ENISA, the European Network and Information Security Agency, publishes an in-depth focus interview with Agency Experts on the forthcoming Cyber Security Exercise, and the cooperation between the Agency and the Member States, in the context of the Agency's Critical Infrastructure Information Protection and Resilience programs.

Interview on ENISA’s first pan-European CIIP exercise with Evangelos Ouzounis, Panagiotis Trimintzios & Panagiotis Saragiotis on the Resilience and CIIP Program

First of all, what does CIIP stand for?

It stands for Critical Information Infrastructure Protection.

What is the background to this first pan-European CIIP exercise?

The idea for the first pan-European exercise was proposed by the European Commission in their CIIP Action Plan in 2009. The Tallinn Ministerial conference confirmed the importance of the first pan-European exercise and asked the Commission, the Member States and ofcourse ENISA to work together for the implementation of this idea by the end of 201. After that the Member States started to mobilise resources accordingly.

You have now had four preparatory workshops for the first pan-European CIIP exercise. What have you been focusing on in these workshops?

The first workshop was in the beginning of January. We then started to plan the exercise and position it among the Member States to get their views and agree upon the exercise.

We also created a team of planners from different Member States and started working together on the tasks, planning, the scenario, policies, etc.

During the second workshop, ENISA and the planners submitted the planning and asked the Member States if they agree with the tasks, deadlines etc.

During the third workshop, held in Tallinn in May, ENISA and the planners discussed with all Member States the ideas for different scenarios, and during the fourth workshop in June, we finalised the scenario details, policies for the observers, media policies, infrastructure logistics etc.

In addition to these preparatory workshops we will also have a training seminar in September. We will also test the infrastructure before the exercise in November.

Who is participating in these planning workshops?

First of all, there was a significant interest for these planning workshops and a lot of the Member States are taking part in these discussions. Some of the Member States are extremely active and have also volunteered to help organise and plan the exercise. The team of planners involved staff from DK, FI, FR, HU, IT, PT, SE, UK, and the contribution of staff from ENISA and the EU's Joint Research Centre (JRC).

There are also other Member States that are interested in participating, or have an interest in how the exercise develops and many of them will participate as observers. At the moment all Member States have expressed interest in taking part in the exercise either as players or observers.

What organisations do the participants come from?

There are different profiles for the participating countries, which varies between the Member States. It depends on where the competences and experiences in each Member State lie. For example, in the Netherlands, the Ministry of Economic Affairs is responsible for this topic. In Sweden it is The Swedish Post and Telecom Agency (PTS), who is the regulator. However, during the exercise itself the countries will also include other players from other relevantorganisations.

What are the main objectives of the pan-European CIIP exercise?

The main objective of the exercise is to bring the Member States together and enhance the Member States’ coordination efforts during a crisis. We also want to test the Member States’ abilities to find the right contacts and assess the competences in the other Member States during a crisis. This is the first time we have a pan-European CIIP exercise, i.e. the first time that the Member States come together and work on a NIS related topic. We are all very much looking forward to this and we have been spending a lot of time analysing what the best approach for this kind of exercise is. Several Member States have already had national exercises.

You can, of course, not reveal the scenario for the exercise, but could you give us a general idea of what the scenario will look like?

The general idea is that the Internet will become gradually unavailable, and as a result citizens, businesses and public institutions could not access critical online services. As the phenomenon will continue one Member State after the other will increasingly suffer from this problem. In that case, all Member States have to co-operate to jointly respond to such crisis.

What is ENISA’s role in the pan-European exercise?

The Member States are the drivers of this exercise. ENISA and EU Commission’s JRC facilitate, organise and manage the exercise.

The full interview is available in .pdf format from the ENISA website.

www.enisa.europa.eu

Eastern Michigan university has released information regarding a server security breach on Sept 3, 2010.

EMU IT staff discovered on Saturday September 4th that a breach of a server containing login information for the ‘my.emich’ portal and Banner self-service areas had been compromised.  An unauthorized individual gained access to the server during the previous night.

The statement offers the following key points:

Key points:

1. Information in the file that was accessed included login information, but no personal data such as social security numbers, birthdates, etc.

2. No unexpected/suspicious user issues have been observed or reported since the breach.

3. IT staff continue to observe the systems and will take immediate action if anything unusual is noted.

4. Both IT and DPS are investigating the incident.

5. We recommend that users change their password and PIN information as a precaution.

The statement further advises that the hacker may have reached a file containing login credentials despite the swift containment steps taken by staff. Investigations continue along with assistance from a national breach response firm carrying out forensics analysis of the compromised areas. EMU is working with the Police Department to further any potential criminal investigation that may result from this analysis.

www.emich.edu

Goodmail Systems®, the creator of CertifiedEmail™, the industry standard for trusted-class email, today announced a distribution partnership with Truedomain®, a trusted provider of authentication and antiphishing solutions, that gives email senders the key analytics and intelligence to monitor email performance and protect their domains and brands from being used in phishing attacks.  Integrated with and accessible through Goodmail’s CertifiedEmail family of products, the Truedomain Antiphishing NetworkTM offers a standards-based authentication network with a comprehensive feedback loop and analytics layer to provide the highest level of phishing protection for email.

The combination of the multi-tiered and standards-based email authentication technology provided by Truedomain and Goodmail’s use of cryptographically secure tokens to ensure email sender authenticity provides Goodmail’s customers the best of both worlds - a solution that not only ensures delivery of legitimate email, but also prevents brands from being used as bait in phishing attacks.

“Phishing scams continue to proliferate online at alarming rates, eroding users’ trust in the Internet and email,” said Daniel Dreymann, president and co-founder at Goodmail®.  “Through our partnership with Truedomain we will be able to provide customers with the definitive solution for protecting their brands from being hijacked or used as phishing bait for online scam artists.  We will also have the ability to further extend the value we bring to our clients through expanded relationships with Truedomain’s ISP network, covering over 300 million email accounts.”

Goodmail’s CertifiedEmail is available to senders meeting strict standards for best email practices and low complaint rates. As trusted-class email, all CertifiedEmail messages are delivered to users’ inboxes with links and images automatically on by default. End users are presented with a unique blue-ribbon envelope trustmark icon at participating mailbox providers, identifying senders’ messages as real and from a legitimate sender.

The Truedomain Antiphishing Network combines a cloud-based email authentication clearinghouse and analytics platform with direct ISP integration to give email senders direct insight into email authentication results, phishing and spoofing activity and delivery performance.  Together with the ability to implement and enforce email filtering policies based on authentication against widely adopted industry standards including DKIM, Domainkeys and SPF, Truedomain delivers the most effective email monitoring and antiphishing solution available.  As a result, email senders and their customers benefit from the prevention of email borne financial and identity theft threats, reduced operational and support costs associated with phishing activity, and greatly improved protection of their investment in and reputation of their brands in the marketplace.

“We are delighted to join forces with Goodmail to protect our mutual customers’ brands and strengthen trust in their online identities,” said Robert Pickup, Founder & CEO of Truedomain. “Our integrated solution not only expands the range of email delivery and security offerings that Goodmail can provide to their customers, but also extends the access to antiphishing and brand protection benefits that Truedomain provides to a broader range of brands and email senders.”

About Truedomain

Founded in 2009, Truedomain delivers the most effective and reliable solutions to stop email phishing attacks.  Built upon a standards-based authentication framework, the Truedomain Antiphishing Network™ combines multi-tiered email authentication and consistent policy application with direct visibility into authentication results and performance across our network of email receivers. We have partnered with the largest email providers in the world and are protecting some of the most recognizable online brands to eradicate phishing and bring trust back to email.  For more information, please visit www.truedomain.net.

About Goodmail Systems

Goodmail Systems is the creator of CertifiedEmail™, the industry standard for trusted-class email. CertifiedEmail provides a safe and reliable means for consumers to easily identify authentic email messages from legitimate commercial and nonprofit email senders. Each CertifiedEmail is sent with a cryptographically secure token that assures authenticity and is marked in the inbox with a unique blue ribbon envelope icon, enabling consumers to visually distinguish email messages which are real and sent from email senders with whom they have a pre-existing relationship. Available to email senders meeting strict standards for best practices and low complaint rates, it is the only class of email available that assures delivery of all opt-in email messages to the inbox, with links and images automatically rendered intact, and embedded multi-dimensional applications like CertifiedVideo™ for streaming video, yielding measurable improvements in email effectiveness. CertifiedEmail has been adopted by many of the nation's top email mailbox providers and is in use by the very best commercial, government and non-profit senders. It is supported in North America and Europe by a wide network of email platforms and service providers.

Heather Haas, Goodmail PR at GoodmailSystems.com

www.goodmailsystems.com

While most of the IT workforce had a long weekend due to the Labor Day holiday, Microsoft engineers were burning the investigative midnight oil, thanks to a vulnerability in Internet Explorer that has resurfaced. If exploited, the flaw could go viral, leading to attacks on webmail and social networking, to name but a few.

The story itself begins with a blog post made by researcher Chris Evans, where he explained the process of abusing the standards related to the loading of CSS style sheets in a browser. The attack starts with the injection of what the browser sees as valid CSS.

However, the injected code will harvest information from the victim. Using 'background-image:url' for example, an attacker would see all of the harvested data as the image path from the injection point, up until the next ‘);’. At that point, all an attacker need do is examine their own weblogs, and collect the stolen data.

Research, going as far back as 2002, as well as insider talk and further research in 2005 and 2008, shows proof that this type of attack has been known for some time. It doesn’t matter what precedes the injected CSS strings, it could be anything from HTML to XML, the attack would still work. As a cruel bonus, if the injected string is a URL, and even if JavaScript is disabled in the browser, the attack will work.

So what data is harvested? Simply put, information and authentication. As an example, an attacker could send an email to a victim’s webmail account with a link. Once the victim clicks said link, if they are using Internet Explorer, the cross-origin attack is a success and they stand to lose their account.

Another example involves automating the attack, turning it into a Worm. At this point, an attacker could spread a malicious shortened URL and, once clicked, it is instantly re-tweeted.

In a paper recently published by researchers at Carnegie Mellon University (CMU), it was concluded that it's dangerous for browsers to ignore the content type specified on a cross-origin resource.

The report also added that: “Cross-origin CSS attacks have been known for some time, but existing defenses for JavaScript-based CSS attacks are ineffective against the new variants...”

The CMU researchers were able to use the attack to target IMDb, Yahoo Webmail, and Hotmail successfully.

Evans, in a posting to Full Disclosure last Friday, said he has been unsuccessful in getting Microsoft to address this vulnerability. As of now, Redmond is the only browser vendor left vulnerable, due to the fact that Google, Mozilla, Opera, and Apple have all addressed the issue.

To see a demo of an attack, load this page in Internet Explorer, and follow the directions.

At the time of this article, Evans was unavailable for additional comment on the matter.

In his 2009 post, Evans listed two issues preventing the attack from being serious. Quotes and newlines are the mitigating measures, as they stop the attack from working due to the way CSS parsing is specified.

“It turns out that Internet Explorer is not compliant in either of these aspects, leaving it more vulnerable [than] the other browsers. Not only is it the most vulnerable, but it is also the only browser to not have a fix available for its latest stable version,” Evans wrote via his blog.

In a comment to The Tech Herald, Microsoft stated the responsible (coordinated) disclosure policy, but did not get into any other details.

“Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” Microsoft’s Jerry Bryant said in an email.

“To minimize risk to computer users, Microsoft continues to encourage coordinated vulnerability disclosure,” he added. “Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of a vulnerability and work to exploit it... Disclosing vulnerabilities publicly only puts customers at risk.”

The problem is the responsible (coordinated) disclosure policy leaves a little to be desired, as this issue has been known since at least 2008, earlier if you count all the variations.

For Microsoft, it is smart business to be aware of the vulnerabilities patched by the competition. There is little doubt it knew this issue was out there. So while it's nice to have plenty of forewarning, it isn’t like this is a brand new issue to deal with.

We’ll keep tabs on this story and update as needed.

By Steve Ragan

www.thetechherald.com

A timely guilty plea was heard in the Superior Court of the District of Columbia with charges stemming from armed attacks on four women whom Edgar D. Romero, 24, of Bladensberg, Md., met through their Craigslist postings. Craigslist recently shut down its Adult Services section in the U.S. after much acrimonious publicity with human rights groups now calling for similar actions globally.

Romero pled guilty to two counts of first degree sexual abuse while armed, one count of first degree burglary, and one count of first degree robbery while armed. Each count involves a different female victim. The sentence provided by the plea, if accepted by the Court, is 30 years of incarceration. The defendant also is required to register as a sex offender for the rest of his life.

The Honorable Judge Michael L. Rankin set sentencing for December 17, 2010.

According to the evidence presented at the plea hearing and two previously held preliminary hearings, Romero contacted numerous women—including the four identified in the plea—during the period of December 12, 2008, through February 20, 2009, through Craigslist advertisements for “erotic services.” He met each victim at a hotel in the District.

At each encounter with a victim, Romero at some point brandished a weapon, either a knife or a firearm, and threatened to kill her if she did not cooperate fully. He, along with accomplices, bound each victim with cords or duct tapes. Romero stole numerous items from these victims including money, cell phones, lap tops, identification cards, and credit cards.

He sexually assaulted the two victims identified in the plea and aided and abetted his accomplice’s sexual assault on one of the victims. After he made a final threat to find and harm the victims if they told the police, he and the accomplices left.

In announcing today’s plea, U.S. Attorney Machen praised the outstanding law enforcement efforts of an entire team of members of the Metropolitan Police Department and the FBI’s Washington Field Office who worked on these investigations. He praised lead detective Wallace Carmichael of MPD’s Sexual Assault Unit, as well as the dedicated special agents from the FBI’s Washington Field Office. He also noted and thanked the significant effort made by Sexual Assault Unit detective Ingrid Harkins and Second District Detective Keith Tabron.

In addition, U.S. Attorney Machen recognized the assistance of MPD Sergeants Ronald Reid and Julius Hunter; detectives Kimberly Netivier, Nelson Morais, and Don Juan Monroe; Mobile Crime Lab officers Thomas Coughlin, Kevin Jeter, Ridley Durham, Loether Strong; Crime Scene Officers Tisha Lyons, Mary Wise, and Israel Ruiz, and fingerprint examiners Hayward Bennett, Barbara Evans, Murray Jones, and Clinton Hall.

He also commended the cooperation of prosecutors with the Montgomery County State’s Attorney’s Office and members of the Major Crimes Homicide/Sex Section and the Fourth District Investigative Section of the Montgomery County Police Department, who provided assistance during all stages of the investigation. U.S. Attorney Machen praised the work of Victim Witness Unit Advocates Tracey Hawkins, Iris Vega, and Melissa Milam, Paralegals Joyce Arthur and Tiffany Jones, and Legal Assistant Ashley Patterson, all of the U.S. Attorney’s Office. He also recognized the substantial assistance by U.S. Attorney’s Office Criminal Investigator John March. Finally, he recognized Assistant U.S. Attorney Sharon Marcus-Kurn who is prosecuting the case.

www.washingtondc.fbi.gov

The Council of Europe has announced its intended contribution to a range of workshops and sessions at the forthcoming IGF in Vilnius. These include a workshop to discuss the Budapest Convention as a common basis for joint action against cybercrime.

Workshop 23 entitled 'Cybercrime: Common Standards and Joint Action', will take place on Wednesday 15th September. The workshop will discuss the following possible solutions:

Reinforcing global capacity building (technical assistance) efforts to support countries in the implementation of existing tools and instruments in a pragmatic manner.

Setting up of a mechanism (a type of “Cybercrime Action Task Force”) to determine needs and review progress made by countries in the implementation of the Budapest Convention and other instruments and tools.

Further details on the Council of Europe's involvement at Vilnius can be found on the COE website.

www.coe.int

EURid, the registry for the .eu top-level domain, is pleased to announce that .eu has a complete ‘chain of trust’ for Domain Name System Security Extensions (DNSSEC), an Internet security standard, with the addition of .eu DNSSEC key material to the Internet’s root zone.

The .eu zone was enabled for DNSSEC on 15 June 2010 knowing that the Internet’s highest level, the root zone, would become DNSSEC-compliant at a future date. Indeed, DNSSEC was fully deployed at the Internet root zone during July 2010 creating a single trust anchor. EURid’s application to insert .eu DNSSEC key material into the root, therefore completing the chain of trust for .eu, was concluded early this morning. This makes .eu one of the safest top-level domains.

“The completion of the DNSSEC chain of trust means that everyone visiting a website using a signed .eu domain name can be confident of its legitimacy since name server responses can now be validated all the way up to the Internet root zone,” says Marc Van Wesemael, General Manager of EURid. “As such, .eu is amongst the first top-level domains to have full DNSSEC-support, fulfilling our objective to be at the forefront of implementing Internet security measures via proven standards.”

“EURid encourages .eu domain name holders, through their registrars, to sign their .eu domain names with DNSSEC, therefore adding digital signatures to all levels in the chain,” continues Marc Van Wesemael. He also observes that as an ever-increasing number of .eu websites become DNSSEC-compliant, European businesses and consumers will benefit from the collective online protection brought to the .eu top-level domain.

DNSSEC is a protocol that verifies and validates name server responses from the bottom up through a chain of trust, thereby making the Domain Name System (DNS) more secure against web traffic interception attacks. Digital signatures are attached to DNS data – a process known as signing – so the origin and integrity of this data can be verified as it crosses the Internet. All name servers used to look up DNS data (such as a website IP address or an email delivery location) check the validity of the signed data, preserving trust throughout the hierarchy for website owners and users.

www.eurid.eu

The police hosted a workshop for cyber café owners here on Monday. Nearly 200 cyber café owner participated in it. A free cyber café security software was launched by Ideacts Innovations Ltd on the occasion.

The objective of the workshop was to ensure cyber security and better data management at cyber cafés. “Cyber cafés are sought after by all sorts of anti-social elements such as fraudsters, data thieves and terrorists. Given the growth of such unlawful activities over the last few years, it has become absolutely essential for cyber cafés to have a foolproof system to monitor their customers,” said Krishna Swamy, retail head of Ideacts Innovations.

Mr. Swamy said that the software “CLINK Cyber Café Manager” keeps accounts of every printout taken from any computer in the café. It has a user data storage system to capture and store the photographs of every customer.

As per the provisions of the IT Act, café owners have to maintain details of each customer, Mr. Swamy said and added that the new software simplified the procedure and made it more effective. Cyber cafés account for approximately 47 per cent of the access points for internet usage in the country and hence their digital management and security is critical. “Café owners do not have practical solutions for café management and visitor information storage,” Mr. Swamy said.

Mangalore City Police Commissioner Seemanth Kumar Singh said that until now, most cyber cafes were maintaining visitor data in physical registers.

Terming it an inefficient information management, he said it was difficult to retrieve the data in that method.

Stressing that cyber cafes were used by anti-social elements, Mr. Singh welcomed the fact that the software was free of cost. “We are happy to associate ourselves with the company and encourage the use of this software in all cyber cafés here,” he said.

www.mangalorean.com

ReD (Retail Decisions), a  blue chip international payment fraud prevention group, is predicting a 9% decrease in CNP (card not present) fraud in the first six months of 2010 compared to the same period in 2009.

CNP fraud reached an estimated GBP122 million, a reduction of approximately 9% compared with the first six months of 2009 when CNP fraud losses totalled GBP134 million  (UK Payments Administration 2009 figures).

ReD, with 20 years experience in the fraud prevention arena, predicts that card-not-present fraud could reach an estimated value of GBP242 million by the end of 2010, down from GBP266 in 2009, as more fraud is being foiled.

According to a ReD, the international payment fraud prevention group’s press release, online shopping has never more secure thanks to strategies put in place by retailers to beat card crime. They predict that there will be fewer attempts by criminals to fraudulently buy items from websites, by mail order or by phone in the UK this year, compared with 2009.

UK consumers , according to ReD, are becoming more security savvy and aware of the tricks that fraudsters use such as such as phishing - when an email that appears to be from a genuine company asks for a customer's account details or malware infection from Trojan links that monitor keystrokes to obtain personal information and passwords.

It’s not all good news however as fraudsters quickly change tactics. ReD shows how the value of an average transaction has increased by 24% compared to the same period last year, from GBP61 to GBP7.

More information can be found on the ReD website.

Cybersecurity is a major topic at an OSCE workshop being held in Azerbaijan on September 7 and 8. A spokesperson for OSCE warned of Azerbaijan’s vulnerability to cyber attack as information and communication technologies grow within the country calling for more international cooperation.

The warning came as the representative of the Ministry of National Security, Kaarim Karimov spoke of the increase in the number of cybercrimes in the country. Money laundering of funds from computer crimes, robberies involving credit cards, illegal collection and destruction of data, disinformation along with increased activity across transnational criminal groups by means of illegal communication channels are all on the rise.

One of the problems encountered is the reluctance of victims to report crime making it all the easier for the criminal element.

At the same time Azerbaijan has made progress having joined the Council of Europe Convention on cybersecurity and has shown commitment towards combating terrorists use of the Internet.

A foremost business woman specializing in women’s health problems was released on a $150,000 cash bond on Friday September 3rd after being arrested two days earlier and charged with importing and selling millions of doses of counterfeit drugs, including fake Viagra, and conspiring to sell prescription pain-killers, stimulants and tranquilizers.

Marla Ahlgrimm, owner of Women’s Health America, will face the charges, brought by a computer crimes and intellectual property prosecutor in Washington, on September 9 before the Brooklyn federal court.  Ahlgrimm is a leader in the field of hormone replacement therapy for women suffering from menstrual or menopausal problems. She has advised on boards, such as the UW Foundation and has been acclaimed for her achievements and contributions in the field of women’s health by several business groups having written two well-received books on this subject.

Co-defendant, Balbir Bhogal, will also face similar charges. They are accused of importing fake pills from India with the same markings as well-known prescription drugs and of supplying drugs to the owner of an online pharmacy who was not legally able to purchase the medication. The client was an FBI informant.

Consignments of the alleged counterfeit drugs s ent from India and intercepted by law enforcement officials. When tested pills were found to be lacking in the correct dosage of the active ingredients.

The availability of counterfeit drugs is of growing concern worldwide. There are a number of sources that can help advise on this issue of safety and provide information about the legitimacy of online pharmacies. Legitscript is one such leading source providing 'information for patients, Internet users, physicians, businesses and other third parties who need to know if an Internet pharmacy is acting in accordance with the law and accepted standards of ethics and safety.’ Legitscript is verified by the National Association of Boards of Pharmacy. The website provides an online pharmacy legitimacy tool for checking the validity of pharmacy websites.

In a blog that appeared on Friday 3rd September Legitscript stated ‘The website, womenshealth.com, had not been a LegitScript-approved Internet pharmacy. The website is currently designated as unapproved/rogue in our database, based on the search warrant’s statements of probable cause related to the sale and distribution of counterfeit drugs.’

The Partnership for Safe Medicines website is a source providing interesting news and information surrounding the issue of counterfeit drugs.

The many benefits to registrars in signing ICANN’s most recent RAA (Registrar Accreditation Agreement) from May 2009 are explained in a detailed interview with Tim Cole, Chief Registrar Liaison.

An RAA agreement authorizes registrars to sell gTLD domain names to consumers. According to ICANN, consumers are seeking out registrars who have signed the 2009 RAA, as opposed to earlier versions, as well as making sure that registrars are ICANN accredited. The May 2009 RAA offers increased rights for consumers as well as making registrars more accountable.

Read the interview with Tim Cole here:

What is the 2009 Registrar Accreditation Agreement (RAA)?

The Registrar Accreditation Agreement is a contract between registrars and ICANN. Only registrars that have been approved by ICANN can enter into this agreement and become eligible to sell gTLD domain name registrations. In May 2009, the ICANN Board approved a new version of the RAA. All ICANN-accredited registrars have signed some form of the RAA, but since ICANN adopted the new RAA in May 2009, we’ve been encouraging registrars to sign on to the new version.

How is the 2009 RAA different from the older version of the RAA?

The previous version of the RAA was adopted in 2001 and, in some respects, was no longer sufficient to address some of the developments in the domain registration marketplace. Under the 2001 agreement, the primary recourse ICANN had if a registrar violated the RAA was to terminate the registrar’s RAA. This could be a drastic option that might do more harm to registrants. Under the 2009 RAA, we have sanctions, such as temporary suspensions, that aren’t as extreme as terminations. The 2009 RAA has a number of additional registrant protections that include added requirements for registrar data escrow and improvements in contact requirements—registrars must publish their contact details in an easily accessible online place.

We’re also developing an online training component for registrars that covers their obligations to follow ICANN policies and agreements. Overall, changes to the RAA fall into four categories: Registrant Protection, Enforcement Tools, Promotion of Stable and Competitive Marketplace, and Agreement Modernization.

Why did ICANN introduce the 2009 RAA?

Much of the impetus for the creation of the new RAA came about when serious problems arose concerning a registrar that was going out of business. Many registrants suffered because of this registrar’s actions. This prompted ICANN to explore how we could better prevent such registrar behavior and business failures and to take steps, when appropriate, to terminate a registrar in such a way that registrants are protected during the process.

How do registrars benefit from the 2009 RAA?

There are improvements in how registrars pay their fees to ICANN. For example, payments of annual fees may now be spread out over the course of a year. There are also financial incentives for registrars who sign up for the new RAA. The ICANN Board has approved reductions in certain fees for Registrars who have signed the May 2009 RAA. Other non-monetary incentives have also been introduced. But primarily, registrars that already follow ICANN policies and sound business practices benefit from public recognition of the enhanced registrant protections they offer and by the fact that bad actors can be more readily stopped, which enhances the competitive marketplace for all registrars.

How do registrants benefit from the 2009 RAA?

The big benefit is that the new RAA provides greater protections for registrants. Under the 2009 RAA, registrars agree to follow enhanced compliance provisions that protect registrants. And ICANN has enhanced options for taking action when a registrar fails to abide by provisions of the agreement and other ICANN policies.

How is the new RAA catching on with registrars?

Since the 2009 introduction of the new RAA, over 700 registrars, out of a total of about 960 registrars, have signed up. These registrars under the new RAA represent over 95% of all gTLD domain names registered.

How do registrars enter the new RAA?

There are three ways a Registrar can enter the new RAA.

Any new registrar that’s signed up since May 2009 is automatically subject to new RAA provisions.

All registrars’ contracts have a five year term. At the end of five years, to remain ICANN accredited, a registrar must renew its contract. All renewing registrars get the 2009 RAA.

Registrars can voluntarily adopt the 2009 RAA before their renewal dates. To date, about 50% of all registrars covered by the 2009 RAA voluntarily signed up for it before the expiration of their former RAA.

How have registrants responded to the 2009 RAA?

We’ve had registrants contact us asking about whether or not their registrar is covered under the 2009 RAA. Registrants have also asked how to find out which registrars have signed the new agreement. As consumers, they want to use a registrar with the greatest protection, and those are the registrars under the 2009 RAA.

How can registrants determine which registrars are covered by the new RAA?

Registrants can go to the InterNIC listing at http://www.internic.net/regist.html, where they can view listings of registrars arranged by registrars’ names, locations, and languages supported. All registrars who have signed the 2009 RAA have an “ICANN 2009 RAA” logo next to their name listing. ICANN also maintains a list of accredited registrars at http://www.icann.org/en/registrars/accredited-list.html that also identifies the RAA version for each registrar.

www.icann.org

A little taste of an apocalyptic scenario occurred last Friday when a large chunk of the Internet was unreachable for up to an hour. Similar to the plot of a Hollywood horror movie, this was an experiment that went wrong -- on one of the most important protocols of the Internet system.

An experiment designed to “contribute towards the secure and stable operation of the Internet” delivered a surprising result to researchers from Duke University and staff from RIPE NCC, the operations center for Réseaux IP Européens.

Investigations revealed that RIPE’s Routing Information Service (RIS) caused a major service breakdown, which at its peak affected 1.4 percent of the whole Internet, or about 4,500 prefixes.

RIPE, based in Amsterdam, is one of the five Regional Internet Registries (RIRs) that support the operation of the global Internet, an important position that requires constant system vigilance. One of its expected duties is to conduct research that could “further global understanding of specific aspects of Internet routing behavior.” Well, that is exactly what happened, but in a roundabout sort of way. What RIPE and its academic investigators didn’t account for was a serious flaw in the Border Gateway Protocol (BGP).

BGP is not something that the majority of users have to worry about, and even many system administrators are blissfully unaware of its importance to the Internet framework. However, BGP is the protocol of Internet service provider and of many large networks. BGP is essential as a routing communication; BGP underpins the entire Internet.

Just one of the effects of this action is described by RIPE: “Noticeable problems were seen for the Slovenian and French TLDs, .si and .fr. In the case of .fr, two DNS servers became almost completely unreachable.”

Although an unfortunate accident, all damage limitation systems went into action. The problem was quickly found in Cisco routers, was promptly patched, and all was back up and running within an hour (see the Cisco advisory)

In the aftermath, one anonymous response on a wiki board summed it up best: “Not the whole internet, but a part. And the few buggy routers here and there were mostly Cisco CRS-1's which didn't understand the new attribute and sent a malformed message to all peers, causing them to close the BGP session."

So not much damage done and pretty good response times?

In a way, yes, thankfully, and it could have been a whole lot worse, although there are one or two reports of possible obscure “knock-on” effects that need further investigation. Another issue altogether is why such a major vulnerability within a core component of BGP had not been detected in the Cisco lab long ago. The public release of the patch still poses a security risk, more evidence of the seriousness of the event -- if more were needed.

However, for me, the most worrying aspect is the exposure of the Internet’s vulnerability, reliant as it is upon some very fragile and buggy components, any one of which could ”de-peer” huge chunks of our service provision. Sadly, this is but one of the results of piecemeal development. The Internet is not a robust system; most technicians’ familiar with the Internet’s infrastructure know just how fragile it is. The overall system has limitations, and a breakdown is almost certain to happen again.

How it may happen again is a question, and the reason it is important to understand the who, where, and when of cybercrime. A real Cyber Apocalypse consequence has been discussed in small circles as a plausible scenario for some time.

With limited suppliers and known vulnerabilities -- such as Cisco Systems Inc. (Nasdaq: CSCO) and Juniper Networks Inc. (NYSE: JNPR) controlling a majority of the world’s market for infrastructure routers -- it is simple to see how a real attack on core vulnerabilities, allied with malware-laced exponential BGP query requests, could collapse the whole house of cards.

By Jart Armin

www.internetevolution.com

The Japan Times Online reports that the number of Internet crimes investigated by police increased by 31.5 percent in the first half of 2010 as revealed by a survey released by a National Police Agency.

Reaching a new high since records began in 2004 Internet crimes, or crimes involving a computer, reached a figure of 2,444 cases investigated by police, 586 more than in the corresponding period last year.

Other computer related crimes also  increased dramatically although police attribute this to increased investigating efforts by the police. Notably child online sexual abuse cases had jumped 69.6 percent, to 329, while child prostitution cases increased 21.8 percent, to 212.

According to the survey use of the Internet for child abuse cases accounted for more than half of all cases involving the production and distribution of illegal online child abuse content.

False information in a successful bid during an online auction went up 22.8 percent to 867 cases whereas providing a false identity for online auctions , or unauthorized computer access went down from 1,965 cases to 85.

The anonymous purchase of pre-paid mobile phones will be harder from today in China and Bahrain with the intorduction of new policies aimed at improving public safety.

In China both an identity card and registration with a real name will be required from now on when buying a new phone. Current users have until 2013 to register under their real name or be suspended according to the Chinese Global Times.

The Kingdom of Bahrain has introduced similar measures today advising users to ensure that their mobiles are properly registered to avoid suspension of service.

The new policies are described as being introduced in the interest of public safety in the fight against mobile abuse and criminal behavior. This will require a huge effort in China alone where it is estimated that there are over 700 million phone subscribers, 70 per cent of which use pre-paid, anonymous, SIM cards.

In Bahrain reports suggest that as many as 400,000 unregistered mobiles were disconnected after the 31st August deadline passed. Prior to the disconnection users were advised on Friday 27th August by public announcement from the Telecommunications Regulatory Authority (TRA) that users had until midnight 31st August to ensure proper registration.

'All unregistered prepaid mobile users are encouraged to visit their mobile operators outlets in person to register their mobile lines by no later than midnight of 31 August 2010 to avoid the suspension of mobile services.

'The mobile operators have already started to notify all unregistered or improperly registered prepaid mobile subscribers via voice recorded message, SMS and the media to register their personal details with their services provider in order to continue un-interrupted use of mobile services.

'Customers buying new prepaid lines indirectly or through resellers must contact their mobile operators in person to complete registration and activate the line.

'The obligation for mobile operators to register their subscribers personal details arise from the Regulation on the Requirement to Register Details of Prepaid Mobile Telecommunications Services Subscribers issued by TRA in July 2008.’

Proper registration of mobiles is to be encouraged but experts think it is unlikely to solve the problem of mobile misuse or of fraudulent practices by criminals who are willing to circumvent the system for monetary gain.

The  US National institute of Standards and Technology (NIST) has published its first report providing Cyber Security guidelines for the Smart Grid community.

The three-volume report, named NISTIR 7628, Guidelines for Smart Grid Cyber Security, presents an analytical framework that organizations can use to develop effective cyber security strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities.

Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements.

The three volumes of Guidelines for Smart Grid Cyber Security (NISTIR 7628) can be downloaded from the NIST website

Nine former employees of a national cell phone service provider were charged with conspiracy to commit wire fraud, access device fraud and aggravated identity theft on Wednesday in the United States Southern District of New York. They are accused of taking part in a $15 million cell phone cloning scheme while employed by a national cell phone service provider.

Eight of the defendants were present in court; the ninth remains at large.

From at least January 2010 through to June 2010, the nine defendants worked for various branches of the cell phone service provider located in the Bronx, New York; in North Bergen, New Jersey; and in Tampa, Florida.

During this period of time, the defendants used the Cell Phone Company’s computer network to obtain confidential information about the cell phones of thousands of customers of the Company without authorization. Together, the nine defendants accessed customer accounts over 16,000 times without authorization.

The customer information that they obtained was used to create “clones” of the customers’ cell phones. These cell phone clones were then used to make unauthorized calls, which usually began just days after one of the defendants accessed the defrauded customer’s account. The cell phone clones were used to make approximately $15 million worth of calls, including a large volume of international calls. The Cell Phone Company has credited its defrauded customers for the value of these calls.

Each of the nine are charged with one count of conspiracy to commit wire fraud, which carries a maximum penalty of 20 years in prison, access device fraud, which carries a maximum penalty of 10years in prison, and aggravated identity theft, which carries a mandatory minimum penalty of 2 years in prison, which must run consecutively to all other counts of conviction.

Manhattan U.S. Attorney PREET BHARARA said: “The defendants arrested today allegedly breached our everyday telecommunications system to obtain information used clone the cell phones of thousands of unsuspecting customers. Fraud was allegedly their calling card to the tune of $15 million. We intend to prosecute these defendants and others who would undermine and exploit these essential services to the full extent of the law.”

BRIAN PARR, the Special Agent-in-Charge of the New York Field Office of the United States Secret Service, said: “The U.S. Secret Service will continue to aggressively pursue those that commit fraud and identity theft for their own enrichment. These crimes remain a top investigative priority for our agency.”

The charges contained in the Complaint are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

The cell phone service provider was named as Sprint in a Wall Street Journal article.

Source: US Department of Justice (Southern District of New York)

On 27 August 2010, the RIPE NCC's Routing Information Service (RIS) was involved in an experiment using optional attributes in the Border Gateway Protocol (BGP). As a result of this experiment, a small, but significant percentage of global Internet traffic was disrupted for a period of about 30 minutes. The following article provides some background information on the experiment itself and its effect on the network.

Background on RIS Experiments

As part of its mission, the RIPE NCC works with other members of the Internet technical community to contribute towards the secure and stable operation of the network. The RIPE NCC Routing Information Service (RIS) has a long tradition of supporting Internet researchers.

Since 2002, the RIS has announced a set of beacon prefixes. These prefixes are announced and withdrawn at predictable times, to assist in propagation and flap dampening research. In 2007, the RIS was the second network in the world to start announcing a prefix from a 4-byte AS Number. This helped operators test their 4-byte AS capabilities and allowed us to measure the effectiveness of the transition mechanisms for 4-byte AS Numbers.

The announcements made by RIS are also a vital part of the De-bogon Project, with RIS measuring the visibility of former bogon prefixes. We have also done measurements on traffic attracted after announcing 1/8, work later extended by APNIC.

The Experiment

A research group at Duke University in the United States approached the RIPE NCC for help with experimental research. This group is working on a secure Border Gateway Protocol (BGP) design, in which optional transitive attributes are used to propagate some of the certification information. In order to estimate the feasibility of such a design, they asked the RIPE NCC to announce a route resembling their design from the RIS network.

The design of BGP allows routes to have an attribute that is not recognised by the BGP implementation. If this attribute is set as transitive, it is passed to other routers, without intermediate routers understanding what it actually means. This aspect of the protocol has been key for the transition to 4-byte AS Numbers.

This ability of the BGP protocol allows some implementations to support a new feature, while others do not yet understand the contents of the attribute. In the design proposed by the team from Duke University, upgraded routers add certification information and verify certificates from other routers, without affecting the rest of the Internet.

As the researchers did not have their own AS Number or address space, they provided the RIPE NCC with a patch to Quagga, the BGP software used by RIS. This allowed us to run the experiment from our infrastructure. We checked the patch for security or protocol problems.

In addition, all announcements were sent through another Quagga instance, so that any protocol violation would be noticed before the announcement went to the Internet.

Issues Encountered During the Experiment

To run the experiment, we installed a custom Quagga instance announcing the route through the RIS collector connected to the Amsterdam Internet Exchange (AMS-IX) and Groningen Internet Exchange (GN-IX). We started the announcement at 08:41 (UTC) on Friday, 27 August 2010. It was originated from AS12654, using the prefix 93.175.144.0/24.

The attribute used by the RIS had never been announced on the Internet before, although it was in accordance with the BGP specification.

The announcement was withdrawn, as planned, at 09:08 (UTC). Shortly after, we discovered that the experiment had caused a negative impact on Internet operations that lasted for approximately 30 minutes.

We immediately started an investigation, using input from the affected operators. The investigation indicated that the attribute had triggered a bug in some Cisco router models, which corrupted the announcement and sent this on to other routers. Their peers recognised the corruption, and dropped the peering session.

We provided Cisco with all of the information that we had collected and they released a security advisory the same day. The data collected during the announcement was preserved for processing by the researchers from Duke University.

Impact of the Experiment on the Internet

The following is an analysis of the impact of the experiment, using the data provided by the RIS and other RIPE NCC services.

The graph shows the rate of updates (changes in routing) seen by RIS around the time of the experiment.  We can see up to 20 times as many updates, indicating massive instability in the routing system.

Looking at the data for each Remote Route Collector (RRC), we can see that the effects of the experiments were much stronger in some specific locations. The collector in Vienna registered many times more updates per peer than all other collectors. This may indicate that this region had a higher amount of affected routers.

Knowing that the experiment had a significant effect on the routing system as a whole, we've attempted to look at how much of the Internet was actually affected. A first step is to look at prefixes being withdrawn from the Internet. We have measured this around the time of the experiment and used three reference sets for comparison.

The graph shows the percentage of prefixes on the Internet that became invisible for a certain period around the time of the experiment. There is a large variance in the dataset, with the values for very short outages in the reference sets affecting between 0.04% and 0.13% of all prefixes on the Internet. Overall though, and especially looking at outages longer than 30 minutes, the values during the experiment were up to three times higher than usual. We conclude that the experiment caused an additional 0.5% of the prefixes to become completely unreachable, and to be unreachable for a longer period than they would have under normal conditions.

Another way of looking at how much of the Internet was impacted is to look at the number of unstable prefixes. For this measurement, we consider a prefix unstable if we see more than 100 updates in a 5-minute period.

The graph shows that under normal conditions, less than 0.1% of the prefixes on the Internet are unstable. The experiment caused this to hit a peak of 1.4%, which amounts to almost 4500 prefixes, about nine times more than usual. For reasons unknown to us, this spike quickly fell to about 0.8%, and stayed there for the remainder of the experiment. About 20 minutes after the experiment, most prefixes returned to normal.

The effect of the experiment on major DNS servers was very limited. The RIPE NCC DNS Monitoring Service (DNSMON) monitors DNS servers for the root and many Top Level Domains (TLDs) from probes worldwide.

None of the root servers were affected. Minor problems, like a few dropped queries for a few of the probes on just one or two of the DNS servers, were observed in about 15 monitored domains, including the .com domain. We believe that users would not have noticed this. For 63% of the domains monitored by DNSMON, no extra queries were lost.

Noticeable problems were seen for the Slovenian and French TLDs, .si and .fr. In the case of .fr, two DNS servers became almost completely unreachable. However, the other five name servers for the TLD showed no effects, so this will not have caused anything more than some additional delays for users.

Some Conclusions

The experiment caused a massive increase in routing instability, but with different strength in different locations. It caused about three times more prefixes to have periods of invisibility, for longer periods. In total, up to 1.4% of the Internet was affected by instability around the time of the experiment.

The DNS servers for vital Internet infrastructure, such as the root and TLDs were not widely affected.

Final Results

Disruption to the routing system was limited to a relatively small subset of Internet traffic, and the event drew attention to a software bug for which the vendor has now issued a patch. Through a coordinated effort, the situation was quickly recognised and corrected by network operators and those conducting the experiment.

The disruption caused is regrettable, and future experiments conducted with the cooperation of the RIPE NCC will need to meet far stricter internal guidelines, including comprehensive impact assessments, prior announcements with sufficient lead time for Internet operators, and the responsible handling of detected vulnerabilities.

For graphs and more information visit the RIPE website:

www.labs.ripe.net