
October 30, 2009

Internationalizing the Internet!

Something big has happened today: ICANN (the body overseeing Internet domain names) has given the green light to non-Latin URLs.

This means a real change in history, and not only from a technical perspective. From November 16 onwards, top-level domain names using non-Latin characters can be registered, i.e. Chinese, Russian and other characters can be used from that moment on. This is due to the approval of the new Internationalized Domain Name Fast Track Process.

According to Tina Dam, ICANN’s Senior Director for IDNs:
“The launch of the Fast Track Process will be an amazing change to make the Internet an even more valuable tool, and for even more people around the globe.”
Some more quotes from ICANN include:
1) One world - One internet - With everyone connected.
2) It will now become possible to use native languages and script on the internet.

Major questions that have to be answered are:
Will this affect the ability to search for cyberspace criminals?
Do we have to expand our policies?
Will this development lead to even more people joining the internet and writing only in their own languages, which many of us cannot understand and which are thus hard to track?
Will terrorists increasingly start using, or expand their use of, the internet now that they can use their own language?

(see the ICANN movie.)

October 22, 2009

Protecting against targeted attacks

A somewhat unrelated entry this time, but definitely worthwhile to put down on this blog imho.

On October 21, a seminar about Protecting Against Targeted Attacks was held at the International Spy Museum in Washington DC, featuring speakers like Chris Brenton (security consultant & SANS instructor), Dave Merkel (Mandiant) & Brian Seaberg (Bit9 Inc.).
Chris Brenton is one of the guys who started Honeynet, a project founded in 1999, dedicated to improving the security of the Internet.

Some of the speakers addressed issues already known to us in the field. However, being confronted with technical issues as well as statistics and stories makes you wonder why we are still connected to the internet. Or worse, why are we, or do we want to be, connected to another PC which is connected to the internet?

Some stuff I scribbled down:
* Today, a lot of attacks are state sponsored or come from organized crime.
* State sponsored attacks are a delicate issue: is there any proof? For example, regarding Russia attacking Georgia or Estonia? Not really. (“Plausible Deniability”)
* In ‘99, “attackers” were mainly script kids with a childish motivation.
* The technical methods used and the vulnerabilities which are exploited are somewhat the same. However, it is the motivation that is different.
* The phases of security mentioned by Dave from Mandiant are prevent-detect-respond. White-listing is a current approach to prevention (apps which are on the white-list can be installed/used).
* A lot of things go wrong at the end-point, i.e. with the end users. A nice story was told:
A department had been coaching its end users regarding internet security (i.e. never click on e-mails or links without knowing from whom/what they are). However, when an e-mail was sent to employees saying that some parking spaces would become available, many employees forgot about the coaching and opened the .pdf, which contained malware.

Many more things were discussed and the company hosting the event had some good points and told about their product. Even though not really interested in this, the things mentioned make you start thinking about it all.

If a lot of attacks are directed towards end-users, how should one go about this issue? What kind of policy should one put in place when the end-users are not at all interested in computers or in listening to computer geeks and “just” want to do their jobs?

To see all the slides of the talk from Chris Brenton, click here

October 20, 2009

Steps taken: facts & figures

Before continuing any discussion of whether or not an offensive policy should be put in place, it is important to acknowledge the structures, strategies and decisions of the USG. In addition, how severe is the threat to cyber security actually?

A search for interesting facts and figures, to get a better grip on the current cyber security steps made by the USG strategists, provides some background information for analysis and discussion.

According to a 2008 Review of the Department of Homeland Security (DHS), the cyber threat was a clearly underreported homeland security issue.

The Presidential Security Directive (PSD-1) (Feb 29, 2009) states something interesting as well:
“My highest priority is to keep the American people safe. I believe that Homeland Security is indistinguishable from National Security. They should be thought of together rather than separately.”
One of Obama’s viewpoints regarding this PSD is that this administration will see any serious gaps and will do its best to fix them. According to him, the biggest is cyber warfare.

The budget focus of DHS for FY 2010 indeed reveals that, for the current administration, cyber security is #1 on the list of functional areas:

1. Cyber security
2. Bio security
3. Coordinating process fed-state-local

Another interesting current fact: a three-year grant of $2.7 million has been given to the Cyber Security Education Consortium to “help train a new generation of cyber warriors whose job it will be to prevent potentially crippling Internet-based attack”.

Finally, DHS has a National Cyber Security Division (NCSD). Part of the NCSD is the National Cyberspace Response System. According to their website:

“The National Cybersecurity Division seeks to protect the critical cyber infrastructure 24 hours a day, 7 days a week. The National Cyberspace Response System coordinates the cyber leadership, processes, and protocols that will determine when and what action(s) need to be taken as cyber incidents arise.”

It is interesting that this Response System team will decide when and what actions need to be taken when an incident arises. What is their vision on offensive counter attacks?

October 13, 2009

National Cyber Security Awareness Month

Those of us who are looking into the issues of cyber security will probably know that October is the 6th annual National Cyber Security Awareness Month. More specifically, the theme of this year is “Our Shared Responsibility”, and the campaign is sponsored by the Department of Homeland Security (DHS).

The goal of this national campaign is to increase awareness of cyber security/cyber crime. One of the activities offered to increase this awareness is initiated by the Multi-State Information Sharing and Analysis Center, which sponsors the Kids Safe Online web cast. On October 17, an interactive play will take place to teach kids about safety issues when using the computer.

However, it is doubtful whether this month-long campaign will have the intended outcome, i.e. that not only government and the public sector but also end-users will take precautionary steps. So far, people around me have never heard of this special month and barely know what cyber security stands for. Of course, steps have to be taken and this is a good way to start. But we are definitely not there yet…

Interested in joining any of the awareness events? Go!

October 06, 2009

Topic intro: Offensive Cyber Security Policy

Futurology is used by many, including the US government (USG), as a way of predicting what our future will look like. Policy makers are among the people who use, or at least consider, the outcomes of futurology to decide upon a national strategy for upcoming years.

One of the many predictions made by famous futurologists is a scenario whereby a huge cyber war will take place in this world. Whether or not one believes in this kind of prediction, or sees its real value for policy making, it is a scenario worthwhile to consider, especially as cyber attacks take place every day.

Colin Gray states in his article The 21st century security Environment and the Future of War (Winter 08-09) that thus far, the US has not taken the cyber system vulnerability seriously enough. According to Gray:
“It is a law of war: The greater the dependency on a capability, the higher the payoff to an enemy who can lessen its utility, in effect turning our strength into a weakness.”

Does all of the above lead us to decide to implement a national offensive cyber security policy?

This blog will look critically at current issues, debates and policy decisions with regard to the question of an offensive cyber security policy.

In case you have any interesting stuff that you think should be on this blog or any criticism, please feel free to comment on my entries.