Today, President Barack Obama released the administration’s much-anticipated Cyberspace Policy Review.

The preface of the report states:

Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution.

The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.

The Federal government is not organized to address this growing problem effectively now or in the future. Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way. The government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity related issues confronting the United States. The Nation needs to develop the policies, processes, people, and technology required to mitigate cybersecurity-related risks.

Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms. The United States needs a comprehensive framework to ensure coordinated response and recovery by the government, the private sector, and our allies to a significant incident or threat.

The United States needs to conduct a national dialogue on cybersecurity to develop more public awareness of the threat and risks and to ensure an integrated approach toward the Nation’s need for security and the national commitment to privacy rights and civil liberties guaranteed by the Constitution and law.

Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.

For the full report see the pdf at Cyberspace Policy Review. 

It continues to be a boom time for cybercrime according to the latest Consumer Reports National Research Center “State of the Net” survey. Consumer Reports found that one in five online consumers have been victims of cybercrime in the last two years to the tune of an estimated $8 billion. And the overall rate of the crime has remained consistent over the five years that Consumer Reports has been tracking.

But Consumer Reports notes that the problem stands to get worse as rising unemployment and foreclosures fuel a wave of recession-orientated Internet scams, and as the popularity of social networking services grow, creating more openings for identity thieves. Consumer Reports found that 13 percent of social-network users experienced some form of abuse.

Additionally, Consumer Reports estimates that 1.2 million consumers have had to replace their computers over the past two years due to software infections and an estimated 3.7 million households with broadband Internet access did not use a firewall to protect against hackers. Below are additional findings related to major online threats:

• Phishing or sending authentic-looking but fraudulent e-mail designed to steal sensitive personal information is a continuing concern. Consumer Reports estimates that about 7 million consumers gave phishers personal information over the past two years; that’s 1 in 13 online households. Among scam victims, 1 in 7 lost money in the past two years, comparable with data from the last survey. Total damage to U.S. consumers through phishing attacks works out to about $483 million.
• Spyware: Consumer Reports found 545,000 households had to replace computers in the past six months and one in 12 people had serious problems with spyware.
• Online identity theft: Consumer Reports estimates 1.7 million households were victims of ID theft committed over the Internet in the past year, of those two-thirds said the incident occurred because of an online purchase.

Certain online threats are almost as prevalent today as when Consumer Reports conducted its first survey five years ago. Consistent with last year’s findings, 1 in 3 respondents had heavy levels of spam and 1 in 7 have had serious problems with viruses.

See the full press release at:  PRNewswire

From the news you can use department, PC World reports:

McAfee has launched a new Web site designed to help cybercrime victims recover from hacker attacks.

The company bills its Cybercrime Response Unit as a kind of “online 911″ where consumers and small-business owners can figure out whether they’ve been hacked, and to take the first steps to connect with law enforcement once they know a crime has been committed.

The site helps victims triage any common computer problems. For example, it can tell them what to do if they’ve opened an attachment that they now think may have been malicious, or if they’re worried that their child may be talking to a predator online.

For the full report see:  McAfee launches ‘online 911′ for cybercrime victims

And, if you try the service and would like to offer a first hand review, email us.

A spam e-mail claiming to be from former CBP Assistant Commissioner, Thomas S. Winkowski, is currently being circulated. This attempt to defraud is the typical e-mail scam using the name and reputation of a federal government official to create an air of authenticity.

The spam e-mail indicates the CBP has stopped a Diplomat who is carrying a consignment to be delivered to the recipient’s residence. This consignment allegedly contains millions of dollars, which is revealed to be an inheritance for the e-mail recipient.

As with many other scams, this e-mail advises the recipient they will be permitted to access this inheritance once the recipient has given the sender of the e-mail their personal information.

This e-mail is a hoax. Do not respond.

The U.S. CBP does not send unsolicited e-mails. Consumers should not respond to unsolicited e-mails or click on any embedded links, as they may contain viruses or malware.

It is imperative consumers guard their personally identifiable information (PII). Examples of a person’s PII include, but are not limited to: date of birth; social security number; and bank account numbers. Providing your PII will compromise your identity.

If you have received this e-mail, or a similar e-mail, please file a complaint at www.IC3.gov.

Source: www.IC3.gov.

With the recent infection of over 700 computers at the University of Utah, many people are asking, “How do I know if my computer is infected with Conficker?”

For those who want to know if their computer (this does not currently apply to Apple products) is infected, there is a simple test called the “Conficker eye chart test.”

Just click here for the Conficker eye chart test  and follow the easy onscreen instructions.

Some other indications that your computer is infected with the Conficker worm include:

•1)      You cannot visit the Microsoft Conficker fix page.

•2)      You cannot visit security sites like Symantec , Trend Micro , or McAfee.

•3)      You cannot shut down your computer.

 If you determine that your computer is infected with Conficker:

•1)       Disconnect your computer from the Internet.

•2)       From a different computer, which is not infected, change your user names and passwords.

•3)       If you have used your credit card while infected contact your credit card company and cancel that card and ask for a new card/number.

•4)       Have an expert remove the Conficker worm from your computer from a different uninfected computer.

Conficker is now selling itself to unsuspecting victims by pretending to be a $50 Anti-Virus product named “Spyware Protect 2009.”   Spyware Protect 2009 is being offered to computer users though spam emails and pop-up advertisements.  Those who sign up for Spyware Protect 2009 lose their $50 and have their computer infected with the Conficker worm.

A Conficker timeline:

 Win32/Conficker.A was reported to Microsoft on November 21, 2008

 Win32/Conficker.B was reported to Microsoft on December 29, 2008

 Win32/Conficker.C was reported to Microsoft on February 20, 2009

 Win32/Conficker.D was reported to Microsoft on March 4, 2009

 Win32/Conficker.E was reported to Microsoft on April 8, 2009

Shortly after Microsoft offered a bounty on the heads of the criminals behind the widespread Conficker worm, a new version of the malware has appeared that could signal a major shift in the way the worm operates.

The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.

Conficker-infected machines could be used for nasty stuff – sending spam, logging keystrokes, or launching denial of service (DoS) attacks, but an ad hoc group calling itself the Conficker Cabal has largely prevented this from happening. They’ve kept Conficker under control by cracking the algorithm the software uses to find one of thousands of rendezvous points on the Internet where it can look for new code. These rendezvous points use unique domain names, such as pwulrrog.org, that the Conficker Cabal has worked hard to register and keep out of the hands of the criminals.

See the full report at Techworld.com.

Verizon.net is home to more than twice as many spam-spewing zombies as any other major Internet service provider in the United States, according to an analysis of the most recent data from anti-spam outfit Spamhaus.org. Verizon, however, says it plans to put measures in place to prevent it from being used as a home to so many spammers.

See the full report at Security Fix.

Identity Thieves Beat Obama to Stimulus Package Punch:

Although the U.S. government’s economic stimulus package hasn’t even gotten out of Congress, scammers aren’t waiting; they’ve launched multiple campaigns that tempt users into revealing personal information, a security researcher warned today.

One spam-and-scam example, said Dermot Harnett, a principal researcher at Symantec Corp., poses as a message from the Internal Revenue Service, and claims that the recipient qualifies for something called a “stimulus payment.”

“After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a stimulus payment,” the bogus e-mail reads. The message then tells the user to download the attached document, supposedly a form that must be submitted to the IRS.

The document, in fact, is an identity-stealing tool that asks users to provide personal information, much or all of it data that the actual IRS would presumably have on file, said Harnett.

See the full report at ComputerWorld.

Most Spam Sites Tied to Just 10 Registrars:

Nearly 83 percent of all Web sites advertised through spam can be traced back to just 10 domain name registrars, according to a study to be released this week.

The data come from millions of junk messages collected over the past year by Knujon (”no junk” spelled backwards and pronounced “new john”), an anti-spam outfit that tries to convince registrars to dismantle spam sites.

While there are roughly 900 accredited domain name registrars, spammers appear to register the Web sites they advertise in junk e-mail through just one percent of those registrars.

See the full report at Security Fix.

Commercial Twitter Spamming Tool Hits the Market:

Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a “fully automated advertising software for Twitter” hit the market, potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service.

TweetTornado allows users to create unlimited Twitter accounts, add unlimited number of followers, which combined with its ability to automatically update all of bogus accounts through proxy servers with an identical message make it the perfect Twitter spam tool.

TweetTornado’s core functionality relies on a simple flaw in Twitter’s new user registration process. Tackling it will not render the tool’s functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn’t require you to have a valid email address when registering a new account, so even though a nonexistent@email.com is used, the user is still registered and is allowed to use Twitter.

See the full report at ZDNet.com.