><a href="http://www.circleid.com/images/uploads/7317.gif"><img src="http://www.circleid.com/images/uploads/7317.gif" border="0" style="display:block;margin-bottom:25px;width:644px;" /></a><strong>CAIDA's Country IP Reputation Graphs</strong> (<a href="http://www.circleid.com/images/uploads/7317.gif">Click to Enlarge</a>)<br /><a href="http://www.caida.org/research/policy/country-level-ip-reputation/">See the interactive graph and analysis on the CAIDA website</a></span>
</p>
<p>
<strong>For more details of data sources and analysis, see:</strong>
<br />
<a href="http://www.caida.org/research/policy/country-level-ip-reputation/" title="CAIDA's Correlation between country governance regimes and the reputation of their Internet (IP) address allocations page">http://www.caida.org/research/policy/country-level-ip-reputation/</a>
</p><p><em>Written by <a href="http://www.circleid.com/members/5799/">kc claffy</a>, Director, CAIDA and Adjunct Professor, UC, San Diego</em></p>]]></description>
			<dc:date>2013-04-17T15:19:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>ip_addressing</category><category>policy_regulation</category><category>spam</category>
		</item>
		
		<item>
			<title>China and the United States Agree on Forming Joint Cybersecurity Working Group</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130415_china_united_states_agree_on_joint_cybersecurity_working_group/</guid>
			<link>http://www.circleid.com/posts/20130415_china_united_states_agree_on_joint_cybersecurity_working_group/</link>
			<description><![CDATA[<p>China and the United States will set up a working group on cybersecurity, U.S. Secretary of State John Kerry said on Saturday, as the two sides moved to ease months of tensions and mutual accusations of hacking and Internet theft. Speaking to reporters in Beijing during a visit to China, Kerry said the United States and China had agreed on the need to speed up action on cyber security, an area that Washington says is its top national security concern.
</p><p><strong>Read full story:</strong> <a href="http://www.reuters.com/article/2013/04/13/us-china-us-cyber-idUSBRE93C05T20130413">Reuters</a></p>]]></description>
			<dc:date>2013-04-15T09:10:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>security</category>
		</item>
		
		<item>
			<title>How Will Banks Ensure the Safety of Our Money? DDoS Attacks on NL Banks</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130408_how_will_banks_ensure_safety_of_our_money_ddos_attacks_on_nl_banks/</guid>
			<link>http://www.circleid.com/posts/20130408_how_will_banks_ensure_safety_of_our_money_ddos_attacks_on_nl_banks/</link>
			<description><![CDATA[<p>This week bank customers in the Netherlands were shocked when they realised that online banking may not be as safe as they thought. Perhaps some were surprised to hear that what they think is money is nothing but digits, something that does not exist. Their money only exists because we all act as if it exists and accept transactions between each other, aided by software run by banks, if they haven't outsourced that function. The good people found out the hard way that by, in this case involuntarily, changing a few digits, their money just disappeared (and some became millionaires without being able to access this money).
</p>
<p>
The next day new malfunctions of banks' websites were reported. For the first time it was openly admitted that all our banks' and payment intermediary iDeal's websites were down, due to an attack in the form of a DDoS attack, making the websites of the respective banks unreachable for regular traffic. The assailants tried to log in also.
</p>
<p>
This resulted in headlines, Tweets, blogs and opening news items, the one at the 8 o'clock news on the public channel ending with: "in the USA this happens nearly every day". In the following I'd like to take a look at a few related comments, a tweet by a politician, before coming to some questions. The main one reflects the title most: "Who's responsible for cyber security?"
</p>
<p>
<strong>Public outcry</strong>
</p>
<p>
If anything, the chaos or perceived chaos in banking transactions led to angry or confused people, famous short fuses and loads of attention from the media. The cyber security world has been waiting for years for a major cyber incident. One causing great damage, in the hope that governments and companies start moving in the right direction. Some experts are even totally resigned to this way of thinking. This is not that incident. Sure, it shocked end users, led to some reactions from politicians, but in the end nobody seems to have lost money and there are so many other issues calling out for attention.
</p>
<p>
<strong>The news</strong>
</p>
<p>
<em><strong>Tax evasion</strong></em>
<br />
In the past week high level tax evasion by multinationals, top executives, politicians, etc., let's say the top of societies, was prominent in the news. A conclusion in a column in NRC Handelsblad stated that for this problem decisions at world level are needed. (If I'm cynical, look at the list at the start of this section and ask yourself the following question: Who decides on worldwide solutions?) What struck me, also, is that this is the exact same conclusion that is arrived at when talking about Internet governance, international cooperation against cyber crime, spam and malware enforcement, etc., etc. In short, what I recently heard someone call "the glass ceiling of Internet governance". Most discussions stop here. Another variant to this discussion is: "we need to break down silos!". Okay, but who is "we"? Is someone made responsible for this breaking down, silos or ceilings? What are the right questions to ask here? Questions that lead to answers that could take the discussion forward and actually change the outcome? A topic for the upcoming IGF in Bali I'd say.
</p>
<p>
<em><strong>The near future</strong></em>
<br />
The comment in the 8 o'clock news cited above caught my attention most. "This happens nearly every day in the US". I read somewhere that on 267 out of 365 days there were problems accessing major banks' websites. In other words, is this something we are to expect also? Are there contingency plans? Do governments allow that payments can't be made (parts of) 267 days in the year? The economic impact is gigantic. Does it matter then whether the attacks stem from criminals, free speech advocates, "fun hackers" or state-to-state activities? I'd say not.
</p>
<p>
<em><strong>How can banks ever guarantee the safety of our money?</strong></em>
<br />
...is the question Dutch parliamentarian Kees Verhoeven (D66) asked on Twitter. (This is the Tweet, translated from Dutch: "Intense. The outage now turns out to be a #DDoS attack! The question is how banks can continue to guarantee the safety of our money. #cybersecurity"). I responded to him that this was totally the wrong question to ask. There is nothing banks can do against DDoS attacks, beyond preventive measures. The attackers, the tools they use, the infected PCs and other devices used, the command and control servers hosted anywhere in the world, are all far beyond the control of banks. As long as banks run state of the art security measures (even if they don't), they are victims and not attackers. Perhaps the banks need support from other entities on and around the Internet to solve this problem.
</p>
<p>
The tools used are infected PCs of end users, companies, governments, industry, etc. and other devices like smart phones, smart TVs, up to a hacked chip in your cat's collar (and this is no joke). There are a million reasons why these devices are infected. From irresponsible use by end users, flawed software, a lack of security by design in anything with "i" in front of it, negative incentives to deal with botnet mitigation or notice and take down requests, a lack of understanding in general, right up to a lack of government regulation, enforcement or incentives. All measures, or rather the lack of measures, banks have no influence over at all. They have an influence over the quality of the products they buy themselves in the future, over internal policy and security measures and perhaps they can reach out more to discuss Internet governance actively, which I advise them to do, but it stops there.
</p>
<p>
So, taking this all in, can banks guarantee the safety of our money? Answer this question yourself and continue to ask yourself the question who is responsible for cyber security? A virtual plethora of parties involved and where to start? What I have to conclude is that almost every single decision is to be made in the private sphere. In a competitive world. Where does that leave governments? Where does this leave decisions consciously made with the common good in mind?
</p>
<p>
<strong>So, who's responsible?</strong>
</p>
<p>
I'm not going to answer this question here. Those who follow me on my blog, here on CircleID or read my articles in Virus Bulletin know my points of view. What I'd like to ask you is to think about this question for one minute and share your thoughts with me here or within any other context. It may just get a discussion going.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-04-08T06:37:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>ddos</category><category>internet_governance</category><category>security</category>
		</item>
		
		<item>
			<title>The Spamhaus Distributed Denial of Service &#45; How Big a Deal Was It?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130329_spamhaus_distributed_denial_of_service_how_big_a_deal_was_it/</guid>
			<link>http://www.circleid.com/posts/20130329_spamhaus_distributed_denial_of_service_how_big_a_deal_was_it/</link>
			<description><![CDATA[<p>If you haven't been reading the news of late, venerable anti-spam service <a href="http://www.spamhaus.org">Spamhaus</a> has been the target of a sustained, record-setting Distributed Denial-of-Service (DDoS) attack over the past couple of weeks.
</p>
<p>
Al Iverson over at Spamresource has a great round-up of the news, if you haven't managed to catch the news, <a href="http://www.spamresource.com/2013/03/spamhaus-ddos-in-news.html">go check it out</a>, then come on back, we'll wait ...
</p>
<p>
Of course, bad guys are always mad at Spamhaus, and so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster some huge resources, heretofore never seen in intensity, and it had some impact, on the Spamhaus website, and to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers.
</p>
<p>
Some reasonable criticism <a href="http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie">was aimed</a> at the <a href="http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&amp;_r=0">New York Times</a> and <a href="http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet">Cloudflare</a> for being a little hyperbolic in their headlines and so on, and sure, it was a bit 'Chicken Little'-like, the sky wasn't falling and the Internet didn't collapse.
</p>
<p>
But, don't let the critics fool you, this was a bullet we all dodged.
</p>
<p>
For one, were Spamhaus to be taken offline, their effectiveness in filtering spam and malware would rapidly decay, due to the rate at which their blocklists need to be updated. The CBL anti-botnet feed and the SBL list both have many additions and deletions every day. These services are used to protect mail servers and networks against the most malicious criminal traffic. If they go down, a lot of major sites would have trouble staying up, or become massively infected with malware.
</p>
<p>
There are also a ton of small email systems that use the Spamhaus lists as a key part of their mail filtering (for free as it turns out). Were those lookups prevented, or tampered with, those systems would buckle under the load of spam that they dispense with easily thanks to Spamhaus.
</p>
<p>
To put it into perspective, somewhere between 80% &amp; 90% of all email is spam, and that's the stuff Spamhaus helps filter. So it doesn't take a Rocket Scientist to figure out that if filters go out, so do the email systems, in short order. AOL's Postmaster famously said, at an FTC Spam Summit a decade ago, before the inception of massive botnets, that were their filtering to be taken offline, it'd be 10 minutes before their email systems crashed.
</p>
<p>
Due to some poorly researched media reports (hello, Wolf Blitzer!), there is a perception that this is a fight between two legitimate entities, Spamhaus and Stophaus; some press outlets and bloggers have given equal time to the criminals (we use that word advisedly, there is an ongoing investigation by law enforcement in at least five countries to bring these people to justice). Nothing could be further from the truth. The attackers are a group of organized criminals, end of story. There is nothing to be celebrated in Spamhaus taking it on the chin, unless you want email systems and networks on the Internet to stop working.
</p>
<p>
So yeah, it was a big deal.
</p><p><em>Written by <a href="http://www.circleid.com/members/617/">Neil Schwartzman</a>, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE</em></p>]]></description>
			<dc:date>2013-03-29T16:49:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>data_center</category><category>ddos</category><category>dns</category><category>dnssec</category><category>email</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>ICANN Releases Guideline for Coordinated Vulnerability Disclosure Reporting</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130312_icann_guideline_for_coordinated_vulnerability_disclosure_reporting/</guid>
			<link>http://www.circleid.com/posts/20130312_icann_guideline_for_coordinated_vulnerability_disclosure_reporting/</link>
			<description><![CDATA[<p>ICANN has released a set of guidelines to explain its Coordinated Vulnerability Disclosure Reporting. The <a href="http://www.icann.org/en/about/staff/security/vulnerability-disclosure-11mar13-en.pdf">guidelines</a> serve two purposes, says ICANN: "They define the role ICANN will perform in circumstances where vulnerabilities are reported and ICANN determines that the security, stability or resiliency of the DNS is exploited or threatened. The guidelines also explain how a party, described as a reporter, should disclose information on a vulnerability discovered in a system or network operated by ICANN."
</p>
<p>
Coordinated Vulnerability Disclosure refers to “a reporting methodology where a party (‘reporter’) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (‘affected party’) and allows the affected party time to investigate the claim, and identify and test a remedy or recourse before coordinating the release of a public disclosure of the vulnerability with the reporter.”
</p>
<p>
<span style="font-size:85%;line-height:1.3em;color:#666666;margin:5px 0 20px 0;display:block;"><img src="http://www.circleid.com/images/uploads/7241.jpg" border="0" style="display:block;margin-bottom:10px;width:644px;" /><strong>Illustration of a Coordinated Disclosure Process</strong> &ndash; The roles and relationships of parties typically involved in a coordinated disclosure. <em>Source: ICANN</em> (<a href="http://www.circleid.com/images/uploads/7241.jpg">Click to Enlarge</a>)</span>
</p>]]></description>
			<dc:date>2013-03-12T09:31:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>dns</category><category>icann</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Obama Signs Cybersecurity Executive Order</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/obama_signs_cybersecurity_executive_order/</guid>
			<link>http://www.circleid.com/posts/obama_signs_cybersecurity_executive_order/</link>
			<description><![CDATA[<p>President Barack Obama has introduced a cybersecurity executive order in his State of the Union address on Tuesday that offered a broad outline of how the government plans to deal with cyber threats. The eight-page document outlines a process that allows government agencies to work with private industry to combat cyber threats, while seemingly addressing concerns of citizen privacy. Past legislative attempts at cybersecurity have been criticized by groups who believe bills like Cispa violate privacy by allowing information-sharing between private industry and the government.
</p><p><strong>Read full story:</strong> <a href="http://www.guardian.co.uk/technology/2013/feb/13/obama-cybersecurity-executive-order">The Guardian</a></p>]]></description>
			<dc:date>2013-02-13T17:38:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>policy_regulation</category><category>security</category>
		</item>
		
	</channel>
</rss>