The 15 companies will be announcing on Monday DMARC.org, which stands for Domain-based Message Authentication, Reporting, and Conformance–a system for verifying that e-mails are coming from legitimate companies and not imposters trying to trick people into clicking a phishing link. Basically, the system offers a common way for companies to authenticate their legitimate communications with customers.

Also in the DMARC working group are AOL, Bank of America, Fidelity Investments, American Greetings, LinkedIn, and e-mail security providers Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.

Google, Microsoft, Yahoo, AOL, and Agari announced in November that they were doing this authentication coordination for Facebook, YouSendIt, and a few dozen other e-commerce companies and social networks. Now the effort is being expanded to include more participants. The antiphishing collaboration has been going on for 18 months between various partners, DMARC members said.

“About 15 percent of all e-mail in the Gmail in-boxes comes from these organizations that have published these DMARC records,” said Adam Dawes, a Gmail product manager. “That means that these records can not be domain spoofed.”

DMARC.org plans to submit the DMARC specification to the Internet Engineering Task Force for standardization.

The New Paper
Tuesday, Jan 24, 2012

A new form of bullying is taking place in South Korean schools.

Victims are forced to subscribe to Wi-Fi access that costs about US$40 (S$50) a month and then turn on the Wi-Fi function on their smartphones, Reuters reported.

This allows the bullies to take over the phone’s wireless connection, permitting them to surf the Web for free and draw down the phone’s battery because there are multiple users at one time.

“I am very worried my beloved smartphone may be worn out,” one 16-year-old boy old wrote anonymously in an online bulletin this month.

“I really want to cry. I am posting this because seriously, I don’t know what I am supposed to do after the semester starts.”

While new technology has expanded the range of rewards for bullies, the act itself is an old problem in South Korea’s rigid school system.

A survey by the Korean Federation of Teachers’ Association and the Chosun newspaper reported that 4.1 per cent of schoolchildren said they had been bullied, with some even taking their own lives.

But the new bullying methods may take some tackling, with traditional responses lacking teeth, experts said.

“New schemes such as Wi-Fi stealing are blurring the boundaries of school violence,” said a teacher who is part of a teachers’ group that researches bullying.

“Some people say this is not a threat nor violence. But we need a new definition for school violence in terms of laws and norms,” he added.
This article was first published in The New Paper.

Written by: PanArmenian

January 23, 2012

If a user follows the link, their browser will attempt to establish thousands of connections to the US Department of Justice server

In the past, when carrying out attacks of this kind the loose collection of activists has principally relied on the Low Orbit Ion Cannon (LOIC), which users participating in the attack must first download and run. In some countries, including the UK and Germany, this can be construed as a case of computer sabotage and therefore constitutes a criminal offence. In this case, however, the situation is less clear, as the JavaScript is executed without any user interaction and launches its attack as soon as the user opens the web page containing it.

Users have no way of knowing beforehand what will happen when they visit the page. Anonymous sympathisers have been diligently disseminating links to the web page via Twitter, frequently using any of a number of link shortening services to obscure the actual URL. In order to maximum the number of hits, Twitter users are in many cases being enticed to visit the page under false pretences.

The attack is part of #OpMegaupload, launched by Anonymous following the arrest in New Zealand of Kim Schmitz, founder of the MegaUpload service which was shut down yesterday in a worldwide operation by the authorities. Last night, the Department of Justice web site was indeed offline for some periods, but things now appear to have quietened down, with the web site currently freely accessible.

Last week, the Lords of Dharmaraja made headlines by exposing their work to the world, after claiming to have breached systems used by India’s military intelligence. They released old source code from Symantec, and API documentation as proof. However, over the weekend it was learned that they also released a memo documenting India’s intercept program, and the role that Research in Motion, Apple, and Nokia play in it.

Symantec confirmed with SecurityWeek on Friday that hackers did access source code from Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. According to a Symantec spokesperson, “SEP 11 was four years ago to be exact.”

In addition, Symantec Antivirus 10.2 has been discontinued, though the company continues to service it.

“We’re taking this extremely seriously and are erring on the side of caution to develop and long-range plan to take care of customers still using those products,” Cris Paden, Senior Manager of Corporate Communications at Symantec told SecurityWeek.

Over the weekend, the story expanded.

The Lords of Dharmaraja released a memo outlining the intercept program known as RINOA, which earns its name from the vendors involved – RIM, Nokia, and Apple. The memo said the vendors provided India with backdoors into their technology in order to them to maintain a presence in the local market space.

India’s Ministry of Defense has “an agreement with all major device vendors” to provide the country with the source code and information needed for their SUR (surveillance) platform, the memo explains.

These backdoors allowed the military to conduct surveillance (RINOA SUR) against the US-China Economic and Security Review Commission. Personnel from Indian Naval Military Intelligence were dispatched to the People’s Republic of China to undertake Telecommunications Surveillance (TESUR) using the RINOA backdoors and CYCADA-based technologies.

The memo also included proof of the intercept operation, by quoting transcripts captured by the naval staff. Overall, India’s Military Intelligence was pleased with the RINOA SUR platform.

Security and privacy researcher Christopher Soghoian commented, “Due to export control [requirements], NSA (and until 2010, Commerce Dept) have source code for all US made enterprise security/communications products…”

“Instead of worrying about hackers getting access to 5+ year old Norton code we should worry about what NSA/US Military does with recent code.” The U.S. government, as well as other nations around the world, each have some form of intercept and monitoring operation. However, getting them to actually confirm the scope of such operations and what they’re used for is another matter entirely.

Symantec would not disclose what it has done for any specific government, but did explain its policy on the issue to SecurityWeek.

“On a case-by-case basis and upon request, Symantec shares how our code operates to prove the functionality of our code with governments for compliance and software assurance purposes,” the company said. “We consider each request on a case by case basis, we engage in a lengthy vetting process with appropriate government trade agencies involving our Legal departments, our CTO’s office, our IT departments and our government relations team. We are compelled by law in some cases by governments to share the effectiveness of our code in order to sell our products in that given country.”

“Governments need to and have the right to check on the safety and validity of the safety of products that enter and are sold in their country, whether it is information security software, food products, drugs, etc.,” Symantec explained.

In 2010, RIM came under fire for their cooperation with the Indian government. Despite what they said to the press, it would seem that while they didn’t hand over encryption keys, they did offer India other levels of access.

In fact, reading their release from the time, RIM essentially said they would allow backdoors to a point. Because, RIM’s cooperation can be fully expected, as long as the requirements “be limited to the strict context of lawful access and national security requirements as governed by the country’s judicial oversight and rules of law.”

“RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.”

Given that what India was doing is legal by India’s own laws, RIM would have no problems helping when ordered, especially if it means being able to do business in the country. The same can be said for Apple and Nokia.

In the meantime, the Lords of Dharmaraja have promised to release more information. So it is possible that additional intercept details will emerge. Time will tell.

By Bill Ray • Get more from this author

Posted in CIO, 6th January 2012 14:39 GMT

Canadian police have apparently used BlackBerry communications to arrest murder suspect Raynald Desjardins in a move seen as an unprecedented use of intercepted data.

However, it is unclear whether or not the data was really intercepted or whether it was provided to cops via wiretap warrants.

The cuffed bloke has been charged with the murder of Salvatore Montagna, who was killed in November last year and was heavily involved in the New York criminal fraternity according to the Global Montreal. The raid involved searching 14 locations and the arrest of three other suspects, but it’s the interception of BlackBerry data that has attracted most attention:

RIM is making the usual noises about respecting users’ privacy and working with law enforcement, but anyone familiar with how RIM’s network operates shouldn’t be surprised by the abilities of prying detectives.

The Canadian police seized at least one BlackBerry during the raid, and once one has possession of the handset then extracting the onboard data is relatively easy, especially if the plod remember not to turn it off, and secure it in a radio-proof bag, as they’re supposed to.

But the Canadians probably had access to the communications before they got the handset. RIM’s architecture only secures email communications when routed through a privately-owned BlackBerry Enterprise Server (BES). We don’t know if this lot were routing things though their own server, but if not then everything would be routed though RIM’s own servers which are open to lawful intercept like any telecommunications hub.

But it is BlackBerry’s instant messaging service (BBM) that most people seem to (inappropriately) trust, and which is alluded to in the report.

BBM is indeed encrypted end-to-end, so should be resistant to intercept, if it weren’t for the fact that it relies on a single, shared, secret which is embedded in every BlackBerry device. That secret is also know to RIM, which can (be obliged to) decrypt traffic just like everyone else.

These days everyone from London rioters to New York Mafiosi should know that electronic communications is rarely secure from court-backed eavesdropping, but perhaps it’s better they don’t.

Canadian coppers told the AFP they would not confirm whether they had cracked BlackBerry’s encryption or whether RIM had given them access to its secure servers. The prosecutor in the case was reported by La Presse as saying (French) that he would “advocate for preventing the disclosure of wiretap warrants” and refuse questions from defence attorneys on the subject. ®

PSIC delivers innovation, integration and interoperability in public security for end-users worldwide. As an independent and open platform for innovative technologies and services in public security, we offer a vast network of integrated security solutions, linking vendors to government, businesses, NGO’s and the public. We offer professional security advisors as well as complete training packages.

Our mission is to bring the best of breed security solutions from all over the world to end-users: government, critical infra structure and NGO’S in a purely ethical way.

Philosophy
The PSIC philosophy is simple: security challenges all over the world have a lot in common. The scale can differ, there are variations per country, but no issue is unique. This means that for most problems, a solution is already invented somewhere in the world. It is PSIC’s goal to find these solutions and, when none seems to exist, create a solution. In a multi stakeholder environment and using cross industry specialists, we believe that there is no challenge that cannot be met, even if sometimes only partially. Integration of existing technology is often the answer, or use of technology from another industry. Technologies from the space industry, medical technology, gaming, all have been used to increase security and to mitigate security challenges.

Team
CEO Emmie van Halder has created a unique team with security specialists in the broadest sense. Chairman of the PSIC Advisory Board is former Chairman National Operational Staff, Chief National Dutch Police Agency Peter van Zunderd, who was responsible for the UEFA Euro 2000 Holland/Belgium Cup as Director General. Former Chief of Defense and Commander in Chief of the Dutch Armed Forces, General Dick Berlijn, also serves on the board, as well as the ex CEO of Siemens International, Mr. Martin van Pernis. This team brings police and military expertise together as well as security technology knowledge. The security specialists and associates in PSIC all have their expertise: counter terrorism, VIP protection, CBRNE, border security, surveillance technology etc. Associated specialists have been vetted and are the top of their field: senior ex-Israeli secret service officers, ex-Shell security specialist for critical infra structure protection, special forces for marine and anti-piracy issues, intelligence officers for lawful interception and surveillance, air and ground marshals, VIP protection.

Innovation Forum
Our forum links public security technology and service providers with end-users. Thus, it is not about research or innovation in a vacuum. End-users (governments, Police, NGO’s and commercial companies) can bring their specific needs to PSIC and have a solution developed or adapted for them. They can experience the technologies at the PSIC Demonstration Center in The Hague, The Netherlands, or they can meet and interact with tech providers in innovation jam sessions and bespoke workshops. PSIC security specialists can carry out quick scans and risk analyses, followed by detailed security plans and training programs. PSIC is in constant discussion with the end-users. Our client relationships are often classified, but to mention a few of our projects in the public domain: security planning for the London Olympics, a social security project for a Dutch city, security strategy for the FIFA world cup, anti-piracy services for a petrochemical multinational, innovation sessions with the Netherlands Police, security advise to the Somaliland government, security awareness sessions with a Counter Terror group.

Training Programs
PSIC offers bespoke training programs for security officials, police and rescue workers. In our demo center in The Hague we have state-of-the-art facilities to either have classroom sessions or, more often than not, in a virtual reality environment in real scenarios. The virtual reality training can be especially developed by one of the PSIC partners, or can be bought off-the shelf. Scenarios include large events, natural disasters, VIP hostage situation and left luggage scenarios.

PSIC in Public Security
• PSIC employs technologies created for and used by public security organizations, governments at all levels, businesses and industries, NGO’s and the public.
• PSIC addresses scenarios of all types of hazards – natural disasters, technological failures and terrorist attacks.
• PSIC enables improvement in the major functions of public security – assess, decide, resource, monitor, manage and evaluate.
• PSIC challenges companies to innovate through technology development and information sharing to achieve more effective prevention, protection, response and recovery management.

PSIC was founded in 2008 as an initiative of the Netherlands Ministry of Economic Affairs and the City of The Hague, The City of Peace, Justice and Security. PSIC is part of the “Pieken in de Delta”-subsidy programme to support collaborative use of commercial technologies in public security.

Lawful Interception (LI) implementation is required by the European Union International User Requirements 19951 which allows for LI to prevent crime, including fraud and terrorism.

The ETSI specifications are now in use in other countries that require the Lawful Interception of telecommunications.

Official Journal C 329 , 04/11/1996 p. 0001 – 0006 Council Resolution of 17 January 1995 on the lawful interception of telecommunications

ETSI technical committee Lawful Interception (LI) covers the whole spectrum of interception aspects working closely with other ETSI committees and with the 3rd Generation Partnership Project (3GPPTM).

At the core of an ALL IP NGN network is the IP Multimedia Subsystem (IMS) which provides an access independent platform for a variety of access technologies. IMS is being developed in 3GPPs Service and System Aspects Group, with the handover interface for lawful interception being developed in LI.

In 2006 the Terms of Reference of LI were extended to include work on Retained Data and the committee has started work on two relevant specifications: one on requirements and a second on the Retained Data Handover Interface.

A major achievement of ETSI work in this area has been publication of the specifications for the handover procedure: TS 101 671 and ES 201 671. These specifications illustrate the flow that the intercepted data should follow in telecommunication networks or services. Among other activities, ETSI LI is currently working on Retained Data, producing two specifications: Requirements of Law Enforcement Agencies for handling of Retained Data and Handover Interface for Retained Data.

The ETSI Model for LI is specified in TS 101 671, TS 101 331 and ES 201 158