Today, President Barack Obama released the administration’s much-anticipated Cyberspace Policy Review.

The preface of the report states:

Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution.

The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.

The Federal government is not organized to address this growing problem effectively now or in the future. Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way. The government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity related issues confronting the United States. The Nation needs to develop the policies, processes, people, and technology required to mitigate cybersecurity-related risks.

Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms. The United States needs a comprehensive framework to ensure coordinated response and recovery by the government, the private sector, and our allies to a significant incident or threat.

The United States needs to conduct a national dialogue on cybersecurity to develop more public awareness of the threat and risks and to ensure an integrated approach toward the Nation’s need for security and the national commitment to privacy rights and civil liberties guaranteed by the Constitution and law.

Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.

For the full report see the pdf at Cyberspace Policy Review. 

Just about every day, a story is published somewhere across the country documenting the failure of a local, state or federal government agency to protect critical information – including the personal identifying information (PII) Americans trust the government to keep out of the hands of identity thieves.

Perhaps, because of the volume of these reports, we’ve all become immune to the inability of our government to maintain the security of our nation’s secrets – much less our personal information. 

Perhaps, we excuse our government officials based on the defensible belief that information security is a complex issue and, therefore, information can never be completely secured from all threats. 

Realistically, both factors are in play.

But, the story today from SC Magazine that the U.S. Marshals Service and Federal Bureau of Investigation fell victim to a computer virus last week because a software security patch wasn’t installed documents an inexcusable security failure on behalf of the federal government.

Why?

Because the patch in question has been available since October of last year.

This leaves me wondering.  How can we as citizens trust the federal government to run our financial, auto and health care industries if they can’t even install run-of-the-mill security patches on computers?

Afilias, a global provider of Internet infrastructure services, today announced that a new Global Phishing Survey released by the Anti-Phishing Work Group (APWG) reveals that the .INFO domain is the generic top-level Internet domain (gTLD) safest from phishing attacks. The results of the Survey show that, during the second half of 2008, .INFO had the lowest phishing rates and the lowest average attack duration among the gTLDs measured. .INFO’s phishing durations were half the world average.

“The .INFO registry is at the forefront of protecting Internet users from online identity theft across the world,” said Greg Aaron, Director of Key Account Management and Domain Security at Afilias, and a co-author of the study. “In January 2008, Afilias implemented a vigorous anti-phishing program working closely with .INFO registrars. We are pleased that the hard work of the .INFO anti-phishing team and dedicated registrars have propelled .INFO to the top spot for safety from phishing.”

The Global Phishing Survey analyzes the APWG phishing attack repository and other data sources comprising a comprehensive archive of phishing activity. It reports 56,959 phishing attacks worldwide in the second half of 2008, hosted on 30,454 unique domain names. Phishing took place on domain names in 170 top-level domains (TLDs). According to the report, a phishing rate is a standard measure of the number of detected phishing Web sites for every 10,000 domains registered, and indicates the prevalence of phishing in a top-level domain. Attack duration measures the amount of time a phishing Web site remains online — the longer one stays online, the more unsuspecting users may fall victim to the criminals.

Phishing is a common way that criminals perpetrate Internet identity theft and fraud. A phisher builds a fake Web site that masquerades as a trustworthy entity such as a bank, to fool Internet users into revealing sensitive information such as their usernames, passwords, and financial information.

“Identity theft and fraud are important issues for anyone who goes online, and criminals are using vulnerable top-level domains and registrars to steal identities and money,” said Ram Mohan, Executive Vice President and CTO of Afilias. “The new data demonstrates the effectiveness of active, self-regulated domain name anti-abuse programs in improving the safety of Internet users against those who steal from them.”

View the full report at: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf

About .INFO

.INFO was the first generic, unrestricted TLD to be launched since .com. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world. Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information please visit www.info.info.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

Over at the Identity Theft Assistance Center (ITAC) blog, they’ve made note of the continuing delay in the Obama administration’s much anticipated release of its review of U.S. Cybersecurity.  ITAC hopefully proffers that the report may see the light of day this week.

As ITAC reports – based on a piece published by Federal Computer Week – the most recent delay in the report is being attributed to the outbreak of Swine Flu.

I fear if the report has actually been delayed because of this very mild outbreak of flu, that does not bode well for how the federal government is prioritizing cybersecurity.

There will always be competing emergencies on multiple fronts that the administration will have to juggle.  Cybersecurity can no longer take a back seat to any other priorities.  To do so, is to imperil this country even more than it already is.

It continues to be a boom time for cybercrime according to the latest Consumer Reports National Research Center “State of the Net” survey. Consumer Reports found that one in five online consumers have been victims of cybercrime in the last two years to the tune of an estimated $8 billion. And the overall rate of the crime has remained consistent over the five years that Consumer Reports has been tracking.

But Consumer Reports notes that the problem stands to get worse as rising unemployment and foreclosures fuel a wave of recession-orientated Internet scams, and as the popularity of social networking services grow, creating more openings for identity thieves. Consumer Reports found that 13 percent of social-network users experienced some form of abuse.

Additionally, Consumer Reports estimates that 1.2 million consumers have had to replace their computers over the past two years due to software infections and an estimated 3.7 million households with broadband Internet access did not use a firewall to protect against hackers. Below are additional findings related to major online threats:

• Phishing or sending authentic-looking but fraudulent e-mail designed to steal sensitive personal information is a continuing concern. Consumer Reports estimates that about 7 million consumers gave phishers personal information over the past two years; that’s 1 in 13 online households. Among scam victims, 1 in 7 lost money in the past two years, comparable with data from the last survey. Total damage to U.S. consumers through phishing attacks works out to about $483 million.
• Spyware: Consumer Reports found 545,000 households had to replace computers in the past six months and one in 12 people had serious problems with spyware.
• Online identity theft: Consumer Reports estimates 1.7 million households were victims of ID theft committed over the Internet in the past year, of those two-thirds said the incident occurred because of an online purchase.

Certain online threats are almost as prevalent today as when Consumer Reports conducted its first survey five years ago. Consistent with last year’s findings, 1 in 3 respondents had heavy levels of spam and 1 in 7 have had serious problems with viruses.

See the full press release at:  PRNewswire

From the news you can use department, PC World reports:

McAfee has launched a new Web site designed to help cybercrime victims recover from hacker attacks.

The company bills its Cybercrime Response Unit as a kind of “online 911″ where consumers and small-business owners can figure out whether they’ve been hacked, and to take the first steps to connect with law enforcement once they know a crime has been committed.

The site helps victims triage any common computer problems. For example, it can tell them what to do if they’ve opened an attachment that they now think may have been malicious, or if they’re worried that their child may be talking to a predator online.

For the full report see:  McAfee launches ‘online 911′ for cybercrime victims

And, if you try the service and would like to offer a first hand review, email us.

A spam e-mail claiming to be from former CBP Assistant Commissioner, Thomas S. Winkowski, is currently being circulated. This attempt to defraud is the typical e-mail scam using the name and reputation of a federal government official to create an air of authenticity.

The spam e-mail indicates the CBP has stopped a Diplomat who is carrying a consignment to be delivered to the recipient’s residence. This consignment allegedly contains millions of dollars, which is revealed to be an inheritance for the e-mail recipient.

As with many other scams, this e-mail advises the recipient they will be permitted to access this inheritance once the recipient has given the sender of the e-mail their personal information.

This e-mail is a hoax. Do not respond.

The U.S. CBP does not send unsolicited e-mails. Consumers should not respond to unsolicited e-mails or click on any embedded links, as they may contain viruses or malware.

It is imperative consumers guard their personally identifiable information (PII). Examples of a person’s PII include, but are not limited to: date of birth; social security number; and bank account numbers. Providing your PII will compromise your identity.

If you have received this e-mail, or a similar e-mail, please file a complaint at www.IC3.gov.

Source: www.IC3.gov.

With the recent infection of over 700 computers at the University of Utah, many people are asking, “How do I know if my computer is infected with Conficker?”

For those who want to know if their computer (this does not currently apply to Apple products) is infected, there is a simple test called the “Conficker eye chart test.”

Just click here for the Conficker eye chart test  and follow the easy onscreen instructions.

Some other indications that your computer is infected with the Conficker worm include:

•1)      You cannot visit the Microsoft Conficker fix page.

•2)      You cannot visit security sites like Symantec , Trend Micro , or McAfee.

•3)      You cannot shut down your computer.

 If you determine that your computer is infected with Conficker:

•1)       Disconnect your computer from the Internet.

•2)       From a different computer, which is not infected, change your user names and passwords.

•3)       If you have used your credit card while infected contact your credit card company and cancel that card and ask for a new card/number.

•4)       Have an expert remove the Conficker worm from your computer from a different uninfected computer.

Conficker is now selling itself to unsuspecting victims by pretending to be a $50 Anti-Virus product named “Spyware Protect 2009.”   Spyware Protect 2009 is being offered to computer users though spam emails and pop-up advertisements.  Those who sign up for Spyware Protect 2009 lose their $50 and have their computer infected with the Conficker worm.

A Conficker timeline:

 Win32/Conficker.A was reported to Microsoft on November 21, 2008

 Win32/Conficker.B was reported to Microsoft on December 29, 2008

 Win32/Conficker.C was reported to Microsoft on February 20, 2009

 Win32/Conficker.D was reported to Microsoft on March 4, 2009

 Win32/Conficker.E was reported to Microsoft on April 8, 2009

The Conficker worm was first discovered in October of 2008 and has infected millions of computers worldwide, turning them into nodes in a large and sophisticated botnet. Conficker nodes attempt to retrieve commands deposited on pre-determined domain names. Version B recently sought to exploit many known gTLDs. The C variant is now attempting to exploit ccTLDs. It is expected to activate as early as April 1, 2009, although there is no indication that specific new botnet activity will occur on that date.

Afilias’ role has been to help deprive Conficker of its command-and-control network by deploying registration policies and processes, for the TLDs that we support, that prevent the registration of domains that Conficker had targeted for possible use. The belief is that if we prevent the registration of these domains, we will deprive Conficker’s creators of Internet resources that they could potentially use to control and update their botnet. We have deployed this strategy across relevant TLDs immediately and have readied the same solution should our other customers be affected.

While the extent varies, Afilias has been able to work with our customers to identify the right blocking mechanisms for domains anticipated to be involved in Conficker. Jointly with our affected registry customers, we have taken all reasonable steps possible and expect that service for domain names in the TLDs we serve will not be affected due to Conficker on April 1, or otherwise.

Afilias has already invested heavily in infrastructure as well as detection and mitigation capabilities to address domain abuse. One output from that was the introduction of the .INFO Domain Anti-Abuse Policy, the first policy of its kind, introduced last year. We have been able to leverage this expertise to help secure our other customers with immediate and effective strategies to address future security events like Conficker.

Afilias is a member of the Conficker Working Group, which brings together TLD operators, industry leaders like Microsoft and ICANN, and security researchers to combat the Internet’s latest major security threat: the Conficker worm.

FTC Chairman Jon Leibowitz told a data security workshop on Monday that the United States and other countries must “move beyond the ‘we agree to disagree’ approach” to securing consumers’ sensitive information in the global marketplace. Such harmony among nations, which have varying privacy rules and regulations, is “not beyond our reach,” Leibowitz said, pointing to the Organization for Economic Cooperation and Development’s 1980 privacy guidelines and a set of security guidelines adopted by the group in 2002. “Without adequate data security there really is no privacy,” he said.

Corporations must protect their back doors from hackers, malware, spyware and other high-tech intrusion mechanisms and protect their front door by properly storing and disposing of consumers’ data, Leibowitz said, noting that the FTC is “not shy about knocking on anyone’s door.” Since 1999, the agency has brought a number of cases alleging that companies failed to protect data, including a settlement this month with a consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves.

See the full report at National Journal Online.