U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Select Committee on Intelligence and co-founder of the bipartisan Senate Cybersecurity Caucus, has released a letter asking three federal agencies for information on the tools available that prevent cyber criminals from compromising consumer products, such as Internet of Things (IoT) devices. "The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic," Sen. Warner says.
— Prohibition of harmful devices: "Under the Federal Communications Commission's (FCC's) Open Internet rules, ISPs cannot prohibit the attachment of "non-harmful devices" to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the "network" – whether the ISP's own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area."
— "Mirai’s efficacy depends, in large part, on the unacceptably low level of security... Juniper Research has projected that by the end of 2020, the number of IoT devices will grow from 13.4 to 38.5 billion – yet there is no requirement that devices incorporate even minimal levels of security. The internet's open architecture has been a catalyst for its growth ... The lack of gating functions, however, has potentially created a systemic risk to the resiliency of the internet."
Follow CircleID on Twitter
"Tech companies like Snapchat and Skype's owner Microsoft are failing to adopt basic privacy protections on their instant messaging services, putting users' human rights at risk," says Amnesty International in a new report. The organization's new 'Message Privacy Ranking' assesses the 11 companies with the most popular messaging apps on the way they use encryption to protect users' privacy and freedom of expression across their messaging apps.
— Amnesty International has highlighted end-to-end encryption as a minimum requirement for technology companies to ensure that private information in messaging apps stays private. The companies that ranked lowest on the scorecard do not have adequate levels of encryption in place on their messaging apps.
— "If you think instant messaging services are private, you are in for a big surprise. The reality is that our communications are under constant threat from cybercriminals and spying by state authorities. Young people, the most prolific sharers of personal details and photos over apps like Snapchat, are especially at risk," said Sherif Elsayed-Ali, Head of Amnesty International's Technology and Human Rights Team.
2016-10-25T11:25:00-08:00
"We often refer to the Cuyahoga River in Cleveland that caught on fire over 20 times before we actually did something to introduce the Clean Water Act," says Allan Friedman, the director of cybersecurity initiatives for the Department of Commerce's National Telecommunications and Information Administration (NTIA), in a conference call on Monday. "I don't know if you can count this [Friday's massive DDoS attack] as an internet on fire — I know a lot of the people who were affected called it an internet on fire — but it may take several of these before we are sufficiently motivated. ... Given the very uncomfortable nature of some of the policy responses and the very long lead time to implement them and bring new problems to market, I think now is the time to start." Government should start working to prevent future attacks immediately, Friedman warned.
— "Baby Steps" / Tim Starks reporting in Politico, quoting Homeland Security Secretary Jeh Johnson: "The recovery from last week's attack that downed major websites like Twitter and Netflix appears to be complete. But preparing for the next huge distributed denial-of-service attack like the one that hit domain name system provider Dyn is still making baby steps. ... the department is working with law enforcement and the private sector to defend against Mirai and similar threats. And he pledged that DHS [Department of Homeland Security] would produce a strategic plan "in the coming weeks" to protect internet of things devices."
— "Internet Under Siege: The Cost of Connectivity," Rachel Ansley reporting from the Atlantic Council: "In the rush to produce cost-effective connected devices, not enough focus has been placed on security measures. ... [Joshua] Corman [the director of the Atlantic Council's Cyber Statecraft Initiative] described how the widespread dependence on connected technology is exceeding the ability to secure devices. 'In our race to adopt technologies for their immediate and obvious benefits, we seldom do the cost-benefit equation to notice the deferred cost in security risks these [devices] incur,' he said. Once the devices are sent to market, security is no longer accounted for. Corman claimed that if the default posture of these devices is insecure, they will continue to pose a greater and eventually unmanageable threat."
2016-10-25T09:32:01-08:00
A venerable old International Telecommunication Union (ITU) tradition got underway today. Its Telecommunication Standardization body, known as the ITU-T, gathered, as it has done every four years for much of the past 100 years in a conclave of nations, to contemplate what they should be doing at their Geneva intergovernmental standards meetings for the next four years. The gathering is called the WTSA — World Telecommunications Standardization Assembly. Old intergovernmental institutional habits still continue, so the participants are gathered in a remote location in Tunisia called Hammamet. Their real challenge today is severely diminished ITU-T participation and the actual use of their work. What is now unfolding, unfortunately, will not improve that trend.

So what appears at the top of the list for proposals for what the ITU-T should be doing? Nearly a dozen documents have almost identical text from three country blocs — the Russian Communications Commonwealth (RCC), the Arab States Administrations, and the African Telecommunication Union — purporting to make the world safe for users of the internet, mobile phones, and all forms of telecommunication. The promises are enticing: flawless identity integrity, network trust, privacy, counterfeiting mitigation, cybersecurity, eHealth, Internet of Things, Smart Cities. The proposals offer a kind of nirvana for accomplishing all these things, if only the nations of the world, via ITU agreement, buy into a service platform being proffered by an almost unknown new organization called The DONA Foundation. If one digs a little deeper, however, it gets interesting. The DONA Foundation, it turns out, is a private organization based in Switzerland whose members are drawn from the same country blocs making the proposals.

The DONA platform itself is a twenty-year-old scheme, known as Handles, to build a master global database allowing every networked device in the world to be uniquely tagged so that any desired information can then be added, tracked, and queried. Russia has had a special affinity for the platform, which it has been championing over nearly the past decade in the ITU. For many reasons, including usefulness of the technology, cost, and the existence of more effective alternative platforms, industry and technical communities have ignored the DONA platform over the past two decades. However, the ITU as an intergovernmental body operates under a different paradigm — political processes where Nation State blocs can simply propose anything they wish — as they have at the Hammamet meeting. Russia knows the process well, and the Russian, Arabic and ATU blocs control a significant number of votes.

There are some really sad, unfortunate dimensions to what is unfolding here. One of the more obvious, known to experts in the field, is that the ITU-T itself pioneered an effective means for tagging information objects thirty years ago known as OIDs (Object IDentifiers), and the platform has been usefully deployed across internet and telecommunication networks for many purposes. Another related aspect is that major global industry standards bodies have developed their own specialized tagging platforms that could be adversely affected by the patently anticompetitive ITU action of promoting the DONA platform for global use. The concerns do not stop there. There are other reasons why the DONA scheme has remained almost unused after twenty years. A single overlay global information system for tagging, tracking, and querying the existence of every network device is the equivalent of Snake Oil. No network singularity can scale to the degree required. Furthermore, it would be costly and difficult to even attempt to create and maintain — certainly by economically challenged countries. Lastly, such an overlay would itself be constantly exposed to all kinds of cybersecurity threats and constitute a major global vulnerability. Indeed, MobilePhoneSecurity.org recently[...]
U.S. Department of Transportation issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity. The guidance covers cybersecurity best practices for all motor vehicles, individuals and organizations manufacturing and designing vehicle systems and software.
— Cybersecurity Best Practices for Modern Vehicles / Page 5: "Vehicles are cyber-physical systems and cybersecurity vulnerabilities could impact safety of life. Therefore, NHTSA’s authority would be able to cover vehicle cybersecurity, even though it is not covered by an existing Federal Motor Vehicle Safety Standard at this time. Nevertheless, motor vehicle and motor vehicle equipment manufacturers are required by the National Traffic and Motor Vehicle Safety Act, as amended, to ensure that systems are designed free of unreasonable risks to motor vehicle safety, including those that may result due to existence of potential cybersecurity vulnerabilities."
— Aftermarket Devices / Page 20: "The automotive industry should consider that consumers may bring aftermarket devices (e.g., insurance dongles) and personal equipment (e.g., cell phones) onto cars and connect them with vehicle systems through the interfaces that manufacturers provide (Bluetooth, USB, OBD-II port, etc.). The automotive industry should consider the incremental risks that could be presented by these devices and provide reasonable protections."
2016-10-25T08:34:00-08:00
Last week, millions of infected devices directed Internet traffic to DNS service provider Dyn, resulting in a Distributed Denial of Service (DDoS) attack that took down major websites including Twitter, Amazon, Netflix, and more. In a recent blog post, security expert Bruce Schneier argued that "someone has been probing the defences of the companies that run critical pieces of the Internet". This attack seems to be part of that trend. This disruption begs the question: Can we trust the Internet? The answer to that question is not yes, or no, or even "it depends."

First, it is important to realise that there is no security czar on the internet; there is nobody who can force the global Internet and its users to solve any of these cyber issues. Various actors on the internet must take responsibility, often in collaboration with others, taking into account the fundamental values and properties that underpin the Open Internet. We call this approach the collaborative security approach. For now, it is sufficient to realise that security of the Internet depends on many actors taking responsibility. In this post, I look at this attack through the lens of the internet 'as a system', and I identify one success, share one observation, talk about a failure, and outline an agenda that we must adopt.

The success lies in the collaborative nature of how Dyn worked with others to mitigate the attack. As mentioned in their statement, Dyn had to work with the technical community to mitigate the attack. My speculations will not be far off if I say that this must have involved work with network operators, computer security specialists, law enforcement, computer security incident response teams, DNS providers, and their customers. Given the size and scale of the attack, I see their reactive work as a testament to the effectiveness of the coordination. So, kudos to Dyn for thwarting the attack even though, metaphorically, this is the success of a fire truck arriving on time and limiting damage and not a success of preventing the fire in the first place. We should not take the sort of collaboration that happened here for granted. These sorts of attacks can only be stopped when network operators collaborate to address issues that are not exclusively impacting their own network (the firemen from other areas coming to aid). At the Internet Society our Routing Manifesto, or MANRS, initiative speaks to just that: We are growing the community that commits to taking measures against certain types of attacks and takes action that allows for effective collaboration. MANRS acts as a signal to customers that they are dealing with an entity that understands their responsibility. I'll get back to signalling below.

The observation. One of the benefits of having a site's DNS service managed by one or a few consolidated companies is that specialist expertise can be outsourced and these few organisations can efficiently deal with problems quickly. However, it also means that chokepoints are created and those few managed DNS service providers are becoming very big targets. The failure lies herein that the target painted seems to have become too big, and many major companies and websites now share their fate with these consolidated DNS providers. Given that one of the services often offered by DNS service providers is load balancing, untangling these hefty integrations may be a bit tricky. But since some companies and websites got a real hit last week, I think there may be some market-driven evolution in this space.

Now for the failure: Why is it that we are shipping an Internet of Things (IoT) that is so insecure? These types of attacks depend on malicious software (usually referred to as "bot," from robot) being installed on various devices that connect to the internet. The installation can happen because users (accidentally) open links that download software or because devices are open to attack from the internet[...]
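The observation above is that consolidating a zone's authoritative DNS onto one managed provider creates a chokepoint: when that provider is knocked over, every dependent site shares its fate. The script below is an added example, not code from the post or from the Internet Society; it takes the NS hosts of a zone and reports whether they all sit under a single operator, so an operator can spot that dependency before an outage does. The delegations are constructed sample data with hypothetical hostnames, and the "operator" of a nameserver is approximated by the last two labels of its hostname, which is an assumption for the example; a production check would use the public suffix list and, ideally, the AS numbers of the resolved addresses.

```python
"""Flag zones whose entire NS delegation sits with one operator.

Added example, not from the original post. Sample delegations below are
constructed; operator_key() is a deliberate approximation (see docstring).
"""
from collections import defaultdict

# Constructed sample delegations: zone -> list of NS hostnames (hypothetical).
SAMPLE_DELEGATIONS = {
    "single-provider.example": [
        "ns1.provider-a.example", "ns2.provider-a.example",
        "ns3.provider-a.example", "ns4.provider-a.example",
    ],
    "dual-provider.example": [
        "ns1.provider-a.example", "ns2.provider-a.example",
        "ns-1.provider-b.example", "ns-2.provider-b.example",
    ],
    "in-bailiwick.example": [
        "ns1.in-bailiwick.example", "ns2.in-bailiwick.example",
    ],
}


def operator_key(hostname: str) -> str:
    """Approximate 'who operates this nameserver' by its registered domain.

    Assumption for this example: the last two labels identify the operator
    (ns1.provider-a.example -> provider-a.example). Suffixes such as co.uk
    need a public-suffix lookup to be handled correctly.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_by_operator(nameservers):
    """Bucket NS hostnames by their approximate operator."""
    groups = defaultdict(list)
    for ns in nameservers:
        groups[operator_key(ns)].append(ns)
    return dict(groups)


def assess_delegation(zone: str, nameservers) -> dict:
    """Describe the concentration risk of one zone's delegation.

    risk is "single-provider" when every NS resolves to one operator key,
    otherwise "diversified". self_hosted is True when that single operator
    is the zone itself (one fate, but no third-party chokepoint).
    """
    groups = group_by_operator(nameservers)
    operators = sorted(groups)
    single = len(operators) == 1
    self_hosted = single and operators[0] == operator_key(zone)
    return {
        "zone": zone,
        "nameserver_count": len(nameservers),
        "operators": operators,
        "risk": "single-provider" if single else "diversified",
        "self_hosted": self_hosted,
    }


def report(delegations) -> list:
    """Assess every zone and return the findings, worst first."""
    findings = [assess_delegation(z, ns) for z, ns in delegations.items()]
    return sorted(findings, key=lambda f: (f["risk"] != "single-provider", f["zone"]))


if __name__ == "__main__":
    for finding in report(SAMPLE_DELEGATIONS):
        print(f"{finding['zone']:<26} {finding['risk']:<16} "
              f"operators={finding['operators']} self_hosted={finding['self_hosted']}")
```

Feeding the real NS records of your own zones into `report` (for instance from a resolver library) gives a quick inventory of which zones would go dark together if one provider were attacked; a secondary provider under a different operator key is the mitigation the post's market-driven evolution points at.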
2016-10-25T08:09:00-08:00
There is no doubt that the number of online consumers is on the rise and that this is a trend that will not stop any time soon. Over the last couple of years, the number of digital buyers has grown by a steady 150 million each year. This number is expected to stay stable for a few more years to come. By 2020, about two billion people will be purchasing things online and making online money transactions on a regular basis. Perhaps the most interesting thing is that this increase in numbers could have been even more spectacular if not for one factor that makes a world of difference for many online shoppers — security.

An Unsafe World
Online stores and other organizations that sell their services or products online have traditionally been among the most attractive targets for cyber criminals. The reasons for this are numerous and very understandable. For one, such organizations and their data systems will hold a bounty of personal financial information, including people's credit card details and more. In 2015, we saw a number of high-profile data breaches where consumer data was stolen. And while 2016 has seen more ransomware attacks (where no data is compromised) than anything else, it has not been without its data breaches. While not all of the biggest breaches this year have involved online stores or service providers, they were definitely among the victims. For example, in June this year, Acer suffered a serious data breach when personal details (including credit card numbers) of more than 30,000 of their U.S. and Canadian online shoppers were stolen. The fault was with a third-party payment processing system, but that does not in any way absolve Acer of responsibility. Still, it is a perfect example of how even the world's biggest and most technologically advanced companies can be compromised just like anyone else.

How the Consumers See It
It is really not that difficult to understand why many people are discouraged from shopping or purchasing anything online when they hear stories like this. We live in an age of information and people are aware of how easily their data can be accessed by people and organizations that should never be in possession of such data. Back in the early days of online shopping, a paper was published in the Journal of Business Research which showed that financial risk was the most commonly perceived risk on the part of online shoppers (followed by product performance and time/convenience risks). More recently, Connexity did a survey which found that almost two thirds of American online shoppers are concerned about how the companies they do business with are securing their data. Other research also reinforces this view, where security has become one of the main concerns for online shoppers. It is not just the problem of data security. For example, there are certain online shopping models, such as online marketplaces, which come with their own slew of potential problems. Besides having to handle data, such websites and services also need to ensure that both the sellers and the buyers will honor the agreement.

How It Is Being Handled
At times, it feels that ecommerce sellers, marketplace operators and companies that sell their services online are always a step behind. In many ways, they are. This is mostly due to the very nature of cybersecurity solutions, which are in the vast majority of cases reactive, i.e. they are introduced when vulnerabilities are discovered. The good news is that the majority of online service providers and shops are still secure. Cybersecurity companies around the world are working on providing the best security measures to such companies and they are doing a great job. Furthermore, most governments have already started initiatives to keep online consumers secure and they are insisting on cooperation to reduce the risks. Ecommerce business owners and [...]
2016-10-25T07:04:00-08:00
During the last Computer Law Conference organized by ADIAR (Argentina Computer Law Association) and the Universidad Nacional del Sur, I gave a conference talk on the Internet of Things, cybercrime and the dangerous situation presented by the lack of proper regulation, a topic on which I have one of my research projects. At the moment some people argued that I was talking about something that might happen in a relatively distant future, dissenting with my view that the possibility was imminent… the massive cyberattack a few days ago only showed the scenario to which I referred that day. Reports talk about the huge DDoS attack being conducted using multiple devices connected to the Internet, devices that are more vulnerable to malware due to lack of security measures in them, devices that form what is known as the Internet of Things. Even if we forget that too many users don't even have antivirus software on their computers, most users have no knowledge nor capabilities to secure Internet-enabled devices, only the connection itself, which is not always enough in these cases.

So, what is the authorities' response to it? Different jurisdictions are dealing with the issue in different manners, but there is deafening silence about putting forward some kind of compulsory security regulatory framework directed to manufacturers and vendors, and too much talk about educating consumers and hopes of self-regulation, and attacks like the one on Friday show how insufficient those approaches are. Like many things in the Information society, things are left to self-regulation with the highly ideological basis that the technology in question is too dynamic to be properly regulated and that, taking into account the need to keep consumers' trust, the companies would do what is proper. The problem with that idea, not usually supported by facts as we've just seen, is that it forgets that companies in general, also those in the IT sector, are there to make profits and, regardless of how much "do no evil" they can try to promote, they may have the legal obligation to maximize profits for shareholders even if it means doing some evil (like censoring sites in some jurisdictions such as China). So, understandably, manufacturers and vendors will spend on security no more than what is strictly necessary to avoid potential lawsuits, which currently represents quite a bit less than what it would take to make their devices more secure than they are today.

One of the arguments for not regulating IT has been the possibility that such regulation would stifle its development, but it can be strongly said that it is time to leave that argument aside. IT and its companies have resulted in one of the fastest and biggest concentrations of income in recent memory and new billionaires have been popping up like mushrooms after the rain… it is hard to believe that strong regulation forcing companies to produce and sell secure Internet-connected devices would disincentivize too many of those companies from developing more of them, having, as worst-case scenario, just fewer luxury items sold to IT billionaires around the world in exchange for a more secure digital environment…

Written by Fernando Barrio, Professor of Law at Universidad Nacional de Río Negro
2016-10-24T11:29:01-08:00
The recent Internet outages caused by the DDoS attack on Dyn's infrastructure highlight deep architectural issues that need resolution. Security and performance are intertwined, and both need fundamental upgrades. A few days ago I was working at a friend's house. He likes to have Magic FM on during the day. They regurgitate the same playlist of inoffensive 70s, 80s and 90s pop music, with live drive-time shows. Later in the day I heard the DJ sputter how their Twitter access had gone wonky, so you couldn't expect to interact with them via that channel. I thought little of it. Many of you will have seen news stories that explained what was going on: a huge DDoS attack on the infrastructure of Dyn had taken down access to many large websites like Twitter. A great deal of digital ink has since been spilled in the mainstream press on the insecurity of the Internet of Things, as a botnet of webcams was being used. Here are some additional issues that might get missed in the resulting discussion.

An unfit-for-purpose security model
The Internet's security model is completely unsuitable for these connected devices. The default is that anyone can route to anyone, and that all routes are always active. This is completely backwards. The default ought to be that nobody can route to anybody until some routing policy is established that is suitable for that device. This process is called "association", and it precedes the "connection" that is done by protocols like TCP. The camera needed to be on its own virtual network that should be isolated from websites like Twitter. This is a fundamental architecture issue, and one that cannot be fixed by tinkering around with DDoS mitigation code in routers. The present Internet has been likened to running MS-DOS. It has a single address space, and doesn't have any real concept of "multitasking". We now have to move to the Windows or Unix level of sophistication, where different concurrent users and uses exist, but are suitably isolated from one another in terms of network resource access. This issue highlights why investment in new modern architectures like RINA is essential. TCP/IP is just the prototype, and lacks the necessary association functions for future demands!

Weak technical contracts on demand
The very nature of a DDoS attack is to aggregate lots of small innocuous flows into a large and dangerous one. The essential nature of the attack is to overload the resources of the target. This means we need to master a new skill: managing networks (and networks of networks) in overload. This is a problem faced by the military, since their networks are under active attack by an enemy. Part of the solution is to have clear technical "performance contracts" between supply and demand at ingress and traffic exchange points. These not only specify a floor on the supply quality, but also impose a ceiling on demand. With the present Internet we typically have weak contracts at those points, which don't set a supply quality floor or demand ceiling, or do so in a fashion that can't sufficiently contain problems. A DDoS attack is merely a special case of performance management in overload, and the real issue is broader than security management. The Internet needs an upgrade to be able to manage quality issues.

Lack of economic incentives
My final point is that we don't have good feedback mechanisms in the long run to prevent this problem from getting worse. It's a kind of "environmental pollution" issue where the cost of insecure devices and poor operational practices is not borne by those who designed and deployed them. There has to be a way of putting more "skin in the game". That could partly come from resolving the above two technical issues. Breach of the technical contract on the demand ceiling would result in some kind of commercial penalty for overl[...]
2016-10-23T14:01:00-08:00
October 2016 marks a milestone in the story of the Internet. At the start of the month, the United States Government let its residual oversight arrangements with ICANN (the Internet Corporation for Assigned Names and Numbers) over the operation of the Internet Assigned Numbers Authority (IANA) lapse. No single government now has a unique relationship with the governance of the protocol elements of the Internet, and it is now in the hands of a community of interested parties in a so-called Multi-Stakeholder framework. This is a unique step for the Internet and not without its attendant risks. How did we get here? Scott Bradner, long time IETF participant and also an active individual while he was the Internet Society's Vice President for Standards, was personally involved for much of the IANA's history, and he took some time at the recent NANOG 68 meeting in October this year to mark this change with his history of the IANA function. Having been directly involved in some of these events myself, I found Scott's history quite enlightening and I found myself taking detailed notes. In anticipating that others may find this equally interesting, I'll reproduce my notes here.

* * *

[Photo: Scott Bradner, NANOG 68 keynote on the IANA transition, Dallas, Texas, October 2016. NANOG photograph.]

Originally the IANA function started within the research project that became the Internet, and the initial "bookkeeping" was performed under the name of the "Network Working Group", which dates back to 1968. This was an ad-hoc group "concerned with the HOST software, the strategies for using the network, and initial experiments with the network" according to RFC 3. The "IANA" name itself did not show up until 1988 in RFC 1060, but of course things had been happening well before that time. Much of the DNS structure was put in place by 1984: RFC 822/823 and RFC 920 date from the early 1980s, and define the hierarchical structure of the domain name space and the role of the registry of those names that were directly delegated from the DNS Root. Of course at the time the Internet was a well kept secret, and from a wider perspective, at the time no one had even the slightest interest in this project. Even when the Internet started to gain some attention in the academic and research environment in the late 80s and early 90s, there was much scepticism from the mainstream IT and communications enterprise sectors. So much so that at one conference at the time, the Internet folks in attendance used the bumblebee as the Internet's icon because, in theory, bumblebees could not fly — as with the common perception of the Internet at the time!

The mid 90s saw the comprehensive demise of OSI and the interest in the Internet as a public service was taken up by various agencies and corporate entities, complementing the earlier adoption in the research and educational community. Interestingly, it was the namespace that attracted the most interest and attention, and this posed some real challenges to the nascent community and IANA in particular. The shift from an obscure semi-private function, to the glare of public attention, and the challenges of an enthusiastic entrepreneur sector, happened at a pace with which the IANA function appeared to be ill-equipped to cope. As early as 1995, the Internet Society Advisory Council championed a proposal to move the global DNS root to the Internet Society. This was aired at the DNS Evolve BOF at IETF 34 in Dallas, and the Internet Society proposal received spirited discussion. Despite this, there was not much support either way, but rough consensus[...]
2016-10-21T10:41:00-08:00
[Map: Areas affected by the outage, 21 Oct 2016. Source: Level3 Outage Map]

Major internet sites were disrupted for several hours this morning as internet infrastructure provider Dyn reported it was under a cyberattack, mainly affecting traffic on the U.S. East Coast. Twitter, Spotify, Airbnb, Reddit, Visa and various media sites were among organizations whose services were reported to be down on Friday morning. Amazon also disclosed an outage that lasted several hours on Friday morning.
— Doug Madory, director of internet analysis at Dyn, in an email said: "Dyn received a global DDoS attack on its Managed DNS infrastructure in the east coast of the United States. DNS traffic resolved from east coast name server locations experienced a service interruption during the attack. Updates will be posted as information becomes available. Services were restored to normal as of 13:20 UTC."
— Update: As of around 12 PM ET, Dyn reported that it is investigating another DDoS attack, and is continuing to attempt to "mitigate" the attack. Box, Twitter and other sites appear to be down again. The White House press secretary has also said that the Department of Homeland Security is investigating the attacks.
— Update from Dyn: "Our engineers continue to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure."
— Gillian Christensen of the U.S. Department of Homeland Security says the agency is "investigating all potential causes."
— "The attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks in Dallas, Texas at a meeting of the North American Network Operators Group (NANOG)," says Brian Krebs, whose own site recently underwent a historic DDoS attack. "Madory's talk ... delved deeper into research that he and I teamed up on to produce the data behind the story DDoS Mitigation Firm Has History of Hijacks. ... I have no data to indicate that the attack on Dyn is related to extortion, to Mirai or to any of the companies or individuals Madory referenced in his talk this week in Dallas. But Dyn is known for publishing detailed writeups on outages at other major Internet service providers. Here's hoping the company does not deviate from that practice and soon publishes a postmortem on its own attack."
— Update, 3:50 p.m. ET / Brian Krebs reports: "Security firm Flashpoint is now reporting that they have seen indications that a Mirai-based botnet [see earlier report on Mirai] is indeed involved in the attack on Dyn today. Separately, I have heard from a trusted source who's been tracking this activity and saw chatter in the cybercrime underground yesterday discussing a plan to attack Dyn."
— "This was not your everyday DDoS attack," said Kyle York, Dyn's chief strategist. Nicole Perlroth reporting in the New York Times: "Dave Allen, the general counsel at Dyn, said tens of millions of internet addresses, or so-called I.P. addresses, were being used to send a fire hose of internet traffic at the company's servers. He confirmed that a large portion of that traffic was coming from internet-connected devices that had been co-opted by a type of malware, called Mirai." ... Dale Drew, chief security officer at Level 3: "Roughly 10 percent of all devices co-opted by Mirai were being used to attack Dyn's servers."
— Update, 7:53 p.m. ET / Dyn issues Preliminary Findings Report with additional detail: "On Friday October 21, 2016 at approximately 11:10 UTC, Dyn came under attack by a large Distributed Denial of Service (DDoS) attack against our Managed DNS infrastructure in the US-East region. Customers affected may have seen regional resolution failures in US-East and intermittent spikes in latency globally. Dyn's engineers were able to successful[...]
2016-10-20T17:00:01-08:00
"Reverse Domain Name Hijacking" (RDNH) is a finding that a panel can make against a trademark owner in a case under the Uniform Domain Name Dispute Resolution Policy (UDRP).
RDNH Defined
Specifically, according to the UDRP Rules, RDNH is defined as follows: "Reverse Domain Name Hijacking means using the [UDRP] in bad faith to attempt to deprive a registered domain-name holder of a domain name." The Rules also state: "If after considering the submissions the Panel finds that the complaint was brought in bad faith, for example in an attempt at Reverse Domain Name Hijacking or was brought primarily to harass the domain-name holder, the Panel shall declare in its decision that the complaint was brought in bad faith and constitutes an abuse of the administrative proceeding." While neither the UDRP nor the Rules provide any further details or guidance, the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Second Edition, provides some insight into the circumstances in which panels have found RDNH: "To establish Reverse Domain Name Hijacking, a respondent would typically need to show knowledge on the part of the complainant of the complainant's lack of relevant trademark rights, or of the respondent's rights or legitimate interests in, or lack of bad faith concerning, the disputed domain name. Evidence of harassment or similar conduct by the complainant in the face of such knowledge (e.g., in previously brought proceedings found by competent authorities to be groundless, or through repeated cease and desist communications) may also constitute a basis for a finding of abuse of process against a complainant filing under the UDRP in such circumstances."
The WIPO Overview lists the following circumstances in which UDRP panels have actually entered a finding of RDNH:
— the complainant in fact knew or clearly should have known at the time that it filed the complaint that it could not prove one of the essential elements required by the UDRP
— the complainant failed to notify the panel that the complaint was a refiling of an earlier decided complaint or otherwise misled the panel
— a respondent's use of a domain name could not, under any fair interpretation of the reasonably available facts, have constituted bad faith
— the complainant knew that the respondent used the disputed domain name as part of a bona fide business for which the respondent obtained a domain name prior to the complainant having relevant trademark rights
RDNH in Practice
Although WIPO's UDRP statistics do not indicate how many cases have resulted in a finding of RDNH, a regular reading of decisions makes clear that RDNH is far from common. It appears that a little more than 100 WIPO UDRP decisions so far this year have mentioned RDNH — out of more than 2,400 decisions to date. And, of course, not all of those decisions actually found RDNH; many of them denied it. Here's one particularly interesting example: In a decision denying transfer of the domain name
A total of 3.2 million debit cards across 19 banks may have been compromised as a result of a suspected malware attack. The breach, possibly the largest of its kind in India, was confirmed by the National Payment Corporation of India (NPCI) in a statement today. The problem was brought to NPCI's attention via complaints from banks informing the agency that their customers' cards had been used fraudulently, mainly in China and the USA, while the customers were in India, according to the statement.
"How the breach could have occurred," Alex Mathew reporting in Bloomberg: "The breach that has apparently given hackers access to the PIN codes of several bank customers is likely to be on account of a malware attack. This attack is believed to have originated at an ATM. The actual modus operandi of the hackers will only become clear once the forensic audit is released in November… First, the hacker would have had to gain physical access to an ATM. The malware was then likely injected by connecting a laptop or another special device to a port on the cash disbursing machine, said Tiwari, a consultant at Centre For Internet & Society in Bengaluru. Once the malware is injected, it automatically spreads across the network..."
2016-10-20T12:22:00-08:00
Update on the Digital Economy Officers Program at the U.S. Department of State
Answering questions at the Internet Association's Virtuous Circle conference last week, Secretary Kerry presented the U.S. Department of State's effort to prioritize global digital economy issues abroad in order to reflect the growing importance of these issues in both economic and foreign policy. The State Department has made real progress on this initiative in the last year and hopes to continue our momentum going forward. Approximately six months ago, we announced the State Department's new Digital Economy Officers (DEO) Program with the goal of strengthening the capacity of our people, embassies, and consulates overseas to address the challenges and seize the opportunities that are emerging with the development of the global digital economy. We believe that this new global platform will help enhance the prosperity not only of U.S. people and firms, but that of other nations and their people, helping achieve more broadly shared prosperity and sparking innovative solutions to both commercial and social challenges that the world faces.
Secretary Kerry Speaking About Internet Policy – Virtuous Circle Conference on October 10, 2016, at the Rosewood Sandhill Hotel in Menlo Park, California. State Department Photo
Given that the internet and the digital economy are global in scope and affect a range of U.S. interests, the State Department is uniquely equipped among U.S. agencies to engage, lead, and advocate on these issues. The component parts of the global digital economy are the communications networks that connect the world; the data, information, and services that ride over those wires and airwaves; and every industry process across sectors dependent on those networks and services. With that definition in mind, it is clear that the global economy is in many ways dependent on the health of the global digital economy.
And the issues involved — from debates over data localization to privacy to intellectual property and platform regulation — constitute a dynamic and rapidly changing area of foreign and economic policy that demands constant updating of skills, access to information, and new capacities to keep pace. The development of the modern digital economy creates immense opportunity for economic and social progress due to its economies of scale and scope, but it is not without its challenges. It raises complex issues that are often technical but require an understanding of how the technical interacts with the political and economic outcomes we are pursuing in the world. Issues ranging from market competition between firms operating in the digital space, to how changes in production resulting from the digital economy are affecting labor markets, to how all of this information is transferred and used in a manner that respects our basic dignity, are confronting us in dialogues and debates within and across markets all over the world. Since the launch of the DEO program, we have identified nearly 140 digital economy officers at our embassies and consulates around the world. To make sure that our diplomatic workforce is informed and competitive in this space, we have taken some important steps in the last six months in key areas to elevate our game:
— Training: We have strengthened our annual training course on Internet and telecommunications policy at the Foreign Service Institute and are working on a proposed global training event for digital economy officers to be held in the United States in the spring of next year.
— Communications: We have increased the frequency of our communications with posts on digital economy issues, improved the Department's intern[...]
2016-10-20T10:49:00-08:00
The Uniform Domain Name Dispute Resolution Policy (UDRP) is an online dispute resolution regime. While panelists technically have discretion under Rule 13 to hold in-person hearings if they "determine[ ] ... and as an exceptional matter, that such a hearing is necessary for deciding the complaint," no in-person hearing has ever been held. Rule 13 exists to be ignored. Parties make their appearance and present themselves on the written page, and what they say, how they express themselves in pleadings, and what they annex are crucial to their argument. Traditionally, with live witnesses, juries and judges look and listen to performances; demeanor, comportment, and facial expression are important indicators of truthfulness. While we can't transfer these qualities to paper submissions in any literal sense, there are equivalents if we think of these qualities in a broader sense as meaning the content and nuance of a speaker's presentation in writing, selecting, organizing, and proving contentions. What speakers say, the language they use, the allegations they make, the narratives they construct, and the evidence they produce or withhold play a decisive role in assessing their claims and defenses. In a word, speakers have to be credible, which is no small matter because it requires a disciplined approach to the content of argument in both the pleadings and the annexes. We are constantly reminded of this in UDRP decisions. In the small percentage of contested disputes (that is, where respondents appear and defend), there is either a lack of evidence or a lack of credibility, or both, and it infects both parties' submissions. However, measuring credibility is not scientific, and there are cases that go one way when they should have gone the other. The dispute over
The Advocate General, the top advisor to the European Court of Justice, issued an opinion today on Internet anonymity, the Electronic Privacy Information Center reports. "He found that dynamic IP addresses are personal data subject to data protection law. The opinion concerns the case of German pirate party politician and privacy activist Patrick Breyer who is suing the German government over logging visits to government websites. ... The opinion is not legally binding but 'is usually a good indication of how the court will eventually rule'." The issued opinion in full: Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland.
"U.S. bank regulators on Wednesday outlined cyber security standards meant to protect financial markets and consumers from online attacks against the nation's leading financial firms," Patrick Rucker reporting in Reuters: "Leading banks will be expected to use the most sophisticated anti-hacking tools on the market and to be able to recover from any attack within two hours… Banks with assets of $50 billion or more must satisfy the new rules that will be finalized in the months ahead."
"Agencies Issue Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards," states the press release issued today by the Federal Reserve: "The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Board. The proposed enhanced standards would not apply to community banks. The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event."
(image) A screenshot from a video released by Czech police showing a man identified only as a Russian hacking suspect being taken into custody at a restaurant in Prague. CBS NEWS / 19 OCT 2016
The FBI, in a joint operation with the Czech police, arrested a Russian citizen in Prague on Wednesday in connection with attempted cyber-attacks against the United States. The FBI says the man was suspected of conducting criminal activities targeting U.S. interests, but has not given any more details. The arrest is not related to the Russian hacks of the Democratic National Committee and other political organizations or the ongoing probe of Russian interference in the U.S. election, federal law enforcement officials said. Czech courts will decide whether to extradite the man to the United States. – Katie Mettler further reports in the Washington Post
— Update / 19 Oct 2016: LinkedIn and other sources report the arrestee is a suspect in a major 2012 LinkedIn hack involving the theft of nearly 6.5 million user credentials. Statement by a LinkedIn spokesperson: "Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI's case to pursue those responsible. We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity."
2016-10-19T10:09:00-08:00
Observers of the IANA transition may have noticed a remarkably interesting fact: both supporters and opponents of the transition like to cite China, along with a small number of other countries, as evidence for their arguments. For supporters, take Larry Strickling as an example: blocking the transition benefits China in that it will "intensify their advocacy for government-led or intergovernmental management of the Internet via the United Nations." On the contrary, opponents led by Ted Cruz think that the US should not "give away control of the Internet to a body under the influence and possible control of foreign governments" like China, as they will "censor the internet internationally." The idea that IANA's technical coordination relates to censorship is certainly wrong, as Tim Berners-Lee and Daniel Weitzner have persuasively pointed out. By contrast, the pro-transition camp's arguments appear more plausible. Their arguments imply that China does not like the transition at all, and that is therefore why the transition has to happen. It is an unsurprising, even popular idea. In many places, China has been labeled as a stakeholder who at best "dislikes," and at worst "opposes," the multistakeholder governance process that is claimed to be the building block of ICANN and the broader Internet community. Unfortunately, these understandings have turned out to be misleading or wrong. China has recently welcomed the IANA transition. In a press conference a week ago on the preparation of the third World Internet Conference, Ren Xianliang, the deputy chief of the Cyberspace Administration of China (which oversees Internet governance), said that China welcomes the US government's decision to relinquish its oversight of the critical Internet resources. Mr. Ren emphasized that China has given high-level attention to Internet development and Internet governance.
In addition, China has consistently advocated constructing a cyberspace that is peaceful, secure, open and cooperative. Wishing for a smooth transition, Mr. Ren believed that the transition would have a positive impact on the internationalization of critical resource management and on bridging the digital gap between developed and developing countries. I am not in a position to elaborate too much on the policy implications of Mr. Ren's remarks. However, the positive attitude from a high-profile authority at least sends a clear signal that China is not standing as a hurdle to the transition. I believe that it will encourage the Chinese Internet community to participate more actively in post-transition ICANN affairs and, more broadly, in global Internet governance discussions.
Written by Jian Chuan Zhang, Senior Research Fellow at KENT and ZDNS
2016-10-19T05:00:00-08:00
Google has recently announced the release of Nomulus, its free, open source registry software, triggering discussion of its impact on the industry. Afilias has over 15 years of experience in registry operations, and offers the following initial thoughts.
* * *
First, free registry software is not new. CoCCA (Council of Country Code Administrators) has offered this option for years, and TLDs such as .CX (Christmas Island) and .KI (Kiribati) use it. It is supported on a "best efforts" basis and appears to meet the limited needs of a few small operators.
Second, registry services are about the SERVICE, not the software. While software is important, someone has to answer the phone when registrars (and ICANN) call. Someone has to deal with abuse if it happens. Someone has to accept deposits, manage billing, and keep the accounts straight. Even Afilias doesn't know how to automate EVERYTHING (and we have tried!). Most TLD owners don't like operational administrivia, and find it cheaper and easier to outsource it.
Third, free registry software does not mean a free registry operation, as Minds and Machines (MMX) recently concluded. MMX has decided to stop running its own registry and outsource its entire registry (and registrar) operations. Why? As stated in its 20SEP2016 Investor Presentation, this was to "Rationalize the business into a pure play owner of top level domains. Historically, MMX ran its own technical backend (RSP) and retail outlet (registrar) at considerable cost." After years of trying to do everything itself, MMX is outsourcing operations so it will be free to focus scarce internal resources on the strategically more important parts of its business.
Finally, even Google misses the mark sometimes, as evidenced in the Google Graveyard, which is rife with examples of products that were launched and then discontinued (e.g. Google Reader, Google Talk, iGoogle, Google Health, Knol, Picnik and many others).
* * *
What will be the impact of another free registry software option? With over 1400 TLDs in the root now, surely someone will try it and gain some real-life experience. Stay tuned.
Written by Roland LaPlante, Senior Vice President and Chief Marketing Officer at Afilias