Saturday, June 27, 2009

New ICANN Director Snubs EU Calls for Changes

Via the Sofia Echo.

Newly appointed ICANN director Rod Beckstrom did not waste any time in replying to European Union pressure to cut ties between ICANN and the US government.

Technology news broadcaster summed up the message of Beckstrom's first media conference as "the internet works fine, so there's little need for change."

Only weeks before, the European Commission (EC) had called for "an open, independent and accountable governance of the internet," lending support to suggestions from EU commissioner for Information Society and Media Viviane Reding, who, in a video blog on her site, had called for a "globally responsible, privatised ICANN."

Both the EC and Reding called for "multilateral accountability," including the set up of what Reding called "G-12 for Internet Governance." This organisation was to be "a small, independent international tribunal" that would oversee the working of ICANN and that would include two representatives from each North America, South America, Europe and Africa, three representatives from Asia and Australia, as well as the Chairman of ICANN as a non-voting member.

Beckstrom, who is a former director of the US National Cybersecurity Center (NCSC), said that 80 countries were already represented in the Governmental Advisory Committee, an ICANN advisory body.

"Clearly, everyone at ICANN hopes that all the nations in the world will come and participate in that, and it is a vital group that feeds directly into the board, which is the policy decision-making body of ICANN," quoted Beckstrom as saying.

"So there is already a mechanism there for international participation," he said.

More here.

Props: Domain News

U.S. and Russia Differ on a Treaty for Cyber Space

John Markoff and Andrew E. Kramer write in The New York Times:

The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet.

Both nations agree that cyberspace is an emerging battleground. The two sides are expected to address the subject when President Obama visits Russia next week and at the General Assembly of the United Nations in November, according to a senior State Department official.

But there the agreement ends.

Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.

The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.

More here.

Friday, June 26, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, June 26, 2009, at least 4,318 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,455 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is one fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, June 26, 2009, at least 639 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Friday at 10 a.m. EDT.

Of those, the military reports 473 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

U.S. Intelligence: From the Outside

Josh Kerbel writes on the Foreign Policy "The Argument" Blog:

In the last decade, globalization and interconnectivity have turned the world of information on its head. Every industry -- from journalism to telecommunications -- is hurrying to adapt, hoping to outpace the creep of irrelevance. Every industry, that is, except mine: the intelligence business. Like Nero fiddling while Rome burned, we seem happy believing that our prevailing business model is not defunct -- not a relic of another time. Unless we make fundamental changes in the way we conduct our business, the relevance of intelligence can only decline.

The U.S. intelligence community still largely operates as it did during the Cold War. In general terms, it is a secret collection-centric model. Analysts prize classified information over open-source material, which inevitably leads to compartmentalization. Data availability, rather than analytical requirements, drives their analysis. Because there are no collectable facts about the future, analysts tend to focus on the present (though there is a heavy emphasis on preventing surprises, like the next September 11-style attack). And finally, the intelligence community measures success mostly by the quantity of products it produces, not by the policy outcomes those products help achieve.

This reactive model was built for yesteryear -- a more static world in which it was possible to know exactly where to look (at the Soviet Union) and why (the Cold War), access was severely restricted (secret collection was vital), and warning (especially of military action) was of the utmost importance.

Today's more complex strategic environment offers few, if any, of those characteristics.

More here.

Filtering Companies Can’t Be Sued By Blacklisted Firms, Court Rules

David Kravets writes on Threat Level:

A federal appeals court, in the first decision of its kind, said Thursday that companies providing malware, spyware and adware blocking services are immunized by the Communications Decency Act of 1996 from lawsuits claiming unfair business practices.

A three-judge panel of the 9th U.S. Circuit Court of Appeals found that the CDA treats security software makers the same as internet service providers when they block material they find objectionable, granting them so-called “good Samaritan” immunity from civil lawsuits. Like an ISP, such companies provide an “interactive computer service” because they pull updates from a central server, the San Francisco-based appeals court said.

“We conclude that a provider of access tools that filter, screen, allow, or disallow content that a provider or user considers obscene, lewd, lascivious, filthy, or excessively violent, harassing or otherwise objectionable is protected from liability,” the court ruled. [.pdf].

The case concerned adware-maker Zango, which provided access to online videos, games, music, tools and utilities to web surfers who agreed to view advertisements while surfing the internet. Among other charges, the Washington State company accused Kaspersky Lab of illegally blocking a toolbar program that displayed links to advertisers.

More here.

Blue Chip FTP Logins Found on Cyber Crime Server

John Leyden writes on The Register:

Security researchers have found a treasure chest of FTP passwords, some from high profile sites, on an open cybercrime server.

Jacques Erasmus, CTO at security tools firm Prevx, stumbled across a site where a Trojan is uploading FTP login credentials captured from compromised machines. So far, Erasmus has found logins for,,, and, even security sites including and along the extensive list of more than 68,000.

Other login credentials refer to the Bank of America, one of the few organisations PrevX has had time to notify directly at the time of writing.

Initial investigations suggest the logins were swiped during the last two weeks and that at least some remain valid. The breach therefore opens the door for hackers to upload drive-by download scripts and other nasties onto compromised sites. PrevX is running scans to detect rogue iFrames on potentially vulnerable sites, and is yet to see any evidence that this has actually happened.

Erasmus explained that the FTP login data is getting uploaded by a variant of the zbot Trojan onto a server hosted in China, where they are stored in plain text and thus potentially open to all and sundry to find and abuse. PrevX has filed an abuse complaint against the site with the hosting provider.

More here.

Network Shutdown Bill Faces Changes, Aide Says

Grant Gross writes on PC World:

A bill in the U.S. Senate that would allow President Barack Obama to shut down parts of the Internet during a cybersecurity crisis will likely be rewritten and needs input from private businesses, said a congressional staff member associated with the legislation.

The Cybersecurity Act of 2009 [.pdf], introduced in April by Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, contains "imperfect" language, said Ellen Doneski, chief of staff for the Senate Commerce, Science and Transportation Committee.

The bill, among other things, allows the U.S. president to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." The sponsors of the bill are looking for input on that section and other parts of the bill, said Doneski, who works for Rockefeller, the committee chairman.

More here.

Thursday, June 25, 2009

Mark Fiore: Power Cling!

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

ICANN Hires Former Cyber Security Chief as New CEO

Rod Beckstrom

An AP newswire article by Anick Jesdanun, via, reports that:

The Internet agency with key oversight of the monikers behind every Web site, e-mail address and Twitter post named former U.S. cybersecurity chief Rod Beckstrom Friday as its next chief executive.

The board of the Internet Corporation for Assigned Names and Numbers approved his hiring in a voice vote Friday as ICANN capped weeklong meetings in Sydney, Australia. Beckstrom becomes CEO next Wednesday.

Beckstrom, who had resigned after less than a year as cybersecurity director amid persistent turf battles, brings credentials in industry, government and diplomacy — but little direct experience with domain names and broader Internet addressing issues, ICANN's chief mission.

In an interview with The Associated Press, Beckstrom said that won't be a problem because he saw his job as bringing various constituencies with various expertise together, rather than creating policies himself.

"Our job at ICANN is to facilitate that dialogue and process," he said. "I don't see myself as being the leading source or expert."

More here.

U.S. Senate Approves Genachowski as FCC Chair

Via Reuters.

The U.S. Senate on Thursday approved the Obama administration's nomination of Julius Genachowski, a telecommunications industry executive, to head the Federal Communications Commission.

Genachowski is set to chair the five-member panel that will be dominated by Democrats seeking to bring more power to consumers and extend high-speed Internet access to rural parts of the United States.

The Senate also approved renewing the FCC term for Republican Robert McDowell.

The FCC's broad mandate includes regulation of telephone and cable companies, oversight of ownership of radio and television outlets and management of public airwaves.

More here.

Toon of The Day: Hiking

By Mike Luckovich, via

DoD Cyber Command: Observers Worry About Unintended Consequences

John S. Monroe writes on

The Defense Department’s new U.S. Cyber Command is now the cybersecurity heavyweight in the government division, according to numerous media accounts.

Defense Secretary Robert Gates and other Defense Department officials have emphasized that the new organization, which will be commanded by the director of the National Security Agency (NSA), would have a clearly defined role: Protecting military networks and conducting offensive cyber operations against hostile forces.

But the sheer size and importance of DOD’s military operations have caused some observers to wonder about how big an effect the Cyber Command might have outside its own domain.

More here.

International Politics Slows Full Deployment of DNSSEC

William Jackson writes on

A growing number of generic top-level domains, including .gov and .org, are deploying DNS Security Extensions to help ensure the reliability of the Domain Name System. But full deployment of the extensions is moving at a glacial pace.

Part of the problem is the complexity of managing the cryptographic keys used to sign DNS data and authenticate queries and responses. But one Commerce Department official said another part of the problem is international concern about the United States controlling the Internet. In many cases, the challenges faced are diplomatic rather than technical. The official likened the process of bringing the international community on board to herding cats.

Commerce has put much of the job of managing the Internet into the hands of the Internet Corporation for Assigned Names and Numbers, a nonprofit organization formed for that purpose. But Congress is unwilling to give up its oversight of a network the Defense Department originally created, and that worries some who see the Internet as a global resource.

More here.

In Passing: Michael Jackson

Michael Jackson
August 29, 1958 - June 25, 2009

Iranian Hackers Attack The U.S.

Nick Farrell writes on The Inquirer:

Supporters of Iran's President Mahmoud Ahmadinejad, who recently was announced to have won an election before many of the votes had even been counted, have been hacking into US websites.

Hackers defaced the home page of the Oregon University System, posting a message telling President Barack Obama to mind his own business and stop talking about the disputed Iranian election.

More here.

Scareware Peddlers Will Only Fork Over $116,000 of $1.9M Settlement

Michael Cooney writes on the NetworkWorld "Layer 8" Blog:

Two defendants charged in a massive scareware scheme will reconcile Federal Trade Commission charges and give up more than $116,000 in assets as part of an original $1.9 million settlement.

The two settling defendants -- James Reno and ByteHosting Internet Services, LLC -- were allegedly part of a massive deceptive advertising scheme that tricked more than a million consumers into buying rogue computer security products, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, according to the FTC's complaint. The scheme allegedly relied on deceptive advertisements featuring bogus computer "scans" that falsely claimed to detect viruses, spyware, and illegal pornography on consumers' computers.

The settlement imposes a judgment of nearly $1.9 million but under a court agreement, all but $116,697 of the judgment will be suspended based on the defendants' inability to pay the full amount, the FTC stated.

More here.

In Passing: Farrah Fawcett

Farrah Fawcett
February 2, 1947 - June 25, 2009

Wednesday, June 24, 2009

Quote of The Day:

"Dick Cheney, former vice president, defense secretary and White House chief of staff, has signed a reported $2 million deal with Simon & Schuster to publish his memoirs as a public official in four administrations. Bets are it’ll be a thriller marked with torture, stolen elections, war and, hopefully, no sex."


Defense Secretary Gates Approves U.S. Cyber Command

Jaikumar Vijayan writes on ComputerWorld:

Defense Secretary Robert Gates today approved the creation of a unified U.S. Cyber Command to oversee the protection of military networks against cyber threats.

In a memorandum issued today to the Joint Chiefs of Staff, Gates said he intends to recommend to the President that the new command be led by the director of the National Security Agency (NSA) Lt. General Keith Alexander.

Gates directed the Commander of the U.S. Strategic Command, General Kevin Chilton, to develop implementation plans for USCYBERCOM, as the new unified command will be called.

The plans are due by Sept. 1 and need to include the new command's mission, roles and responsibilities, reporting structures, and accountability measures, Gates said.

The new command will most likely be headquartered in Fort Meade, MD, and will reach initial operating capabilities by October, and full operating capability by October 2010, Gates said in his memo.

The "subordinate unified" cyber command will operate under U.S. Strategic Command for military cyberspace operations.

More here.

SCADA Watch: AT&T Enters Smart Grid Sensor Business

Brad Reese writes on NetworkWorld:

Now that the United States has committed $4.5 billion to implement so-called smart grid technology over its energy infrastructure, AT&T is trying to stay ahead of the curve by getting into the smart grid sensor business.

AT&T Wednesday announced a deal with energy technology vendor Cooper Power Systems to jointly sell and market sensor devices that will be activated on smart grid power networks. The sensors will run over AT&T's wireless data network and AT&T says they will deliver "real-time performance data" to help utility companies "efficiently operate their electric grids, reduce the need for on-site inspection and identify and solve problems that could cause outages or increase system energy losses."

More here.

Tuesday, June 23, 2009

In Passing: Ed McMahon

Ed McMahon
March 6, 1923 – June 23, 2009

Monday, June 22, 2009

White House to Abandon Domestic Spy-Satellite Program

Siobhan Gorman writes on the Wall Street Journal:

The Obama administration plans to kill a controversial Bush administration spy satellite program at the Department of Homeland Security, according to officials familiar with the decision.

The program came under fire from its inception two years ago. Democratic lawmakers said it would lead to domestic spying.

The program would have provided federal, state and local officials with extensive access to spy-satellite imagery — but no eavesdropping capabilities — to assist with emergency response and other domestic-security needs, such as identifying where ports or border areas are vulnerable to terrorism.

It would have expanded an Interior Department satellite program, which will continue to be used to assist in natural disasters and for other limited security purposes such as photographing sporting events. The Wall Street Journal first revealed the plans to establish the program, known as the National Applications Office, in 2007.

More here.

'Clear' Shuts Down Registered Traveler Lanes

Benet Wilson writes on the Aviation Week "Things With Wings" Blog:

Verified Identity Pass’s Clear registered traveler lanes, located at 20 airports, are shutting down at 11:00 p.m. Pacific time tonight.

The company web site was blank except for a white page with the official statement and no calls were returned. Clear said it was “unable to negotiate an agreement with its senior creditor to continue operations.”

Orlando International Airport spokeswoman Carolyn Fennell said they had not received notice until late this afternoon via email that Clear was ceasing operations. "We haven't had time to evaluate the impact or get further information," she said.

The pilot program was rolled out with great fanfare July 18, 2005, in Orlando. Travelers initially paid $99 a year for a card that was supposed to target those who posed a minimum security risk, and give them a special line that would process them through airport security more quickly.

The Transportation Security Administration (TSA) was slow to release the program from the pilot phase, finally giving the green light to roll out the program in January 2007. The program hit a snag after TSA halted the use of GE SRT kiosks designed to serve as a shoe scanner and explosives detection system, blunting one of the program’s key benefits – allowing passengers to keep on shoes and jackets, and keep laptop computers in their bags.

More here.


Iran's Web Spying Aided By Nokia, Siemens

Christopher Rhoads and Loretta Chao write in The Wall Street Journal:

The Iranian regime has developed, with the assistance of European telecommunications companies, one of the world's most sophisticated mechanisms for controlling and censoring the Internet, allowing it to examine the content of individual online communications on a massive scale.

Interviews with technology experts in Iran and outside the country say Iranian efforts at monitoring Internet information go well beyond blocking access to Web sites or severing Internet connections.

Instead, in confronting the political turmoil that has consumed the country this past week, the Iranian government appears to be engaging in a practice often called deep packet inspection, which enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes, according to these experts.

The monitoring capability was provided, at least in part, by a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cellphone company, in the second half of 2008, Ben Roome, a spokesman for the joint venture, confirmed.

The "monitoring center," installed within the government's telecom monopoly, was part of a larger contract with Iran that included mobile-phone networking technology, Mr. Roome said.

More here.

Cyber Security Czar Front-Runner No Friend of Privacy

Ryan Singel writes on Threat Level:

Former Republican Congressman Tom Davis, reportedly President Barack Obama’s top candidate for cyber security czar, voted repeatedly to expand the government’s internet wiretapping powers, and helped author the now-troubled national identification law known as REAL ID.

Citing White House sources, Time magazine on Friday identified the former head of the Government Reform Committee as the president’s number one candidate for the new position. Davis’ reputation as a tech-smart moderate who knows his way around D.C. makes him an attractive pick for the administration, the magazine reported.

But an examination of Davis’ record in Congress shows that he’s been on the wrong side of key privacy issues, including the controversial REAL ID Act, which aims to turn state driver’s licenses into a de facto national identification card linked by shared databases and strict federal authentication standards.

More here.

Inside China's Spam Crisis

Thomas Claburn writes on InformationWeek:

While China is cracking down on Google for displaying search results that lead to harmful content and trying to get its Green Dam Web filter on every PC in the country, it may want to consider the role that poor oversight of local companies plays in the distribution of "unhealthy" material.

In the case of spam, through which pornography, malware, and scams are spread, most of it appears to be coming from inside China. Approximately 70% of all domains used in spam since the beginning of 2009 have a Chinese top-level domain (.cn), according to Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.

This is not to say the spammers themselves necessarily reside in China. Rather, these international criminals have found it profitable to take advantage of poorly regulated infrastructure in China.

"I truly believe that the Chinese government would not willingly tolerate this horrible situation," Warner said in a blog post Saturday. "My only answer is that it must not have been properly brought to their attention so far."

Warner characterizes the situation in China as a spam crisis. The problem, he explains, is threefold.

More here.

Spammer Alan Ralsky Pleads Guilty to Federal Charges

Ben Schmitt writes in The Detroit Free Press:

International spam king Alan Ralsky pleaded guilty this afternoon in U.S. District Court in Detroit to charges of violating federal anti-spam laws by sending millions of emails in a stock-fraud scheme.

A 41-count indictment last year said Ralsky, 63, of West Bloomfield; his son-in-law, Scott Bradley, 47, also of West Bloomfield, and nine other people used unsolicited e-mail to pump up the price of penny stock in Chinese companies to artificially high prices and then sold it, reaping huge profits for themselves and leaving Internet subscribers who purchased it holding the bag.

Bradley also pleaded guilty today in front of U.S. District Judge Marianne Battani along with three other people who were involved in the conspiracy.

“Alan Ralsky was at one time the world’s most notorious illegal spammer,” U.S. Attorney Terrence Berg said after the plea.

“Today Ralsky, his son-in-law Scott Bradley, and three of their co-conspirators stand convicted for their roles in running an international spamming operation that sent billions of illegal e-mail advertisements to pump up Chinese ‘penny’ stocks and then reap profits by causing trades in these same stocks while others bought at the inflated prices.”

More here.

Technical Priorities for Smart Grid Development Outlined in New Report

William Jackson writes on

Developing a consensus for the architecture of a secure, interoperable next-generation power distribution system might not be a simple process, according to a preliminary report produced for the National Institute of Standards and Technology.

After meeting with hundreds of stakeholders and evaluating contributions from more than a thousand, the Electric Power Research Institute (EPRI) found that industry understanding of existing technical standards and issues facing a nationwide Smart Grid tends to be incomplete and parochial.

“These patterns make rapid consensus difficult,” EPRI concluded in the Report [.pdf] to NIST on the Smart Grid Interoperability Standards Roadmap. “So, it is appropriate that these results be built upon through further analysis and refinement. NIST desires to accommodate existing technology while relying on technical experts that aid in successfully developing a standards roadmap to achieve an innovative smart grid.”

More here.

UBC Journalism Students Find Sensitive U.S. Homeland Security Data in Ghana

Via the University of British Columbia.

A team of UBC journalism students investigating e-waste in three countries for an international reporting course uncovered a previously unknown US security breach in a country listed as one of the top 10 sources of cybercrime globally.

The students purchased hard drives in an open-air market in Ghana for $40 (Cdn) that turned out to contain sensitive information about multimillion-dollar defence contracts between the Pentagon, Department of Homeland Security and Northrop Grumman, one of the largest military contractors in the U.S.

“We had the drives analysed after leaving Ghana and were surprised at what we found,” says UBC Associate Professor Peter Klein, an Emmy Award-winning former 60 Minutes producer, who teaches the course. Ghana is listed by the US State Department as one of the top sources of cybercrime worldwide.

According to the students’ investigation, the FBI is concerned that companies such as Northrop Grumman may believe that their drives are wiped clean by software before being recycled. Northrop Grumman has acknowledged it is looking into how its hardware and data ended up in Ghana.

More here.

Props: Dissent

Faster Actions Needed Against Phishing Domains

Via Netcraft.

Criminals often register their own domain name to perform phishing attacks. Unlike the other common phishing site scenarios (including hacked servers, open redirects, and abuse of free webhosting), phishing sites that have their own domain name can be harder to remove, because the website owner and domain owner is the fraudster. Only the hosting and DNS providers and the domain registrar are able to take the site down and also likely to cooperate.

The operation of top-level domains is generally split between a registry, which operates the infrastructure that answers DNS queries, and registrars, which sell domain names and provide the process for owners to maintain their records. Registries generally are not directly involved in removing phishing domains, and refer those to the registrar through which the domain was registered.

However, it is relatively easy to become a registrar, so large numbers of hosting companies, web design firms and domain name resellers are able to handle registrations. Registrars may not all respond quickly to abuse complaints. And in unusual cases registrars themselves may be involved in illegal activity.

More here.

Top German Spy Says More Russian Snooping on Firms

A Reuters newswire article, via The Washington Post, reports that:

Russian spies are targeting the German energy sector to help Russian firms gain commercial advantages, the head of Germany's domestic counter-espionage unit said Sunday.

"The Russian intelligence services, keeping up with their government's changing information needs, have intensified efforts in recent years to investigate German firms illegally," Burkhard Even told Die Welt am Sonntag newspaper.

The director of Counter-Intelligence at the Federal Office for the Protection of the Constitution said the spying was aimed mostly at information on alternative and renewable energy and efforts to increase efficiency. European energy interests, diversification plans, and Germany's economic situation were also espionage targets.

Last month Interior Minister Wolfgang Schaeuble also noted, when presenting his ministry's 2008 security report, that Russia and China were stepping up espionage efforts and Internet attacks on German companies.

More here.

Sunday, June 21, 2009

Russian or Armenian Mob Used 'Model Employee' Con at Southern California Arco

Paul Teeter writes on The L.A. Weekly:

An organized-crime ring that police believe is Russian or Armenian targeted a high-volume Redondo Beach Arco gas station, assigned a low-level soldier to infiltrate it and waited eight months while he worked himself into a position where he could implant a tiny, high-tech “skimmer” to steal customers’ credit-card information.

Armed with a fresh batch of personal-information numbers, the gang began draining thousands of Southern California bank accounts soon after “Erick,” the model employee who was by then entrusted with opening the station every day at 5 a.m., vanished in late April along with 1,500 packs of cigarettes, $1,000, a laptop, his employee application form — and the two digital video recorders used for surveillance.

Because the Arco is at a prime location at the bustling corner of Pacific Coast Highway and Prospect Avenue, the skimmer scam left a string of more than 1,000 victims, stretching from Santa Barbara to Newport Beach.

The “model employee” con represents an elite level of criminal sophistication in its planning, patience and execution, police say, which is now appearing in the South Bay and Los Angeles.

More here.

21 June 2009: Happy Summer Solstice, The Longest Day of The Year


If you've been waiting for the chance to get more done during the day, Sunday is your day, but only by a fraction of a second.

Like a giant timepiece, Earth and sun are configured for the summer solstice once again. This year it happens June 21, the longest day of the year in the Northern Hemisphere. The sun will be up a fraction of a second longer than the day prior or the day after. (The length of the full day, including night, does not change, of course.)

To grasp how it works, one must understand Earth's cockeyed leanings and some celestial configurations that even the ancients knew something about.

Our planet is tilted 23.5 degrees on its spin axis. On June 21 this year (some years it's June 20), the North Pole is pointing toward the sun as much as is possible.

More here.

Image source: Wikipedia