<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyveillance Blog - The Cyber Intelligence Blog</title>
	<atom:link href="http://www.cyveillanceblog.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cyveillanceblog.com</link>
	<description>News and Information about Cyber Intelligence</description>
	<lastBuildDate>Wed, 25 Apr 2012 13:54:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Protecting Corporate Assets with ShodanHQ &#8211; An Interview with the ShodanHQ Creator</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/shodanhq</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/shodanhq#comments</comments>
		<pubDate>Wed, 25 Apr 2012 13:54:49 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">/?p=1958</guid>
		<description><![CDATA[ShodanHQ describes itself as &#8220;the world&#8217;s first computer search engine that lets you search the Internet for computers&#8221; and allows you to &#8220;find devices based on city, country, latitude/longitude, hostname, operating system and IP [address]&#8221;. Data discovered using ShodanHQ was recently quoted in Senate testimony promoting the CyberSecurity Act of 2012. ShodanHQ creator John Matherly [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/ShodanHQ-logo.png" alt="" title="ShodanHQ-logo" width="148" height="31" class="alignright size-full wp-image-1987" /><a href="http://www.shodanhq.com">ShodanHQ</a> describes itself as &#8220;the world&#8217;s first computer search engine that lets you search the Internet for computers&#8221; and allows you to &#8220;find devices based on city, country, latitude/longitude, hostname, operating system and IP [address]&#8221;. Data discovered using ShodanHQ was recently quoted in <a href="http://www.hsgac.senate.gov/download/senator-liebermans-statement-on-introduction-of-the-cybersecurity-act-of-2012">Senate testimony</a> promoting the <a href="http://www.csoonline.com/article/700397/lieberman-cybersecurity-act-of-2012-will-help-us-protect-critical-infrastructure">CyberSecurity Act of 2012</a>. ShodanHQ creator John Matherly (<a href="http://twitter.com/achillean">@achillean</a>) shared some time with us to offer a little information to readers of the Cyveillance Blog.</p>
<p><b>Cyveillance:</b> How did the idea for ShodanHQ come to you?</p>
<p><b>Matherly:</b> I thought scanning the entire Internet would be an interesting problem to solve &#8211; I thought it would be fun! I had just written a basic network scanner and as I started using it I realized that sharing and indexing those results might be interesting to others.<span id="more-1958"></span> It started as a hobby during college and I have rewritten it over the years until I reached the version it&#8217;s at now. Originally, I envisioned Shodan as a service similar to Netcraft but it would cover more services and provide greater access to users. My expectation was that market researchers would enjoy Shodan as a source of empirical data on software usage. The security community picked it up instead, and since then it has developed into a global network of servers that collect data in real-time on a dozen services/ports from devices around the world.</p>
<p><b>Cyveillance:</b> Tell us about the scope of the data in ShodanHQ. If an average user comes along, how likely is it that they find what they&#8217;re looking for if it exists, and how recent would that data be?</p>
<p><b>Matherly:</b> Shodan currently includes data on the following services:</p>
<ul>
<li> HTTP(S)</li>
<li> Alternate HTTP</li>
<li> SSH</li>
<li> SNMP</li>
<li> SIP</li>
<li> MySQL</li>
<li> RDP</li>
<li> FTP</li>
<li> Oracle Web</li>
<li> MongoDB Admin</li>
<li> Telnet</li>
</ul>
<p>Data is constantly collected and on average 5-9 million new records get added to the database each month. Shodan brute-forces the entire IP space to ensure uniform coverage of the Internet and make sure it doesn&#8217;t miss subnets due to any algorithm bias. If a device is connected to the Internet, Shodan should have it indexed.</p>
<p><b>Cyveillance:</b> Would you describe ShodanHQ as a penetration testing tool?</p>
<p><b>Matherly:</b> It was designed as an intelligence gathering tool, but it gained traction in the penetration testing community. As such I would consider it a penetration testing tool, though it&#8217;s best coupled with other tools that can consume Shodan data via the API (see FOCA).</p>
<p><b>Cyveillance:</b> Let&#8217;s pretend I&#8217;m part of an information security team at a large corporation. What are the first three queries you recommend I make using Shodan to help protect my company?</p>
<p><b>Matherly:</b></p>
<ol>
<li>Look at the Most Popular Searches on Shodan from your dashboard and select a few of them to get a feeling for how Shodan works.</li>
<li>Run a search using the &#8216;net&#8217; filter, where your network IP range is provided as the argument (ex: net:123.123.123.0/24).</li>
<li>If your company provides a product that could be facing the Internet, search for it on Shodan. Depending on the product you can identify misconfigured devices, where they&#8217;re located and what version is most popular.</li>
</ol>
<p><b>Cyveillance:</b> Much has been written about internet-based vulnerabilities found in civil critical infrastructure environments like water and electrical power. Based on what you have seen in ShodanHQ, how real is the threat? How insecure are these SCADA systems?</p>
<p><b>Matherly:</b> There are several issues of concern, but I will take a glance at the following: exposure and software vulnerability.</p>
<p>With regard to exposure, the majority of critical infrastructure devices aren&#8217;t connected to the Internet and aren&#8217;t subject to malicious online attacks. Unfortunately, a substantial number of SCADA devices haven&#8217;t been properly configured as the research paper by Eireann Leverett has <a href="http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/">pointed out</a>. And realistically this is a lower-bound on the potentially vulnerable computers, as Shodan at the time was mostly focused on looking for web servers. I suspect that scanning for SCADA-specific protocols, such as Modbus, would reveal a lot more devices.</p>
<p>The developers of SCADA products have a poor history of responding to security advisories by penetration testers. There are <a href="http://threatpost.com/en_us/blogs/scada-vendors-still-need-security-wake-call-102410">numerous incidents</a> of security professionals being ignored repeatedly when contacting SCADA vendors about vulnerabilities in their software.</p>
<p><b>Cyveillance:</b> The &#8220;internet of things&#8221; boils down to making everyday items connected to the internet, like one&#8217;s refrigerator or other appliances. This new generation of internet-enabled devices is being designed from the beginning with security in mind… no?</p>
<p><b>Matherly:</b> You would hope so, but that is unlikely to be the case. For example, just a few days ago <a href="http://www.exploit-db.com/exploits/18751/">an exploit</a> was posted that would let anybody control a Samsung TV that&#8217;s connected to the Internet. This isn&#8217;t an isolated incident, and as more of them get connected to the Internet more people will try to find vulnerabilities. Many companies that develop appliances haven&#8217;t faced the security threats that the Internet opens them up to. As such, I doubt they will be prepared for the Internet of things that might be coming soon.</p>
<p><b>Cyveillance:</b> What type of outreach do you offer to help organizations secure their exposed devices? I understand ShodanHQ has been working with some universities…?</p>
<p><b>Matherly:</b> Yes! For universities and non-profit organizations I provide increased access to Shodan, greater API options and other custom features. I&#8217;ve written new filters and created new API plans to help security researchers get what they need out of the data. Often this results in them finding exposed devices, which then forward the Shodan data to the relevant CERT. And system administrators are using Shodan to make sure there aren&#8217;t internal systems exposed to the outside world. If you&#8217;re a student, professor or work in IT at a university send me an email!</p>
<p><b>Cyveillance:</b> Does the inevitable increase in the number of systems using IPv6 present any problem to a system like ShodanHQ that visits systems based on their IP address?</p>
<p><b>Matherly:</b> I foresee slight changes in the Shodan IP selection algorithm to accommodate the increased search space, but the scanning won&#8217;t change fundamentally. On the flipside, a lot of new devices will be exposed to the Internet that currently aren&#8217;t. I look forward to expanding Shodan to IPv6 and seeing what devices can be found.</p>
<p><b>Cyveillance:</b> What&#8217;s next for ShodanHQ? Are there any new projects or features on the way anytime soon?</p>
<p><b>Matherly:</b> Lots of stuff! The Shodan crawling software has received a major overhaul recently, and it has let me scale the architecture more effectively as well as add a lot more services to scan. Over the next year, I want to vastly expand the number of services/software that Shodan indexes. And very importantly, I will begin storing data on ports that are open but don&#8217;t return any searchable data. At the moment, every service I scan has to return some form of text that users can search. In the future, it will be possible to find computers simply based on publicly visible ports.</p>
<p>And I&#8217;m also developing a new website that will make it easier to analyze and create reports out of Shodan data. It&#8217;s fun to search Shodan and find devices, but it can be challenging sometimes to find exactly what you want. To solve that issue I&#8217;m working on a new project that has been designed from the ground up with knowledge of all the data Shodan contains. This means you can browse your search results on a Google Maps-style map, select areas in charts to filter down search results and perform analysis on aggregate search queries.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/shodanhq/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>APWG&#8217;s CeCOS Conference in Prague: Face to Face Collaboration in the Fight Against eCrime</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/apwg-cecos-conference-prague</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/apwg-cecos-conference-prague#comments</comments>
		<pubDate>Wed, 18 Apr 2012 08:44:47 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">/?p=1934</guid>
		<description><![CDATA[Cyber crime never quits. Just this week the DEA made the impressive announcement that it had arrested several individuals who it claims were responsible for selling LSD, ecstasy, ketamine, and other hard core illegal drugs using the Tor anonymity network at a destination called &#8220;The Farmer&#8217;s Market&#8221;. Technology-based schemes like these that put others at [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/apwg-Prague.jpg" alt="" title="apwg-Prague" width="150" height="169" class="alignright size-full wp-image-1942" /></p>
<p>Cyber crime never quits. Just this week the DEA made the impressive <a href="http://www.justice.gov/usao/cac/Pressroom/2012/045.html">announcement</a> that it had arrested several individuals who it claims were responsible for selling LSD, ecstasy, ketamine, and other hard core illegal drugs using the Tor anonymity network at a destination called &#8220;The Farmer&#8217;s Market&#8221;. Technology-based schemes like these that put others at risk for serious physical and financial harm are a reminder that we can&#8217;t rest when it comes to fighting cyber crime.<span id="more-1934"></span></p>
<p>One mechanism to help minimize online criminals&#8217; chances of success is for actors in the private sector to band together across corporate lines. The <a href="http://www.apwg.org">Anti-Phishing Working Group</a> is one such platform for collaboration.  Cyveillance was one of the earliest members of the APWG and managed the development of translations for one of the APWG&#8217;s first operational projects called the Phishing Education Landing page. This program is now helping redirect tens of thousands of at-risk users to counter-ecrime resources every single month.</p>
<p>The APWG will soon hold the sixth annual <b>Counter-eCrime Operations Summit (CeCOS VI)</b> in Prague. Some of the presentations during the April 24-27th meeting include:</p>
<ul>
<li>How a Financial Institution Utilizes Cyber Intelligence to Reduce Risk</li>
<li>Digital Crimes in Russia and Criminal Prosecution</li>
<li>Mapping the Cyberfelons&#8217; Homelands: The Most Criminogenic National Networks</li>
<li>Budapest Convention on Cybercrime: Transborder Law Enforcement Access to Data</li>
</ul>
<p>In the same way Cyveillance strongly <a href="http://www.cyveillanceblog.com/general-cyberintel/secret-service-ectf">encourages</a> corporate security professionals to take part in organizations like the U.S. Secret Service&#8217;s Electronic Crimes Task Force, we can&#8217;t recommend participation at events like CeCOS enough. These small, trusted forums are where the rubber meets the road and meaningful teams can be formed to put a dent in the dangerous activity of criminals online. Together we are stronger.</p>
<p><strong>Full details:</strong></p>
<div itemscope itemtype="http://data-vocabulary.org/Event">
  <a href="http://apwg.org/events/2012_cecos.html" itemprop="url" ><br />
    <span itemprop="summary">Anti-Phishing Working Group Counter-eCrime Operations Summit (CeCOS VI)</span><br />
  </a><br />
   <img itemprop="photo" src="http://apwg.org/events/images/Prague734x125.jpg" height="51" width="300"/></p>
<p>  <span itemprop="description">The focus of this year&#8217;s event is the shifting nature of cybercrime and the attendant challenges of managing that dynamic threatscape.</span></p>
<p>  When:<br />
  <time itemprop="startDate" datetime="2012-04-24T10:00">April 24, 10:00AM</time>—<br />
  <time itemprop="endDate" datetime="2012-04-27T15:30">April 27, 3:30PM</time></p>
<p>  Where:<br />
  <span itemprop="location" itemscope itemtype="http://data-vocabulary.org/Organization"><br />
     <span itemprop="name">Mövenpick Hotel Prague</span><br />
     <span itemprop="address" itemscope itemtype="http://data-vocabulary.org/Address"><br />
         <span itemprop="street-address">Mozartova 1 150 00 </span>,<br />
         <span itemprop="locality">Prague</span>,<br />
         <span itemprop="Country">Czech Republic</span><br />
     </span><br />
     </span></p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/apwg-cecos-conference-prague/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Forget Marriott Introducing Ads into Your Hotel Wifi &#8211; Whose Network Are Your Employees On Anyway?</title>
		<link>http://www.cyveillanceblog.com/info-protection/marriott-hotel-wifi-network</link>
		<comments>http://www.cyveillanceblog.com/info-protection/marriott-hotel-wifi-network#comments</comments>
		<pubDate>Fri, 06 Apr 2012 16:03:41 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">/?p=1906</guid>
		<description><![CDATA[This week a web developer blogged about his experience at a Marriott Courtyard near Times Square, where he discovered that the hotel was injecting ads into his web browsing experience. The story touched a nerve with some who object to the notion that the hotel might modify webpages they view especially when they would already [...]]]></description>
			<content:encoded><![CDATA[<p>This week a web developer <a href="http://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/">blogged</a> about his experience at a Marriott Courtyard near Times Square, where he discovered that the hotel was injecting ads into his web browsing experience. The story touched a nerve with some who object to the notion that the hotel might modify webpages they view, especially when they would already be directly charged for using the hotel&#8217;s wifi. The popular tech blog TechCrunch <a href="http://techcrunch.com/2012/04/06/now-you-know-hotels-inject-banner-ads-into-the-wi-fi-they-charge-you-for/">featured</a> the story as well, detailing the company used by Marriott Courtyard to insert the ads into its guests&#8217; internet surfing.</p>
<p>While the modification of content we view on the fly at a hotel so the hotel can profit (again!) from our use of their wifi is concerning, a more serious issue faces business and leisure travelers.<span id="more-1906"></span> Consider the image below.</p>
<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/Screen-Shot-2012-01-09-at-4.58.57-PM-214x300.png" alt="" title="Screen Shot 2012-01-09 at 4.58.57 PM" width="214" height="300" class="alignnone size-medium wp-image-1910" /></p>
<p>This is a screenshot taken in January 2012 at the Marriott Marquis Times Square location (not the same site as mentioned above, but nearby) during the <a href="http://www.iccs.fordham.edu/">International Conference on Cyber Security</a> held by the FBI and Fordham University. You can see the list of wifi networks available to guests.</p>
<p>Which one should you join? The ones that are not password protected maybe? The one that mentions Marriott? The one that reads &#8220;Hotel Internet&#8221;?</p>
<p>The question is important because the traffic you send from your computer onto the internet at large can contain sensitive information like passwords, credit card numbers, and maybe even confidential documents. Attackers can set up fake wifi networks that may behave as if they&#8217;re simply allowing you access to the internet but are actually intercepting and collecting information you send.</p>
<p>What can you do to reduce the likelihood that your traffic is compromised?</p>
<ul>
<li><strong>Make sure you join the network that is officially recommended by the hotel itself.</strong> There is generally one, and only one correct network you should use. Don&#8217;t be tempted by ones that don&#8217;t ask for passwords just because they seem free!</li>
<li><strong>Use a <a href="http://en.wikipedia.org/wiki/Vpn">VPN</a> when you are online to encrypt your online communications.</strong> That way if your traffic is intercepted, it will be difficult or impossible for attackers to read.</li>
<li><strong>Use browser plugins like <a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> to force your communications with certain websites to be encrypted.</strong> It doesn&#8217;t ensure that all your data is completely safe, but it will create a secure connection or &#8220;tunnel&#8221; between you and many popular destinations.</li>
</ul>
<p>To be clear, the Marriott Marquis in Times Square is not in a position to prevent other wifi networks from being offered to their guests. Times Square is a very busy, crowded area where the large range of some wifi networks might &#8220;spill over&#8221; into their guests&#8217; space. Nor are they able to block rogue wifi signals that may originate within their premises.</p>
<p>The onus is on internet users in such congested areas to be informed about safely connecting online. Consider yourself informed!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/info-protection/marriott-hotel-wifi-network/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defensive Measures of Google+ for Businesses</title>
		<link>http://www.cyveillanceblog.com/brand-protection/defensive-measures-of-google-for-businesses</link>
		<comments>http://www.cyveillanceblog.com/brand-protection/defensive-measures-of-google-for-businesses#comments</comments>
		<pubDate>Tue, 03 Apr 2012 13:44:05 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Brand Protection]]></category>

		<guid isPermaLink="false">/?p=1839</guid>
		<description><![CDATA[By now you are likely familiar with Google+, also written Google Plus. While some regard the service as Google&#8217;s response to Facebook&#8217;s seemingly endless reach into our social world online, here is how it&#8217;s officially described: Google+ makes connecting on the web more like connecting in the real world. Share your thoughts, links and photos [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/Screen-Shot-2012-03-30-at-10.33.56-AM-300x170.png" alt="" title="Screen Shot 2012-03-30 at 10.33.56 AM" width="300" height="170" class="alignnone size-medium wp-image-1840" /></p>
<p>By now you are likely familiar with Google+, also written Google Plus. While some regard the service as Google&#8217;s response to Facebook&#8217;s seemingly endless reach into our social world online, here is how it&#8217;s officially described:</p>
<blockquote><p>Google+ makes connecting on the web more like connecting in the real world. Share your thoughts, links and photos with the right circles. Use easy, spontaneous video chat to strike up conversations with as many as nine people at once.</p></blockquote>
<p>Google+ is many things, including another avenue to reach an audience for your company&#8217;s marketing team. In this post however, we&#8217;re not going to expound on all the ways you can use Google+ for marketing purposes. There are dozens of places to read those online already. We want to share some ways to prevent abuse of your company and its brand in Google+ as it gains in popularity.</p>
<p>We&#8217;re going to show you:</p>
<ol>
<li>How to create an official Google+ page for your company so there&#8217;s an official, legitimate &#8220;stake in the ground&#8221; identifying your company on this platform.<span id="more-1839"></span></li>
<li>How to &#8220;close the loop&#8221; with Google and cement its understanding of what entity out there on the web should be identified with your Google+ page.</li>
<li>How to report fake or impersonation pages that divert traffic or hijack Google+ users away from your official pages.</li>
</ol>
<p><strong>Time Required:</strong> Less than one hour</p>
<p><strong>What You&#8217;ll Need</strong></p>
<ul>
<li>The login credentials for the Gmail or Google account that your company uses for managing other services you probably already have in place, like Google Analytics, Feedburner, or Google Webmaster Tools</li>
<li>A person at your company who can modify the HTML code of your corporate website(s).</li>
</ul>
<p><strong>STEP ONE: Create an Official Google Plus Page for your Company or Brand</strong></p>
<p>Using the login credentials used for other Google services described above, log in at <a href="https://plus.google.com">plus.google.com</a>. Once inside, look towards the lower right on the page where it reads, &#8220;Create a Google+ Page&#8221;.</p>
<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/Screen-Shot-2012-03-30-at-11.34.54-AM.jpg" alt="" title="Screen-Shot-2012-03-30-at-11.34.54-AM" width="332" height="210" class="alignnone size-full wp-image-1880" /></p>
<p>You&#8217;ll then be guided through the next steps to create your official Google+ page, including being able to select whether you&#8217;re creating a page for brand, local business, company, or other entity. Go ahead and follow the instructions there and make sure you fill in the section of your page&#8217;s Profile where it allows you to enter your Website. Don&#8217;t worry about putting all the finishing touches on a fully operational, content-rich page yet. If you must, you can upload a corporate logo to represent your organization there but the only thing we really need is to create the Google+ page itself. You can invite the brand manager to contribute later! </p>
<p>Before moving on to the next step, copy and paste the URL of the newly-created Google+ page someplace handy. You&#8217;ll need it in the next step. It should look something like this, which is Cyveillance&#8217;s Google+ page:</p>
<p><code>https://plus.google.com/100288787145411637689/</code></p>
<p><strong>STEP TWO: Link to your newly-created Google+ page from your corporate website</strong></p>
<p>There&#8217;s an easy way to tell Google that a specific website like acmecompany.com &#8220;belongs&#8221; to its respective Google Plus page. In the end we always want to reduce the guessing Google has to do, translating into a tighter &#8220;identity&#8221; from Google&#8217;s perspective about your company or brand. So here&#8217;s what you do&#8230;</p>
<p>Swapping out the URL below for the URL to your company&#8217;s new Google+ page, insert the following code into the HTML HEAD section of the page you entered as your Website of your Google+ profile in Step One a moment ago.</p>
<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/Screen-Shot-2012-03-30-at-12.39.54-PM.png" height="29" width="500"/></p>
<p><code>&lt;link href="https://plus.google.com/100288787145411637689/" rel="publisher" /&gt;</code></p>
<p>Don&#8217;t worry! This will not create any visible change to the website that people will notice but when the Google search engine comes and visits the site it&#8217;ll see the feedback loop confirming that this website &#8220;belongs to&#8221; the same entity as your newly-created Google Plus page.</p>
<p>For reference, Google&#8217;s official instructions for this tip are found at <a href="http://support.google.com/webmasters/bin/answer.py?hl=en&#038;answer=1708844">this page</a>. Google strongly prefers that you use the method where you include a visual link to your Google+ page right on your homepage. You have that option if you want too, but this gets the job done without changing anything about the design your company&#8217;s web team has worked so hard on.</p>
<p><strong>STEP THREE: Monitor Google+ for activity that can damage your company or brand and report offenders to Google</strong></p>
<p>It doesn&#8217;t matter if it&#8217;s Twitter, Facebook, MySpace &#8211; Cyveillance sees impersonators and fraudsters on every social media platform that comes along. While it may not be inevitable that someone sets up a fake Google+ page for your company, if that does happen Google has a <a href="http://support.google.com/plus/bin/static.py?hl=en&#038;ts=1715140&#038;page=ts.cs&#038;rd=3">handy reporting tool</a> you can use to quickly communicate the problem.</p>
<p><a href="http://support.google.com/plus/bin/static.py?hl=en&#038;ts=1715140&#038;page=ts.cs&#038;rd=3"><img src="http://www.cyveillanceblog.com/wp-content/uploads/Screen-Shot-2012-03-29-at-1.58.11-PM-300x149.png" alt="" title="Screen-Shot-2012-03-29-at-1.58.11-PM" width="300" height="149" class="alignnone size-medium wp-image-1871" /></a></p>
<p>Congratulations, you&#8217;ve now covered your bases defensively for successful Google+ use. The stage is set for your marketing team to put Google+ to work for you now!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/brand-protection/defensive-measures-of-google-for-businesses/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Contacting the Owner of a Website Using WHOIS Information</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/whois</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/whois#comments</comments>
		<pubDate>Wed, 07 Mar 2012 13:08:10 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Domain Names and ICANN]]></category>
		<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">/?p=1766</guid>
		<description><![CDATA[Image courtesy candiedwomanire. Let&#8217;s say you find a website you like about something you really enjoy, like cupcakes. The cupcakes you see on the site are pink and full of frosting and you absolutely must contact the owner of the website to compliment them on how heavenly they look. But no matter where you look, [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/3527600000_6baef5c61b.jpg" alt="" title="3527600000_6baef5c61b" width="500" height="375" class="alignnone size-full wp-image-1832" /><BR><font size="1">Image courtesy <a href="http://www.flickr.com/photos/candiedwomanire/3527600000/sizes/m/in/photostream/">candiedwomanire</a>.</font></p>
<p>Let&#8217;s say you find a website you like about something you really enjoy, like cupcakes. The cupcakes you see on the site are pink and full of frosting and you absolutely must contact the owner of the website to compliment them on how heavenly they look. But no matter where you look, you can&#8217;t find a way to contact the site owner using their site. What do you do now?</p>
<p>Your best bet is looking at the site&#8217;s WHOIS information. </p>
<p>WHOIS information is established for a website when its domain is registered. If you want to register a domain for your new website, the business you buy the domain from &#8211; called a registrar &#8211; will ask you to fill out a form with the contact information for the domain. This becomes the WHOIS information for the domain and is visible anytime someone performs a WHOIS search.<span id="more-1766"></span></p>
<h3>How do I search for WHOIS contact information?</h3>
<p>So you want to find out how to contact the person who ran the site which showed those pink cupcakes. There are many places on the internet where you can look up WHOIS data, which is free. Here are a few handy ones you may want to bookmark:</p>
<ul>
<li><a href="http://who.godaddy.com/">GoDaddy WHOIS</a></li>
<li><a href="http://www.internic.net/whois.html">InterNIC WHOIS</a></li>
<li><a href="http://www.networksolutions.com/whois/index.jsp">Network Solutions WHOIS</a></li>
</ul>
<p>Now that you know where to find WHOIS data, try a few examples. Continuing with our pastry theme, take a look at these WHOIS records, courtesy of GoDaddy&#8230;</p>
<p><a href="http://who.godaddy.com/whois.aspx?domain=marthastewart.com&#038;prog_id=GoDaddy">MarthaStewart.com WHOIS</a><br />
<a href="http://who.godaddy.com/whois.aspx?domain=marthastewart.co.uk&#038;prog_id=GoDaddy">MarthaStewart.co.uk WHOIS</a><br />
<a href="http://who.godaddy.com/whois.aspx?domain=MarthaStewarteverydaliving.com&#038;prog_id=GoDaddy">MarthaStewarteverydaliving.com WHOIS</a></p>
<p>While those three domains are run by different entities, did you notice how different the results for each looked? That brings us to&#8230;</p>
<h3>What can affect the integrity of WHOIS information?</h3>
<ul>
<li><strong>Local policy</strong>: Depending on what type of domain is registered, different information may be shown to the public when they do a WHOIS search on a domain. For example, some WHOIS results for domains from overseas provide little more than a name and an email address. Other times you&#8217;ll be shown the name, address, email address, telephone and fax numbers for the domain&#8217;s registrant (the domain owner), the technical contact they want the world to see, and its administrative and billing points of contact. But there is no standard set of details that you can always count on seeing when you make a WHOIS request.</li>
<li><strong>Registrant truthfulness</strong>: Unfortunately, WHOIS information you read may not be true. When you register a domain name you must accept the terms and conditions which state that the information you provide in the domain&#8217;s WHOIS details is accurate and up to date. ICANN even <a href="http://www.icann.org/en/resources/registrars/consensus-policies/wdrp">requires</a> that &#8220;at least annually, a registrar must present to the registrant the current Whois information, and remind the registrant that provision of false Whois information can be grounds for cancellation of their domain name registration. Registrants must review their Whois data, and make any corrections.&#8221; Unfortunately, there is not really any service in place which checks on the accuracy of WHOIS data out there. You may come across WHOIS records from those who list their name as Mickey Mouse (when it isn&#8217;t) or list their address as the White House (when it isn&#8217;t). As Wikipedia <a href="http://en.wikipedia.org/wiki/WHOIS#Law_and_policy">notes</a>, &#8220;The Federal Trade Commission has testified about how inaccurate WHOIS records thwart their investigations.&#8221;</li>
<li><strong>Anonymization</strong>: For a reasonable fee, registrants can often opt to have the information they provide for WHOIS listings be anonymized. That is, their real contact information would be replaced by a generic set of contact information provided by a third-party proxy, so you would be shown 123345@domainnamesbyproxy.com instead of pinkcupcakewizard@bestpinkcupcakesiteever.com. This third party will forward communications to the domain registrant if any are received. WHOIS anonymization is often a valuable option for those who want to maintain their privacy and do not want their public identity to be connected with a site they run. However, it is also a helpful tool for criminals who want to make it harder for law enforcement to determine who may be responsible for a given website.</li>
</ul>
<p>If you come across a domain&#8217;s WHOIS information that you think is inaccurate, you can report it using the <a href="http://wdprs.internic.net/">WHOIS Data Problem Reporting System</a>. That site offers a step-by-step wizard that will walk you through reporting bad WHOIS data. The registrar will receive your report, and they&#8217;ll reach out to the registrant. As they put it: &#8220;Reports submitted through [the] system will be forwarded to the appropriate registrar for handling, and the progress of your report will be tracked.&#8221;</p>
<p>When a website doesn&#8217;t offer contact information and you perform a WHOIS request to find the owner of the domain, the WHOIS information may be immediately available, but given factors like those listed above, the information you are looking for may not be offered, may be false, or may be anonymized. But it is the first step in tracking down how to reach out and find that recipe for pink cupcakes which started you on this quest to begin with.</p>
<hr />
<p><strong>Further reading:</strong></p>
<p>&#8220;<a href="http://knujon.com/abuseddomainstudy.html">Knujon&#8217;s Abused Domains Study</a>: KnujOn reviewed nearly one million WHOIS records from domain names advertised with spam in 2011 and found that 22.8% of the rogue registrations could be blocked with fundamental validation.&#8221;</p>
<p><a href="http://forum.icann.org/lists/whois-accuracy-study/pdfaGZiosNUpc.pdf">ICANN&#8217;s Response to its WHOIS Accuracy Study</a>:  &#8220;The Study found (and most public comment submissions agreed) that the levels of inaccuracy are unacceptable.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/whois/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Common Questions About the New gTLDs</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/common-questions-about-the-new-gtlds</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/common-questions-about-the-new-gtlds#comments</comments>
		<pubDate>Wed, 22 Feb 2012 10:44:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Brand Protection]]></category>
		<category><![CDATA[Domain Names and ICANN]]></category>
		<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Legal]]></category>

		<guid isPermaLink="false">/?p=1757</guid>
		<description><![CDATA[A generic Top Level Domain, or gTLD, is the name that appears to the right of “dot,” such as .com. The Internet Corporation for Assigned Names and Numbers (ICANN) has begun taking applications for new gTLD’s. With the deadline to apply for a gTLD fast approaching on April 12, 2012, many companies are wondering whether [...]]]></description>
			<content:encoded><![CDATA[<p>A generic Top Level Domain, or gTLD, is the name that appears to the right of the “dot,” such as .com. The Internet Corporation for Assigned Names and Numbers (ICANN) has begun taking applications for new gTLDs. With the deadline to apply for a gTLD fast approaching on April 12, 2012, many companies are wondering whether they should apply. In light of the many factors that a company must consider before applying, Cyveillance is unable to make a global recommendation to all of our clients. However, the basics about the new gTLDs, the benefits, and the drawbacks are discussed below:</p>
<p>How many gTLD requests is ICANN expecting in this first round of applications?<br />
<a href="http://newgtlds.icann.org" title="ICANN" target="_blank">ICANN</a> is expecting between 200 and 1,000 applications.  Some experts are predicting that, based upon the number of applications it receives, ICANN may not hold another application round for several years after this initial offering.</p>
<p>What if someone else applies for the same gTLD that I apply for?<br />
ICANN is encouraging resolution between the parties. If the parties cannot come to an agreement, the last resort will be an auction. See Section 1.1.2.10 of the gTLD <a href="http://newgtlds.icann.org/en/applicants/agb" title="Applicant Guidebook" target="_blank">Applicant Guidebook</a>.</p>
<p><span id="more-1757"></span></p>
<p>What is the cost of owning a gTLD?<br />
Estimates are high – up to $2 million per year at first. The application cost starts at $185,000, which does not factor in additional costs related to dealing with objections, auctions, extended evaluations, legal issues, and technical issues. ICANN will charge a fixed quarterly fee of $6,250. Additionally, each domain name registered or renewed to that gTLD in excess of 50,000 will cost an additional $0.25 per domain. Domains transferred from other registrars will be counted. See Draft New gTLD <a href="http://newgtlds.icann.org/en/applicants/agb" target="_blank">Registry Agreement</a> Section 6.1. Add on the expense of running and maintaining the registry for the 10 year life of the contract, and the costs can be very high.</p>
<p>How can running a gTLD benefit my company?<br />
You will have more control over which, if any, franchisees or other partners can use your brand on the Internet. Moreover, customers will have more trust when navigating through a site that they know is authentic. Experts predict that gTLDs will make it easier for consumers to find products and services.</p>
<p>What are some of the risks?<br />
After you commit to a ten-year contract with ICANN, consumers may not gravitate toward the new gTLDs. If that is the case, then the cost of running a gTLD may outweigh the enhancement to your brand. There is also a risk associated with waiting on the sidelines. It is not clear when ICANN will hold another round of applications, so your company may get shut out if you decide to wait.</p>
<p>What if someone tries to take a gTLD that infringes my brand?<br />
<a href="http://newgtlds.icann.org/en/program-status/application-results" target="_blank">Public portions</a> of applications will be posted on ICANN’s website around May 1, 2012. Although some companies out there are offering services to monitor the new domain name registrations, paying for what ICANN is giving out for free would be a waste of money. If someone applies for a gTLD with your trademark, then you can file a “legal rights” objection with a dispute resolution service provider (DRSP). You will have seven months to file an objection, and you will have to wait approximately five or more months for the decision. The cost, depending on the DRSP, will be approximately $1,000-$5,000 per party to file an objection and $32,000 &#8211; $122,000 to adjudicate the claim.  </p>
<p>Will the new gTLDs open my brand up to a whole new set of possible infringements?<br />
ICANN has built in several <a href="http://www.icann.org/en/topics/new-gtlds/gnso-consultations-reports-en.htm" target="_blank">protections</a> for trademark holders, in addition to the existing Uniform Domain Name Dispute Resolution Procedure (UDRP). First, every gTLD will be required to register with a trademark clearinghouse that will provide a trademark claims service and a sunrise process. If a trademark holder registers with the clearinghouse, then the trademark claims service will notify a trademark holder if someone else tries to register a gTLD with its trademark. The sunrise process will give trademark holders the first opportunity to register domain names before registration opens to the general public. Second, the Uniform Rapid Suspension System (URS) will give trademark holders a fast remedy in clear-cut cases of infringement. The URS will cost about half of the time and money the UDRP would cost; however, the prevailing party only gets the option to renew the domain name for a year after the current registration period expires. Third, the Post Delegation Dispute Resolution Procedure (PDDRP) will provide redress for trademark holders against a registry that engages in a pattern of abuse. Finally, ICANN will look at applicants’ criminal histories, will require robust WHOIS records, and will have a centralized zone file access system.</p>
<p>Companies must take an in-depth look at whether the protections ICANN is offering will be sufficient and whether the cost of running a gTLD will enhance their brand.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/common-questions-about-the-new-gtlds/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monitoring DMCA Safe Harbor Provisions</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/monitoring-dmca-safe-harbor-provisions</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/monitoring-dmca-safe-harbor-provisions#comments</comments>
		<pubDate>Thu, 09 Feb 2012 16:28:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Brand Protection]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Legal]]></category>

		<guid isPermaLink="false">/?p=1735</guid>
		<description><![CDATA[Background The Digital Millennium Copyright Act (the “DMCA”) is part of copyright law. The DMCA protects digital works from copyright infringement by making it illegal to circumvent the technical locks and controls that copyright owners use to protect digital works. Examples of technical locks and controls are mechanisms on DVDs and video games that prevent [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Background</strong><br />
The Digital Millennium Copyright Act (the “DMCA”) is part of <a href="http://www.law.cornell.edu/uscode/17/usc_sup_01_17_10_1.html" title="copyright law" target="_blank">copyright law</a>. The DMCA protects digital works from copyright infringement by making it illegal to circumvent the technical locks and controls that copyright owners use to protect digital works. </p>
<p>Examples of technical locks and controls are mechanisms on DVDs and video games that prevent people from copying the content. Additionally, sections of web sites that are protected by passwords are also considered controls under the DMCA. The DMCA prohibits people from working around any of these protections in order to copy the content without authorization from the copyright owner.  </p>
<p>Just as the Copyright Act has “<a href="http://www.copyright.gov/fls/fl102.html" title="fair use" target="_blank">fair use</a>” exceptions, the DMCA has exceptions too. Fair use exceptions provide for instances in which a copyrighted work can be copied or reproduced without violating a copyright holder’s rights. For example, a news reporter quoting a speech in a news report would probably be deemed a fair use of that copyrighted speech.    </p>
<p>Currently, the seven exceptions where the DMCA does not apply are:</p>
<ul>
<li>Libraries, archives, and educational institutions for acquisition purposes;</li>
<li>Law enforcement and intelligence gathering activities;</li>
<li>Reverse engineering in order to develop interoperable programs;</li>
<li>Encryption research;</li>
<li>Protecting minors from material on the Internet;</li>
<li>Protecting the privacy of personally identifying information; and</li>
<li>Security testing.</li>
</ul>
<p><span id="more-1735"></span>
In order to ensure that the DMCA does not prohibit any fair uses of copyrighted works, the Library of Congress updates the DMCA exceptions every three years. The number of exceptions approved at each update may vary as there is no required number of exceptions. For example, the Copyright Office approved six exceptions in 2006 and 2010. The Library of Congress is accepting suggestions on new exemptions until February 10, 2012.  <a href="http://www.copyright.gov/1201/2011/initial/" title="Submissions" target="_blank">Submissions</a> received on or before December 1, 2011 are posted on the Library of Congress website.</p>
<p><strong>Comments</strong><br />
Advocacy organizations from around the country have begun to submit their proposals for new safe harbor provisions. As the use of safe harbor provisions becomes more prevalent, organizations and interest groups search for ways to protect their respective interests. These proposals generally reflect the organizations’ specific interests and few have the breadth necessary to be implemented. However, several of the proposed exceptions are discussed below and are likely to be persuasive to the Library of Congress.</p>
<p>The first proposed class of works includes “literary works in the public domain that are made available in digital copies.”  According to the <a href="http://www.copyright.gov/1201/2011/initial/open_book_alliance.pdf" title="Open Book Alliance" target="_blank">Open Book Alliance’s </a>supporting comment, Google requires many libraries throughout the world to impose these technological protection measures (“TPMs”) and/or others like them on digital files of public domain works.  The restrictions placed by companies like Google limit access based on copyright protections under Section 1201 of the Copyright Act. The Open Book Alliance contends that copyright protection was not designed to protect works in the public domain, so in order to promote dissemination of public works and prevent misuse of Section 1201, this class of works should be protected under safe harbor provisions.  Works in the public domain are supposed to be accessible by the public for use and can be used to promote creativity; thus, barriers to access can be viewed as a hindrance to the purpose of copyright protections. </p>
<p>The second proposal from the <a href="http://www.copyright.gov/1201/2011/initial/american_foundation_blind.pdf" title="American Council for the Blind" target="_blank">American Council for the Blind and the American Federation for the Blind </a> seeks to add electronically distributed literary works that currently have restrictions that limit accessibility by blind or other persons with print disabilities as a protected class of works under the safe harbor provisions. These organizations assert that, “[w]ithout an exemption, people who are blind or otherwise have print disabilities are at risk for significant legal sanctions simply for finding a way to read material they have otherwise legally obtained.”  They seek to rectify what they view as an oversight that has caused an avenue for discrimination. Lack of access and the opportunity for unintentional discrimination will make this proposal one to really consider.</p>
<p>Lastly, proposals were submitted by the <a href="http://www.copyright.gov/1201/2011/initial/sflc.pdf" title="Software Freedom Foundation" target="_blank">Software Freedom Foundation </a>and the <a href="http://www.copyright.gov/1201/2011/initial/eff.pdf" title="Electronic Frontier Foundation" target="_blank">Electronic Frontier Foundation</a>.  These proposals seek to allow computer programs that enable smartphones and other personal computing devices to use legally obtained software. These proposals contend that smartphones and other personal computing devices derive their value from the software they are able to run. Limits placed on use of software on certain devices not only limit the abilities and options of the consumer, but exclude small developers from the market. These limitations lead to numerous development issues and limitations in functionality of the devices. Smartphones and other personal computing devices are rapidly becoming a staple in American society. Addressing gaps in access and development are issues that should be considered carefully as this technology continues to permeate society. </p>
<p>There are quite a few proposals not addressed here. The topics range from motion pictures and other digital media to educational uses of copyrighted works. Cyveillance encourages you to educate yourself on all of the proposals and monitor how DMCA safe harbor provisions may change and affect your business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/monitoring-dmca-safe-harbor-provisions/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing the Internet with DNSSEC</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/dnssec</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/dnssec#comments</comments>
		<pubDate>Mon, 06 Feb 2012 13:31:25 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">/?p=1719</guid>
		<description><![CDATA[At the 2012 International Conference on Cyber Security held at Fordham University in New York last month, ICANN&#8217;s Dr. Richard Lamb gave an important presentation before all the event&#8217;s attendees titled DNSSEC: A Game Changer. Cyveillance caught up with Dr. Lamb afterward and asked if he could share information about DNSSEC with our cyveillanceblog.com audience. [...]]]></description>
			<content:encoded><![CDATA[<p>At the 2012 International Conference on Cyber Security held at Fordham University in New York last month, ICANN&#8217;s Dr. Richard Lamb gave an important presentation before all the event&#8217;s attendees titled <em>DNSSEC: A Game Changer</em>. Cyveillance caught up with Dr. Lamb afterward and asked if he could share information about DNSSEC with our cyveillanceblog.com audience.</p>
<p><b>Cyveillance</b>: Can you explain briefly what DNSSEC is using non-technical terms, and why it&#8217;s so important?</p>
<p><b>Richard Lamb</b>: DNSSEC (DNS Security Extensions) secures the Internet’s global “phone book” (the DNS or Domain Name System). Every time you enter a web site (www.google.com) or email (foo@bar.com), your computer uses the DNS to convert the domain name (www.google.com or bar.com) into a number (IP address) which is what is actually used to connect to and communicate (just like a phone number) with a web or email server on the Internet. The protocols behind DNS were designed back in 1983 and have little in the way of security built into them. Increased network and computer performance have made it easy to falsify DNS responses to return the wrong “phone number” and possibly send you to an impersonator. Dan Kaminsky, in 2008, demonstrated the ease with which this can be done and recent attacks on 4M computers have driven the point home. DNSSEC adds digital signatures to existing records that allow machines to validate DNS responses so that this sort of attack can’t happen.</p>
<p><b>Cyveillance</b>: This sounds like a fundamental change in the way the Internet operates. Is that accurate?<br />
<span id="more-1719"></span><br />
<b>Richard Lamb</b>: Not really. DNS operates as it did before except now cryptographically generated digital signatures (just a few more bytes) are transferred alongside existing records to allow systems to detect any changes in the original record. However, for the Internet whose protocols have not changed for decades it’s a big change. So it was/is being deployed very carefully.</p>
<p><b>Cyveillance</b>: Exactly who is going to be responsible for helping to get DNSSEC adopted as quickly as possible? Government? ISPs? Website owners? End users? Among those you mention, which do you prioritize when trying to get the word out?</p>
<p><b>Richard Lamb</b>: End user demand is what will drive DNSSEC deployment and its eventual success. However, selling security to the end user has always been an uphill battle. Awareness building of domain name holders / website owners (content provider for the eyes) is therefore a key part of the adoption effort.</p>
<p>Organizations like ICANN continue to do a good job building awareness among ISPs and top level domain (e.g., .com, .se) operators and our own DHS has played a pivotal role in pressing for DNSSEC adoption in government through the funding of initiatives and the creation of a 2008 OMB mandate for all agencies under .gov. Other governments (e.g., Sweden, Brazil) also have initiatives encouraging the deployment of DNSSEC.</p>
<p>ISPs and Registrars (where you buy domain names from) have little incentive to support DNSSEC until it is widely deployed. This has led to a chicken and egg scenario with these entities often pointing to the lack of deployment as reasons for not supporting DNSSEC themselves. This has placed a priority on Website owners and end users to deploy DNSSEC on their web sites and demand greater security from providers. The hope is that market forces will then prevail resulting in wider support amongst Registrars and ISPs. COMCAST is an example of a large ISP that has fully deployed DNSSEC to help protect their customers. GoDaddy is an example of a large Registrar that supports DNSSEC for their domain name holders who want it.</p>
<p><b>Cyveillance</b>: Do you think the average end user will ever notice the change?</p>
<p><b>Richard Lamb</b>: Ideally, improved security should not be noticed by the end user. However, with the new source of trust that DNSSEC creates on the Internet, the end user should expect to see a range of applications that ease access control (e.g., login, WiFi roaming, etc&#8230;) and improve web site and email security.<br />
<b>Cyveillance</b>: Is there any similarity in the push to move from IPV4 to IPV6? Which do you see happening first &#8211; complete IPV6 adoption or complete DNSSEC adoption?</p>
<p><b>Richard Lamb</b>: That’s a great question. DNSSEC is often grouped with IPv6 and they are similar in the sense that they are both big protocol changes for the Internet. However, IPv6 is not backward compatible with IPv4. DNSSEC is. DNSSEC secures the DNS. IPv6 updates the routing layer.</p>
<p>Experts have said that IPv6 and IPv4 will coexist for many years to come.</p>
<p>The same will likely be true for DNSSEC as well. While many sites will have DNSSEC deployed on them, there will always be a portion of the web site owners who have little interest in security. Currently, I believe DNSSEC deployment has a slight lead over IPv6 deployment. The key is that for those organizations that do have an interest in maintaining the integrity of the information disseminated by their web site – DNSSEC is a big step.</p>
<p><b>Cyveillance</b>: What advice would you give to those who are evangelizing within their organization for DNSSEC adoption?</p>
<p><b>Richard Lamb</b>: Deploying DNSSEC on domain names owned by their organization and turning on DNSSEC on their internal resolvers would not only help protect staff from DNS redirection attacks but also demonstrate to the public that the organization takes security seriously. I would also point out that large ISPs like COMCAST have stepped up to support DNSSEC as well and point to the recent reports on the DNSChanger attacks. Finally, DNSSEC deployment on an organization’s domain names need not be expensive as demonstrated by various Registrar offerings like those from GoDaddy, VeriSign, and others.</p>
<p><b>Cyveillance</b>: Any last thoughts?</p>
<p><b>Richard Lamb</b>: I think two of the most interesting things about DNSSEC are 1) how it can be a platform for entrepreneurs from around the world to create a whole new range of innovative security applications and 2) how it is a classic example of the Internet’s borderless, bottom-up, cooperative approach to solving problems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/dnssec/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Attacks Abound with the Proliferation of New Technology – No Time for Complacency</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/cyber-attacks-abound-with-the-proliferation-of-new-technology-%e2%80%93-no-time-for-complacency</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/cyber-attacks-abound-with-the-proliferation-of-new-technology-%e2%80%93-no-time-for-complacency#comments</comments>
		<pubDate>Fri, 16 Dec 2011 13:39:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillance.com/web/blog/?p=1672</guid>
		<description><![CDATA[While new technology and increased Internet access bring with them lots of positive aspects, you can’t overlook the threat of cyber attacks – as evidenced by a very headline-rich 2011. The repercussions alone can be devastating to an organization lacking the infrastructure to detect and counter such attacks. To put this into perspective, take [...]]]></description>
			<content:encoded><![CDATA[<p>While new technology and increased Internet access bring with them lots of positive aspects, you can’t overlook the threat of cyber attacks – as evidenced by a very headline-rich 2011. The repercussions alone can be devastating to an organization lacking the infrastructure to detect and counter such attacks. To put this into perspective, take Algeria for example. Internet access in Algeria has grown exponentially during the past decade, reaching over four million households, cybercafés, as well as many different public and private institutions. This phenomenon has undoubtedly benefited the indigenous population by exposing them to vast amounts of information and the ability to communicate worldwide, but it has also brought with it the dangers of cyber attacks. Let’s reacquaint ourselves with the reasons we need to be more vigilant in increasing awareness of cyber attacks by looking at what is going on in Algeria.</p>
<p>Despite laws enacted in 2001 to combat digital-related incidents, cyber crime is still pervasive in Algeria. This is due not only to a lack of detection tools, awareness and training courses, but also to the negligence of private and public institutions in protecting their intellectual properties online. In 2010, the Center for Judicial and Judiciary Research (a branch of the Algerian Department of Justice) began developing and implementing cyber security laws. Until then, the field went mostly unregulated.  Since 2010, 12 cases have been reported and to date there have been eighty-eight cases brought to justice.  </p>
<p><span id="more-1672"></span></p>
<p>Technological innovations in the world of cyber criminals have made the traditional bank robbery seem almost prehistoric. Computer and Internet access now replace the gun; surreptitious locations replace the need for an actual physical presence to confront the victim. Hacking, phishing, spear phishing, spamming, 419 scams, malware, web piracy and cyber terrorism, can all take place from the comfort of one’s cubicle &#8211; far from and invisible to the intended target. </p>
<p>A variety of those cyber crimes mentioned above are already affecting Algeria. In 2010, individuals suspected of operating from China infiltrated Algeria Telecom and hacked their servers, thus gaining control over their internet traffic in order to monitor digital communications among its citizenry.</p>
<p>There are other reasons why cyber criminals thrive. First, many law enforcement agencies lack the latest technological tools essential to tackling the problem. Second, the victims lack basic IT skills and an awareness of what has happened to them until it is too late. Yet if we are to address the growing threat of cyber crimes, there needs to be significant improvement in both of these areas.  Expertise in the many forms of cyber attacks, training the audience on computer security, and a campaign of educational awareness must be instituted across private and public organizations. Information fliers, posters, e-mails, and videos are simple but vital tools in the war against cyber crime. </p>
<p>Now step back from the fact that these things are happening in Algeria, because while it may seem we are leaps and bounds in front of Algeria on the technology spectrum, the same holds true for organizations and consumers in the United States. We are so enamored with the cool new technologies that allow us to connect and share information from anywhere that we often forget that there are online criminals out there counting on us to have our guard down. We can’t simply rely on technology to protect us completely, because the criminals have found ways around technology – human error. The more people, employees and senior management understand the complexities of the cyber environment, the better off they will be in protecting their personal security and the security of their organization. Don’t become complacent with cyber security; make sure you and your organization are fully aware of the dangers and how to address them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/cyber-attacks-abound-with-the-proliferation-of-new-technology-%e2%80%93-no-time-for-complacency/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Counterfeiting Trade Agreement (ACTA) Explained</title>
		<link>http://www.cyveillanceblog.com/legal/anti-counterfeiting-trade-agreement-acta-explained</link>
		<comments>http://www.cyveillanceblog.com/legal/anti-counterfeiting-trade-agreement-acta-explained#comments</comments>
		<pubDate>Mon, 14 Nov 2011 16:25:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[Online Pharmacy]]></category>

		<guid isPermaLink="false">http://www.cyveillance.com/web/blog/?p=1643</guid>
		<description><![CDATA[Background The proliferation of counterfeit and pirated goods poses considerable challenges for legitimate trade and the sustainable development of the world economy. Trade in these counterfeit and pirated goods causes significant financial losses for right holders and legitimate businesses. It also hinders sustainable economic development in both developed and developing countries and, in some cases, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Background</strong><br />
The proliferation of counterfeit and pirated goods poses considerable challenges for legitimate trade and the sustainable development of the world economy. Trade in these counterfeit and pirated goods causes significant financial losses for right holders and legitimate businesses. It also hinders sustainable economic development in both developed and developing countries and, in some cases, represents a health or safety risk to consumers.</p>
<p>As a result, in October 2007, the United States, the European Community, Switzerland and Japan simultaneously announced that they would negotiate a new intellectual property enforcement treaty, the Anti-Counterfeiting Trade Agreement, or ACTA. ACTA represents a significant achievement in the fight against the infringement of intellectual property rights, particularly against the proliferation of counterfeiting and piracy on a global scale, and provides a mechanism for the parties to work together in a more collaborative manner to achieve the common goal of effective Intellectual Property Rights (IPR) enforcement. When it enters into force with all participants, ACTA will formalize the legal foundation for a first-of-its-kind alliance of trading partners, representing more than half of world trade.</p>
<p><span id="more-1643"></span></p>
<p><strong>Highlights</strong></p>
<ul>
<li>On Saturday, October 1, 2011, representatives of the U.S., Japan, Australia, Canada, the E.U., South Korea, Mexico, Morocco, New Zealand, Singapore and Switzerland met in Japan for the signing ceremony for the Anti-Counterfeiting Trade Agreement (ACTA).</li>
<li>ACTA, initially designed to be a treaty and thus requiring Senate ratification in the U.S., will likely be an &#8220;executive agreement&#8221; that <a href="http://arstechnica.com/tech-policy/news/2011/09/anti-counterfeiting-trade-agreement-slouches-toward-signing-this-saturday.ars">cannot alter or supersede U.S. law</a>. Fortunately, ACTA is consistent with existing U.S. law and does not require any change to U.S. law prior to implementation in the United States. In particular, ACTA is consistent with U.S. copyright, patent, and trademark laws. For example, the application of injunctive relief as provided for in the Digital Millennium Copyright Act (17 USC §512j) and other provisions of U.S. law is consistent with and implements the obligations of ACTA. The United States may therefore enter into and carry out the requirements of the Agreement under existing legal authority, just as it has done with <a href="http://www.ustr.gov/about-us/press-office/fact-sheets/2011/september/acta-meeting-us-objectives">other trade agreements</a>.</li>
<li>ACTA provides for: (1) enhanced international cooperation; (2) promotion of sound enforcement practices; and (3) a legal framework for IPR enforcement in the areas of criminal enforcement, enforcement at the border, civil and administrative actions, and <a href="http://www.ustr.gov/about-us/press-office/press-releases/2011/october/joint-press-statement-anti-counterfeiting-trade-ag">distribution of IPR infringing material</a> on the Internet. Listed below are the <a href="http://www.ustr.gov/about-us/press-office/fact-sheets/2011/september/anti-counterfeiting-trade-agreement-fighting-piracy">most notable provisions</a>:
<ul>
<li>ACTA will require that border enforcement authorities be empowered to act on their own initiative (“ex officio”) against both imports and exports of counterfeit and pirated goods.</li>
<li>ACTA will require that criminal authorities be able to act on their own initiative in piracy and counterfeiting cases, rather than waiting for a complaint.</li>
<li>ACTA will further clarify existing international requirements for the availability of criminal penalties when piracy or counterfeiting is carried out for commercial advantage.</li>
<li>ACTA will require criminal remedies for the importation or use of labels or packaging for counterfeit goods.</li>
<li>ACTA will include new rules on criminal seizure and destruction of counterfeit goods, seizure of the equipment and materials used in their manufacture, and seizure of the criminal proceeds from piracy and counterfeiting offenses.</li>
<li>ACTA will clarify existing international requirements to protect against circumvention of digital security technologies (such as passwords or encryption).</li>
<li>ACTA will require parties to address copyright piracy on digital networks, while preserving principles such as freedom of expression, fair process, and privacy.</li>
<li>ACTA will enhance the international framework for civil enforcement provisions dealing with issues such as damages, provisional measures, recovery of costs and attorneys&#8217; fees, and destruction of infringing goods.</li>
</ul>
</li>
<li>With respect to the legal framework, ACTA establishes a strengthened standard, as demonstrated in the highlighted parts above, that builds on the minimum standards of the WTO Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). This marks <a href="http://www.ustr.gov/about-us/press-office/press-releases/2011/october/joint-press-statement-anti-counterfeiting-trade-ag">a considerable improvement</a> in international trade norms for effectively combating the global proliferation of commercial-scale counterfeiting and piracy in the 21st Century.</li>
<li>What ACTA is NOT about:
<ul>
<li>Seizing portable music players and laptops at the border</li>
<li>Extending the term of protection for copyrights</li>
<li>Preventing “parallel” imports</li>
<li>Filtering internet traffic for infringing copyright works</li>
<li>Limiting access to generic pharmaceuticals</li>
<li>Reducing the court’s involvement in determining infringement</li>
<li>Weakening privacy laws</li>
<li>Lowering evidentiary standards for injunctions</li>
<li>Freezing bank accounts of suspected infringers</li>
</ul>
</li>
<li>Not all participants are completely satisfied with the final version of ACTA. Critics in the E.U. have suggested the trade agreement doesn&#8217;t comply with Europe&#8217;s data privacy laws, and have questioned its compatibility with E.U. law.</li>
</ul>
<p><strong>Commentary</strong></p>
<p>Critics <a href="https://www.eff.org/issues/acta">claim</a> that ACTA has several features that raise significant potential concerns for consumers’ privacy and civil liberties, for innovation and the free flow of information on the Internet, for legitimate commerce, and for developing countries’ ability to choose policy options that best suit their domestic priorities and their level of economic development. </p>
<p>Additionally, the secrecy of the negotiation process has left the public with many concerns and questions. Gigi Sohn, Public Knowledge&#8217;s president and co-founder, called the ACTA negotiations an &#8220;extremely flawed&#8221; process. &#8220;ACTA should have been considered a treaty, and subject to public Senate debate and ratification or, in the alternative, debated in an open and transparent international forum such as the World Intellectual Property Organization,&#8221; she said. &#8220;Instead, public interest groups and the tech industry <a href="http://www.pcworld.com/businesscenter/article/240664/acta_will_be_signed_saturday_us_and_japan_say.html">had to expend enormous</a> resources to force the process open to permit public views to be presented and considered.&#8221;   </p>
<p><strong>The Impact</strong></p>
<p>Although this agreement does not change U.S. law, it will alter international law. Companies engaging in business on an international level will need to educate themselves on the effects of ACTA. Critics of ACTA in the U.S. have said the treaty could allow foreign organizations to target U.S. companies and websites that don&#8217;t comply with overseas copyright laws. The truth of this statement has not been proven. However, ACTA leaves the door open for countries to introduce the so-called “three-strikes rule”, which would see Internet users cut off if they download copyrighted material, as national authorities would be able to order the ISPs to disclose personal information. This concern about the privatization of enforcement has the potential to impact the operations of U.S. companies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/legal/anti-counterfeiting-trade-agreement-acta-explained/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

