Sometimes I hear people or read writers that say things about spam that are incorrect. I thought I would clear those up in this blog post.

1. December is spam season

When the holidays roll around, people start warning other people to watch their inboxes — December is spam season! By that, they mean that more spam than normal flows around the Internet.

People say this because December is the holiday season. Since spam is another form of advertising, and advertisers pepper us with ads during this time, then spammers must do the same.

It makes sense except it’s not true.

There are some years where spammers send more mail, but not every year. To measure this, I compared the month of December’s spam volume to the preceding three months, and the three months following. Below are the results for the past 6 years:

The red text above indicates where spam increased in December and fell off the next few months, which is what we would expect to see if spam really were seasonal.

The graph above shows that sometimes spam increases, but sometimes it doesn’t. It’s not consistent at all, and if it’s not consistent, then you can’t say that December is spam season.

Spam volumes may go down because it’s the holiday season; with more people out on vacation, their computers are turned off (at work) and therefore, the number of bots in the spammers’ botnets are smaller and therefore they send out fewer spam messages.

Whatever the explanation, Christmas is not the spam season.

2. Most spam is about porn

When people tell jokes about spam, they’re either about Viagra (or similar drugs) or about x-rated material. When I first started working as a spam analyst in 2004, I saw lots of x-rated spam. But I noticed that it was a smaller and smaller part of total mail.

In 2009, I started keeping track of categories of spam. Below are the results of how much porn spam accounts for:

2009 — 5%

2010 — 4%

2011 — 4%

It isn’t negligible, but it’s not even in the top 5 (it trails Pharmaceuticals, Products, 419s, Financial [refinance your mortgage, work from home] and Gambling — and has for years). Thus, while spam started out as a way to get people to buy x-rated services, today it’s mostly free. Why buy it (kind of like music and movies)? When that realization sunk in, spammers moved to more profitable ventures.

3. IPv6 is a ticking time bomb and a bonanza for spammers

The primary line of defense in spam filters are IP blocklists. They improve spam effectiveness, save on bandwidth (because you can reject mail at the edge without accepting it), don’t waste server resources filtering unwanted mail, and don’t need mail servers to store spam in a quarantine.

Because IPv6 adds so many IP addresses, it will be impossible to use IP blocklists:

• IPs get onto blocklists because they send spam to honeypots. Because there are so many IPv6 addresses, a spammer could send one spam per IP and then discard it forever. It wouldn’t matter even if they hit honeypots because the IP would never be re-used.

• Even if spammers re-used IPs, blocklists would be so large that back end servers would never be able to store, transfer or process them efficiently.

Since the world is on a march to IPv6, it’s only a matter of time before spammers use it as a floodgate to avoid IP blocklists and mail servers around the world become inundated under spam. The end is near.

Except it’s not true.

It’s definitely true that IPv6 enables more devices to connect to the Internet, but there’s a big difference between connecting to the Internet and connecting to the Internet to send email.

All email receivers know about the two problems I outlined above. Thus, while pointy-haired bosses around the world all want to be on the cutting edge of IPv6 (Look at how state-of-the-art we are!), nobody who receives email is enthralled about potentially receiving it over IPv6.

Because of this, large email receivers are not planning to blindly receive email over IPv6 the way they do with IPv4. Doing so would be swallowing a cyanide pill. It’s crazy! Maybe something like a central whitelist will be created wherein if you want to send mail over IPv6, you have to be registered on that list to do it. This is the model of “block the world and punch holes for your friends” but it’s more or less the same thing that Spamhaus’s PBL does.

How many legitimate email services are there today? 10 million? 20 million? There’s more people in the world, but not everyone needs their own email server. And that’s the point — the problem is manageable if we all agree to not accept mail from anonymous sources on the Internet.

Given how all mail receivers have skin in the game, and given that we worked together with DMARC, the future’s not as bleak as we think.

Written by Terry Zink, Program Manager

Follow CircleID on Twitter

More under: IPv6, Spam

CircleID

After some five years of public debate on the national broadband network it is heartening to see that more and more people are getting the message that the network means more than just fast internet access. Increasingly key decision-makers in business and government are reaching an understanding of the transformation that is underway in the economy.

It started with the music industry, followed by the publishing industry. The retail sector is learning its lessons the hard way but it is now beginning to understand the new environment. The entertainment industry is still trying to stop the tsunami by employing armies of lawyers, but it will soon also be engulfed by the changes. The banking sector is making a much smoother transition, while the demise of Kodak is another example of ‘missing the boat’.

One by one, all sectors of the industry are being confronted with the business transformation that the internet is bringing with it, and yet, incredibly, the ICT industry itself is still struggling with it (Sensis, Nokia, Microsoft, Motorola, Nortel, etc).

Progress in e-education is moving at an enormous pace and already some schools are limiting the number of printed text books — some are going totally e-book. With over a million children now with laptops it is only a matter of time before the education system switches over. The savings in books and other printed material alone will pay for this digital revolution. South Korean schools will be entirely e-book-based by 2015.

Changes in e-health are following the same path, with electronic patient records slowly being introduced and health insurance schemes starting to refund e-health services. This will be a user-driven development as it is more likely that the users will be able to adapt to e-health much faster than the healthcare system can deliver it.

This will clear the way for a whole new e-health industry, worth billions of dollars. One only has to look at some of the e-heath systems linked to the high-end private hospitals in the USA to see what is in store. They use their e-health facilities as a major marketing tool to attract customers, not just to the actual hospital, but to all of the other facilities around it. The add-on revenues are significant.

Those who are still talking about broadband as an end in itself do not understand the situation. Broadband is simply the tool that will further enable and advance the digital economy. So those who are looking at broadband in isolation are totally missing the point.

Included in this group is the Liberal opposition in Australia, and for that matter the Republican party in the USA. To them broadband is ‘it’ — they are completely missing the point of the digital economy.

On the other hand, as an example, the former chief information officer to the United States, Vivek Kundra, praises the Australian national broadband infrastructure investment for all the reasons mentioned above, clearly stating that the cost of that investment should be judged within the context of the digital economy.

FttH is not needed to get the digital economy started — that actually started a decade ago. One only has to look at Apple, Google, Facebook, Amazon, eBay to see what effect the digital economy is having on their valuations and compare it with what is happening to those who were slow to act upon that change. Those who are still lagging behind are going to find it increasingly difficult to catch up. There are now enough examples of struggling sectors that made the change too late that we can predict the impact this will have on these sectors.

In Australia the high dollar is having a negative effect on many business activities in traditional industries such mass manufacturing, retail, banking, airlines, etc. At the same time the unemployment rate remains low. This suggests that it is not so much an economic decline as a shift towards new jobs in new and different sectors, using new technologies and creating innovations and value-adds.

A digital infrastructure is essential to manage this transition. One only has to look at manufacturing — Germany, for instance, remains one of the leading global manufacturing countries, based on technological innovations that give it the edge over the countries whose manufacturing industries continue to operate in more or less traditional ways.

The digital infrastructure plays a key role in German innovation and manufacturing leadership.

Once there is more widespread understanding among business leaders, union leaders and politicians of the impact that these developments are having on the overall economy it becomes clear that we do need to make sure that we have the right conduit for the development of the digital economy. Those who don’t understand the impact of the digital economy — or who, for political reasons, don’t want to know about it — will argue that we can make do with second-rate infrastructure. It would be most regrettable if their lack of vision were to put a brake on the economic transformation that is already clearly taking place — this would result in Australia missing new economic opportunities for its future.

There are certainly many ways to skin the infrastructure cat, but unless the importance of the digital economy is made the central factor of the decision-making process (and not simply broadband) the right choices will not be made — decisions that will have to deliver the social and economic benefits that lie ahead.

Written by Paul Budde, Managing Director of Paul Budde Communication

Follow CircleID on Twitter

More under: Broadband, Policy & Regulation

CircleID

How one of those heavily bearded guys from the 19th century left a lasting mark.
thedailygreen.com article feed

As the WHOIS debate rages and the Top-Level Domain (TLD) space prepares to scale up the problem of rogue domain registration persists. These are set to be topics of discussion in Costa Rica. While the ICANN contract requires verification, in practice this has been dismissed as impossible. However, in reviewing nearly one million spammed domain registrations from 2011 KnujOn has found upwards of 90% of the purely abusive registrations could have been blocked. To be clear, these were domains intended to be abused, not hijacked or spoofed sites with innocent owners. While it is impossible to truly predict registrant intent it is possible to screen for policy violations and assign risk. In our particular research we only focused on one detail in the WHOIS record, the Administrator email address. By conducting a deep review of the email addresses and the information behind them we have determined a number of factors which invalidate the registration or call out for additional scrutiny. For the Registrar this has always been a conundrum of practicality. On the one hand it is their business to sell as many domain names as possible, on the other hand abused domains create untold headaches for Registrars.

A major concern blocking enhancements to registration verification is domain price. Competition has driven the price down while ingenious registration systems have excelled the process. Many are concerned that adding comprehensive verification to the scheme will add costs and slow the process. However, 23% of the abused domains in our study could have been blocked by very basic form scripting. Some of the most obvious were improperly formatted contact emails, emails with invalid characters inserted, and email addresses missing the TLD extension for the domain (see example 1 and 2). We also found contact emails with non-existent TLDs and in one case this lead to the discovery of an illicit no-prescription pharmacy domain using the mailing address and phone number for the newspaper the Los Angeles Times. The point being that red flags in one area of the registration are good indicators of problems elsewhere. The casual onlooker might wonder how these applications were processed when robust e-form validation has existed for years.

Domain registration is a critical entry point for cybercrime that can be choked easily without interfering with legitimate business. Once an illicit domain is registered it is a “horse out the barn” situation as spammers will abuse a domain at a high volume for a very brief period and then abandon it for greener pastures. By the time a victim reports the problem and a Registrar acts on it the damage is done, the money is gone, and precious time is lost. It is at the moment of creation that havoc can be managed and thwarted. Our study relied on 14 million instances reported by the public, the real number of unreported instances is likely massive in comparison.

Now, the 23% which can be outright blocked is a good start, but there is more hope for the rest. In our tests an additional 67% could be flagged with various risk factors. This type of evaluation gives the Registrar choice. The deep intelligence-based analytics emerged from the data collected from spammed domain registrations, but this is not a blacklist. Clearly it is not in a Registrars interest to manually review each registration but these checks merely present the option of additional review. To be sure we dropped a number of legitimate registrations in the test engine and they passed without being flagged. The screening is specifically targeted at domain registrations created with the intent of being abused. We have also found why some Registrars are being targeted for abusive registrations, often due to conditions which may not be obvious at first.

In general we are encouraged by these findings especially if the threat space on the Internet can be reduced through a process that is invisible to the legitimate domainer. We will be discussing these issues and the details of our findings in Costa Rica. This work is ongoing. A PDF brief is available here: PDF Brief

Written by Garth Bruen, Internet Fraud Analyst and Policy Developer

Follow CircleID on Twitter

More under: Cyberattack, Cybercrime, DNS, DNSSEC, Domain Names, Registry Services, ICANN, Internet Governance, Malware, Policy & Regulation, Security, Spam, Top-Level Domains, Whois

CircleID

Root name servers are a core service of the Internet [Include footnote to DNS Root Name Server FAQ]. As such they receive a huge amount of queries and need to answer reliably with acceptable delay. The RIPE NCC is responsible for operating one of the 13 DNS root name servers K-root which responds to 10,000 — 15,000 queries per second. Most root servers are operated as a network of distributed “instances” using anycast. That means a single IPv4 or IPv6 address is announced simultaneously by a set of name server “instances” deployed in different geographical locations.

K-root operates 18 instances; You can find a map http://k.root-servers.org/ on the RIPE NCC’s website.

VisualK is a new tool that monitors the load of the K-root name server supported by each instance. It further shows load migrations between pairs of instances over time. ViskalK is one of the tools our operations staff use to monitor the health of K-root.

The image below is a screenshot of the output of the tool. Each instance of K-root is represented by two concentric circles:

• The first one, filled with colour, has a size proportional to the number of queries per second received on that instance;
• The other one, indicated by a dotted line, shows the average load over the previous 30 minutes. This is used as a reference value.

In most cases, these circles overlap. But in some cases you can see that the dotted line is much larger, for example at the root name server instance in Poznan, Poland. This means that something has changed recently: the number of queries has dropped significantly.

In the image you can also see that pairs of instances are connected by links (or “tentacles”) if they are considered topologically adjacent. Links between root name server instances are generally invisible, but become active when traffic migration is detected: colour and size of the link indicate the origin and volume of traffic flow, together with bubbles pouring into the instance receiving the traffic. In our example you can see that some load has moved from the instance at NAP (in Miami, Florida) to the one located at LINX (in London, UK).

In addition, VisualK highlights unusual behaviour. Flashing arrows show load migrations between instances that are not considered adjacent. Root name server instances start to blink if their traffic load decreases significantly. The goal is to help spot unexpected changes while they are happening and to allow root name server operators to investigate what causes these changes.

For more information, please refer to the background article on RIPE Labs: VisualK — Monitoring K-root in Near Real Time

VisualK has been developed by Claudio Squarcella, intern at the RIPE NCC, in collaboration with the Compunet Lab at Roma Tre University.

Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC

Follow CircleID on Twitter

More under: DNS, Regional Registries

CircleID

Some worrying signs are emerging in the USA.

During the last decade I have questioned the economic viability of two parallel telecoms infrastructures. When these two network rollouts commenced no issue existed in relation to conflicting interests — one delivered telephone services, the other broadcasting services. But this all began to change when it became possible to use the HFC network to deliver broadband and telephony as well as broadcasting, and to use the telephone network to deliver broadband in addition to phone services.

In the early to mid-00s we began flagging that these new developments would necessitate further network upgrades to keep pace with the relentless market developments, and that eventually both networks would need to be upgraded to fibre.

We also indicated that when this happened the question would be whether there would be room for two fibre networks to the home. Our answer of course was that there would not.

At that stage we assumed that commonsense would prevail, and that there would be a functional split or specialisation, with infrastructure ending up in the hands of the telcos and content in the hands of the media companies. Unfortunately commonsense has become a scarce commodity in the USA.

However, it now seems that this will not be the way events will pan out. The handful of players involved in this market are monopolists with huge egos, and, thanks to their enormous lobbying powers, they more or less have complete control over the regulatory regime in the USA. Their influence over politicians allows them to dominate this market, with hardly any intervention to the contrary if other operators, including municipalities, try to roll out networks.

Most of the time these players are supported by the state authorities. Given this monopolistic environment, involving a severe lack of competition, the positive economic outcome that we anticipated a decade ago has not materialised.

So the telcos and the cable companies continue their struggle for dominance. The telcos have bought up large chunks of content to compete with the cable companies, and the cable companies have upgraded their networks to high-speed broadband (DOCSIS 3.0). The telcos have not really created an advantage for themselves here as their services are roughly equivalent in content to those of the cable companies.

By now it can be concluded that the cable companies are coming out on top. They remain the key players in the content market and have a far better understanding of this media and advertising business than the telcos. As well as that, their HFC networks offer a superior broadband quality for subscribers.

The only way forward for the telcos is to look at fibre networks. They have tried this in the past, but for all the reasons that we have put forward so many times in the past it is not economically viable to build successful, large-scale FttH networks based on competing infrastructure (so-called ‘overbuild’). This business model can work in small wealthy markets where people are prepared to pay $ 125 a month for a fibre connection (often also retaining their cable subscription), but it will not work in mass markets. In order to roll out FttH in any economically viable way operators require an uptake of at least 60%. With competing infrastructure, especially in the initial years, this will not be possible. Successful fibre builds, judiciously regulated to avoid duplicated network construction, are a reality, as the experience of Switzerland testifies.

While all of this is happening, in the USA, as in other markets, the revenues in traditional telecoms services are declining. Because of the new developments in OTT services it is becoming increasingly difficult for telcos to develop services that can create new revenue streams at the margins they have become used to as monopolists in the telecommunications market.

So they are losing the battle with the cable companies — not just in content but also in broadband, while at the same time their revenues from traditional voice services are either stagnating or declining. Add to this the uneconomic business case for FttH investments and one can see a massive telecoms problem emerging in the USA.

Verizon and AT&T have essentially cancelled their FttH plans, so the path to a future where they can successfully compete with the cable companies has been abandoned (see USA — Broadband Market — Fibre to the Home (FttH) — Overview, Statistics and Forecasts).

Furthermore, there are signs that with declining revenue, and no prospect of increasing that revenue, the telcos may not be able to maintain the current level of telecommunication services demanded by customers. AT&T has indicated that it will start concentrating on markets where it is making money, and that it is looking at divesting markets that are not sufficiently profitable. Over the last two years revenue growth for these telcos has remained below growth in GDP.

These are the words that AT&T used:

…we will accelerate our efforts to improve our overall growth profile. We will do that by looking at opportunities to either divest or restructure low performing and nonstrategic assets. —AT&T Chairman and CEO Randall Stephenson, January 26, 2012

This means that several of these markets — for instance, low-performing fixed-line consumer markets — will be left behind as road-kill on the telecoms superhighway. Estimates are that this could be between 30% and 50% of their fixed consumer markets. Divesting might improve the margins and it might be good for shareholders, despite the fact that overall revenues will shrink — but who is going to pick up the pieces? There will not be many companies interested in investing in markets where revenues and margins are contracting. In the end, whether politicians like it or not, it will be the government that will need to step in. After all, it is their failed policies and regulations that have led to this situation. They allowed the market to develop into one that stopped being competitive a long time ago, and today’s state of affairs is the result of this. The reality, however, is that government intervention is unlikely to happen any time soon. The situation will have to deteriorate significantly before something like that happens.

Spin-offs will mean even less competition and the market in the USA will further be monopolised by the cable companies. We have already seen how hard it is for smaller companies to compete with the large ones. Guess what will happen? Prices for consumers will go up.

The Obama administration tried to do something about this, using stimulus policies to pump $ 7.2 billion into regional and rural broadband. However, from the very start we have said that probably 75% of this money will be wasted, since the regulatory framework is not in place to allow for sustainable investments in regional broadband. The vested interests will make sure that they either get the money (or the stranded assets that will result from this plan) or they will make things difficult for any funded projects that look like becoming successful. In areas which hold no attraction for the vested interests the newcomer will become the de facto monopoly and questions will arise regarding innovations and competitive prices (see USA — National Broadband Plan — Overview and Analysis.)

Open access is proving to be the key to FttH rollouts. Legislation has already been passed in countries such Australia, New Zealand and Singapore. In Switzerland the regulator recently completed its network-sharing format, so all operators know the score and consumers can seamlessly switch between providers very cost-effectively. Without these provisions in place FttH would be an uphill battle.

As we have been predicting for a decade, ‘vertical integration’ is dead. Throwing more money at it is not going to achieve anything; structural changes are the only solution. This is also particularly critical to the country’s economy. Structural changes are essential if the USA wants to maintain its leading economic status in the digital economy.

These developments also make a mockery of the country’s National Broadband Plan, delivering 100Mb/s broadband to consumers. We refer to our analysis of these plans. It would seem that, given the current developments, that promise is moving further and further away. While DOCSIS 3.0 theoretically can provide downstream speeds at 100Mb/s (so that its existence technically meets the plan’s goal) in reality no one will be able to get such speed consistently — cable networks are shared networks and the more people on it, the lower the speed.

Written by Paul Budde, Managing Director of Paul Budde Communication

Follow CircleID on Twitter

More under: Access Providers, Broadband, Mobile, Policy & Regulation, Telecom, Wireless

CircleID

It still amazes us that respected industry commentators join liberal politicians in questioning the need for FttH in the wake of the enormous success of mobile broadband.

They refer to this phenomenon as proof that people are bypassing their fixed broadband and are now using the smartphones and tablets to obtain most of their broadband access.

However, after several years of mobile boom the majority of households — and all of Australian businesses — are still using the fixed-line networks for calls, and most certainly for broadband access. Around 85% of households are still connected to the fixed network, and in the case of businesses this is close to 100%.

This situation is replicated throughout the developed world.

So obviously the majority of the global consumer and business population is making choices contrary to the claims of the NBN naysayers.

But an analysis of mobile broadband usage is even more interesting. Most heavy broadband use on smartphones and tablets takes place in homes, offices, airports, schools, universities, internet cafes, etc, and in most of these situations the WiFi networks are used for this, not the mobile networks. And all of these WiFi modems are linked to the fixed network. The increase of broadband access from tablets and smartphones will increase demand for fixed broadband access, and so the enormous appetite for mobile broadband will only increase the need for a FttH network.

BuddeComm has reported on the impressive progress of mobile broadband, but we have also highlighted the access problems to these networks, even from spots within the CBDs of Sydney and Melbourne. It is not for nothing that the telcos are going to spend some $ 5 billion to renew and buy new spectrum licences. If they did not need the capacity they would not fork out that kind of money.

At the same time we see mobile operators bringing in more caps and differentiating their plans in an effort to manage their network. Australia has always had capped mobile prices, but other countries did not; now, however, operators in America and Europe are introducing capped pricing and throttling usage down — and asking for more money if you want to use more, clearly illustrating the problems that exist around mobile capacity.

This means that the more broadband you use over the mobile network the more you will pay. On the other hand, FttH doesn’t have such capacity limitations and these networks will always be much more price-competitive. So, even with the next generation of mobile networks (LTE), the majority of users will continue to use their WiFi networks to download content-rich applications onto their mobile phones, tablets and laptops.

It could even be argued that smartphones and tablets are becoming the killer apps for the FttH networks and this will become more apparent with the new WiFi devices that are coming onto the market as we speak. The WiFi technology market is booming, and with more wireless devices in the home — and with people using them in different rooms at the same time — there is an urgent need for better WiFi connectivity. This will be provided by the new GigaBit WiFi technology, which will rapidly be implemented in tablets, smartphones and laptops and via in-house WiFi modems and repeaters.

Imagine what all of this will do to broadband capacity requirements in the house?

Even the most committed naysayer must be experiencing at least some doubt regarding their fundamentalist position on this issue.

Written by Paul Budde, Managing Director of Paul Budde Communication

Follow CircleID on Twitter

More under: Access Providers, Broadband, Policy & Regulation, Telecom

CircleID

Over the last year the world has been virtually buried under news items describing hacks, insecure websites, servers and scada systems, etc. Each and every time people seem to be amazed and exclaim “How is this possible?” Politicians ask questions, there is a short lived uproar and soon after the world continues its business as usual. Till the next incident.

In this blog post I take a step back and try to look at the cyber security issue from this angle: nothing is secure and what can be done about it. (The post refers to a lot of articles. As most are in Dutch I left them out here. Should you be interested and you should as some very interesting examples of ways forward are presented, I refer you to my blog. All links to articles, papers and proposed law texts can be found there.)

Week 8 – 15 February 2012

In the past two months I had the impression that there were less news items on the topic. Were we getting tired of this form of news or were there less hacks? I don’t know, but fact is that in the past week the shit hit the fan. One major hack after the other was revealed and vulnerabilities exposed. KPN was hacked by a hacker “who did nothing”, Bavaria, through the hack of a small telco named Creation Point, and Philips lost hundreds of thousands unique privacy sensitive data of customers. All three examples because of outdated security of involved servers. Water regulation systems in parts of The Netherlands were exposed as nearly unprotected. To be honest, I wouldn’t be surprised if the same would go for our national atom power plant in Borssele…

Internet = optimism, or it was

The Internet was expanded on optimism. A great new medium with all these beautiful features that could be added and saved lots of money and resources. In this enthusiasm decisions were made of which the implications could not be overseen or most likely not understood. To quote the above mentioned article on the water scada systems:

“Most organisations do not oversee which of their systems are directly connected to the Internet.”

Nobody had thought through the opportunities let alone the implications the Internet offers to themselves. And who ever thought upfront of the challenges the success of the darker sides would pose?

Let’s pose another question. How much money is spent presently to secure this Internet? Does it surpass the savings? An interesting question, isn’t it?

Richard Clarke and infection of critical infrastructure

In his book ‘Cyber war’, Richard Clarke writes, that he expects that in almost all major critical infrastructure systems in the United States cyber bombs have been installed, somewhere in the past. Small pieces of software that do not belong there and are controlled by unknown entities, to inflict unknown damage. He hints at China as the source. The news that China was inside the Canadian firm Nortel from the year 2000 and undetected, is quite revealing, I’d say. Critics advice to file Cyber war under fiction. Or is it the view of a visionary, warning a non-listening majority? And how is this in The Netherlands or your country? Has anyone even started looking?

(You can find my review of Cyber war here.)

The Dutch National Cyber Security Centre

So here we are in 2012. In the Netherlands there is a National Cyber Security Policy and a National Cyber Security Centre. It specifically aims at public-privacy cooperation and partnerships. The structure to tackle the challenge of a safer Internet on a national basis is installed. This makes a logical, step by step approach to the problem possible.

What could be a starting point? How about taking for granted that systems/websites/servers/etc. are safe till proven different, is no longer the correct approach. My advice would be to declare everything unsafe and from there work towards steps to improve security.

First signs of a coordinated approach

The whitepaper of the NCSC on websites is a first step. Another good example is that the NCSC already has published a factsheet on ICS/Scada systems with advice to those concerned on protective measures to take. This shows commitment and resourcefulness to those concerned.

Extinguish ignorance

But is this enough? Does self-regulation actually work? The track record of the past years is not hopeful. Ignorance (or carelessness?) still seems rampant, despite messages that ought to raise red flags. Apparently passwords are not changed, servers not checked, websites not updated security wise, despite of the news. Of course not all is bad, but it could become much better, more pro-active and coordinated.

Incidence reporting by law

An initiative to come with a law around security and notification duty of cyber incidents a good second.

Coordinated approach to ensure cyber security

I think the government could go one step further in setting a policy or coordination plan that step by step secures the Internet and all related topics around it. So clear rules on the security of websites and servers, including those services offered to the Netherlands from outside. Public systems become better secured through the program, starting with better passwords, mandatory updates of security software and a minimum set level of security, etc.

Next to that a program could start in which security is tested continuously by a team of people that do exactly the same as the people who do so out of a hobby or for more nefarious reasons: hacking. Testing leads to a continuous rise of the security level, awareness replaces ignorance and involvement carelessness. Lessons learned are shared through the coordination of the NCSC and the ISAC programs with all concerned.

Responsibility and accountability

Another thing that needs to happen, is making someone responsible and accountable for security. The loss of privacy sensitive data or successful hacks in public systems, including former utility services, as the public totally depends on them, must not be seen as unfortunate, but as a serious problem. Starting with a serious breach of personal integrity, ending with potential threats to national security and everything in between. Only by presenting it in this way, can executives be made to understand that they really have a problem on their hands. Up to this day, this does not seem the case. It is not as if the news of one hack makes people run for security. The proposed change in the Telecommunications Act and the Data Privacy Act should take care of accountability.

The loss of private companies, e.g. through industrial espionage, is or may also (be) a major problem, but in the end the loss of that company. If they do not understand the implications of a lack of security online, it is their problem. The implications for the national economy come second.

Important to realise is that this law only looks at the results of the hack and does nothing to prevent it, at least not directly, let alone go for the source.

Security costs and saves money

Security costs money and the people making decisions on budgets must be made to understand that neglecting security could lead to considerable losses and even to bankruptcy, as Diginotar has ably demonstrated. Internet security saves money. Governments can explain this quite vividly to those concerned and thus gain involvement from the private sector. Use the Nortel and Diginotar example!

Conclusion

Whether the threat of cyber war or actions by isolated terrorist cells are at present real or science fiction, fact is that a lot of front and back doors are open because of a lack of understanding. This can be dealt with through a solid nationally coordinated plan of action, aimed at making the country safer. The Netherlands at least has built the infrastructure to be able to aim for a comprehensive approach. How is this in your country and what could you learn from the Dutch approach?

Enforcement

Another topic is enforcement. I’ll come back to that later.

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

Follow CircleID on Twitter

More under: Cyberattack, Cybercrime, Internet Governance, Law, Malware, Policy & Regulation, Security, Spam, Web

CircleID

Google reports that its “experimental” public DNS service launched in December of 2009 has now passed 70 billion requests a day and no longer considered experimental. From the announcement: “Google Public DNS has become particularly popular for our users internationally. Today, about 70 percent of its traffic comes from outside the U.S. We’ve maintained our strong presence in North America, South America and Europe, and beefed up our presence in Asia. We’ve also added entirely new access points to parts of the world where we previously didn’t have Google Public DNS servers, including Australia, India, Japan and Nigeria.”

Follow CircleID on Twitter

More under: DNS

CircleID

Google revealed on its official blog today that it is handling an average of more than 70 billion requests per day on its free Public DNS service.

According to VeriSign’s latest public statistics, it is handling only an average of 59 billion DNS requests per day, less than that handled by Google. However, VeriSign does not perform this service for free.

VeriSign registry fees are $ 7.85/yr for each dot-com domain name, and $ 5.86/yr for each dot-net domain name, with prices increasing 7% and 10% annually (respectively) due to a sweetheart no-bid contract with ICANN.

With more than 100 million dot-com domain names registered, VeriSign generates nearly $ 800 million per year in revenues from the public, with infrastructure costs and load that are comparable to a service provided by Google absolutely free. This should clarify the extent to which ICANN and VeriSign are gouging the public. It certainly does not cost Google $ 800 million/yr to run their Public DNS service.

The time has come for ICANN to open up the dot-com registry contract to a public tender process in order that the public receives the best possible price for registry services. The current contract is the equivalent of the $ 436 hammer or the $ 640 toilet seat that used to be common in the defense industry.

Should ICANN not open up the contract to a public tender process, the NTIA or DOC should compel them to do so. Failing that, the Department of Justice should open up anti-trust investigations to examine whether consumers are being harmed by this anti-competitive untendered contract that bears no relation to the costs of performing the service. Under competition, dot-com registry costs would almost certainly be below $ 2/yr per domain name. That’s $ 500 million or more per year that the NTIA, DOC and DOJ can return to consumers by forcing a tender process for dot-com registry services.

It also begs the question: Why are registrars not more vocal in opposition to the no-bid sweetheart contract that VeriSign enjoys? The answer is clear — many of them want to emulate VeriSign, to become registry operators in new TLDs. This desire for new monopolies and new monopoly pricing demonstrates how broken ICANN has become, and how distant it is from the true desires of consumers.

Written by George Kirikos, President, Leap of Faith Financial Services Inc.

Follow CircleID on Twitter

More under: DNS, Domain Names, Registry Services, ICANN, Internet Governance, Top-Level Domains

CircleID