<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyveillance Blog - The Cyber Intelligence Blog &#187; Phishing</title>
	<atom:link href="http://www.cyveillanceblog.com/category/phishing/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cyveillanceblog.com</link>
	<description>News and Information about Cyber Intelligence</description>
	<lastBuildDate>Thu, 05 Jan 2012 13:18:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Update &#8211; How Will ICANN’s Newest Domain Name Program Affect Your Company’s Brand?</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/update-how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/update-how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand#comments</comments>
		<pubDate>Wed, 19 Oct 2011 07:54:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Brand Protection]]></category>
		<category><![CDATA[Domain Names and ICANN]]></category>
		<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://10.8.3.62/web/blog/?p=1631</guid>
		<description><![CDATA[The information below is an update to the following blog posting: How Will ICANN’s Newest Domain Name Program Affect Your Company’s Brand? Trademark owners outside of the adult industry may sign up with ICM Registry to block trademarks from showing up on its new .XXX gTLD. Trademark owners have been making several common errors when [...]]]></description>
			<content:encoded><![CDATA[<p>The information below is an update to the following blog posting: <a href="http://www.cyveillanceblog.com/web/blog/phishing/how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand">How Will ICANN’s Newest Domain Name Program Affect Your Company’s Brand?</a></p>
<p>Trademark owners outside of the adult industry may sign up with ICM Registry to block trademarks from showing up on its new .XXX gTLD.  Trademark owners have been making several common errors when applying for a .XXX gTLD.<a title="" href="#_ftn1">[1]</a>  If your company plans on submitting an application before the Sunrise B October 28, 2011 deadline, keeping these mistakes in mind can help you avoid paying multiple fees and having to reapply.<a title="" href="#_ftn2">[2]</a><br />
<span id="more-1631"></span><br />
Research which registrar you will use when submitting an application.  Some registrars are more experienced than others.<a title="" href="#_ftn3">[3]</a>  Make sure you choose a registrar that will pre-check your application for compliance with all of the application guidelines.<a title="" href="#_ftn4">[4]</a></p>
<p>Also, the most common application mistakes to avoid are:<a title="" href="#_ftn1">[1]</a></p>
<ul>
<li>Eligibility.  Make sure that your trademark is eligible.  To be eligible, you must have a trademark that was registered prior to September 1, 2011, and you must have the following information:
<ul>
<li>Trademarked Name</li>
<li>Trademark Registration Number:  Note that your trademark registration number is not the same as your application number</li>
<li>Nation Code: The country where your trademark was registered</li>
<li>Trademark Registration Date: The date your trademark was registered</li>
<li>Trademark Ownership: Your relation to the trademark: Owner or Assignee</li>
</ul>
</li>
<li>Dropping .com from Trademark.  Do not drop the ‘.com’ from your trademark if it includes a ‘.com’. If you want ‘example.com’ to be eligible for ‘example.xxx’ and not just ‘examplecom.xxx’, you can file amendment 7 with the United States Patent and Trademark Office to have the ‘.com’ removed.</li>
<li>Inexact Match.   Apply to register a domain that is an exact match for your trademark.  If you want to register characters in addition to the actual brand name, such as slogans or tag lines, apply under Sunrise AD using a pre-existing domain name because membership in the adult entertainment industry (the “Sponsored Community”) is very broad.</li>
</ul>
<p>&nbsp;</p>
<p>&nbsp;</p>
<div>
<p>[1] <a href="http://www.thedomains.com/2011/09/28/encira-50-of-all-xxx-trademark-sunrise-applications-contain-errors/">http://www.thedomains.com/2011/09/28/encira-50-of-all-xxx-trademark-sunrise-applications-contain-errors/</a></p>
<p>[2] According to .XXX Registry policy, once a Sunrise application is submitted, it cannot be corrected without paying an additional fee to the registrar.</p>
<p>[3] <a href="http://www.worldtrademarkreview.com/daily/detail.aspx?g=fbe51e43-0601-4ab5-a65b-5b05db689de0">http://www.worldtrademarkreview.com/daily/detail.aspx?g=fbe51e43-0601-4ab5-a65b-5b05db689de0</a></p>
<p>[4] <a href="http://www.icmregistry.com/launch/plan/">http://www.icmregistry.com/launch/plan/</a></p>
<p>[5] <a href="http://www.encirca.com/domain-news/">http://www.encirca.com/domain-news/</a></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/update-how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Will ICANN&#8217;s Newest Domain Name Program Affect Your Company&#8217;s Brand?</title>
		<link>http://www.cyveillanceblog.com/phishing/how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand</link>
		<comments>http://www.cyveillanceblog.com/phishing/how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand#comments</comments>
		<pubDate>Fri, 09 Sep 2011 19:15:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Brand Protection]]></category>
		<category><![CDATA[Domain Names and ICANN]]></category>
		<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1261</guid>
		<description><![CDATA[Internet Corporation for Assigned Names and Numbers (ICANN) has instituted a new generic top-level domain (gTLD) program that will create a means for prospective registry operators to apply for new gTLDs, and create new options for consumers in the market. Every domain name around the world ends with a top-level domain (TLD); these are the [...]]]></description>
			<content:encoded><![CDATA[<p>Internet Corporation for Assigned Names and Numbers (ICANN) has instituted a new generic top-level domain (gTLD) program that will create a means for prospective registry operators to apply for new <a href="http://www.icann.org/en/topics/new-gtlds/strategy-faq.htm">gTLDs</a>, and create new options for consumers in the market. Every domain name around the world ends with a top-level domain (TLD); these are the two or more letters that come after the dot following a web address.<span id="more-1261"></span> There are currently two types of TLDs: generic top-level domains (gTLDs) such as .com, .mobi, and .info, and country code top-level domains (ccTLDs) such as .uk, .br, and .cn. One of ICANN&#8217;s key commitments is to promote competition in the domain name market while ensuring Internet security and stability. New gTLDs help achieve that commitment by providing more information about the sites visited. For example, ICANN has recently approved “.XXX” as a new gTLD for the adult entertainment industry (next year entrepreneurs, businesses, governments and communities around the world will be able to apply to operate a <a href="http://www.icann.org/en/topics/new-gtlds/strategy-faq.htm">TLD</a> of their own choosing), which will immediately communicate that the site caters to the adult entertainment industry.</p>
<p>&nbsp;</p>
<p>While this process is intended to provide greater security, it also opens the doors for brand abuse. To help thwart misuse, ICM Registry, the company that will act as a registry for all domains ending in .XXX, has developed a comprehensive rights protection mechanism (RPM) for the launch period of these new gTLDs. To protect non-adult entertainment industry rights holders from trademark infringement, ICM is also providing an opportunity for these rights owners to block their mark from registration. The opt-out effectively blocks names at the .XXX registry and means they cannot be used as conventional web addresses. This feature, provided by ICM for a one-time fee, will only be available to trademark holders during the sunrise period, which began earlier this week on September 7<sup>th</sup>.</p>
<p>&nbsp;</p>
<p>There will be two initial sunrise periods (A and B) for the launch of .XXX, allowing trademark holders and adult entertainment webmasters to secure their .XXX domains. This includes companies that own trademarks outside of the adult entertainment industry that wish to defensively register domains the same way that they register “sucks” sites. Both sunrise periods will run concurrently followed by a landrush period and finally a general availability period:</p>
<p>&nbsp;</p>
<p><em><span style="text-decoration: underline;">Sunrise</span></em><span style="text-decoration: underline;"> A</span> Sunrise A is dedicated to members of the adult entertainment community with either verifiable trademark rights or owners of exact matching domains in other Internet Assigned Numbers Authority (IANA) TLDs which is also known as “Grandfathering.” This period is open from September 7, 2011 to October 28, 2011.</p>
<p>&nbsp;</p>
<p><em><span style="text-decoration: underline;">Sunrise B</span></em> Sunrise B was created especially for Intellectual Property holders who are non-members of the adult entertainment community with verifiable trademark rights so that they can block their domains in the .XXX sTLD. This period is open from September 7, 2011 to October 28, 2011.</p>
<p>&nbsp;</p>
<p><em><span style="text-decoration: underline;">Landrush</span></em> Landrush is for members of the adult Sponsored Community but NOT on a first come, first served basis. Unlike Sunrise A and Sunrise B, there are no qualification requirements needed for Landrush. Applications for competing names will go to a closed-auction at the end of the Landrush period. This period is open from November 7, 2011 to November 25, 2011.</p>
<p>&nbsp;</p>
<p><em><span style="text-decoration: underline;">General Availability</span></em> General Availability is when members of the adult entertainment community get regular, resolving names on a first come, first served basis. Non-members of the adult Sponsored Community can also get “Non-Resolving” names.<a title="" href="http://www.cyveillanceblog.com/wp-admin/post-new.php#_ftn1">[1]</a> The period opens December 6, 2011 and is ongoing.</p>
<p>&nbsp;</p>
<p>Please note that to be successful, applications made during the sunrise periods must provide basic trademark particulars such as the mark, registration number and date, designated class(es), the country or region, and the status of the entity submitting the request. Applications are <a href="http://www.foxnews.com/scitech/2011/08/16/barbiexxx-redcrossxxx-brands-scramble-to-prevent-x-rated-rip-offs/#ixzz1VmXHFdbS">$200-$300</a> per registered mark, assessed as a one-time fee and will run for the length of ICM’s contract with ICANN (at least 10 years). If you miss the Sunrise Period or want to block others from using a .XXX domain corresponding to an unregistered trademark, you can defensively register .XXX domains once the general availability period opens in December 2011. However, keep in mind that the annual registration fees for .XXX domains are expected to be significantly higher than the annual fees for domains in existing TLDs like .com, .net, etc.</p>
<p>&nbsp;</p>
<p>The .XXX registration process requires all registrants to agree to participate in and abide by <a href="http://www.icmregistry.org/launch/plan/#preventing">specific dispute resolution procedures</a> that will provide mechanisms for brand owners to challenge .XXX domains that infringe trademarks. ICM is contracting with the National Arbitration Forum to provide the RES and CEDRP dispute resolution services. ICM estimates that the cost for each service will be US$750 to US$1,500. During these disputes, the domain will be locked against transfers. Decisions will not be published. Statistical information about the process itself will be made available. In the event of a conflict between a trademark rights holder and a member of the adult entertainment industry, the domain will be awarded to the adult entertainment industry member and the Sunrise B applicant will be notified.</p>
<p>&nbsp;</p>
<p>Although ICM services have been approved by ICANN, there are legal issues that have not been tested. Participating in this process could limit your legal remedies because of your agreement to participate in and abide by the dispute resolution procedures outlined. Additionally, porn and mainstream businesses alike complain they are being <a href="http://www.foxnews.com/scitech/2011/08/16/barbiexxx-redcrossxxx-brands-scramble-to-prevent-x-rated-rip-offs/#ixzz1VmWBGguf">forced to buy domain</a> names they don&#8217;t want, don&#8217;t need and won&#8217;t use. A few companies are refusing to pay, but also demanding that ICM block their domains free of charge. ICM responded to the legal threats with a seven-page report in July, claiming that a registry cannot be sued for trademark infringement. The letters, though, have placed ICM on notice, which increases the potential for liability if ICM sells the trademarked names.</p>
<p>&nbsp;</p>
<p>As this exchange indicates, registering domains with ICM is one option but may not be the only option available to companies seeking to protect their trademarks. Cyveillance encourages companies to take a hard look at their brand protection strategy to determine if defensively registering for .XXX gTLDs is the only and best option for their brand protection. The ongoing battle for domain name registration and brand protection is always going to be waged; the key to minimizing losses is tied to a company’s assessment of their true threats and their <a href="http://www.cyveillanceblog.com/web/solutions/enterprise/solutions/brand-protection.asp">proactive approach to minimizing those threats</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/how-will-icann%e2%80%99s-newest-domain-name-program-affect-your-company%e2%80%99s-brand/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Landmark Legal Case: If Your Members Have Been Phished, Your Credit Union May Have To Pay</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay#comments</comments>
		<pubDate>Wed, 24 Aug 2011 17:51:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1204</guid>
		<description><![CDATA[Excellent overview of recent landmark phishing case along with joint NAFCU-Cyveillance podcast: http://blog.nafcuservices.com/2011/08/23/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/]]></description>
			<content:encoded><![CDATA[<p>Excellent overview of recent landmark phishing case along with joint NAFCU-Cyveillance  podcast: <a href="http://blog.nafcuservices.com/2011/08/23/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/">http://blog.nafcuservices.com/2011/08/23/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Token Vulnerability and One of America’s Most Secret Agencies Invoked in Latest Spear Phishing Attack</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/rsa-token-vulnerability-and-one-of-america%e2%80%99s-most-secret-agencies-invoked-in-latest-spear-phishing-attack</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/rsa-token-vulnerability-and-one-of-america%e2%80%99s-most-secret-agencies-invoked-in-latest-spear-phishing-attack#comments</comments>
		<pubDate>Fri, 22 Jul 2011 20:51:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1194</guid>
		<description><![CDATA[A targeted scam or “Spear Phishing” attack making the rounds today invokes the National Security Agency and takes advantage of recent news about a hack of RSA’s two-factor security tokens. Cyveillance has now captured examples and reports of several variants of this email, most sent under the subject lines “Token Code Update” or “Security Token [...]]]></description>
			<content:encoded><![CDATA[<p>A targeted scam or “Spear Phishing” attack making the rounds today invokes the National Security Agency and takes advantage of recent news about a hack of RSA’s two-factor security tokens. Cyveillance has now captured examples and reports of several variants of this email, most sent under the subject lines “Token Code Update” or “Security Token Update”. <span id="more-1194"></span>The message outlines a “critical vulnerability” in security tokens, and attempts to get users to click a link to what most likely was an executable download to infect their machine or network.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2011/07/NSA-Scam-Email.png"><img class="aligncenter size-medium wp-image-1195" title="NSA Scam Email" src="http://www.cyveillanceblog.com/wp-content/uploads/2011/07/NSA-Scam-Email-300x141.png" alt="" width="300" height="141" /></a></p>
<p>The sender name is spoofed to appear to come from “<a href="mailto:protection@nsa.security.gov">protection@nsa.security.gov</a>” and the links go to national-security-agency.com, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users. It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack. This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.</p>
<p>Here are some of the tips that can help you spot scams like this one:</p>
<ol>
<li>Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.</li>
<li>Treat ANY email that tells you to download something as malicious until proven otherwise. Again, contact your IT team before installing anything on your system.</li>
<li>Hover (but do NOT click) your mouse over all links in the email. The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious. Is the pop up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.</li>
<li>Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/rsa-token-vulnerability-and-one-of-america%e2%80%99s-most-secret-agencies-invoked-in-latest-spear-phishing-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Five-Point Plan for Social Network Usage</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/a-five-point-plan-for-social-network-usage</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/a-five-point-plan-for-social-network-usage#comments</comments>
		<pubDate>Tue, 14 Jun 2011 14:10:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Appliance]]></category>
		<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1189</guid>
		<description><![CDATA[If there’s any message you should take away about utilizing social media in a secure manner, it can be summarized in one word: education. Education is needed to convey to your network users that the stakes here are high. Even if the intruder isn’t seeking a dime from your company, the potential cost with respect [...]]]></description>
			<content:encoded><![CDATA[<p>If there’s any message you should take away about utilizing social media in a secure manner, it can be summarized in one word: education.<span id="more-1189"></span></p>
<p>Education is needed to convey to your network users that the stakes here are high. Even if the intruder isn’t seeking a dime from your company, the potential cost with respect to response, data loss and reputation can be crippling. As indicated, the vast majority of these incidents are the result of your users’ social-media behavior. Actually, the exploitation of social media for the purpose of malware attacks is growing at the same or at an even greater pace than the overall use of these sites. Online tools – like the popular, URL-shortening ones for Tweets – are very handy in masking malware threats, and a lack of security-savvy on the part of users establishes social networks as a virtual playground for cyber criminals.</p>
<p>In seeking to avoid fallout from this that would impact your business, we at Cyveillance strongly advocate the following five-point plan for our customers – a plan that has helped us earn recognition by industry-research leader Gartner Inc. as a top provider of the surveillance/collection/analysis of social-media activity for commercial-organization networks:</p>
<p>1. Launch a social-media policy. We realize that many of our customers already have a policy in place. We examine it, however, to get a sense of whether it’s up to date. Social media changes all the time. Legal documents do not. We look to see whether the policy addresses “real” modern-day concerns about social media, or if it’s really just a copy/paste of some antiquated HR form. Here are some questions to consider within the policy: Is it OK for employees to say that they are representing the company on Facebook, Twitter, etc.? If so, what are the guidelines as to appropriate content to post?</p>
<p>2. Train everyone. As stated before on this blog, your weakest link can be your most uninformed employee. Printing and distributing a policy is fine. But reinforcing it with training is even better. Don’t lecture them. Instead, engage in interactive workshops or computer-based training sessions to test their awareness of the latest social engineering attack techniques. Too many organizations put all of their focus on firewalls and passwords. These days, hackers don’t necessarily need to know how to get around these measures to do damage. They just need to get a single user within the network to trust them via a cleverly disguised email.</p>
<p>3. Establish the significance. Meaning, make sure your users realize how important it is to remain informed and alert. If your logo is used to support some kind of malware scheme, for example, your future relationships with customers and partners will suffer. As conveyed previously, there’s tangible, bottom-line value in a company’s reputation. Within minutes, a successful intrusion can crush the good reputation that an organization has been building for years.</p>
<p>4. Don’t try to do it all on your own. Social media is a very, very large universe. In fact, nearly 56 percent of Internet users in the U.S. use some type of social media, according to the Pew Research Center. That translates to a lot of traffic to monitor. Consider tools such as social media monitoring solutions and protection appliances to address this need for you.</p>
<p>5. Keep it current. No matter what tools you use – as well as intrusion techniques you share with users – make sure everything is up-to-date. The entire landscape of social media and the methods used to exploit it are in a constant state of rapid transformation. What worked this month won’t necessarily work the next. Your security team needs to stay on top by constantly educating and re-educating itself and company staffers on the latest trends.</p>
<p>The bottom line is that – in the “share more, not less” world of today – criminals can easily obtain the information needed to craft emails that can fool even the most savvy of users. With no “silver bullet” solution to thwart all intrusion attempts, the best practice is to educate users to make decisions, and equip yourself with the best monitoring tools to detect attacks in progress.</p>
<p>James Brooks, Director of Product Management, Cyveillance</p>
<p>Question to consider: What essentials do you feel are needed in a social-media policy?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/a-five-point-plan-for-social-network-usage/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Let the Social Media &#8220;Generation Gap&#8221; Expose Your Network</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/don%e2%80%99t-let-the-social-media-%e2%80%9cgeneration-gap%e2%80%9d-expose-your-network</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/don%e2%80%99t-let-the-social-media-%e2%80%9cgeneration-gap%e2%80%9d-expose-your-network#comments</comments>
		<pubDate>Thu, 09 Jun 2011 18:36:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1185</guid>
		<description><![CDATA[Here’s a true story I like to tell to explain how wide the social media “generation gap” is. And, no, I’m not making this up: Two Australian girls, ages 10 and 12, got stuck in a storm drain. To get help, they whipped out their smartphones and posted Facebook status updates to say they were [...]]]></description>
			<content:encoded><![CDATA[<p>Here’s a <a href="http://www.techradar.com/news/internet/trapped-kids-update-facebook-rather-than-ring-police-632661">true story</a> I like to tell to explain how wide the social media “generation gap” is. And, no, I’m not making this up:</p>
<p>Two Australian girls, ages 10 and 12, got stuck in a storm drain. To get help, they whipped out their smartphones and posted Facebook status updates to say they were lost in a local drain, and someone needed to call 000 (Australian 911).<span id="more-1185"></span></p>
<p>Now, if you read that summary and concluded, “OK. So what? That’s what I’d do in the same situation,” consider yourself as part of a generation in which social media remains fully immersed within practically every facet of your life.</p>
<p>If you’re like me and say, “Wait…What?! They had phones in their hands and they posted Facebook updates asking someone to call the rescue brigade?!,” then you’re clearly a degree or two removed from this typically younger demographic.</p>
<p>Ironically, however, it’s members of the older generation – the ones who would call 911 instead of asking Facebook friends to do it for them – who are often the biggest targets for socially-engineered attacks. That’s because higher-level executives with more access to valuable data tend to fall into this category. This, in turn, makes them more vulnerable. They may be connected to social media (<a href="http://www.nowpublic.com/world/fake-facebook-profile-scotiabank-ceo-sparks-investigation">or not, see here for an interesting case of what can happen then</a>), but they’re often not as sophisticated in using it as younger employees are.</p>
<p>Think about it: For many in their 20s, social media is like running water or electricity. There is simply no conception of technology as distinct from daily existence, nor a comprehension of living, working, playing or socializing without it. For older users, technology is a topic, a tool, a discipline. They didn’t grow up with all of “this stuff.” Some are happy to use it, but don’t see it as integral to every aspect of their personal or professional lives.</p>
<p>This generational gap – where the least social-media savvy employees are most likely to be the prey in a highly targeted attack – presents a significant risk to corporate and government organizations. One need only read the details of the penetrations of <a href="http://www.computerweekly.com/Articles/2010/01/26/240062/Social-engineering-was-key-to-Google-hack.htm">Google</a>, <a href="http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/">Conoco</a> or <a href="http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/">RSA</a> to see how public information and social media have become the tools of choice for achieving significant penetration and data exfiltration.</p>
<p>To make these well-known cases more “real”, let me actually step through this hypothetical but otherwise very realistic scenario: Let’s say I’m a data thief and I know that executive Joe Smith works for a high-profile IT contractor that serves key DoD agencies. (The company here could just as well be a law firm, an accounting company or a widget maker.) I also know from an easy online search that he’s a big booster for his old college’s football team. So guess how easy it would be for me to come up with a completely believable email to send to Joe about the team, in anticipation that he’ll click my infected Web link to get more information?</p>
<p>The answer: incredibly easy, and that one click is often all I need to compromise the network of the company that employs Joe. (If you’re not sure why that’s true, see our <a href="http://www.cyveillance.com/web/docs/WP_MalwareDetectionRates.pdf">White Paper</a> here on A/V Detection Lag Times).</p>
<p>To mitigate these risks, organizations must come up with standard-operating procedures that allow the senior executives to anticipate, identify and avoid socially-engineered attacks. And all users on the enterprise should take a long, careful look at the extent of information they publish on sites such as Facebook, Twitter and LinkedIn. They need to “think like a data thief,” examining what’s posted “out there” relating to their job duties, associated customers/vendors/partners, building location, e-mail, phone and other details to get a sense of how vulnerable they could be and what information about themselves a hand-crafted attack would likely contain or leverage.</p>
<p>Consider educating your workforce – especially the senior members – about these scenarios as a “Safe Social Media Usage 101” ongoing seminar of sorts. It’s one that would provide great, lasting value, regardless of where your users fall within the generational divide.</p>
<p>Eric Olson, Vice President/ Solutions Assurance, Cyveillance</p>
<p>Question to consider: How up-to-date are your users – especially senior executives – on socially-engineered attack methods?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/don%e2%80%99t-let-the-social-media-%e2%80%9cgeneration-gap%e2%80%9d-expose-your-network/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>For Modern-Day Hackers, Data Delivers the Big Payday</title>
		<link>http://www.cyveillanceblog.com/phishing/for-modern-day-hackers-data-delivers-the-big-payday</link>
		<comments>http://www.cyveillanceblog.com/phishing/for-modern-day-hackers-data-delivers-the-big-payday#comments</comments>
		<pubDate>Wed, 01 Jun 2011 20:16:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Appliance]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1170</guid>
		<description><![CDATA[In a previous blog, our CTO, Manoj Srivastava, discussed how the methodology of modern cyber crooks has evolved, how adept they are today at exploiting the human instinct to trust. And here’s another troubling wrinkle: These criminals aren’t gaining access to networks to exclusively steal money anymore. No, these days, your network’s data commands the [...]]]></description>
			<content:encoded><![CDATA[<p>In a previous blog, our CTO, Manoj Srivastava, discussed how the methodology of modern cyber crooks has evolved, how adept they are today at exploiting the human instinct to trust.<span id="more-1170"></span></p>
<p>And here’s another troubling wrinkle: These criminals aren’t gaining access to networks to exclusively steal money anymore. No, these days, your network’s data commands the big dollar signs.</p>
<p>To protect themselves, those overseeing enterprises must dispense with badly outdated stereotypes about would-be intruders. Especially the one in which the hacker is some pimply faced kid pecking away solo in his parents’ basement. This kid has grown up, now a member of a thriving, sophisticated organized crime ring – possibly with deep connections to international syndicates or rogue nations in Eastern Europe, the Middle East or Asia.</p>
<p>The mob once dealt in liquor, gambling and other vices. Now, it’s all about the black market for information. The organized cyber-crime syndicate could be on retainer to obtain secrets from the Pentagon or U.S. Department of State. Or the data of interest could be the molecular blueprint of a pharmaceutical company’s developing wonder drug – a valuable “purchase” for a competitor. Or a food retailer may be willing to pay a small fortune for details on the expansion plans of a rival. It could be one of these or any number of countless scenarios in which information commands an asking price.</p>
<p>Once the terms of an agreement are reached between the buyer and the criminal ring, the strategies of intrusion are deployed. As <a href="http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust">described in detail by Manoj</a>, the most popular technique involves getting users inside the network to unwittingly open an emailed link that’s really malware.</p>
<p>You may think that your network users are above that sort of ruse, but people use multiple ways to connect to your network (e.g. working from home, non-corporate or personal mobile devices), which only broadens the attacker’s vectors of access and points for trust. Keep in mind that the phishing scammer here simply needs one ill-advised click. That’s it. Even relatively savvy users can lapse into a weak moment, perhaps during an especially frazzling day when they’ve been multitasking for hours and are attempting to swiftly go through their in-box before heading home. That’s the kind of moment the hacker is waiting for, because mental fatigue + urgency = a ripe opportunity for that much-sought click.</p>
<p>Keep in mind that once in the network, it’s time to mine for the information. If the intruder keeps a low profile – not taking part in any activity that would raise any suspicions among those monitoring the network – he can settle in for the long haul and keep gaining access to data. And consider the wealth of information within that can be exploited for ill gain: intellectual property, sensitive financial reports, R&amp;D innovations, hiring plans, salary structures and other confidential personnel information.</p>
<p>Because so many users are combining “work” with personal tech, hackers can further expand their market reach. Information about corporate executives, for example, is highly valued because they usually have a “clean” background record and such a record is valuable for black-market operatives. These operatives will use the records to create bogus passports, visas and driver’s licenses to allow dubious characters from foreign countries to arrive here while avoiding a watch list.</p>
<p>All it takes is one bad click to unleash all of this access. If you’re not taking pro-active steps to thwart these data thieves, are you prepared to deal with the consequences?</p>
<p>Terry Gudaitis, Ph.D., Cyber Intelligence Director, Cyveillance</p>
<p><strong>Question to consider: What are you doing to pro-actively monitor and prevent unauthorized access to information on your network? </strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/for-modern-day-hackers-data-delivers-the-big-payday/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>System Compromised? It’s Likely Due to a Matter of (Misplaced) Trust</title>
		<link>http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust</link>
		<comments>http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust#comments</comments>
		<pubDate>Thu, 26 May 2011 12:13:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Appliance]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1162</guid>
		<description><![CDATA[As the CTO of a leading cyber-intelligence company, I’m often asked about the biggest game-changer in IT security today: What’s the latest technique that hackers are deploying to compromise networks with advanced persistent threats (APTs)? I tell them that it’s not really about some highly advanced but ill-intended technological strategy. It actually boils down to [...]]]></description>
			<content:encoded><![CDATA[<p>As the CTO of a leading cyber-intelligence company, I’m often asked about the biggest game-changer in IT security today: What’s the latest technique that hackers are deploying to compromise networks with advanced persistent threats (APTs)?<span id="more-1162"></span></p>
<p>I tell them that it’s not really about some highly advanced but ill-intended technological strategy. It actually boils down to a simple concept: building and exploiting trust.</p>
<p>That’s right. Yesterday’s hacker spent all of his time looking for holes in the network to exploit, to penetrate and trigger a malware attack. They cultivated legendary status as whiz kids of the tech underground who routinely outsmarted corporate IT security pros at their own game.</p>
<p>Today, these would-be intruders still command a high level of technological aptitude (not to mention unsavory attitude). But they are cultivating another highly useful skillset: the ability to manipulate human behavior.</p>
<p>That’s because social media has changed everything.</p>
<p>Individuals and organizations are now embracing the use of Facebook, LinkedIn, Twitter and other outlets. As well they should. These sites are remarkably effective when it comes to peer networking and connecting with customers to get product feedback, test marketing strategies and build brand loyalty. However, not surprisingly, cyber crooks are flocking to social-media sites to plot their next attack. Why wouldn’t they? That’s where they can pinpoint executives and employees who hold key positions within the organizations that they seek to compromise. Because the very concept of social media encourages these professionals to display their business associations publicly, their corporate background is highly valued data that’s easy for the bad guys to find.</p>
<p>Once they zero in on which employees to target, they then work on the “trust” factor.</p>
<p>For certain, taking advantage of the human capacity for trust is nothing new. The term for the computer virus, Trojan, refers to the legendary deception of the city of Troy on the part of the Greeks, with that “gift” of a large, wooden horse. During Pontiac’s Rebellion, European soldiers were said to have given Indian natives blankets outside Fort Pitt, blankets that were intentionally infected with smallpox. And Bernie Madoff is far from the first Ponzi artist to destroy personal fortunes by promoting a financial house of cards built upon the concept of trust.</p>
<p>Today’s cyber attacker – at least from a psychological standpoint – operates in very similar fashion. He’s a phisher who finds individuals who can lead him to where he wants to go within the network and emails them with some kind of message that, on the surface, brings something of value to the intended victim and raises sufficient curiosity to take some action. If that intended victim is a high-level finance executive, for example, the email could contain a URL to click on to find out about a new accounting regulation that’s in the works. A sales staffer could get an online invitation to download online coupons for discounts at a local golf club.</p>
<p>Only the URLs are simply disguised links to malware. Since anti-virus technology is typically based upon blocking signatures, it’s useless against this kind of tactic. That’s because the chance that the hacker’s signature hasn’t been seen before is greater than 99 percent. And if you haven’t seen it before, your anti-virus technology won’t block it. Web proxies are generally ineffective as well. They’re intended to serve as gatekeepers to distinguish “good” URLs from “bad” ones. But they’re too often outdated, and it doesn’t take much effort for a phisher to come up with newer “bad” URLs that won’t get tripped up by the proxy solution.</p>
<p>Once inside the network, these hackers execute their intrusion in a manner very unique to the modern era. In the recent past, such intrusions were all about disruption. Today, they’re about stealth. The hacker doesn’t want to announce his presence. He’ll lie low for days, weeks and even months at a time, quietly looking for backdoor channels to gain credentials, so he can access more and further secure entry points within.</p>
<p>To fight this, education/training of enterprise users is necessary if not sufficient. They need to know how to spot suspicious messages, and to resist the natural inclination to click on a link that looks benign but really is a hidden front for malware. In addition to training, IT security staff must remain on top of phishing trends and pro-actively monitor their traffic for high-risk behaviors. And above all, next generation security systems must examine the content and context of the email along with the methods and behavior of embedded Web page links to judge the trustworthiness of the emails.</p>
<p>Ultimately, organizations need to realize that their weakest link is a curious employee who also happens to be a trusting one.</p>
<p>Manoj Srivastava, Chief Technical Officer, Cyveillance</p>
<p>Question to consider: How much training/education does your organization conduct with internal users on detecting and avoiding intrusion attempts?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacked WordPress Sites: An Open Letter to WordPress Developers</title>
		<link>http://www.cyveillanceblog.com/phishing/wordpress-website-hacking</link>
		<comments>http://www.cyveillanceblog.com/phishing/wordpress-website-hacking#comments</comments>
		<pubDate>Thu, 14 Apr 2011 15:43:02 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1092</guid>
		<description><![CDATA[The content management system WordPress is a fantastic tool. Its ease of use has helped it become the most popular blogging tool out there. Its most recent version has been downloaded more than 5.7 million times as of this writing. The popularity of WordPress has made it a very attractive target for cyber attackers. [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/wordpress-logo-hoz-rgb-300x68.png" alt="" title="wordpress-logo-hoz-rgb" width="300" height="68" class="alignnone size-medium wp-image-1093" /></p>
<p>The content management system WordPress is a fantastic tool. Its ease of use has helped it become the <a href="http://wappalyzer.com/stats/cat/Blogs">most popular</a> blogging tool out there. Its most recent version has been downloaded <a href="http://wordpress.org/download/counter/">more than 5.7 million times</a> as of this writing.</p>
<p>The popularity of WordPress has made it a very attractive target for cyber attackers. Like most software, eventually security holes are found that allow hackers inside. Once a site is breached, it can be used for many illegal purposes like distributing malware, hosting phishing attacks, and marketing counterfeit pharmaceuticals. Blog owners need to be ever vigilant to ensure their software is current with all updates including blog software to plug security holes.</p>
<p>WordPress developers have been great about patching those holes quickly. Despite being on top of vulnerabilities, there are still some steps that should not be tough to implement but should make the web a safer place.</p>
<ul>
<li><strong>Please stop advertising the version number in the source code.</strong> In 2008 Google&#8217;s Matt Cutts <a href="http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/">made the recommendation</a> to WordPress webmasters to delete the part of the software&#8217;s code that advertises which version of the software is being run. This information is used by hackers to determine which attacks might work against a given website. Removing this announcement will make hackers&#8217; work much harder.</li>
<li><strong>Please email the blog&#8217;s owner until they upgrade to the newest version.</strong>
<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/wordpress-please-update-now-300x43.png" alt="" title="wordpress-please-update-now" width="300" height="43" class="alignnone size-medium wp-image-1109" /></p>
<p>In recent years, WordPress began notifying site admins in the tool&#8217;s dashboard view with a message saying that a new version of WordPress was available, and offered a link to upgrade immediately. This is very helpful. </p>
<p>But often blogs are abandoned out there and site admins never see this message. Why wait until a webmaster returns? Like a beeping car when your seat belt is unbuckled, WordPress could email the admin on a regular basis to remind them that they have to upgrade, reducing the number of vulnerable websites out there online. WordPress already emails site owners when blog comments are awaiting approval, so this should be pretty easy to implement.</p></li>
</ul>
<p>Note that out of date WordPress installs are not the only pieces of software contributing to web server infections. Shopping cart software, forum software, and photo gallery software all tend to be targeted. WordPress installs are likely more common than all of those, so it would make sense to make its security a priority.</p>
<p>Make no mistake, we love WordPress. We use it on this very site. But there are a couple of steps that would appear to be low-hanging fruit that Matt Mullenweg and the WordPress development crew could take to make an impact on hacked sites on the web.</p>
<p><font size="1"><i>If you run WordPress and suspect your site&#8217;s been hacked, please see this <a href="http://codex.wordpress.org/FAQ_My_site_was_hacked">official FAQ</a> from the WordPress team!</i></font></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/wordpress-website-hacking/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Overall Phishing Attack Volume Down for 2nd Half of 2010 As Phishers Become More Focused on High Value Targets</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/overall-phishing-attack-volume-down-for-2nd-half-of-2010-as-phishers-become-more-focused-on-high-value-targets</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/overall-phishing-attack-volume-down-for-2nd-half-of-2010-as-phishers-become-more-focused-on-high-value-targets#comments</comments>
		<pubDate>Thu, 17 Feb 2011 21:46:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1027</guid>
		<description><![CDATA[As reported in the upcoming release of the Cyveillance Intelligence Report, overall phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and emphasis on targeted attacks continues to rise. As a result, despite [...]]]></description>
			<content:encoded><![CDATA[<p>As reported in the upcoming release of the Cyveillance Intelligence Report, overall phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and emphasis on targeted attacks continues to rise. As a result, despite the number of attacks going down, the ability of phishers to be successful has risen significantly as evidenced by the growing number of spear phishing attacks and Advanced Persistent Threats (APTs) reported during the half.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2011/02/phishing-attacks_2h-2010.jpg"><img class="size-medium wp-image-1028 aligncenter" title="phishing attacks_2h 2010" src="http://www.cyveillanceblog.com/wp-content/uploads/2011/02/phishing-attacks_2h-2010-300x173.jpg" alt="" width="300" height="173" /></a></p>
<p>The number of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that the problem of phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks results in greater success and lucrative opportunities for online criminals. A recent <a href="http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html">story</a> regarding socially-engineered attacks against High Value Targets (HVTs) in the Canadian government provides a great example of the danger this new breed of attack poses to organizations.</p>
<p><a href="http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html"><img class="aligncenter size-medium wp-image-1037" title="blog headline_2-17-2011" src="http://www.cyveillanceblog.com/wp-content/uploads/2011/02/blog-headline_2-17-2011-300x92.jpg" alt="" width="300" height="92" /></a></p>
<p>Organizations should continue to monitor for suspicious activity related to the attack described in the article above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/overall-phishing-attack-volume-down-for-2nd-half-of-2010-as-phishers-become-more-focused-on-high-value-targets/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

