
In Gemalto’s eBanking Security Guide, a question is asked: “Banking is changing, are you?”

Banking is a changing business. Since the early 1980s banking has been going digital and moving online. During the last 10 years, we’ve seen a major shift in the services offered and the behavior of customers.

Gemalto’s Senior Vice President of online banking, Hakan Nordfjell, says, “Secure and convenient eBanking is a key factor in the future of banking.”

The convenience of online banking is what makes it so vulnerable to security threats. And in order to prevent fraud, online banking security must be convenient.

Recent technological advances have been vast and rapid. But after 15 years, online banking remains relatively immature, and this immaturity is reflected in a sometimes-inadequate security posture. Your eBank is part of your business strategy, and eBanking has security issues; therefore security should be a part of your business strategy too.

The security solution you choose should not merely function: it should contribute to realizing that strategy. You might want to offer other online services that depend on people being able to identify themselves remotely: address change notifications, contract signing and more.

Experience shows that a reliable security solution opens up new business opportunities.

Today we worry about malware, spyware, root kits, phishing, social engineering, and a multitude of scams resulting in account takeover, new account fraud, and identity theft. It’s been less than a decade since the widespread use of broadband Internet took online commerce mainstream, and losses resulting from cyber fraud have already topped a trillion dollars.

Enterprises under siege by criminal hackers need qualified professionals to help plan and develop online banking solutions and to ensure that client information is secure.

These professionals know that most security problems are easily solved, but solutions often sacrifice a certain degree of user friendliness. Securing a system as thoroughly as possible would place unreasonable expectations on customers, demanding that they jump through too many hoops to make a purchase.

The ideal system design finds a happy medium, and incorporates functionality, appearance, and scalability.

When launching any security solution, explain to your customers why the change is necessary, and strive to make changes appealing for users. Be sure that your customer support is adequately prepared. Provide clear information and, if possible, allow customers to select which device to use.

When choosing a security solution for your business, consider a resource that offers more than standalone security technology. A real solution takes future needs and potential threats into account, and, crucially, offers a positive user experience.

Visit http://www.ebankingsecurity.net/ to learn how to enhance the security of your online banking system.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

A while back KPN launched a few new subscription options that required customers to pay extra for VOIP and Chat applications on their mobile phone network. This raised several worried inquiries as to how KPN thought to distinguish the traffic so that it could determine if customers were using these apps. KPN then told everybody not to worry; that they would only charge people and not close down services, but kept silent about the pertinent question on determining customer traffic.

Well, on May 10th this year at an investor meeting KPN's Director of Mobile Marco Visser played a hefty game of braggadocio by openly admitting to the use of Deep Packet Inspection (DPI) on its networks and being the first operator in the world to do so. DPI essentially means that the operator can now see each packet's origin and destination as well as its content, making it quite the violation of your privacy. Part of that revelation can be seen here on this video stream (fast forward to 3.33m). Proudly Mr. Visser admits to having actual penetration figures of popular apps such as WhatsApp, an application that enables users to text and chat using an internet connection (which undermines pay-per-message services such as texting). He adds that they can also determine VOIP usage from their customers and that KPN intends to charge a fee for such services.

That such techniques are a blatant violation of Dutch privacy laws is obvious. Dutch digital civil rights movement Bits of Freedom (BoF) was shocked to hear about this and in a press statement it urges politicians to bring the (legal) pain to KPN for its actions. What completely befuddles me is how such a high-ranking official can be so proud about violating its customers in every way! Not only is it obviously illegal, it's such a bottom-feeding tactic that I'm surprised nobody has been lynched yet. It's a bit like the record labels using the RIAA to sue downloaders because MP3s have made CDs a dead medium and they're seeing a decline in sales. As a Dutch citizen and (forced) KPN cellular network user I can only hope that KPN is punished so severely that no other operator will ever try this again.

Crossposted from ArgentConsulting.nl

When a major corporation like Sony gets hit then you know we are all vulnerable. Sony is a great company and like many great corporations is under constant attack. The landscape of information security is changing every day and criminals are aiming their cyber-weapons at the biggest targets in the world.

TechNewsWorld reports LastPass, the password manager was under attack last week. “Users rely on it to store the myriad user names and passwords they inevitably collect as they go about their business on the Web. With LastPass, they only have to remember one single master password. LastPass handles the rest — including, presumably, security.”

Simon Cowell's X-Factor show was hit too. The Daily Star reports “Closely guarded secrets about media mogul Simon Cowell and his new US X Factor show have been “stolen” by sneaky cyber crooks. The personal information and act details of more than 250,000 wannabes have also been exposed”.

In an email to the victims of the breach it stated: “This week, we learned that computer hackers illegally accessed information you and others submitted to us to receive information about The X Factor auditions. It is possible, however, that the information you did provide to us, which included your name, email address, zip code, phone number (which was optional), date of birth, and gender, may have been accessed”.

Cybercrooks are jumping on the news of Osama Bin Laden’s demise. Spam campaigns and malware that piggy back on the news and seek to trick unwitting computer users into clicking links or opening attachments are making the rounds and McAfee Labs expects to see more over the coming days. Computer users should be cautious and especially on guard when they receive messages that purport to offer photos of Bin Laden’s body, funeral at sea or any additional details.

It is important to observe basic security precautions to protect your identity. However, the safety of your information with corporations and other entities that you transact business with is very often beyond your control. Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features in addition to live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visit http://www.counteridentitytheft.com/

Robert Siciliano is a McAfee Consultant and Identity Theft Expert.

1. Data Breaches: Businesses suffer most often from data breaches, making up 35% of total breaches. Medical and healthcare services are also frequent targets, accounting for 29.1% of breaches. Government and military make up 16.2%, banking, credit, and financial services account for 10.5%, and 9.2% of breaches occur in educational institutes.

Even if you protect your PC and keep your critical security patches and antivirus definitions updated, there is always the possibility that your bank or credit card company may be hacked, and your sensitive data sold for the purposes of identity theft.

2. Social Engineering: This is the act of manipulating people into taking certain actions or disclosing sensitive information. It’s essentially a fancier, more technical form of lying.

At 2010’s Defcon, a game was played in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. Of 135 “targets” of the social engineering “game,” 130 blurted out sensitive information. All five holdouts were women who gave up zero data to the social engineers.

3. Failure to Log Out: Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or, “Save password,” and, once selected, will do so indefinitely. This feature often works with cookies, or codes stored in temp files. Some operating systems also include an “auto-complete” feature, which remembers usernames and passwords.

4. Inside Jobs: With millions losing jobs, there are many opportunities for an insider to plug in a thumb drive and steal client data or other proprietary information. Networks are like candy bars, hard on the outside, soft and chewy on the inside. Insiders who fear layoffs may be easily tempted to use their access to profit while they have the chance.

5. Fraudulent Accounts: Many businesses lay claim to thousands or millions of members or clients who have access to web-based accounts. No matter the nature of the business, social network, dating site, gaming site, or even bank or retailer, some percentage of the accounts are ongoing instigators and repositories for fraud. Troublemaker accounts infect the overall stability of any organization, and flushing them out is essential.
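Point 3 above describes the “Remember me” mechanism only from the user's side: a long-lived cookie that keeps a login alive indefinitely. The following is an added example, written for this page and not taken from the article or any product it names, showing how a web application can bound that risk server-side in Python: the remembered login is a random token whose hash (never the token itself) is stored with a hard expiry, it can be revoked on logout or on a password change, and the cookie carries Secure, HttpOnly and SameSite flags. All names (RememberMeStore, REMEMBER_ME_TTL, the cookie names) and the 14-day lifetime are assumptions for illustration; the contrasting session_cookie() shows the alternative that ends when the browser closes.

```python
"""Bounded, revocable "remember me" tokens (added example; names and 14-day cap are assumed)."""
import hashlib
import secrets

REMEMBER_ME_TTL = 14 * 24 * 3600  # assumed policy: a remembered login lasts at most 14 days


def _digest(raw_token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(raw_token.encode()).hexdigest()


class RememberMeStore:
    """Maps hashed remember-me tokens to (username, expiry) with revocation support."""

    def __init__(self):
        self._tokens = {}  # digest -> (username, expires_at)

    def issue(self, username: str, now: float) -> str:
        """Create a fresh random token for `username`, valid until now + REMEMBER_ME_TTL."""
        raw = secrets.token_urlsafe(32)
        self._tokens[_digest(raw)] = (username, now + REMEMBER_ME_TTL)
        return raw

    def resolve(self, raw: str, now: float):
        """Return the username for a presented cookie value, or None if unknown or expired."""
        key = _digest(raw)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._tokens[key]  # purge expired tokens instead of letting them linger
            return None
        return username

    def revoke(self, raw: str) -> bool:
        """Explicit logout: invalidate this token server-side, not just the browser cookie."""
        return self._tokens.pop(_digest(raw), None) is not None

    def revoke_all(self, username: str) -> int:
        """Password change or 'log out everywhere': drop every token held for the user."""
        doomed = [k for k, (user, _) in self._tokens.items() if user == username]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)


def remember_me_cookie(raw: str) -> str:
    """Set-Cookie value for the persistent token.

    Max-Age bounds its life in the browser; Secure keeps it off plaintext connections,
    HttpOnly keeps it away from page scripts, SameSite=Lax keeps it off cross-site requests.
    """
    return (f"remember={raw}; Max-Age={REMEMBER_ME_TTL}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def session_cookie(session_id: str) -> str:
    """Contrast: no Max-Age or Expires, so the browser discards it when it closes."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = RememberMeStore()
    t0 = 1_700_000_000.0  # constructed fixed clock value so the run is deterministic
    token = store.issue("alice", t0)
    print(remember_me_cookie(token))
    print(store.resolve(token, t0 + 3600))                 # alice
    print(store.resolve(token, t0 + REMEMBER_ME_TTL + 1))  # None: expired and purged
    print(store.revoke(token))                             # False: already gone
```

The point of keeping the token table server-side is that “forgetting” a device becomes a real operation: clearing the cookie in one browser does nothing for a copy taken from a shared or stolen machine, whereas revoke() and revoke_all() end those sessions too.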

One anti-fraud service getting lots of attention for protecting online businesses from crime and abuse is ReputationManager 360 by iovation Inc. The service is used by hundreds of online businesses to prevent fraud by deeply analyzing the computer, smartphone, or tablet connecting to their online properties.

Robert Siciliano, personal security and identity theft expert contributor to iovation.

As early as 2004 the various Armed Services of the United States publicly called Cyberspace a new warfighting domain. Now, several years and a whole lot of international incidents later, Cyber Security and Cyber Warfare have become common topics of conversation inside governments, corporations, national laboratories and think-tanks. Over 120 countries worldwide have ramped up efforts to defend themselves against cyber attacks, and are no doubt making sure that they have cyber capabilities of their own.

That cyber attacks are a reality has been made abundantly clear to the US government by outside events as well as multiple successful penetrations of the Pentagon network. Subsequent wargames and reports reveal that the US is very vulnerable to such attacks, and in this they are certainly not the only one. America's military forces are some of the most active entities in the Cyber Warfare scene, with their Department of Defense taking a leading role in creating one of the world's first Cyber Commands (USCYBERCOM). Several of the industrial complexes that serve the US Government and its armed forces have also started to smell the proverbial coffee, already making Millions (if not Billions) by actively servicing the many requests they receive from their largest customer. While Europe is slowly moving to a similar state, America is the place where new developments are happening.

Imagine my surprise when rumors reached me of a new movement by the current US government administration to redefine Cyberspace as an Innovative Domain rather than a Warfighting Domain, exactly the opposite of current DoD Doctrine. While I cannot reveal them, credible sources have informed me that the Obama administration is going to some lengths to move away from 'Cyber Warfare Terminology'. The reasoning is that if Cyberspace is considered an Innovative Domain (i.e. Technological) rather than a Warfighting Domain (i.e. Military), the embarrassment of being vulnerable to attack is somehow magically diminished. It would stop being a mostly military matter (no doubt pleasing the various IT Security gurus critical of Cyber Warfare), Armed Forces investments in cyber warfare might suddenly find a 'better use' and this would eventually require far less of the National budget than is currently allotted. Of course this is just a pipe dream, but there it is.

Seeing as how these are currently just rumors that I cannot substantiate with any real proof, there is little more that I can say about it. However, if these rumors turn out to be true then the US military industrial complex may take quite a hit through diminishing requests by its government and interesting times will surely be here. Are there really people daft enough in the US Government to completely ignore the evidence of Cyber Warfare that is already out there? The attacks on the Pentagon networks, the plundering of its email servers, the 2007 attacks on Estonia, the 2008 attacks on Georgia and the 2009 attacks on both the US as well as South Korea should sway any sane person from the notion that denial will solve the problem. I can't safely say that current spending will do anything to lessen the threat, but spending less certainly won't help the situation. Is the Obama Administration really up for an Ostrich Award?


Crossposted from ArgentConsulting.nl

It doesn’t matter if you are young or old, rich or poor, if you have good credit or bad credit, pay with cash or credit card, whether or not you use the Internet, or even own a computer. You can be a maintenance worker or a scientist. It doesn’t matter.

Whether you are alive or even if you are dead, as long as you have a Social Security number, you are a potential identity theft victim.

Reporters tend to be fairly savvy and well informed. Identity theft, however, is a complicated issue, and anyone can be stumped, regardless of your level of security intelligence.

One reporter received an alert about “irregular check card activity.” It was sent late one weeknight, and she didn’t see the email until the following night. At first, she couldn’t believe her bank account could have been compromised, and suspected it was a phishing email designed to trick her into disclosing her account information. But when she called her bank, she learned that nearly all her money had already been stolen.

“I soon discovered I was a victim of identity theft and that a woman posing as me in California was allowed to spend and withdraw all of my family’s money in two linked accounts from my bank, without stealing my debit or credit cards. She took more than $40,000.”

The thief used a fake driver’s license, which replaced the victim’s ID in the bank’s computer, signed documents with a signature that looked nothing like the victim’s, and gave the bank a new phone number and address. She took over and cleaned out two accounts, one of which was a checking account used for family expenses, and the other was an investment account.

After a great deal of stress and aggravation, the victim and her husband managed to get their stolen savings reimbursed by their bank. She still doesn’t know how the thief managed to steal her identity, or if she was ever caught.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee puts victims first and provides live access to fraud resolution agents who work with victims to help restore stolen identities, even from thefts that occurred prior to subscribing to McAfee’s service.

For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert.

On February 24th of this year, a report was released by the Ministry of Security and Justice of the Dutch government with the alluring title "National Risk Assessment 2010" (PDF Alert - Dutch). This is not a new phenomenon; it's a yearly recurring report that covers the results of scenarios thought up by the government in order to create or improve their strategies. What's so special about the 2010 report is that for the first time ever, Cyber Conflict is a scenario being covered by the report.

The Scenario
In the scenario the Netherlands will be hit by a large-scale, coordinated cyber attack organized by an enemy state. These attacks debilitate the functioning of government institutions, parts of the critical infrastructure and commercial ventures. The IT infrastructure of several ministries is paralyzed, the electric grid in the provinces Gelderland and North Holland (think Amsterdam) shut down, telephone traffic is seriously limited and satellite communications are down (limiting the Defence department's ability to communicate with units abroad). International commerce and financial institutions are also severely hit.

The Impact
What may surprise the average person, but what seems to be typical in cyber conflicts, is the amount of time it takes for the government to realise that it is being deliberately targeted by an enemy nation through cyber attacks. For a long time the events seem uncorrelated and this leaves the government (and, I would think, the commercial institutions mentioned) fighting the symptoms rather than the cause. The damaged parties limit their response to recovering the damaged systems and to increase security of their networks. The government lacks capacity to deal with the threat and clear and decisive handling of the situation is nowhere in sight. The government loses control over (parts of) its infrastructure because of the attacks and it is acknowledged as a violation of sovereign territory. Though not completely shut down, emergency services such as police, ambulance and fire departments are severely limited. Functioning of large parts of the government is dealt a dramatic blow by the shutdown of its IT networks, including the Second Chamber (Tweede Kamer). The damage to IT services is visible nation-wide and its citizens experience severe problems in direct relation to it. Several vital sectors are hit and recovery seems far away, leading to much uncertainty with the populace. The people are rapidly losing faith in the government to deal with the situation.

Though there are no solid leads that the Netherlands will face such an attack, experts agree that the scenario is technically possible and imaginable. Also, in spite of the extensive security measures put in place, the vulnerability is a big one. The Netherlands is a very 'connected' nation and though we are but a small nation, the impact of a large scale cyber conflict would be great. In the report, the government acknowledges that several examples can be named where this has happened, such as Estonia (2007) and Georgia (2008). They also mention that 14 factories running Siemens software have been hit by the Stuxnet worm. As technology continues to develop, the Netherlands will become more connected, which makes this scenario more likely. As an appendix the likelihood and impact have been assessed of all scenarios. Cyber Conflict has been rated as Probable, with an impact score that ranges from zero to severe. What's notable is that the damage will be mostly social-psychological in nature.

Points for Improvement
From the analysis it becomes clear that the following points should at least be developed or improved upon:

  • Centralized command for cyber security needs to be created
  • Interests of National Security should be integrated with international policy
  • Gathering, analysis and sharing of information needs to be improved
  • National and flexible insertion of cyber security expertise needs to be developed
  • A National policy with regards to defensive capacities needs to be developed

The report continues to elaborate on what initiatives have already been taken to assist in improving the Dutch defensive posture, but most of this has already been covered in an earlier article I wrote about the Dutch Cyber Security Strategy that was released a while ago. It is nevertheless good to see that the Dutch government takes the possibility of Cyber Warfare seriously and initiatives are being taken to minimize the damage and secure its citizens. The odds of successfully fending off a large scale cyber conflict are against them, but I don't believe that there is any other 'connected' nation who is faring any better. Luckily many of the earlier initiatives with regards to Critical Infrastructure have been about recovering services, and this may very well be our saving grace if we ever do get hit.

Around September last year I wrote an article on the Dutch government promising a Cyber Security doctrine that was to determine the strategy the Netherlands was to follow in the areas of Cyber Crime, Cyber Warfare and generally all things related to Cyber Security. Well, this document has finally arrived, and can be found here (PDF alert - Dutch). It's a decidedly vanilla document with not much meat to it, and the approach our government has taken looks a lot like that of the UK. That is to say: defend and extend the commercial interests, partake in the various international initiatives pertaining to Cyber and don't rock the boat too much (cost-wise).

The document outlines the following starting points:

  • Connect and Strengthen existing initiatives
  • Invest in Public-Private collaborations
  • Personal responsibility (referring to end users protecting their own systems)
  • Division of Responsibilities of the various Departments
  • Active international collaboration
  • All actions to be undertaken are proportional
  • Self-regulation if possible, legislate if not

The list obviously isn't anything new or exciting and has the added value of being very low-cost or even free. It's about what you'd expect from a government that has to take a 30 billion spending cut. One has to wonder about the effectiveness of such an approach, seeing as how most of these points have been in place (and followed) for a while and have yet to yield the desired results. Taking a look at the proposed action plan, we see corresponding initiatives:

Creation of a Cyber Security Council and National Cyber Security Center
The cabinet establishes that caring for Cyber Security is now a burden for a multitude of organizations and departments, and so they wish to unify all these efforts into two centers: the National Cyber Security Council and a National Cyber Security Center. The Security Council is the new organization where the strategy will be established by representatives of all involved parties. The Cyber Security Center will essentially be its executing branch, and act as a place where information, knowledge and expertise is shared amongst the participants. The government urges all public and private parties to join in, and is working on a collaboration model to this end. They also intend to expand and strengthen GOVCERT, and to make GOVCERT a part of the Security Center.

Create Threat- and Risk analyses
By sharing information, knowledge and expertise, the cabinet aims to build threat- and risk analysis so that they can chart weak spots and strengthen the segments that need fixing. The AIVD and MIVD (Dutch Intelligence communities) will insert their knowledge and if necessary, increase their cyber capabilities. This initiative is to yield a yearly National Threat Assessment, which is to inform the Government on current or pending risks.

Increasing resilience of critical infrastructure
The Dutch approach to Cyber Security has so far always hinged on business continuity rather than prevention or actual security. The document refers to an existing initiative from the 'old days' called the CPNI (Informatieknooppunt Cybercrime, or Infopoint Cybercrime), and how this initiative is eventually to be folded into the Cyber Security Center. Also, the existing Telecommunications Act will be updated in 2011 to accommodate various new factors. Through the following measures, the government hopes to create more Cyber Security momentum:

  • A Responder Kit (accompanied by a manual) has been created for Cyber Espionage so that companies can increase their own resilience;
  • At the end of 2011, 80% of the departments, agencies and companies in the vital sector Public Order & Security (Openbare Orde en Veiligheid) as well as Public Management (Openbaar Bestuur) should have access to a continuity plan that includes large scale internet connectivity breakdown scenarios;
  • This cabinet will establish one security framework of Information Security for all government agencies as well as creating a government-wide control cycle to enforce it;
  • Somewhere in 2011 the cabinet will decide if it is possible to include an electronic ID in travel documents that holds up to the highest security standards, so that Dutch citizens can reliably ID themselves over the Internet and digitally sign documents while safeguarding the citizens' privacy;
  • The government will implement the European mandatory reporting of data leaks in the Telecom sector. They will also draft a proposal for mandatory reporting of all loss, theft or abuse of personal data for all services in the 'Information Society';
  • Choices will be made by the cabinet with regards to processing of personal data. European norms will be guiding these choices;
  • The cabinet wishes to work with IT vendors to look into increasing security in hard- and software and will also look to joining international efforts in this field. The Netherlands will also play an active role in the Internet Governance Forum to increase global internet security;
  • In concert with suppliers, the government wishes to better inform its citizen users with regards to security. The result will be national ad campaigns surrounding current events or threats.

Increase response capabilities to large scale internet downtime or cyber attacks
In extension of the above list of critical infrastructure resilience, the following list of activities aims to increase response capabilities to large scale internet breakdowns or cyber attacks that threaten to disrupt society:

  • In the summer of 2011 this cabinet will release a National Crisis Plan for ICT, involving national and international training exercises;
  • A public-private collaboration effort for ICT crisis handling called the IRB will be operational in 2011 and implemented into the Cyber Security Center;
  • Strengthening of efforts towards the collaboration amongst CERTs as well as the International Watch and Warning Network (IWWN);
  • An alerting system for Counterterrorism will be updated to include a cyber component;
  • The Department of Defence will look into how information, knowledge and expertise on Cyber Security will be best exchanged, using the Initiative for Civil-Military Collaboration;
  • A Cyber Education & Training center (OTC) will be created;
  • DEFCERT will be expanded and its personnel will be trained in all things cyber;
  • A doctrine for Cyber Operations will be created in order to defend Dutch resources and units;

Intensifying tracking and prosecuting Cybercrime
The cabinet acknowledges that cyber crime is continuously evolving and its international nature makes tracking and prosecuting cyber criminals difficult. The following measures are listed to improve the situation in this area:

  • The cabinet wishes to establish an expert register so that what little knowledge there is, is shared as effectively as possible. Also, they wish to create interesting career possibilities so that the pool of experts will eventually grow;
  • In law enforcement the cabinet wishes to see even more international collaboration within the EU and connecting partners, and strives towards establishing an international legal framework for cybercrime;
  • A national steering committee will be created to establish how best to prosecute priority cybercrime cases. The goal with regards to cybercrime is to establish enough expertise all along the legal chain to adequately prosecute all cybercrime cases. The chairman of this committee will have a place in the Cyber Security Council. The Inspector of Public Order and Security will investigate the functioning of Police in handling cybercrime cases;
  • Within this year's budget for Police, a shift will take place to increase handling of cybercrime cases. This includes detectives and internet surveillance in-country as well as the High-Tech Crime Unit of the KLPD. These various units will partake in the Cyber Security Center;
  • The Approach for Cybercrime will take a central role in the next few years, with the creation of a knowledge center for police, reinforcement of police and the effective shift towards cybercrime capabilities. The entire prosecutorial branch will be reinforced with cybercrime-skilled DAs, bailiffs, judges and 'cyberjudges'.

Stimulation of Research and Education
Research and basic education in the area of Cyber Security are considered essential in securing our digital future. The cabinet will start synchronizing research programs between the scientific centers, corporations and the community through the National Cyber Security Center. If money is available through the EU for this, it will be found and inserted. Also, education on all levels will be reinforced to include cyber security awareness.

And now - The Budget for all this candy
None. Absolutely nothing. Zilch. Zero. Nada. The entire list of initiatives must suffice with what has already been budgeted, which is to say: too little. As said before, this cabinet has to cut 30 billion euros and even though they acknowledge that Cyber Security is important, they just can't seem to find a few pennies to make it all happen. Reliable sources even inform me that now would be an especially bad time to be working for any of the units or departments that are to be assimilated into this new National Cyber Security Center, as there are bound to be redundancies as soon as everyone is sitting inside the same building. I am all for government efficiency, but if this is indeed the case, wouldn't that be Constructive Dismissal?

The future will tell. For now, very few experts take these measures seriously and fear that our National cyber defence posture will be weakened rather than strengthened. Let's hope that this is not the case, because various research papers already point to the Netherlands as a haven for malware.

Source: ArgentConsulting.nl
