Today, President Barack Obama released the administration’s much-anticipated Cyberspace Policy Review.

The preface of the report states:

Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution.

The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.

The Federal government is not organized to address this growing problem effectively now or in the future. Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way. The government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity related issues confronting the United States. The Nation needs to develop the policies, processes, people, and technology required to mitigate cybersecurity-related risks.

Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms. The United States needs a comprehensive framework to ensure coordinated response and recovery by the government, the private sector, and our allies to a significant incident or threat.

The United States needs to conduct a national dialogue on cybersecurity to develop more public awareness of the threat and risks and to ensure an integrated approach toward the Nation’s need for security and the national commitment to privacy rights and civil liberties guaranteed by the Constitution and law.

Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.

For the full report see the pdf at Cyberspace Policy Review. 

Afilias, a global provider of Internet infrastructure services, today announced that a new Global Phishing Survey released by the Anti-Phishing Work Group (APWG) reveals that the .INFO domain is the generic top-level Internet domain (gTLD) safest from phishing attacks. The results of the Survey show that, during the second half of 2008, .INFO had the lowest phishing rates and the lowest average attack duration among the gTLDs measured. .INFO’s phishing durations were half the world average.

“The .INFO registry is at the forefront of protecting Internet users from online identity theft across the world,” said Greg Aaron, Director of Key Account Management and Domain Security at Afilias, and a co-author of the study. “In January 2008, Afilias implemented a vigorous anti-phishing program working closely with .INFO registrars. We are pleased that the hard work of the .INFO anti-phishing team and dedicated registrars have propelled .INFO to the top spot for safety from phishing.”

The Global Phishing Survey analyzes the APWG phishing attack repository and other data sources comprising a comprehensive archive of phishing activity. It reports 56,959 phishing attacks worldwide in the second half of 2008, hosted on 30,454 unique domain names. Phishing took place on domain names in 170 top-level domains (TLDs). According to the report, a phishing rate is a standard measure of the number of detected phishing Web sites for every 10,000 domains registered, and indicates the prevalence of phishing in a top-level domain. Attack duration measures the amount of time a phishing Web site remains online — the longer one stays online, the more unsuspecting users may fall victim to the criminals.

Phishing is a common way that criminals perpetrate Internet identity theft and fraud. A phisher builds a fake Web site that masquerades as a trustworthy entity such as a bank, to fool Internet users into revealing sensitive information such as their usernames, passwords, and financial information.

“Identity theft and fraud are important issues for anyone who goes online, and criminals are using vulnerable top-level domains and registrars to steal identities and money,” said Ram Mohan, Executive Vice President and CTO of Afilias. “The new data demonstrates the effectiveness of active, self-regulated domain name anti-abuse programs in improving the safety of Internet users against those who steal from them.”

View the full report at: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf

About .INFO

.INFO was the first generic, unrestricted TLD to be launched since .com. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world. Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information please visit www.info.info.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

It continues to be a boom time for cybercrime according to the latest Consumer Reports National Research Center “State of the Net” survey. Consumer Reports found that one in five online consumers have been victims of cybercrime in the last two years to the tune of an estimated $8 billion. And the overall rate of the crime has remained consistent over the five years that Consumer Reports has been tracking.

But Consumer Reports notes that the problem stands to get worse as rising unemployment and foreclosures fuel a wave of recession-orientated Internet scams, and as the popularity of social networking services grow, creating more openings for identity thieves. Consumer Reports found that 13 percent of social-network users experienced some form of abuse.

Additionally, Consumer Reports estimates that 1.2 million consumers have had to replace their computers over the past two years due to software infections and an estimated 3.7 million households with broadband Internet access did not use a firewall to protect against hackers. Below are additional findings related to major online threats:

• Phishing or sending authentic-looking but fraudulent e-mail designed to steal sensitive personal information is a continuing concern. Consumer Reports estimates that about 7 million consumers gave phishers personal information over the past two years; that’s 1 in 13 online households. Among scam victims, 1 in 7 lost money in the past two years, comparable with data from the last survey. Total damage to U.S. consumers through phishing attacks works out to about $483 million.
• Spyware: Consumer Reports found 545,000 households had to replace computers in the past six months and one in 12 people had serious problems with spyware.
• Online identity theft: Consumer Reports estimates 1.7 million households were victims of ID theft committed over the Internet in the past year, of those two-thirds said the incident occurred because of an online purchase.

Certain online threats are almost as prevalent today as when Consumer Reports conducted its first survey five years ago. Consistent with last year’s findings, 1 in 3 respondents had heavy levels of spam and 1 in 7 have had serious problems with viruses.

See the full press release at:  PRNewswire

A spam e-mail claiming to be from former CBP Assistant Commissioner, Thomas S. Winkowski, is currently being circulated. This attempt to defraud is the typical e-mail scam using the name and reputation of a federal government official to create an air of authenticity.

The spam e-mail indicates the CBP has stopped a Diplomat who is carrying a consignment to be delivered to the recipient’s residence. This consignment allegedly contains millions of dollars, which is revealed to be an inheritance for the e-mail recipient.

As with many other scams, this e-mail advises the recipient they will be permitted to access this inheritance once the recipient has given the sender of the e-mail their personal information.

This e-mail is a hoax. Do not respond.

The U.S. CBP does not send unsolicited e-mails. Consumers should not respond to unsolicited e-mails or click on any embedded links, as they may contain viruses or malware.

It is imperative consumers guard their personally identifiable information (PII). Examples of a person’s PII include, but are not limited to: date of birth; social security number; and bank account numbers. Providing your PII will compromise your identity.

If you have received this e-mail, or a similar e-mail, please file a complaint at www.IC3.gov.

Source: www.IC3.gov.

With the recent infection of over 700 computers at the University of Utah, many people are asking, “How do I know if my computer is infected with Conficker?”

For those who want to know if their computer (this does not currently apply to Apple products) is infected, there is a simple test called the “Conficker eye chart test.”

Just click here for the Conficker eye chart test  and follow the easy onscreen instructions.

Some other indications that your computer is infected with the Conficker worm include:

•1)      You cannot visit the Microsoft Conficker fix page.

•2)      You cannot visit security sites like Symantec , Trend Micro , or McAfee.

•3)      You cannot shut down your computer.

 If you determine that your computer is infected with Conficker:

•1)       Disconnect your computer from the Internet.

•2)       From a different computer, which is not infected, change your user names and passwords.

•3)       If you have used your credit card while infected contact your credit card company and cancel that card and ask for a new card/number.

•4)       Have an expert remove the Conficker worm from your computer from a different uninfected computer.

Conficker is now selling itself to unsuspecting victims by pretending to be a $50 Anti-Virus product named “Spyware Protect 2009.”   Spyware Protect 2009 is being offered to computer users though spam emails and pop-up advertisements.  Those who sign up for Spyware Protect 2009 lose their $50 and have their computer infected with the Conficker worm.

A Conficker timeline:

 Win32/Conficker.A was reported to Microsoft on November 21, 2008

 Win32/Conficker.B was reported to Microsoft on December 29, 2008

 Win32/Conficker.C was reported to Microsoft on February 20, 2009

 Win32/Conficker.D was reported to Microsoft on March 4, 2009

 Win32/Conficker.E was reported to Microsoft on April 8, 2009

Computer-virus infections don’t cause your machine to crash anymore.

Nowadays, the criminals behind the infections usually want your computer operating in top form so you don’t know something’s wrong. That way, they can log your keystrokes and steal any passwords or credit-card numbers you enter at Web sites, or they can link your infected computer with others to send out spam.

Here are some signs your computer is infected, tapped to serve as part of “botnet” armies run by criminals:

See the full report at MSNBC.com.

Last November, after giving the keynote address at the Gartner Identity and Access Management Summit in Orlando, Florida, I finally got to meet Avivah Litan.  Avivah, a vice-president and distinguished analyst at Gartner, is one of the nation’s leading analysts of identity theft and financial fraud and someone I’ve admired for a long time.

While chatting with Avivah, she mentioned that she had just received the raw statistics back from a survey she had designed to examine identity theft, data breaches and financial fraud.  We huddled over Avivah’s laptop in a side room at the conference and quickly reviewed some of the numbers.  It was immediately obvious – even with just a cursory look – that this new Gartner study would break ground.

Indeed it did.

Gartner and Avivah have just released the study.  Here is the Gartner press release.  I think you’ll find the numbers and analysis eye-opening.  In coming days, I’ll try to break down the numbers even further to look for more information on the scope and impact of identity theft.

Gartner Says 7.5 Percent of U.S. Adults Lost Money as a Result of Some Sort of Financial Fraud in 2008

Victims of Electronic Checking and/or Savings Account Transfer Fraud Were Nearly Five Times More Likely to Change Banks Because of Security Concerns

Approximately 7.5 percent of U.S. adults lost money as a result of some sort of financial fraud in 2008, in large part because of data breaches, according to a recent survey by Gartner, Inc. Analysts said this is having an adverse effect on consumer victims who are significantly changing their financial transaction behaviors.

Gartner surveyed nearly 5,000 U.S. adults in September 2008 to gauge the impact of identity theft, and the leading types of financial fraud. Payment card fraud – that is, credit, debit and ATM card fraud – was the method most actively used by crooks to steal money, claiming 36 percent more victims in 2008 than other types of fraud. New-account fraud, in which a thief steals identity information to open a new account, occurs less frequently than payment card fraud, although Gartner estimates that up to half of all new-account frauds involve synthetic identities, and therefore many cases go unreported.

“When compared with the average consumer, nearly twice as many people who lost money to fraud in 2008 changed their shopping, payment and e-commerce behavior,” said Avivah Litan, vice president and distinguished analyst at Gartner. “Furthermore, fraud victims are also more cautious about which brick-and-mortar stores they shop at and how they pay for goods when they get there, demonstrating more awareness of the risk of data breaches.”

Ms. Litan said that victims of electronic checking and/or savings account transfer fraud in 2008 were nearly five times more likely to change banks because of security concerns, when compared with the average customer. About twice as many of the victims curtailed online money transfers and bill payment used in online banking.

Conviction rates for these crimes are quite low. Less than one-third of the victims reported the crimes to law enforcement, and about 5 percent reported them to the Federal Trade Commission. The chances of a criminal getting arrested and convicted for identity-theft-related fraud are much less than half of 1 percent.

Gartner found that financial losses were highest in the case of new-account, credit card and brokerage fraud, with average losses per incident totaling $1,097, $929 and $900, respectively. However, victims of brokerage, credit card and debit/ATM card account fraud find it easiest to recover their losses, receiving an average of 100 percent, 86 percent, and 77 percent of the funds stolen, respectively.

In contrast, victims of new-account fraud, check forgery, and checking or savings account fund transfer fraud recovered the lowest percentage of stolen funds, or 42 percent, 48 percent and 54 percent, respectively. New-account fraud is also the most difficult from which to recover, with 35 percent of victims suffering further from a damaged credit rating, which can take years to restore.

“Given the impact of financial breaches on the consumer, it is not surprising that many are now changing their behaviors,” said Ms Litan. “In percentage terms, the behaviors most influenced by security concerns include online shopping and payments. Online banking also takes a big hit, with 20 percent of worried consumers in our survey saying that their online banking behavior has been affected. This percentage doubles among fraud victims.” Gartner found that PayPal has received a big boost from those who change their online payment behavior because of security concerns.

While a relatively modest 6 percent of all consumers say they changed banks as a result of security concerns; that number rises to 28 percent among victims of checking/savings account transfer fraud. This compares with 5 percent overall who switched because of concerns regarding the financial health of their banks and 21 percent overall who changed because of excessive fees.

Ms. Litan advised financial institutions that have implemented strong security controls and protections to make this fact visible to their customers and engage customers in jointly participating in security solutions.

“Most consumers will say that security is as important to them as the financial health of the institution, and this rises significantly in importance among customers who have been victims of a financial account takeover,” she said. “Financial institutions that take security seriously will be rewarded with greater customer retention, which is a smart move when you consider that the cost of acquiring new customers is typically much higher than the cost of retaining existing ones.”

 For the full press release and to purchase the report click –> here.

The following phishing email purporting to be from the IRS was in my in-box yesterday.  Can you spot the obvious flaws that mark this as a phish?

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund under section 501(c) (3) of the
Internal Revenue Code. Tax refund value is $189.60.

Please submit the tax refund request and allow us 6-9 days in order to IWP the data received.

If u don’t receive your refund within 9 business days from the original IRS mailing date shown, you can start a refund trace online.

If you distribute funds to other organization, your records must show wether they are exempt under section 497 (c) (15). In cases where the recipient org. is not exempt under section 497 (c) (15), you must have evidence the funds will be used for section 497 (c) (15) purposes.

If you distribute fund to individuals, you should keep case histories showing
the recipient’s name and address; the purpose of the award; the maner of
section; and the realtionship of the recipient to any of your officers, directors, trustees, members, or major contributors.

To access the form for your tax refund, please click here

This notification has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.

Sincerely Yours,

John Stewart
Director, Exempt. Organization
Rulings and Agreements Letter
Internal Revenue Service

Phishing fraudsters have moved on from banking sites with an attack designed to hoodwink hotel customers, according to a team of security volunteers.Hotel chains including Hyatt, TraveLodge, Comfort Inn, Ramada, Days Inn, and Wyndham are being targeted in the reported scam. More than 71,000 travelers each month have been redirected to counterfeit sites, volunteer security community FraudTip.com warns. Mainstream net security firms are unable to confirm these figures.

FraudTip.com culled its figures using “audience measurement” technology. It reckons the scam combines “advanced online advertising, bogus hotel locators, third-party reservation systems, and Internet browser crimeware to redirect hotel guest traffic to fake versions of well-known hotel chain websites”.

However net security firms reckon the attack is nothing more or less than a straightforward phishing scam, albeit one directed at hotels rather than banks or ecommerce outlets. Some element of search engine trickery to inflate the rank of counterfeit sites may also be involved.

See the full report at The Register.

Phishing Scam Taps Sense of Entitlement:

The e-mail is supposedly from the U.S. Internal Revenue Service, and it begins like this:

“After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a stimulus payment.”

FINALLY! A little slice of the trillion-dollar pie for us little people.

The e-mail continues: “A stimulus payment can be delayed for a variety of reasons. For example, submitting invalid records or applying after the deadline.

“To submit your stimulus payment form, please download the attached document.”

The recipient of the e-mail is then linked to a Web site that looks exactly the way you would imagine the IRS site would look. The logo, the language, the whiff of federal bureaucracy – it’s all perfect.

The form asks for information that, in the wrong hands, could land a person in a world of financial hurt.

See the full report at LSJ.com.