<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Malware</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Malware related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2013, unless where otherwise noted.</dc:rights>
		<dc:date>2013-05-21T13:24:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>How to Stop the Spread of Malware? A Call for Action</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130520_how_to_stop_the_spread_of_malware_a_call_for_action/</guid>
			<link>http://www.circleid.com/posts/20130520_how_to_stop_the_spread_of_malware_a_call_for_action/</link>
<description><![CDATA[<p>On Webwereld <a href="http://webwereld.nl/beveiliging/77803-veilig-nederland-spuwt-onevenredig-veel-malware" target="_blank">an article</a> was published (in Dutch) following a new Kaspersky <a href="http://www.scribd.com/doc/142043837/Malware-Report-Q1-2013-Kaspersky-Lab" target="_blank">malware report</a> for Q1 2013. Nothing new was mentioned there. The Netherlands remains number 3 worldwide as a source of malware served from Dutch-hosted servers. At the same time Kaspersky writes that The Netherlands is one of the safest countries as far as infections go. So what is going on here?
</p>
<p>
<strong>Inbound, outbound and on site</strong>
</p>
<p>
From my anti-spam background I have the experience that as long as a spammer remains under the radar of national authorities, e.g. by making sure that he never targets end users in his own country, he is pretty safe. International cooperation between national authorities is so limited that seldom does anything happen in cross-border cases. Priority is mainly given to national cases, as cooperation is near non-existent. (If priority is given to spam fighting at all.)
</p>
<p>
The same will be the case for the spreading of malware. National authorities focus on things national. Cross border issues are just too much of a hassle and no one was murdered, right?
</p>
<p>
Of course it is true that if the allegation is right and we are talking about 157 botnet command and control servers among thousands upon thousands, if not millions, of servers in The Netherlands, then 157 is a very low figure. This does not mean that we can ignore this figure if our country is the number 3 malware-spewing country in the world. Something needs to happen. Preferably through self-regulation and, if not that way, then through regulation.
</p>
<p>
If it is also true that it is the same few hosting providers that never respond to complaints, it is time to either make them listen or shut them down. There is no excuse for (regulatory) enforcement bodies not to do so. Harm is being done, the economic effects are huge and the name of The Netherlands is mentioned negatively again and again.
</p>
<p>
In January 2005 at OPTA we were very proud that we had dropped from the number 3 position worldwide for spamming to a position out of the top 20. In six months time! I do not think it is much harder to do so for sending malware.
</p>
<p>
<strong>A suggestion for an action plan</strong>
</p>
<p>
Here's an action plan:
</p>
<ol><li>Give it priority</li>
<li>Start a national awareness campaign</li>
<li>Provide a final date to the hosting community</li>
<li>Preferably coordinate on 1 to 3 with DHPA (Dutch Hosting Providers Association)</li>
<li>Start acting against those that do not mend their ways.</li></ol>
<p>
And if anti-botnet infection centre ABUSE-IX starts doing its part on disinfecting end users' devices, The Netherlands may have a winning combination this way.
</p>
<p>
Of course this can be duplicated in your respective countries also for spam, malware, phishing, cyber crime, etc.
</p>
<p>
<strong>International cooperation</strong>
</p>
<p>
Of course the topics surrounding cyber security call for international cooperation and coordination. In 2013 it is still virtually impossible to cooperate on cross-border cyber crime, spam and the spreading of malware. This needs addressing at EU and world level. National institutions cannot afford not to do so, even if it is hard to give up a little national jurisdiction. There are in-between forms, like coordination.
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
Let's push the boundaries for cyber threats back. It all starts with ambition. Experience shows that (the threat of) enforcement works. This isn't rocket science, it is about political will and insight.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-05-20T12:07:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Breaking Down Silos Doesn&apos;t Come Easy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130424_breaking_down_silos_doesnt_come_easy/</guid>
			<link>http://www.circleid.com/posts/20130424_breaking_down_silos_doesnt_come_easy/</link>
<description><![CDATA[<p>"We need to break down silos" is a phrase often heard in national and international meetings around cyber security and the enforcement of cyber crime laws. So it is no coincidence that the upcoming NLIGF (Netherlands Internet Governance Forum), the IGF, but also an EU-driven event like ICT 2013 have "Breaking down silos" and "Building bridges" on the agenda. But what does it mean? And how to do so?
</p>
<p>
<strong>The internet and borders</strong>
</p>
<p>
People often refer to the internet as borderless and say that there is a need for police agencies and other agencies regulating or enforcing the internet to cooperate across borders. This falls under the category of "This needs a global solution" or the "This is cross-border, we cannot do anything!" type of comment.
</p>
<p>
Breaking down silos goes way beyond this. It is a national and organisational as well as an international problem. Specific organisations work within their own remit and have, in some cases extreme, difficulty reaching out to other organisations. Others are not aware of each other's capabilities. This discussion is about mental borders as well as legal, organisational and state ones.
</p>
<p>
<strong>The worst example</strong>
</p>
<p>
Usually the police is pointed to as a hard partner to work with. "We never hear anything back" or "We never receive information from them" are often heard comments. It is my impression that police organisations (and prosecutors) could have more understanding of what the capabilities of other enforcement agencies are, in order to coordinate actions in a better way. (What happens when two or three different organisations investigate the same botnet at the same time?!)
</p>
<p>
Law enforcement is more than enforcing the law from a penal code perspective. Other agencies may be better equipped to solve a specific cyber crime than the police, on the basis of enforcing their "own" law. A "serious" crime could also be dealt with through e.g. a Consumer Protection Act. Or together there is a higher chance of success. These are important lessons. Break down your silos!
</p>
<p>
<strong>Cyber security</strong>
</p>
<p>
Cyber security organisations like Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) secure and monitor governmental and industry ICT systems, and alert on and respond to breaches such as DDoS attacks or hacks. They have a lot of information and evidence that could actually assist enforcement agencies in doing their work. At the same time they can act on certain breaches in ways that law enforcement never could.
</p>
<p>
Cooperation between the two is not something which comes easily. For dozens of reasons. Hence the need to break down silos and create understanding.
</p>
<p>
<strong>Industry</strong>
</p>
<p>
And what about industry? What is the information it has on cyber crimes? If industry does not see the incentive to report all, let's say relevant, breaches to the proper authority, enforcement and security will never get the priority it deserves. Hence another reason to break down silos.
</p>
<p>
<strong>Who needs to act?</strong>
</p>
<p>
In the report of De Natris Consult (click <a href="http://woutdenatris.wordpress.com/2012/09/17/581/">here</a> to view) called "National cyber crime and online threats reporting centres. A study into national and international cooperation." it is clearly shown that for an individual organisation it is nearly impossible to break a silo down, simply because it is too difficult and not a part of the organisation's primary task. So despite the fact that it is in the direct interest of a single organisation to be able to cooperate, it is nearly impossible to break through on your own when no one hears you knocking. It is important, however, to report your impossibilities to those who can make a difference. How will people who can actually make a difference ever know otherwise? Start breaking down your own silo in the right places.
</p>
<p>
<strong>So who needs to act then?</strong>
</p>
<p>
There are a few options. (My apologies for non-EU readers. I'm a bit EU-centric here, but please allow your imagination to run to your corner of the world and the options it provides.)
</p>
<p>
<em>1. National government</em>
<br />
This would help at national level. E.g. in a national strategy on cyber security a national coordinating body is foreseen and instituted by the national government. E.g. The Netherlands created the <a href="https://www.ncsc.nl/">National Cyber Security Centre</a>. It is very interesting to see the developments going on. Embedded officers from different agencies, industry and vital infrastructure work part time within the centre.
</p>
<p>
Some questions could be asked that can make a difference over time. How does the centre change knowledge and perceptions with time? Does it make a solid inventory of skills, complementary powers and different possibilities that different laws supply to fight cyber crimes? Does it take a closer look at whether present laws supply the needed powers to fight the different forms of cyber crime?
</p>
<p>
<em>2. International bodies</em>
<br />
ENISA currently plays a role in bringing CERTs and police agencies together. Could it play that role in a broader sense, i.e. for other LEAs as well as police and CERTs?
</p>
<p>
EC3 could open itself to more enforcement entities, e.g. by providing common trainings, coordinating cyber actions, etc. It does not do so at present, but it would be a good thing if EC3 looked into this option in the very near future. Who invites them to break down their silo?
</p>
<p>
Fill in your option here .....
</p>
<p>
<em>3. International projects</em>
<br />
What will a project like <a href="http://www.botfree.eu/">ACDC</a> (Advanced Cyber Defense Centre) do to international cooperation? In this case it is about fighting botnets. From disinfecting end users computers to gathering, analysing and sharing data on botnets, botnet traffic and command and control servers in and through the central clearing house. What will aggregated data do in the fight against cyber crime and more so, what will it do for cooperation and understanding between different entities both public and private?
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
Why are all these questions so relevant? Because my bet is that all these agencies, from the military to secret services and from police to consumer fraud, spam and privacy agencies are all looking for the same people who make the internet not a very safe place to do business and pleasure today. There is, well there should be, a strong need to cooperate and coordinate.
</p>
<p>
Breaking down silos will not come easy. For many a reason. Still, if people responsible for this task are to make serious business with it, it is important to start asking the right questions. Let's do so at NLIGF this June, in Bali in October (I will do so here as moderator) and Vilnius in November and in all places where you think it is possible and necessary to do so. I'm always happy to discuss further or help out creating strategies or programs. The time seems right.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-04-24T09:51:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>ddos</category><category>internet_governance</category><category>law</category><category>malware</category><category>policy_regulation</category><category>spam</category>
		</item>
		
		<item>
			<title>Massive Spam and Malware Campaign Following Boston Tragedy</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130417_massive_spam_and_malware_campaign_following_boston_tragedy/</guid>
			<link>http://www.circleid.com/posts/20130417_massive_spam_and_malware_campaign_following_boston_tragedy/</link>
			<description><![CDATA[<p>On April 16th at 11:00pm GMT, the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy. The spam messages claim to contain news concerning the Boston Marathon bombing, <a href="http://blogs.cisco.com/security/massive-spam-and-malware-campaign-following-the-boston-tragedy/">reports</a> Craig Williams from Cisco. The spam messages contain a link to a site that claims to have videos of explosions from the attack. Simultaneously, links to these sites were posted as comments to various blogs.
</p>
<p>
The link directs users to a webpage that includes iframes that load content from several YouTube videos plus content from an attacker-controlled site. Reports indicate the attacker-controlled sites host malicious <em>.jar</em> files that can compromise vulnerable machines.
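<p>
As an added illustration, not part of the original post or of Cisco's report, the script below triages a landing page for the pattern just described: it separates iframes that embed an allowlisted video host from iframes and plugin tags that pull content from anywhere else, and reports any <em>.jar</em> payload. The sample page, the hostnames in it and the allowlist are constructed for the example.
</p>

```python
"""Landing-page triage for the YouTube-iframes-plus-attacker-host pattern.

Added example, not code from the original post or from Cisco.  The sample
page, its hostnames and TRUSTED_EMBED_HOSTS are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the only third-party embeds a news page should carry.
TRUSTED_EMBED_HOSTS = {"youtube.com", "www.youtube.com"}

# Attributes through which each tag can pull remote content into the page.
LOAD_ATTRS = {
    "iframe": ("src",),
    "embed": ("src",),
    "script": ("src",),
    "applet": ("archive", "code"),
    "object": ("data", "archive"),
    "param": ("value",),   # <param name="archive" value="x.jar"> inside <object>/<applet>
}


class RemoteRefCollector(HTMLParser):
    """Collect (tag, attributes) for every tag that can load remote content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in LOAD_ATTRS:
            self.refs.append((tag, dict(attrs)))


def _host(url, page_host):
    """Host a reference loads from; relative URLs load from the page's own host."""
    return (urlparse(url).hostname or page_host).lower()


def _is_jar(url):
    return urlparse(url).path.lower().endswith(".jar")


def _is_hidden(attrs):
    """Zero/one-pixel frames and display:none / visibility:hidden styles."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def triage(page_html, page_host):
    """Report untrusted/hidden iframes and .jar payloads, plus an overall verdict."""
    trusted = TRUSTED_EMBED_HOSTS | {page_host.lower()}
    collector = RemoteRefCollector()
    collector.feed(page_html)

    untrusted_iframes, hidden_iframes, jar_payloads = [], [], []
    for tag, attrs in collector.refs:
        for name in LOAD_ATTRS[tag]:
            url = attrs.get(name)
            if not url:
                continue
            if tag == "iframe":
                if _host(url, page_host) not in trusted:
                    untrusted_iframes.append(url)
                    if _is_hidden(attrs):
                        hidden_iframes.append(url)
            elif _is_jar(url):
                # Java archive pulled in by a plugin tag: the exploit carrier.
                jar_payloads.append(url)

    return {
        "untrusted_iframes": untrusted_iframes,
        "hidden_iframes": hidden_iframes,
        "jar_payloads": jar_payloads,
        "suspicious": bool(untrusted_iframes or jar_payloads),
    }


# Constructed sample page: two real-looking video embeds, one hidden frame from
# a placeholder attacker host, and an applet that loads a .jar from that host.
SAMPLE_PAGE = """<html><body>
<h1>Boston explosion video</h1>
<iframe width="420" height="315" src="http://www.youtube.com/embed/abc123"></iframe>
<iframe width="420" height="315" src="http://www.youtube.com/embed/def456"></iframe>
<iframe src="http://payload.example/news.html" width="1" height="1" style="visibility: hidden"></iframe>
<applet archive="http://payload.example/boston.jar" code="Main.class" width="1" height="1"></applet>
</body></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE, "news.example").items():
        print(f"{key}: {value}")
```

<p>
Run on the sample page, the verdict is "suspicious" because of the hidden 1x1 iframe and the <em>.jar</em> archive from an untrusted host, while a page containing only YouTube embeds is not flagged. The useful output for a responder is the list of untrusted hosts, which becomes the block or sinkhole candidate.
</p>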
</p>
<p>
On April 17th, a second botnet began using a similar spam campaign. Instead of simply providing a link, the spam messages contained graphical HTML content claiming to be breaking news alerts from CNN.
</p>
<p>
<span style="font-size:85%;line-height:1.3em;color:#666666;margin:5px 0 20px 0;display:block;"><img src="http://www.circleid.com/images/uploads/7318.gif" border="0" width="644" height="306" style="display:block;margin-bottom:10px;" />Cisco became aware of a range of threats forming on April 15th when hundreds of domains related to the Boston tragedy were quickly registered. Regarding the botnet spam-specific threat &ndash; from a volume perspective &ndash; peaks approach 40% of all spam being sent. <em>(Source: Cisco)</em></span>
</p>]]></description>
			<dc:date>2013-04-17T15:48:00-08:00</dc:date>
			<category>internet</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>The Spamhaus Distributed Denial of Service &#45; How Big a Deal Was It?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130329_spamhaus_distributed_denial_of_service_how_big_a_deal_was_it/</guid>
			<link>http://www.circleid.com/posts/20130329_spamhaus_distributed_denial_of_service_how_big_a_deal_was_it/</link>
			<description><![CDATA[<p>If you haven't been reading the news of late, venerable anti-spam service <a href="http://www.spamhaus.org">Spamhaus</a> has been the target of a sustained, record-setting Distributed Denial-of-Service (DDoS) attack over the past couple of weeks.
</p>
<p>
Al Iverson over at Spamresource has a great round-up of the news, if you haven't managed to catch the news, <a href="http://www.spamresource.com/2013/03/spamhaus-ddos-in-news.html">go check it out</a>, then come on back, we'll wait ...
</p>
<p>
Of course, bad guys are always mad at Spamhaus, so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster huge resources, of an intensity never seen before, and it had some impact on the Spamhaus website and, to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers.
</p>
<p>
Some reasonable criticism, <a href="http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie">was aimed </a>at the <a href="http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&amp;_r=0">New York Times</a>, and <a href="http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet ">Cloudflare</a> for being a little hyperbolic in their headlines and so on, and sure, it was a bit 'Chicken Little'-like, the sky wasn't falling and the Internet didn't collapse.
</p>
<p>
But don't let the critics fool you, this was a bullet we all dodged.
</p>
<p>
For one, were Spamhaus to be taken offline, their effectiveness in filtering spam and malware would rapidly decay, due to the rate at which their blocklists need to be updated. The CBL anti-botnet feed and the SBL list both have many additions and deletions every day. These services are used to protect mail servers and networks against the most malicious criminal traffic. If they go down, a lot of major sites would have trouble staying up, or become massively infected with malware.
</p>
<p>
There are also a ton of small email systems that use the Spamhaus lists as a key part of their mail filtering (for free as it turns out). Were those lookups prevented, or tampered with, those systems would buckle under the load of spam that they dispense with easily thanks to Spamhaus.
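<p>
The mechanics behind those lookups, as an added example that is not code from the original post or from Spamhaus: a receiving mail server reverses the octets of the connecting IP, queries that name under the blocklist zone, and interprets the 127.0.0.x answer it gets back. The resolver is injected so the code runs offline; the answers in FAKE_ZONE are constructed for the example (apart from 127.0.0.2, which Spamhaus documents as an always-listed test address), and the on_error policy is this example's own design, not a Spamhaus recommendation.
</p>

```python
"""DNSBL lookup against a Spamhaus-style zone, with explicit failure handling.

Added example, not code from the original post or from Spamhaus.  Return-code
meanings follow the published ZEN conventions (127.0.0.2-3 SBL, 127.0.0.4-7
XBL, 127.0.0.10-11 PBL; 127.255.255.x are error codes from the zone itself).
FAKE_ZONE and the on_error policy are constructed for this example.
"""
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer -> the list that matched.
RETURN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
                10: "PBL", 11: "PBL"}
VALID_ANSWERS = ipaddress.IPv4Network("127.0.0.0/24")
# The zone answers in this range when it refuses the query (e.g. queries sent
# through a public open resolver, or over-quota use) rather than "listed".
ERROR_ANSWERS = ipaddress.IPv4Network("127.255.255.0/24")


class DnsblUnavailable(Exception):
    """No usable answer: timeout, SERVFAIL, or an error code from the zone."""


def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets of an IPv4 address and append the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Translate the A records returned for a DNSBL name into list names."""
    lists = set()
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        if addr in ERROR_ANSWERS:
            raise DnsblUnavailable(f"zone returned error code {answer}")
        if addr not in VALID_ANSWERS:
            # A wildcard answer (hijacked or expired zone) would list everyone.
            raise DnsblUnavailable(f"unexpected answer {answer}")
        code = int(addr) & 0xFF
        lists.add(RETURN_CODES.get(code, f"code-{code}"))
    return lists


def check_sender(ip, resolve, zone=ZONE, on_error="tempfail"):
    """Decide what to do with a connecting SMTP client.

    resolve(name) returns the A records for name, an empty list when the name
    does not exist (NXDOMAIN == not listed), and raises DnsblUnavailable when
    no authoritative answer could be obtained.  on_error selects the failure
    mode: "tempfail" (4xx, the sender retries later) or "accept" (fail open).
    """
    name = dnsbl_name(ip, zone)
    try:
        lists = classify(resolve(name))
    except DnsblUnavailable as exc:
        action = "accept" if on_error == "accept" else "tempfail"
        return {"ip": ip, "listed": None, "lists": [], "error": str(exc), "action": action}
    return {"ip": ip, "listed": bool(lists), "lists": sorted(lists), "error": None,
            "action": "reject" if lists else "accept"}


def live_resolve(name):
    """Resolver backed by the system stub resolver (needs network; not used below)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return []  # NXDOMAIN: the address is not listed
        raise DnsblUnavailable(str(exc)) from exc


# Constructed offline zone.  127.0.0.2 mirrors Spamhaus' documented test entry;
# the TEST-NET addresses and their answers are invented for the example.
FAKE_ZONE = {
    dnsbl_name("127.0.0.2"): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    dnsbl_name("192.0.2.10"): ["127.0.0.11"],                        # PBL only
    dnsbl_name("203.0.113.9"): DnsblUnavailable("query timed out"),  # lookup failure
}


def fake_resolve(name):
    answer = FAKE_ZONE.get(name, [])
    if isinstance(answer, Exception):
        raise answer
    return answer


if __name__ == "__main__":
    for client in ("127.0.0.2", "192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(check_sender(client, fake_resolve))
```

<p>
The on_error setting is the article's point in code: when the zone cannot be reached, or answers with one of its 127.255.255.x refusal codes, the server either tempfails the connection (a 4xx, so legitimate senders retry once the lists are back) or accepts everything and fails open, which is the spam flood described above.
</p>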
</p>
<p>
To put it into perspective, somewhere between 80% &amp; 90% of all email is spam, and that's the stuff Spamhaus helps filter. So it doesn't take a Rocket Scientist to figure out that if filters go out, so do the email systems, in short order. AOL's Postmaster famously said, at an FTC Spam Summit a decade ago, before the inception of massive botnets, that were their filtering to be taken offline, it'd be 10 minutes before their email systems crashed.
</p>
<p>
Due to some poorly researched media reports (hello, Wolf Blitzer!), there is a perception that this is a fight between two legitimate entities, Spamhaus and Stophaus; some press outlets and bloggers have given equal time to the criminals (we use that word advisedly, there is an ongoing investigation by law enforcement in at least five countries to bring these people to justice). Nothing could be further from the truth. The attackers are a group of organized criminals, end of story. There is nothing to be celebrated in Spamhaus taking it on the chin, unless you want email systems and networks on the Internet to stop working.
</p>
<p>
So yeah, it was a big deal.
</p><p><em>Written by <a href="http://www.circleid.com/members/617/">Neil Schwartzman</a>, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE</em></p>]]></description>
			<dc:date>2013-03-29T16:49:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>data_center</category><category>ddos</category><category>dns</category><category>dnssec</category><category>email</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>ICANN Releases Guideline for Coordinated Vulnerability Disclosure Reporting</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130312_icann_guideline_for_coordinated_vulnerability_disclosure_reporting/</guid>
			<link>http://www.circleid.com/posts/20130312_icann_guideline_for_coordinated_vulnerability_disclosure_reporting/</link>
			<description><![CDATA[<p>ICANN has released a set of guidelines to explain its Coordinated Vulnerability Disclosure Reporting. The <a href="http://www.icann.org/en/about/staff/security/vulnerability-disclosure-11mar13-en.pdf">guidelines</a> serve two purposes, says ICANN: "They define the role ICANN will perform in circumstances where vulnerabilities are reported and ICANN determines that the security, stability or resiliency of the DNS is exploited or threatened. The guidelines also explain how a party, described as a reporter, should disclose information on a vulnerability discovered in a system or network operated by ICANN."
</p>
<p>
Coordinated Vulnerability Disclosure refers to “a reporting methodology where a party (‘reporter’) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (‘affected party’) and allows the affected party time to investigate the claim, and identify and test a remedy or recourse before coordinating the release of a public disclosure of the vulnerability with the reporter.”
</p>
<p>
<span style="font-size:85%;line-height:1.3em;color:#666666;margin:5px 0 20px 0;display:block;"><img src="http://www.circleid.com/images/uploads/7241.jpg" border="0" style="display:block;margin-bottom:10px;width:644px;" /><strong>Illustration of a Coordinated Disclosure Process</strong> &ndash; The roles and relationships of parties typically involved in a coordinated disclosure. <em>Source: ICANN</em> (<a href="http://www.circleid.com/images/uploads/7241.jpg">Click to Enlarge</a>)</span>
</p>]]></description>
			<dc:date>2013-03-12T09:31:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>dns</category><category>icann</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Security and Reliability: A Closer Look at Penetration Testing</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130312_security_and_reliability_a_closer_look_at_penetration_testing/</guid>
			<link>http://www.circleid.com/posts/20130312_security_and_reliability_a_closer_look_at_penetration_testing/</link>
			<description><![CDATA[<p>As noted in my first article of this series (see part <a href="http://www.circleid.com/posts/20130228_introduction_to_security_and_reliability_what_does_it_really_mean/">one</a>, <a href="http://www.circleid.com/posts/20130304_security_and_reliability_a_deeper_dive_into_network_assessments/">two</a> and <a href="http://www.circleid.com/posts/20130306_security_and_reliability_closer_look_at_vulnerability_assessments/">three</a>), security and reliability encompass holistic network assessments, vulnerability assessments and penetration testing. In this post I'd like to go deeper into penetration testing; however, first, let's go back for a quick refresh before getting started.
</p>
<p>
There are three broad steps any organization can take with respect to security and reliability to get a handle on its current security posture, whether internal (corporate or "inside the firewall") or external (Internet or "outside the firewall"): a series of in-depth assessments comprising network assessment, vulnerability assessment and penetration testing.
</p>
<p>
<img src="http://www.circleid.com/images/uploads/7240.jpg" border="0" width="400" height="265" style="float:right;padding:0 0 5px 15px;" /><strong>&bull; Network Assessment</strong> &ndash; Network assessment is a broad term that might encompass a holistic view of an organization's Internet security posture both internally and externally. A network assessment can be tailored to specific security requirements for any organization, but ultimately the assessment will provide a baseline gap analysis and remediation steps to fill those gaps.
</p>
<p>
<strong>&bull; Vulnerability Assessment</strong> &ndash; Once your baseline network assessment is completed, an organization may wish to perform periodic vulnerability assessments. Whether internal or external, vulnerability assessments can uncover critical gaps in security that may lead to credential leaks, intellectual property theft, or denial of service to employees or customers. A well-planned and well-executed vulnerability assessment should minimise false positives, but it can never give an organization 100 percent confidence that a specific vulnerability cannot be exploited. Vulnerability assessments should be executed on at least a quarterly basis, but it's not uncommon for larger organizations to execute them monthly.
</p>
<p>
<strong>&bull; Penetration Testing</strong> &ndash; The next and final step in assessing your organization's security and reliability is penetration testing. While I typically say that vulnerability assessments give you a "95 percent confidence level" that a vulnerability exists, penetration testing can give you 100 percent confidence that a specific vulnerability exists as well as show you how it can be exploited by attackers.
</p>
<p>
Now that we are all caught up, let's dive in to penetration testing.
</p>
<p>
<strong>What is a penetration test?</strong>
</p>
<p>
A penetration test typically follows a full vulnerability assessment, after you have identified systems with known or suspected vulnerabilities. The existence of vulnerabilities may be obvious, or may require exploitation to validate. By definition, penetration testing involves exploiting a vulnerability to prove its existence or to expose other previously unknown vulnerabilities, or even additional systems, not previously known or tested.
</p>
<p>
Once you've completed a vulnerability assessment, you must build an attack profile for penetration testing and then execute your attacks.
</p>
<p>
<strong>Step One: Attack Profile</strong>
</p>
<p>
In the attack profiling phase, you must conduct research on your vulnerabilities to determine the best tools to use to attempt exploitation. There are a plethora of commercial, free and open source penetration testing toolkits, including:
</p>
<ul><li><a href="http://www.immunityinc.com/products-canvas.shtml">CANVAS</a></li>
<li><a href="http://www.metasploit.com/">Metasploit</a> (free and commercial versions)</li>
<li><a href="http://www.coresecurity.com/content/core-impact-overview">Core Impact</a></li>
<li><a href="http://cirt.net/nikto2">Nikto</a> (web applications)</li>
<li><a href="http://www.portswigger.net/burp/">Burp Suite</a> (web applications)</li></ul>
<p>
There are many more scripts and toolkits you might use for both vulnerability assessments and penetration testing, such as wireless discovery applications, packet capture applications, port scanners, etc. We'll cover some of the more common tools in future articles.
</p>
<p>
There are too many details to cover in this overview, but suffice it to say a penetration test engineer must understand the underlying operating systems, applications and protocols for the vulnerabilities they are trying to exploit.
</p>
<p>
Exploits may be common to a given application regardless of the platform (operating system and protocols), but they may also be a very specific combination of hardware platform, operating system, application, protocols, and even network elements to include routers, switches and firewalls.
</p>
<p>
The toolkits listed above provide a good framework and automation for running exploits, but they all have many configuration parameters, variables and scripts related to very specific vulnerabilities that one must understand in order to execute an effective penetration test. To paraphrase a famous line from the movie Caddyshack, "be the exploit!"
</p>
<p>
<strong>Step Two: Attack Execution</strong>
</p>
<p>
Now, the real work begins. You may understand the vulnerability, you may have your tools and scripts ready to execute and exploit the vulnerability, but inevitably things won't go as planned. As with vulnerability assessments, you may have to adapt your profile because you find that a firewall or network ACL (access control list) is blocking communication in one direction or a given vulnerability cannot be exploited for unknown reasons, or operating system/application fingerprinting was inaccurate. There are many scenarios that may cause you to alter course and change tools or methods to attempt exploitation.
</p>
<p>
<strong>In Summary</strong>
</p>
<p>
Penetration testing (and security on the whole) can be as much art as science, but hopefully this article rounds out our series on security and reliability and gives you some insight on the importance of including this as part of your organization's processes. Ultimately, you will gain confidence in assessing risks and determining which vulnerabilities should be considered real, requiring mitigation. This is the very best way to be prepared for real-time risks and attacks.
</p><p><em>Written by <a href="http://www.circleid.com/members/1513/">Brett Watson</a>, Senior Manager, Professional Services at Neustar</em></p>]]></description>
			<dc:date>2013-03-12T08:46:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Civil Society Hung Out To Dry in Global Cyber Espionage</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130304_civil_society_hung_out_to_dry_in_global_cyber_espionage/</guid>
			<link>http://www.circleid.com/posts/20130304_civil_society_hung_out_to_dry_in_global_cyber_espionage/</link>
			<description><![CDATA[<p><em><strong>This post was co-authored by <a href="http://www.circleid.com/members/6974">Sarah McKune</a>, a senior researcher at the Citizen Lab.</strong></em>
</p>
<p>
Public attention to the secretive world of cyber espionage has risen to a new level in the wake of the <a href="http://intelreport.mandiant.com/">APT1: Exposing One of China's Cyber Espionage Units</a> report by security company Mandiant. By specifically naming China as the culprit and linking cyber espionage efforts to the People's Liberation Army, Mandiant has taken steps that <a href="http://www.nytimes.com/2013/02/25/world/asia/us-confronts-cyber-cold-war-with-china.html?_r=0">few policymakers have been willing to take publicly</a>, given the significant diplomatic implications. The report has brought to the forefront US-China disagreements over cyberspace, igniting a <a href="http://sg.news.yahoo.com/china-steps-defence-hacking-allegations-053326344.html">furious response</a> from the Chinese government.
</p>
<p>
Also cast in stark relief by this incident, however, are the priorities of the United States in securing the cyber domain: <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">threats to critical infrastructure</a>, and the theft of intellectual property, trade secrets and confidential strategy documents from key industry players and Fortune 500 companies. General Keith Alexander, the head of US Cyber Command and the National Security Agency, raised the profile of the theft issue last year in asserting that widescale cyber espionage had resulted in <a href="http://thecable.foreignpolicy.com/posts/2012/07/09/nsa_chief_cybercrime_constitutes_the_greatest_transfer_of_wealth_in_history">"the greatest transfer of wealth in history."</a> The issue was highlighted again in the newly-released <a href="http://www.whitehouse.gov//sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf">Administration Strategy on Mitigating the Theft of U.S. Trade Secrets. </a>
</p>
<p>
Certainly, threats against critical infrastructure and theft of intellectual property and trade secrets are important. However, they are not the only targets of cyber intrusion and espionage that should merit public attention and government concern.
</p>
<p>
An often-overlooked dimension of cyber espionage is the targeting of civil society actors. NGOs, exile organizations, political movements, and other public interest coalitions have for many years encountered serious and persistent cyber assaults. Such threats &#8212; politically motivated and often with strong links to authoritarian regimes &#8212; include website defacements, denial-of-service attacks, targeted malware attacks, and cyber espionage. For every Fortune 500 company that's breached, for every blueprint or confidential trade secret stolen, it's a safe bet that at least one NGO or activist has been compromised in a similar fashion, with highly sensitive information such as networks of contacts exfiltrated. Yet civil society entities typically lack the resources of large industry players to defend against or mitigate such threats; you won't see them hiring information security companies like Mandiant to conduct expensive investigations. Nor will you likely see Mandiant paying much attention to their concerns, either: if antivirus companies do encounter attacks related to civil society groups, they may simply discard that information as there is no revenue in it.
</p>
<p>
While cyber espionage against a company may result in the loss of a blueprint, an attack on an NGO could result in a loss of individual life or liberty. Yet civil society is largely on its own as it goes about its work to advance human rights and other public policy goals while struggling to stay ahead of debilitating cyber threats.
</p>
<p>
In Citizen Lab's research on cyber espionage against civil society, going back to the <a href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network">Tracking GhostNet </a>and <a href="http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0">Shadows in the Cloud</a> reports, we've routinely encountered the very same malware families, social engineering tactics, and advanced persistent threats experienced by the private sector, governments, and international organizations. Our research indicates that the important details uncovered by Mandiant are just one slice of a much bigger picture of cyber espionage linked to China. For example, Citizen Lab's Seth Hardy <a href="https://citizenlab.org/2013/02/apt1s-glasses-watching-a-human-rights-organization/">has found that certain malware targeting a Tibetan organization incorporates much of the same code and uses one of the same command-and-control servers as the APT1 attacks documented by Mandiant</a>. This suggests that APT1 is also targeting civil society groups alongside the "higher profile" companies and organizations on its roster.
</p>
<p>
Our findings confirm there's more to China's motivations than just industrial and government espionage. The Chinese government appears to view cyber espionage as a component of much broader efforts to defend against and control the influence of a variety of "foreign hostile forces" &#8212; considered to include not only Western government entities, but also foreign media and civil society &#8212; that could undermine the grip of the Communist Party of China.
</p>
<p>
The solutions presented by US policymakers, however, have left civil society out of the equation altogether, focusing on industry and government only, as if these are all that matter. Notably, a <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">February 12, 2013 executive order</a> on improving cybersecurity provides that US policy is to "increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats." No similar initiative exists for outreach and information sharing with civil society. Without these considerations, we leave civil society hung out to dry and lose sight of that which we are aiming to protect in the first place &#8212; a vibrant democratic society.
</p>
<p>
As we consider what to do about mitigating cyber attacks, and the bleeding of our industrial base from unabashed cyber espionage, we would do well to remind ourselves of a fact that may be easily overlooked: China's domestic problems in the human rights arena are a major factor driving cyber insecurity abroad. China's aggressive targeting of "foreign hostile forces" in cyberspace includes groups simply exercising their basic human rights. We may well soften China's malfeasance around corporate and diplomatic espionage, but without dealing with the often-overlooked civil society dimension, we will not eradicate it entirely.
</p><p><em>Written by <a href="http://www.circleid.com/members/4422/">Ron Deibert</a>, Director, The Citizen Lab, Munk School of Global Affairs, University of Toronto</em></p>]]></description>
			<dc:date>2013-03-04T11:38:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>internet_governance</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Reducing the Risks of BYOD with Nominum&apos;s Security Solution</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130205_reducing_the_risks_of_byod_with_nominums_security_solution/</guid>
			<link>http://www.circleid.com/posts/20130205_reducing_the_risks_of_byod_with_nominums_security_solution/</link>
			<description><![CDATA[<p>In previous posts, Pat Barnes <a href="http://www.circleid.com/posts/reducing_risks_of_byod_with_dns_based_security_intelligence_part_1/">has discussed</a> the risks associated with BYOD, and a DNS-based approach for reducing those risks. Essentially this approach consisted of making use of an enterprise's caching DNS server to monitor and block DNS queries to known botnet command and control (C&amp;C) domains. Finding these C&amp;C domains is something Nominum does quite well.
</p>
<p>
Nominum researches and continually discovers botnet C&amp;C domains. Nominum offers the Network Protection Service, which provides a proprietary feed of botnet-related and other malicious command and control (C&amp;C) domains. To produce this feed, Nominum has established a dedicated security research team that is responsible for data collection, correlation and analysis, and for implementing the network protection algorithms. By virtue of Nominum's global footprint, processing more than one trillion queries daily, Nominum is in a position to offer a real-time, adaptive, global feed of C&amp;C domains. The security team uses this data and a variety of techniques and inputs, such as traffic pattern analysis, malware reverse engineering and nameserver reputation, to derive this feed. The feed is pushed to <a href="http://www.nominum.com/products/core-engines/caching-dns/">Nominum's Vantio Caching DNS engine</a> residing in-network, which then uses it to block and monitor C&amp;C domains.
</p>
<p>
Recently, we introduced our <a href="http://www.nominum.com/products/applications/security-intelligence/">Security Intelligence application</a>, which provides in-network reporting on the monitoring and blocking efforts of the Network Protection service feed. Some of the benefits of this new application include:
</p>
<ul><li>In-network threat reporting that doesn't require sending data off the customer's network;</li>
<li>Visibility into the most prevalent and highest priority threats on a network helps prioritize security operations' workload;</li>
<li>Ability to search for infected users by IP address or network range helps identify and assist infected subscribers and businesses;</li>
<li>Detailed threat information for all infected users helps identify the risks to subscribers and aids remediation efforts;</li>
<li>Effective security monitoring while being unobtrusive on network resources.</li></ul>
<p>
If you would like to learn more about the Network Protection service and the Security Intelligence application, contact us at <a href="mailto:sales@nominum.com">sales@nominum.com</a>.
</p>]]></description>
			<dc:date>2013-02-05T09:47:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>cyberattack</category><category>dns</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Reducing the Risks of BYOD with DNS&#45;Based Security Intelligence; Part 2: Taking Control</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130129_reducing_risks_of_byod_with_dns_based_security_intelligence_part_2/</guid>
			<link>http://www.circleid.com/posts/20130129_reducing_risks_of_byod_with_dns_based_security_intelligence_part_2/</link>
			<description><![CDATA[<p>In <a href="http://www.circleid.com/posts/reducing_risks_of_byod_with_dns_based_security_intelligence_part_1/">part 1</a>, I talked about some of the risks associated with BYOD. But there are actions you can take to greatly reduce this risk. One effective method for limiting the risk of BYOD is to employ DNS-based security intelligence techniques. DNS-based security intelligence makes use of an enterprise's caching DNS server to monitor and block DNS queries to known botnet command and control (C&amp;C) domains. These domains are the domain names of the servers that are in the control of the bot master for purposes of botnet command and control. Bots will perform a DNS query for one or more of these domains in an attempt to connect to these servers in order to receive their instructions. By monitoring queries to these domains, all infected clients, including BYOD, can be identified on the network. Moreover, by subsequently blocking access to the domains, malware responsible for the bot infection is denied the critical instructions it needs to function.
</p>
<p>
As DNS is the first touch point in any Internet transaction, using it to identify infected customers is both lightweight and cost effective since it only has to deal with relatively small DNS packets. If you have a list of known botnet command and control domains, you can determine which clients (including BYOD clients) are infected on your network by comparing that list to your DNS logs. You can also use this list to configure your DNS server to block any queries to these domains, which denies the bots the instructions they need in order to conduct their malicious activity.
</p>
<p>
Using this DNS-based technique, Nominum recently reported on the top 5 mobile malware threats, which was published by <a href="http://www.networkworld.com/news/tech/2012/110112-mobile-threats-263904.html">Network World</a>. These Android infections could be lurking on your network's wi-fi as BYOD. If you want to quickly try out this DNS-based technique for yourself to see what might be lurking on your network, you can try one of the lists of known botnet C&amp;C domains maintained by <a href="http://www.shadowserver.org/wiki/pmwiki.php/Services/Downloads">The Shadowserver Foundation</a>.
</p>
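<p>
The technique described here, and in the Nominum Network Protection post above, comes down to two steps: compare the resolver's query log against a list of known command-and-control (C&amp;C) domains to find infected clients, then configure the resolver to block those domains. The Python script below is an added example, not Nominum's code or Shadowserver's tooling. It assumes BIND 9 querylog lines (adjust the regular expression for another resolver), matches each queried name against the list at label boundaries so that subdomains of a listed domain count but look-alike names such as <code>notupdate-check.invalid</code> do not, optionally restricts the report to a network range, and renders a BIND Response Policy Zone (RPZ) that answers NXDOMAIN for the listed domains and their subdomains. The feed entries and log lines are constructed samples using the reserved <code>.invalid</code> TLD, not real C&amp;C infrastructure.
</p>

```python
"""DNS-based botnet detection: match resolver query logs against a C&C domain
list and emit a BIND RPZ zone that blocks those domains.

Added example, not Nominum's code. Assumptions: the log is in BIND 9 querylog
format, the feed is one domain per line with '#' comments, and all domain
names below are constructed placeholders under the reserved .invalid TLD.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed: mixed case and a trailing dot to exercise normalisation.
SAMPLE_FEED = """\
# constructed C&C list (placeholders, not real domains)
Bot-Controller.invalid.
update-check.invalid
"""

# Constructed BIND 9 querylog lines, in both the older and the newer client-prefix
# layouts, so the parser is exercised against each.
SAMPLE_LOG = """\
05-Feb-2013 09:47:01.123 client 10.1.20.7#51234: query: bot-controller.invalid IN A + (192.0.2.53)
05-Feb-2013 09:47:02.456 client 10.1.20.7#51235: query: www.example.com IN A + (192.0.2.53)
05-Feb-2013 09:47:03.789 client @0x7f3c1c0 10.1.20.9#40001 (cdn.update-check.invalid): query: cdn.update-check.invalid IN A +E(0)K (192.0.2.53)
05-Feb-2013 09:47:04.000 client 10.2.0.4#33333: query: notupdate-check.invalid IN A + (192.0.2.53)
05-Feb-2013 09:47:05.000 client 10.2.0.4#33334: query: mail.example.org IN MX - (192.0.2.53)
"""

# client [@0xADDR] IP#PORT [(QNAME)]: query: QNAME IN QTYPE ...
_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so feed and log names compare equal."""
    return name.strip().lower().rstrip(".")


def load_feed(text):
    """Parse a one-domain-per-line feed, skipping blank lines and '#' comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize(line))
    return domains


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for every querylog line that parses."""
    for line in text.splitlines():
        m = _QUERY_RE.search(line)
        if m:
            yield m.group("ip"), normalize(m.group("qname")), m.group("qtype")


def matched_domain(qname, blocklist):
    """Return the blocklist entry that covers qname, or None.

    Walks label boundaries so that sub.c2.invalid matches c2.invalid while
    notc2.invalid does not; a plain endswith() check gets the second case wrong.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_infected(log_text, blocklist, network=None):
    """Map client IP -> set of matched C&C domains, optionally limited to a CIDR range."""
    net = ipaddress.ip_network(network) if network else None
    hits = defaultdict(set)
    for ip, qname, _qtype in parse_query_log(log_text):
        if net is not None and ipaddress.ip_address(ip) not in net:
            continue
        hit = matched_domain(qname, blocklist)
        if hit:
            hits[ip].add(hit)
    return dict(hits)


def rpz_zone(blocklist, origin="rpz.local", serial=2013020501):
    """Render a BIND Response Policy Zone: 'CNAME .' is the RPZ NXDOMAIN action,
    applied to each listed domain and (via the wildcard) its subdomains."""
    lines = [
        "$TTL 60",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    for domain in sorted(blocklist):
        lines.append(f"{domain} IN CNAME .")
        lines.append(f"*.{domain} IN CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for ip, domains in sorted(find_infected(SAMPLE_LOG, feed).items()):
        print(f"{ip}: {', '.join(sorted(domains))}")
    print(rpz_zone(feed))
```

<p>
Run as a script it prints the two infected clients from the sample log (the look-alike name queried by the third client is not reported) followed by the zone text. To enforce the block in BIND 9, serve the rendered file as an authoritative zone and reference it with <code>response-policy { zone "rpz.local"; };</code> in the <code>options</code> block; the same label-boundary matching is what makes the wildcard records in the zone necessary.
</p>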
<p>
BYOD is a great thing, but it can be scary for those folks responsible for the security of an enterprise. Using DNS-based techniques for security intelligence can stem the risk of BYOD, which is good since revoking BYOD would likely sow the seeds of revolt.
</p><p><em>Written by <a href="http://www.circleid.com/members/6941/">Pat Barnes</a>, Product Manager of Security Solutions at Nominum</em></p>]]></description>
			<dc:date>2013-01-29T12:32:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>dns</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>EC3, the European Cybercrime Centre, Opened &#45; Challenges All Around</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130115_ec3_the_european_cybercrime_centre_opened_challenges_all_around/</guid>
			<link>http://www.circleid.com/posts/20130115_ec3_the_european_cybercrime_centre_opened_challenges_all_around/</link>
<description><![CDATA[<p>On Friday 11 January 2013 the European Cybercrime Centre, EC3, officially opened its doors at Europol in The Hague. If something shone through from the speeches of the panel participants, it is that there are tight budget constraints and a strong wish to cooperate with the U.S., the Interpol centre in Singapore and Russia. Let me share my thoughts on expectations.
</p>
<p>
<strong>The official program</strong>
</p>
<p>
What I liked about the opening was that it was modest: nothing beyond "this is who we are and this is what we try to achieve in the near future". It was also practical: on stage, a Memorandum of Understanding on cooperation was signed with the US counterpart.
</p>
<p>
The following focal points were chosen by EC3 to start its work on fighting cybercrime:
</p>
<ol><li>That (is) committed by organised groups to generate large criminal profits such as online fraud;</li>
<li>That ... causes serious harm to the victim such as online child sexual exploitation;</li>
<li>That ... affects critical infrastructure and information systems in the EU.</li></ol>
<p>
Next to that,
</p>
<blockquote><p><em>"the Centre will also facilitate research and development and ensure capacity building among law enforcement, judges and prosecutors and will produce threat assessments, including trend analyses, forecasts and early warnings."</em></p></blockquote>
<p>
With this, EC3 has made clear choices about what it will pursue. These choices are well defensible: online child sexual exploitation is a major concern for society as a whole and always has the attention of the public, while major fraud and online incidents involving critical infrastructure destabilise the economy and (trust in) the Internet itself, on top of financially hurting those who were attacked, phished, hacked or misled.
</p>
<p>
<strong>Starting modest</strong>
</p>
<p>
To start "small" is not a disadvantage. Expectations, although high for EC3, are tempered somewhat. When the centre proves its merit with first successes in 2013, interest will grow. People like to be associated with success, so a growth in budget may well become possible soon after.
</p>
<p>
<strong>Challenges</strong>
</p>
<p>
From the sidelines I see a few challenges for EC3. It needs the best data available in order to pursue its goals. What are the chances of engaging with industry in order to receive data from multiple sources? Will EC3 be able to participate in some way in the botnet mitigation centres that have been and will be set up around Europe (and perhaps beyond) over the coming years? Will the relevant organisations in the Member States and beyond be willing to share relevant data with EC3? In what way are the new EU privacy rules a hindrance to successful cooperation? Concerns on this topic are regularly voiced, especially from the U.S. (a close partner, as we have seen!).
</p>
<p>
Will Member States allow EC3 some form of cooperation and/or coordination between organisations from the Member States? This seems pivotal to me for tackling cross-border cases, which nearly all Internet crimes are.
</p>
<p>
These are questions that will be answered over the coming months and years, but they will determine whether EC3 is able to really make a difference and live up to its potential.
</p>
<p>
<strong>Opportunities</strong>
</p>
<p>
CERTs and EC3 are already working on a programme run by ENISA to establish forms of cooperation. How about cooperation with other law enforcement agencies around the EU? Telecommunications, privacy, consumer, customs, anti-spam and anti-malware agencies, among others, all have powers that are complementary to those of the police. Having an overview of these powers could actually bring a broader spectrum of enforcement powers to the fore.
</p>
<p>
The police are there to arrest criminals, but this does not stop all offences on the Internet. There is a world to win if the police recognise the other powers at hand and learn to exchange data with other entities when the police are not the first, or perhaps not the best equipped, party to act.
</p>
<p>
EC3 could play this role in recognising other entities available to cooperate with, whether industry initiatives such as botnet centres and self-regulatory initiatives, national online threat or security centres, or other law enforcement capabilities. From this a better overview of opportunities becomes available, capacity building is broadened and the overall exchange of metadata grows, enlarging the analysis and enforcement capabilities of all concerned.
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
EC3 has opened and many challenges lie in front of it. Its opening is a good thing and an important step towards the much-needed cross-border cooperation required to fight cybercrime in all its facets successfully. I wish EC3 the best of luck and many successes!
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2013-01-15T03:35:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>ddos</category><category>malware</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>CircleID&apos;s Top Ten Posts of 2012</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20130110_circleid_top_ten_posts_of_2012/</guid>
			<link>http://www.circleid.com/posts/20130110_circleid_top_ten_posts_of_2012/</link>
			<description><![CDATA[<p>Here are the top ten most popular news, blogs, and industry updates featured on CircleID during 2012 based on the overall readership of the posts for the past 12 months. Congratulations to all the participants whose posts reached top readership and best wishes to the entire community for 2013.
</p>
<p>
<strong>Top Ten <a href="http://www.circleid.com/blogs/">Featured Blogs</a> from the community in 2012:</strong>
<br />
<table border="0" cellspacing="0" cellpadding="0" id="topTen"><tr><td class="rank">#<strong>1</strong></td><td><a href="http://www.circleid.com/members/620/"><img src="/images/member_photos/photo_620.jpg" border="0" width="60" alt="Paul Vixie" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120327_dns_changer/" title="DNS Changer" class="title">DNS Changer</a>by <a href="http://www.circleid.com/members/620/" class="blue">Paul Vixie</a> | Mar 27, 2012 | Viewed 66,094 times</td></tr><tr><td class="rank">#<strong>2</strong></td><td><a href="http://www.circleid.com/members/949/"><img src="/images/member_photos/photo_949.jpg" border="0" width="60" alt="Konstantinos Komaitis" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/trademarking_generics_the_bank_fiasco/" title="Trademarking .generics - the .bank Fiasco!" class="title">Trademarking .generics - the .bank Fiasco!</a>by <a href="http://www.circleid.com/members/949/" class="blue">Konstantinos Komaitis</a> | Jan 18, 2012 | Viewed 17,124 times</td></tr><tr><td class="rank">#<strong>3</strong></td><td><a href="http://www.circleid.com/members/620/"><img src="/images/member_photos/photo_620.jpg" border="0" width="60" alt="Paul Vixie" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120111_refusing_refused_for_sopa_pipa/" title="Refusing REFUSED" class="title">Refusing REFUSED</a>by <a href="http://www.circleid.com/members/620/" class="blue">Paul Vixie</a> | Jan 11, 2012 | Viewed 11,860 times</td></tr><tr><td class="rank">#<strong>4</strong></td><td><a href="http://www.circleid.com/members/2459/"><img src="/images/member_photos/photo_2459.jpg" border="0" width="60" alt="Philip S Corwin" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/megabusts_megaquestions_cloud_the_nets_future/" title="MegaBust's MegaQuestions Cloud the Net's Future" class="title">MegaBust's MegaQuestions Cloud the Net's Future</a>by <a 
href="http://www.circleid.com/members/2459/" class="blue">Philip S Corwin</a> | Feb 13, 2012 | Viewed 10,430 times</td></tr><tr><td class="rank">#<strong>5</strong></td><td><a href="http://www.circleid.com/members/2859/"><img src="/images/member_photos/photo_2859.jpg" border="0" width="60" alt="Terry Zink" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120215_anonymous_plans_to_go_after_dns_root_servers/" title="Anonymous Plans to Go After DNS Root Servers. What Will Be the US's Response?" class="title">Anonymous Plans to Go After DNS Root Servers. What Will Be the US's Response?</a>by <a href="http://www.circleid.com/members/2859/" class="blue">Terry Zink</a> | Feb 15, 2012 | Viewed 9,813 times</td></tr><tr><td class="rank">#<strong>6</strong></td><td><a href="http://www.circleid.com/members/773/"><img src="/images/member_photos/photo_773.jpg" border="0" width="60" alt="Naseem Javed" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120724_why_dot_com_kingdom_will_continue_to_rule_post_new_gtlds/" title="Why the Dot Com Kingdom Will Continue to Rule Post New gTLDs" class="title">Why the Dot Com Kingdom Will Continue to Rule Post New gTLDs</a>by <a href="http://www.circleid.com/members/773/" class="blue">Naseem Javed</a> | Jul 24, 2012 | Viewed 9,771 times</td></tr><tr><td class="rank">#<strong>7</strong></td><td><a href="http://www.circleid.com/members/3296/"><img src="/images/member_photos/photo_3296.jpg" border="0" width="60" alt="Garth Bruen" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120327_fake_bank_site_fake_registrar/" title="Fake Bank Site, Fake Registrar" class="title">Fake Bank Site, Fake Registrar</a>by <a href="http://www.circleid.com/members/3296/" class="blue">Garth Bruen</a> | Mar 27, 2012 | Viewed 8,977 times</td></tr><tr><td class="rank">#<strong>8</strong></td><td><a href="http://www.circleid.com/members/5265/"><img src="/images/member_photos/photo_5265.jpg" border="0" width="60" 
alt="Wout de Natris" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121121_why_vint_cerf_is_wrong/" title="Why Vint Cerf is Wrong" class="title">Why Vint Cerf is Wrong</a>by <a href="http://www.circleid.com/members/5265/" class="blue">Wout de Natris</a> | Nov 21, 2012 | Viewed 8,891 times</td></tr><tr><td class="rank">#<strong>9</strong></td><td><a href="http://www.circleid.com/members/1373/"><img src="/images/member_photos/photo_1373.jpg" border="0" width="60" alt="Paul Diaz" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120319_internet_governance_and_the_public_interest/" title="Internet Governance and the Public Interest" class="title">Internet Governance and the Public Interest</a>by <a href="http://www.circleid.com/members/1373/" class="blue">Paul Diaz</a> | Mar 19, 2012 | Viewed 8,384 times</td></tr><tr><td class="rank">#<strong>10</strong></td><td><a href="http://www.circleid.com/members/6756/"><img src="/images/member_photos/photo_6756.jpg" border="0" width="60" alt="Chris Grundemann" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120719_ipv6_subnetting_the_paradigm_shift/" title="IPv6 Subnetting - The Paradigm Shift" class="title">IPv6 Subnetting - The Paradigm Shift</a>by <a href="http://www.circleid.com/members/6756/" class="blue">Chris Grundemann</a> | Jul 19, 2012 | Viewed 8,380 times</td></tr></table>
</p>
<p>
<strong>Top 10 <a href="http://www.circleid.com/news/">News</a> in 2012:</strong>
<br />
<table border="0" cellspacing="0" cellpadding="0" id="topTen"><tr><td class="rank">#<strong>1</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120210_isps_are_not_broadcasters_says_supreme_court_of_canada/" title="ISPs Are Not Broadcasters, Says Supreme Court of Canada" class="title">ISPs Are Not Broadcasters, Says Supreme Court of Canada</a>Feb 10, 2012 | Viewed 35,128 times</td></tr><tr><td class="rank">#<strong>2</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/iran_blocks_https_30_million_reported_losing_email_access/" title="Iran Blocks HTTPS, 30 Million Reported Losing Email Access" class="title">Iran Blocks HTTPS, 30 Million Reported Losing Email Access</a>Feb 11, 2012 | Viewed 11,016 times</td></tr><tr><td class="rank">#<strong>3</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120605_vint_cerf_the_launch_of_a_new_larger_internet/" title="Vint Cerf: The Launch of a New Larger Internet" class="title">Vint Cerf: The Launch of a New Larger Internet</a>Jun 05, 2012 | Viewed 8,257 times</td></tr><tr><td class="rank">#<strong>4</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121109_digital_marketing_gtld_strategy_congress_announce_keynote_speakers/" title="The Digital Marketing &amp; gTLD Strategy Congress Announces Keynote, Speakers, Initial Partnerships" class="title">The Digital Marketing &amp; gTLD Strategy Congress Announces Keynote, Speakers, Initial Partnerships</a>Jan 08, 2013 | Viewed 7,841 times</td></tr><tr><td class="rank">#<strong>5</strong></td><td><img 
src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/akamai_reports_460_times_increase_in_ipv6_requests_over_its_platform/" title="Akamai Reports 460 Times Increase in IPv6 Requests Over Its Platform Since Last Year" class="title">Akamai Reports 460 Times Increase in IPv6 Requests Over Its Platform Since Last Year</a>Oct 22, 2012 | Viewed 6,976 times</td></tr><tr><td class="rank">#<strong>6</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/saudi_arabia_objects_to_certain_proposed_new_gtld_strings_such_as_gay/" title="Saudi Arabia Objects to Certain Proposed New gTLD Strings Such as .Gay and .Wine" class="title">Saudi Arabia Objects to Certain Proposed New gTLD Strings Such as .Gay and .Wine</a>Aug 15, 2012 | Viewed 6,764 times</td></tr><tr><td class="rank">#<strong>7</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120309_department_of_commerce_cancels_iana_contract_rfp/" title="Department of Commerce Cancels IANA Contract RFP" class="title">Department of Commerce Cancels IANA Contract RFP</a>Mar 09, 2012 | Viewed 6,343 times</td></tr><tr><td class="rank">#<strong>8</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121017_special_updates_from_the_icann_meetings_in_toronto/" title="SPECIAL: Updates from the ICANN Meetings in Toronto" class="title">SPECIAL: Updates from the ICANN Meetings in Toronto</a>Oct 17, 2012 | Viewed 5,802 times</td></tr><tr><td class="rank">#<strong>9</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a 
href="http://www.circleid.com/posts/most_us_agencies_expected_to_miss_ipv6_deadline/" title="Most U.S. Agencies Expected to Miss IPv6 Deadline" class="title">Most U.S. Agencies Expected to Miss IPv6 Deadline</a>Sep 28, 2012 | Viewed 5,411 times</td></tr><tr><td class="rank">#<strong>10</strong></td><td><img src="/images/icon_top_ten_news.gif" border="0" width="60" alt="CircleID Reporter" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/website_go_dark_protesting_sopa_and_pipa_senators_change_course/" title="Websites Go Dark Protesting SOPA and PIPA, Senators Change Course" class="title">Websites Go Dark Protesting SOPA and PIPA, Senators Change Course</a>Jan 18, 2012 | Viewed 5,299 times</td></tr></table>
</p>
<p>
<strong>Top 10 <a href="http://www.circleid.com/industry/">Industry News</a> in 2012 (sponsored posts):</strong>
<br />
<table border="0" cellspacing="0" cellpadding="0" id="topTen"><tr><td class="rank">#<strong>1</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120615_markmonitor_offers_new_gtld_application_database/" title="MarkMonitor Offers New gTLD Application Database" class="title">MarkMonitor Offers New gTLD Application Database</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Jun 15, 2012 | Viewed 6,992 times</td></tr><tr><td class="rank">#<strong>2</strong></td><td><a href="http://www.circleid.com/members/6624/"><img src="/images/member_photos/photo_6624.gif" border="0" width="60" alt="DotConnectAfrica" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121023_dotconnectafrica_participates_in_icann_45_toronto_unveils_new_ibca/" title="DotConnectAfrica Participates in ICANN-45 Toronto, Unveils New IBCA Initiative at ICANN Public Forum" class="title">DotConnectAfrica Participates in ICANN-45 Toronto, Unveils New IBCA Initiative at ICANN Public Forum</a>by <a href="http://www.circleid.com/members/6624/" class="blue">DotConnectAfrica</a> | Oct 23, 2012 | Viewed 6,822 times</td></tr><tr><td class="rank">#<strong>3</strong></td><td><a href="http://www.circleid.com/members/4162/"><img src="/images/member_photos/photo_4162.gif" border="0" width="60" alt="Afilias" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20121025_icann_45_new_gtlds_not_far_away_now/" title="ICANN 45: New gTLDs Not Far Away Now" class="title">ICANN 45: New gTLDs Not Far Away Now</a>by <a href="http://www.circleid.com/members/4162/" class="blue">Afilias</a> | Oct 25, 2012 | Viewed 5,676 times</td></tr><tr><td class="rank">#<strong>4</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" 
alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120124_markmonitor_to_exhibit_at_internet_tech_policy_exhibition/" title="MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hill" class="title">MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hill</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Jan 24, 2012 | Viewed 5,355 times</td></tr><tr><td class="rank">#<strong>5</strong></td><td><a href="http://www.circleid.com/members/5387/"><img src="/images/member_photos/photo_5387.gif" border="0" width="60" alt="CentralNic" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120730_centralnic_and_regru_confirm_strategic_partnership/" title="CentralNic and REG.RU Confirm Strategic Partnership" class="title">CentralNic and REG.RU Confirm Strategic Partnership</a>by <a href="http://www.circleid.com/members/5387/" class="blue">CentralNic</a> | Jul 30, 2012 | Viewed 5,244 times</td></tr><tr><td class="rank">#<strong>6</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120217_markmonitor_fraud_intelligence_report_q4_2011/" title="MarkMonitor Fraud Intelligence Report, Q4 2011" class="title">MarkMonitor Fraud Intelligence Report, Q4 2011</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Feb 17, 2012 | Viewed 5,037 times</td></tr><tr><td class="rank">#<strong>7</strong></td><td><a href="http://www.circleid.com/members/4162/"><img src="/images/member_photos/photo_4162.gif" border="0" width="60" alt="Afilias" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120628_afilias_participates_in_global_test_of_multilingual_idn_email/" title="Afilias Participates in Global Test of 
Multilingual IDN Email" class="title">Afilias Participates in Global Test of Multilingual IDN Email</a>by <a href="http://www.circleid.com/members/4162/" class="blue">Afilias</a> | Jun 28, 2012 | Viewed 4,857 times</td></tr><tr><td class="rank">#<strong>8</strong></td><td><a href="http://www.circleid.com/members/4117/"><img src="/images/member_photos/photo_4117.gif" border="0" width="60" alt="Nominum" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120430_implementing_cyber_security_code_of_conduct/" title="Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)" class="title">Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)</a>by <a href="http://www.circleid.com/members/4117/" class="blue">Nominum</a> | Apr 30, 2012 | Viewed 4,665 times</td></tr><tr><td class="rank">#<strong>9</strong></td><td><a href="http://www.circleid.com/members/3844/"><img src="/images/member_photos/photo_3844.gif" border="0" width="60" alt="MarkMonitor" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/201209005_top_level_domain_survey_findings_not_surprising_but_concerning/" title="Top-Level Domain Survey Findings Not Surprising, But Still Concerning" class="title">Top-Level Domain Survey Findings Not Surprising, But Still Concerning</a>by <a href="http://www.circleid.com/members/3844/" class="blue">MarkMonitor</a> | Sep 05, 2012 | Viewed 4,509 times</td></tr><tr><td class="rank">#<strong>10</strong></td><td><a href="http://www.circleid.com/members/1858/"><img src="/images/member_photos/photo_1858.gif" border="0" width="60" alt="PIR" /></a></td><td width="100%"><a href="http://www.circleid.com/posts/20120814_public_interest_registry_releases_bi_annual_domain_name_report/" title="Public Interest Registry Releases Results of Bi-Annual Domain Name Report" class="title">Public Interest Registry Releases Results of Bi-Annual Domain Name Report</a>by <a 
href="http://www.circleid.com/members/1858/" class="blue">PIR</a> | Aug 14, 2012 | Viewed 4,462 times</td></tr></table>
</p>
<p>
You can also check the leaderboards for CircleID's overall top 100 <a href="http://www.circleid.com/community/top_100"><strong>community</strong></a> and <a href="http://www.circleid.com/industry/leaderboard/"><strong>industry</strong></a> participants.
</p><p><em>Written by <a href="http://www.circleid.com/members/501/">CircleID Reporter</a></em></p>]]></description>
			<dc:date>2013-01-10T09:34:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>censorship</category><category>cloud_computing</category><category>cyberattack</category><category>cybercrime</category><category>ddos</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>ipv6</category><category>law</category><category>malware</category><category>mobile</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>telecom</category><category>top_level_domains</category><category>web</category>
		</item>
		
		<item>
			<title>Exploits, Curdled Milk and Nukes (Oh my!)</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121220_exploits_curdled_milk_and_nukes_oh_my/</guid>
			<link>http://www.circleid.com/posts/20121220_exploits_curdled_milk_and_nukes_oh_my/</link>
			<description><![CDATA[<p>Throughout the second half of 2012 many security folks have been asking "how much is a zero-day vulnerability worth?" and it's often been hard to believe the numbers that have been (and continue to be) thrown around. For the sake of clarity though, I do believe that it's the wrong question&#8230; the correct question should be "how much do people <em>pay for working exploits</em> against zero-day vulnerabilities?"
</p>
<p>
The answer in the majority of cases tends to be "it depends on who's buying and what the vulnerability is", regardless of the question's particular phrasing.
</p>
<p>
On the topic of exploit development, last month I wrote an article for DarkReading covering <a href="http://www.darkreading.com/security/news/240142392/the-business-of-commercial-exploit-development.html" target="_blank">the business of commercial exploit development</a>, and in that article you'll probably note that I didn't discuss the prices of what the exploits are retailing for. That's because of my elusive answer above&#8230; I know of some researchers with their own private repository of zero-day remote exploits for popular operating systems <em>seeking</em> $250,000 per exploit, and I've <em>overheard</em> hushed bar conversations that certain US government agencies will beat any foreign bid by four-times the value.
</p>
<p>
But that's only the thin edge of the wedge. The bulk of zero-day (or nearly zero-day) exploit purchases are for popular consumer-level applications &#8212; many of which are region-specific. For example, a reliable exploit against <a href="http://en.wikipedia.org/wiki/Tencent_QQ" target="_blank">Tencent QQ</a> (the most popular instant messenger program in China) may be more valuable than an exploit in Windows 8 to certain US, Taiwanese, Japanese, etc. clandestine government agencies.
</p>
<p>
More recently, some of the conversations about exploit sales and purchases by government agencies have focused on the cyberwar angle &#8212; in particular, that some governments are trying to build a "cyber weapon" cache, that unlike kinetic weapons these could expire at any time, and that it's all a waste of effort and resources.
</p>
<p>
<span style="font-size:85%;color:#666666;padding:0 0 2px 7px;margin:0 0 10px 10px;border-left:1px solid #ddd;width:200px;float:right;line-height:1.3em;"><a href="http://www.circleid.com/images/uploads/7089a.jpg"><img src="http://www.circleid.com/images/uploads/7089a.jpg" border="0" style="display:block;margin-bottom:10px;width:200px;" /></a><a href="http://www.circleid.com/images/uploads/7089b.jpg"><img src="http://www.circleid.com/images/uploads/7089b.jpg" border="0" style="display:block;margin-bottom:10px;width:200px;" /></a><strong>National Museum of Nuclear Science &amp; History</strong> &ndash; Polaris Missile (top), Minuteman missile part? (bottom) <em>Click images to enlarge</em></span>I must admit, up until a month ago I was leaning a little towards that same opinion. My perspective was that it's a lot of money to spend on something that will most likely sit on the shelf and expire into uselessness before it could ever be used. And then I happened to visit the <a href="http://www.nuclearmuseum.org/" target="_blank">National Museum of Nuclear Science &amp; History</a> on a business trip to Albuquerque.
</p>
<p>
For those of you who have never heard of the place, it's a museum that plots out the history of the nuclear age and the evolution of nuclear weapon technology (and I encourage you to visit!).
</p>
<p>
Anyhow, as I literally strolled from one (decommissioned) nuclear missile to another &#8212; each lying on its side, rusting and corroding away, having never been used &#8212; it finally hit me: governments have been doing the same thing for the longest time, and cyber weapons really are no different!
</p>
<p>
Perhaps it's the physical realization of "it's better to have it and not need it, than to need it and not have it", but as you trace the billions (if not trillions) of dollars that have been spent by the US government over the years developing each new nuclear weapon delivery platform, deploying it, manning it, eventually decommissioning it, and replacing it with a new and more efficient system&#8230; well, it makes sense and (frankly) it's laughable how little money is actually being spent in the cyber-attack realm.
</p>
<p>
So what if those zero-day exploits, purchased for measly six-figure wads of cash, curdle like last month's milk? That price wouldn't even cover the cost of painting the inside of a decommissioned missile silo.
</p>
<p>
No, the reality of the situation is that governments are getting a bargain when it comes to constructing and filling their cyber weapon caches. And, more to the point, the expiry of those zero-day exploits is a well understood aspect of managing an arsenal  &#8212;  conventional or otherwise.
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, Chief Technology Officer at IOActive</em></p>]]></description>
			<dc:date>2012-12-21T15:55:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Nominum Releases New Security Intelligence Application</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121219_nominum_releases_new_security_intelligence_application/</guid>
			<link>http://www.circleid.com/posts/20121219_nominum_releases_new_security_intelligence_application/</link>
			<description><![CDATA[<p>Nominum&trade;, the world's leading provider of integrated subscriber, network, and security solutions for network operators, today announced the availability of the <a href="http://www.nominum.com/products/applications/security-intelligence/">Security Intelligence application</a>, a component of Nominum's <a href="http://www.nominum.com/solutions/security/">Network Security Solution</a> that provides threat detection, threat mitigation and threat visibility. The Security Intelligence application provides comprehensive threat visibility by using continuously updated data to provide up-to-the-minute in-network protection and reporting for an organization's network and customers against the latest Internet threats.
</p>
<p>
Benefits of the Security Intelligence application include:
</p>
<ul><li>In-network threat reporting that doesn't require sending data off the customer's network;</li>
<li>Visibility into the most prevalent and highest priority threats on a network helps prioritize security operations' workload;</li>
<li>Ability to search for infected users by IP address or network range helps identify and assist infected subscribers and businesses;</li>
<li>Detailed threat information for all infected users helps identify the risks to subscribers and aids remediation efforts;</li>
<li>Effective security monitoring while being unobtrusive on network resources.</li></ul>
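<p>
The announcement above describes the capabilities (match subscriber traffic against a continuously updated threat feed, search infected users by IP address or network range, rank the most prevalent threats) but not the mechanics. The example below is an added illustration, not Nominum's code or data, and it assumes the in-network data source is a DNS resolver query log, which the announcement does not state; the indicator domains, the log lines and the 2012-12-19 timestamps are constructed for the example.
</p>

```python
import ipaddress
from collections import defaultdict

# Constructed indicator list (hypothetical C2 domains) and a constructed resolver
# query log. A real feed is refreshed continuously; literals keep the example offline.
INDICATORS = {"cnc.badexample.net", "update.badexample.org"}

SAMPLE_LOG = """\
2012-12-19T10:03:01Z 10.20.30.40 A www.example.com
2012-12-19T10:03:02Z 10.20.30.41 A cnc.badexample.net
2012-12-19T10:03:03Z 10.20.31.7 A beacon.cnc.badexample.net
2012-12-19T10:03:04Z 10.20.30.41 TXT update.badexample.org
2012-12-19T10:03:05Z 192.0.2.9 A cnc.badexample.net
2012-12-19T10:03:06Z 10.20.30.42 A xcnc.badexample.net
"""


def match_indicator(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Walking label boundaries avoids the raw-suffix bug where
    'xcnc.badexample.net'.endswith('cnc.badexample.net') would be a false positive.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def infected_clients(log_text, indicators, network=None):
    """Map client IP -> {indicator: query count}, optionally limited to a CIDR range."""
    net = ipaddress.ip_network(network, strict=False) if network else None
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Constructed format: timestamp client qtype qname
        _ts, client, _qtype, qname = line.split()[:4]
        indicator = match_indicator(qname, indicators)
        if indicator is None:
            continue
        if net is not None and ipaddress.ip_address(client) not in net:
            continue
        hits[client][indicator] += 1
    return {client: dict(counts) for client, counts in hits.items()}


def top_threats(hits):
    """Rank indicators by number of distinct infected clients, most prevalent first."""
    clients_per_indicator = defaultdict(set)
    for client, counts in hits.items():
        for indicator in counts:
            clients_per_indicator[indicator].add(client)
    return sorted(((ind, len(c)) for ind, c in clients_per_indicator.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    all_hits = infected_clients(SAMPLE_LOG, INDICATORS)
    for client, counts in sorted(all_hits.items()):
        print(client, counts)
    print("most prevalent:", top_threats(all_hits))
    print("in 10.20.30.0/24:", infected_clients(SAMPLE_LOG, INDICATORS, "10.20.30.0/24"))
```

<p>
Two details matter in practice: matching on label boundaries (a subdomain of an indicator is a hit, a longer name that merely ends in the same characters is not), and filtering by <code>ipaddress.ip_network</code> rather than by string prefix, so a search for a /24 does not accidentally include neighbouring ranges.
</p>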
<p>
Enabled by the <a href="http://www.nominum.com/products/platform/">Nominum N2 Platform</a>, the Security Intelligence application is the most recent milestone in creating the first closed-loop solution for quickly and cost-effectively delivering managed security services for businesses and consumers.
</p>
<p>
The Nominum N2 Platform is the revolutionary technology that enables network operators to deliver data-rich applications faster, with more functionality and at a lower total cost of ownership.
</p>]]></description>
			<dc:date>2012-12-19T10:03:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>dns</category><category>ip_addressing</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Cyber Security: A Duty to Care?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121213_cyber_security_a_duty_to_care/</guid>
			<link>http://www.circleid.com/posts/20121213_cyber_security_a_duty_to_care/</link>
			<description><![CDATA[<p>Yesterday, in my post on three new threats in one day (click <a href="http://www.circleid.com/posts/20121212_three_new_cyber_security_threats_in_one_day/">here</a>), I posed the question whether it is necessary to develop regulations that set a minimum standard of cyber security for devices that connect to the Internet. I'm having second thoughts, which I'll explain below, but I will also try to look at a way forward and ask you to engage.
</p>
<p>
<strong>IGF 2012, Workshop 87</strong>
</p>
<p>
In this workshop on international cooperation and critical (Internet) infrastructure, the debate was also about standards. There was a very clear call not to regulate security standards, for two reasons. A minimum standard becomes the level everyone settles for, whereas at present companies try to better themselves each and every day. As the panellist from Google said:
</p>
<blockquote><p><em>"If you have a treaty or regulation that sets a bar, typically what businesses will do will think as long as I hit that regulation, I'm fine. Whereas right now, you have people constantly striving to be better and have higher and higher bars..."</em></p></blockquote>
<p>
Everyone on the panel, from very different backgrounds, seemed to agree with this.
</p>
<p>
This may be true for companies like Google and SIDN, for anti-virus vendors, for CERTs, etc. On the other hand it's quite clear that for companies more on the fringes of the Internet, cyber security does not seem to be a priority, at least where the product for the end user is concerned. Whether this has a financial background, stems from ignorance or from naiveté towards the Internet, I do not know. Probably a combination. It doesn't really matter; what does matter is that this behaviour has to change. How to go about this?
</p>
<p>
(There is a transcription of workshop 87 on the IGF website on <a href="http://wsms1.intgovforum.org/2012/Transcripts?order=title&amp;sort=desc">this</a> page (although it is not complete) and the report is on the NLIGF website <a href="http://nligf.nl/index.php/nieuws/P0/verslag_workshop_cross_border_cooperation_in_incidents_involving_internet_c">here</a>.)
</p>
<p>
First I look at an example of minimum regulation and its effect on the Dutch National Railways (NS), which made me doubt regulation.
</p>
<p>
<strong>Minimum standards. A good thing?</strong>
</p>
<p>
I <a href="http://www.nrc.nl/nieuws/2012/12/11/ns-en-prorail-onder-verscherpt-toezicht-gesteld/">found</a> the inspiration for this post last night while reading NRC Handelsblad. The Dutch Safety Board (Onderzoeksraad voor Veiligheid) released a report on a train accident which caused one death, 24 serious injuries and 165 injuries in total. The story is quite telling on two counts, which, I think, are directly comparable to Internet security, as you will see.
</p>
<p>
Before giving the facts of this story I have to explain the following. Since the liberalisation of the railways, the national company has been split into several companies, among them the train operator (NS) and the rail infrastructure manager (ProRail). This complicates the story a little, but let's pretend it is still one company, as that does not change the insight I've gained. The report delivers the following facts on NS:
</p>
<blockquote><p>- new trains meet only the bare minimum of technical standards;
<br />
- the decorations in the train were not checked for security;
<br />
- chairs are made to clean easily but are dangerous for passengers;
<br />
- tables are too thin and caused the death and serious injuries;
<br />
- the security system is mainly still based on 1950s technology;
<br />
- during construction work the network is over-used;
<br />
- 150 times a year a red light is ignored, in many cases with no emergency brake in place;</p></blockquote>
<p>
In short, NS has for years cut the budget for securing its network optimally, backed by budgets determined at government level, I suppose. Perhaps the question whether one major accident a year is acceptable is at work here. The other examples concern the interior of the trains: cleanliness over security, and decorations that may not have been tested properly, endangering the passengers/customers. NS has not adhered to a duty of care towards its customers, one conclusion reads.
</p>
<p>
The main question, however, is whether NS would have performed better without regulation, without the minimum standard for technical security. At present it seems to stick to the minimum requirements, with the present results for in-car security for the passengers. That looks like a point for Google in this discussion.
</p>
<p>
Let's go back to the Internet world.
</p>
<p>
<strong>How to engage industry?</strong>
</p>
<p>
More and more devices will connect to the Internet over the next few years: "the Internet of things". From coffee machines to refrigerators, TVs, air conditioners, perhaps even the dog's leash. Who knows? Every single device will need built-in security, protecting the end user from harm. Let me give some examples of threats I can think of.
</p>
<p>
Expensive TV programmes ordered through hacks, at high cost to the unsuspecting end user? Fridges that order new stock for delivery to other addresses? Garage doors opened through hacks? Cars that could do ...? Game consoles that spy on the use of other devices in the home? I'm just guessing here from past examples of SMS scams, autodialers, spying webcams, etc.
</p>
<p>
I often suspect that the technical ability to do something leads to implementation, while cyber security is only thought of afterwards. Money was saved, processes automated, remote access granted, etc., leading to high costs to mend things later. We are on this road again, towards the Internet of things. How can we avoid making the same mistakes? How can high-tech device and appliance companies be engaged in discussions on security before the product is unleashed on a totally unaware public?
</p>
<p>
What about engaging these companies through an organisation like MAAWG? Awareness raising, training, and the exchange of useful knowledge that is already available in the Internet industry, to prevent further harm? Determining the current best practices together and implementing them? It sounds like a plan. But who makes themselves available to do the outreach, the invitations, the programme building? Still, these are steps that need to be taken to secure the Internet of the future.
</p>
<p>
Would it be an idea to impose a duty of care for the customer where (all) Internet-related products are concerned? Not a regulation of minimum standards, but a duty to deliver secure products at ever-improving, competitive standards? And who deals with negligent companies: consumer authorities, judges?
</p>
<p>
<strong>What is the way forward?</strong>
</p>
<p>
This is just an idea. There may be other ways. What are your ideas? Let's try to put them together and discuss them. Something needs to happen soon, and every day lost is a day wasted where cyber security is concerned. I'm looking forward to hearing your ideas.
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-12-13T07:53:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>internet_governance</category><category>law</category><category>malware</category><category>policy_regulation</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Three New Cyber Security Threats in One Day</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121212_three_new_cyber_security_threats_in_one_day/</guid>
			<link>http://www.circleid.com/posts/20121212_three_new_cyber_security_threats_in_one_day/</link>
			<description><![CDATA[<p>Internet crooks never cease to surprise me. Their inventiveness in being bad is remarkable. If these guys lent their thinking power to the economy, the economic crisis would be solved within a week.
</p>
<p>
Today I ran into reports of three brand new cyber security threats. In one day. So I thought I would share them with you.
</p>
<p>
<strong>1. Samsung's smart TV wide open to criminals</strong>
</p>
<p>
Who would have thought? The moment I read about TVs connecting to the Internet, I thought: <a href="http://www.theregister.co.uk/2012/12/12/smart_tv_pwned/">trouble</a>. Despite the fact that just about everything that connected to the Internet before the TV was hacked, e.g. printers, digital photo frames, cell phones, PlayStations, etc., apparently no one in the TV world thought that a layer of defence might be necessary. Perhaps it's time to work with sanctions, or to develop some standards a device has to meet before it is allowed to connect?
</p>
<p>
What is next? Sorry if I'm a bit sarcastic here.
</p>
<p>
<strong>2. QR codes that lead to malicious sites</strong>
</p>
<p>
QR stands for Quick Response (<em>see</em> <a href="http://en.wikipedia.org/wiki/QR_code">Wikipedia</a>). Recently these codes have been everywhere, making life easier for end users, or of course for businesses.
</p>
<p>
In The Netherlands <a href="http://www.security.nl/artikel/44288/1/Kwaadaardige_QR-codes_op_drukke_locaties_ontdekt.html">stickers</a> have been found pasted over QR codes in public places, leading to malicious websites for infections or phishing. So from now on the public can never trust a QR code again, as there is no way of telling from the code itself whether it is genuine. Please check whether a sticker has been pasted over the code before using it.
</p>
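<p>
Since a QR code carries nothing that proves where it came from, the only check left is on the decoded text before the scanner opens it. The function below is an added example, not code from the post or from the security.nl report: it takes the string a scanner has already decoded and flags the tricks a sticker campaign relies on (non-URL payloads, plain http, a fake host before an "@", a bare IP address, look-alike internationalised names, URL shorteners, and hosts that are not the expected one or a subdomain of it). The expected host <code>example-museum.nl</code> and the shortener list are assumptions made for the example.
</p>

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical host the printed poster claims to belong to (assumption for the example).
EXPECTED_HOST = "example-museum.nl"

# Common URL shorteners (constructed list): a shortener in a public QR code hides the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd", "ow.ly"}


def assess_qr_payload(payload, expected_host):
    """Return a list of warnings for the text decoded from a QR code.

    An empty list means the payload is an https URL on expected_host (or a
    subdomain of it) with none of the usual deception tricks. The QR decoding
    itself (camera, zbar, ...) is out of scope; this takes the decoded string.
    """
    warnings = []
    text = payload.strip()
    if not text.lower().startswith(("http://", "https://")):
        # WIFI:, tel:, mailto:, javascript: and friends are not what a ticket poster carries.
        warnings.append("payload is not an http(s) URL")
        return warnings

    parts = urlsplit(text)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower().rstrip(".")

    if parts.scheme.lower() != "https":
        warnings.append("plain http, content can be altered in transit")
    if parts.username is not None:
        # https://expected.nl@evil.example/ shows the expected name first but goes to evil.example
        warnings.append("userinfo before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a hostname")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised hostname, check for look-alike characters")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    if not (host == expected or host.endswith("." + expected)):
        # Suffix check keeps the leading dot: expected.nl.evil.example must not pass.
        warnings.append("host %r is not %r or a subdomain of it" % (host, expected))
    return warnings


if __name__ == "__main__":
    # Constructed payloads, as a scanner would hand them over.
    for sample in ("https://example-museum.nl/tickets",
                   "http://bit.ly/abc123",
                   "https://example-museum.nl@evil.example/x",
                   "WIFI:T:WPA;S:free;P:pw;;"):
        print(sample, "->", assess_qr_payload(sample, EXPECTED_HOST) or "ok")
```

<p>
The host comparison is the part most often got wrong: <code>endswith("." + expected)</code> accepts <code>tickets.example-museum.nl</code> but rejects <code>example-museum.nl.evil.example</code>, and reading <code>parts.hostname</code> rather than the raw netloc means a <code>user@</code> prefix cannot smuggle the expected name past the check.
</p>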
<p>
<strong>3. Bluetooth devices in skimming</strong>
</p>
<p>
Now that the public is more alert to skimming, apparently there is a <a href="http://www.kcra.com/news/Thieves-use-Bluetooth-enabled-skimming-devices-at-gas-pumps/-/11797728/17726964/-/dpn6k9z/-/index.html">new generation</a> of skimmers that works via Bluetooth. Interesting.
</p>
<p>
Luckily the FBI dismantled a botnet with the help of Facebook, so there is also some <a href="http://www.computerworld.com/s/article/9234617/US_law_enforcement_busts_cybercrime_rings_with_help_from_Facebook">good news</a> in the balance.
</p>
<p>
<strong>The moral</strong>
</p>
<p>
Cyber crime is about opportunity, and this window of opportunity needs to be closed as soon as possible. That way there is less money to be gained, so most criminals will go elsewhere. To achieve this, cooperation is paramount, on which I expect to write more in the near future. But also, and I repeat, it's time to think security through before decisions on connectivity are made. Don't do something just because you can!
</p><p><em>Written by <a href="http://www.circleid.com/members/5265/">Wout de Natris</a>, Consultant international cooperation cyber crime + trainer spam enforcement</em></p>]]></description>
			<dc:date>2012-12-12T08:54:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>malware</category><category>policy_regulation</category><category>security</category>
		</item>
		
	</channel>
</rss>