Public participation site

How will the business of existing top-level domains (TLDs) be impacted by the new gTLDs? Someone asked me this simple question and I was very surprised to see that my online searches couldn't easily find many detailed articles or research related to that point. I found a great number of articles about the potential impact of new gTLDs on regular businesses/brands and any number of articles about how great the new gTLDs will be for companies in the domain name industry, but found surprisingly little research or analysis into how the new gTLDs would impact the business of existing TLDs. I found a few examples of analysis at a ccTLD level (such as a report from NIC.AT), but not much looking at the domain name industry overall. Maybe I was just using the wrong search terms, but my searches yielded little with any detailed view.

So I ask you all here… what research or analysis is out there on this topic? Any suggestions and links left in the comments would be greatly appreciated. Thanks.

Written by Dan York, Author and Speaker on Internet technologies

Follow CircleID on Twitter

More under: Domain Names, Top-Level Domains

Towards gender equality

The 7th meeting of the UN Broadband Commission in Mexico City was again a good combination of announcements about new plans, results of previously undertaken activities, and views on the future of broadband. Very noticeable was the enthusiasm and acknowledgement of the impact of ICT, and of broadband in particular.

In September 2012 the Commission launched its working group on gender equality. Research undertaken by the various members of the workgroup provided somewhat similar results:

• Globally there is a 21% gender gap in relation to access to mobile phones, although in South-East Asia this gap is 37%.
• 40% of women in developing economies find a job due to ownership of a mobile phone.
• The global gap for internet access is 25%, while in the sub-Saharan countries this is 45%.
• There are most likely thousands of gender equality pilots. Of these pilots, those that are now delivering results need to move on to the implementation stage.
• Only 29% of the 119 national broadband plans around the world include policies for gender equality.
• Empowering young people to adopt ICT will give them the ability to teach their parents, and the reverse of this will also apply.
• A full half-day of the two-day meeting of the Commission was dedicated to gender equality in broadband. The following day the full Commission endorsed the goal set by the working group calling for global equality in broadband access by 2020. Women are key in household and community development, and gender equality will add between US$13 and US$18 billion to economic GDP (Intel. 2013).

7th Broadband Commission for Digital Development Meeting – Mexico City, Mexico, 16-17 March 2013.
Photo: ITU (Click to Enlarge)The Commission also specifically mentioned that gender equality should not be, or become, a separate single issue. It is not another 'ism'. It should automatically be included in all aspects of ICT, broadband and policies in general. At the moment, technology is not gender-neutral.

An unexpected good news story came from Iraq. In 2011 only 20% of women in that country had access to a mobile phone. Thanks to a new mobile package specifically designed for women by mobile operator Asiacell (part of the Qtel Group) 40% of Asiacell's subscriber base are now women, and an additional 1.8 million of them will have access to a mobile phone by the end of 2014. The package specifically addresses the cultural aspects of womanhood in an Arab country — for example, female sales assistants, access to an all-female call centre, blocking of calls and SMS from certain people — and the way women use mobile — e.g., reduced tariffs for longer calls. It is to be hoped that the ideas and success of this initiative will spread.

The issue of violence against women was highlighted. Worldwide there are most likely hundreds of millions of women who suffer abuse, and this was highlighted with shocking examples from the Syrian refugee camps in Jordan, where girls as young as 12 years will be forced to sell themselves in order to survive. Radio and TV programs are used by the Jordanian government to try and empower these girls, but ICT, and mobile phones in particular, can be used to break through this cycle of abuse.

One million ICT-empowered community workers

In January 2013 the One Million Community Workers program, aimed at providing one million smartphones to community workers — predominantly in the sub-Saharan countries, which has the largest group of least developed countries in the world — was officially launched and adopted by the African Union. Nine countries have already signed up to the program, with another six in the pipeline and more to follow. Both the smartphone vendor community and the mobile operators — MTN in particular — have given their support to this program. This is critical as rural mobile coverage will have to be extended in these countries and low-cost smartphones need to be made available (Huawei announced that by the end of the year there will be a US$50 smartphone).

In relation to healthcare, the UN Foundation (UNF) mentioned that there is huge shift in providing healthcare rather than bringing people to it. Through m-health, healthcare will increasingly be delivered to the people. The UNF recently also launched a report on standards and interoperability in e-health.

New projects of the Commission

New projects that received support from the Commission included:

A commitment to promote digital accessibility for the one billion people with disabilities worldwide, similar to the gender equality goal stimulating the development of policies that will lead to equality in relation to ICT access. Between 30%-50% of people with disabilities do not have access to the internet. In all developing economies, people with disabilities, together with older-aged people, form by far the largest unconnected segment.

Youssou N'Dour – New AfricaCommissioner Youssou N'Dour, the famous African musician and Minister of Tourism of Senegal, received support for his project 'New Africa 2014'. I would like to recommend this very moving video clip to you. His aim is to encourage the use of ICT and broadband by the youth of Africa, through his music. Several Commissioners will attend and speak at his concert in Dakar, Nigeria.

The Commission also launched a new Task Force on the post-2015 development agenda and the future Sustainable Development Goals (SDGs) — or as some prefer to call them Continuous Development Goals. The initiative aims to leverage the huge installed base of mobile handsets to bring new services to communities globally, particularly in the world's poorest countries. ITU's m-Powering Initiative, seeks to act as a catalyst to achieve sustainability, harnessing the power of state-of-the-art ICTs and smart solutions to meet new Sustainable Development Goals.

The Commission's working group on Youth will lead a Global Youth Summit on technology issues, to be held in Costa Rica in November at the invitation of President Laura Chinchilla. Interesting research presented at the meeting by Alcatel-Lucent indicated that in countries with high youth unemployment (Spain, Bangladesh, India, Ghana) 30% of young people indicated a willingness to become an entrepreneur by using their mobile phone and ICT skills.

As young people are quickly becoming tech-savvy it is critical to launch 'train-the-trainer' projects — train community workers, etc. The recently announced educational reforms in Mexico are a good example of a positive direction, as they include a much larger role for ICT in education.

The future of broadband

Last but not least, the future…

While promoting the development of national broadband access and affordability policies continues to be the key goal for the Commission, the focus is starting to shift towards 'broadband as a catalyst for social and economic transformation'. According to Ericsson, 6.5 billion people will be connected to the internet by 2018, and by that time 95% of the global population will have access to mobile technology, with the majority having access to a smartphone.

Several Commissioners were very pleased that access is well and truly underway in many developing countries, and noted that policy development now needs to encompass the demand side (services and applications). While progress has been made in bridging the digital divide, there is now a growing policy gap. This exists particularly in relation to government policies towards the development of e-health, e-education, e-government and e-commerce. There is increased awareness among governments and politicians that their citizens have a right to information, but the problem is that most of that information is not yet available. There is an urgent need to ensure that the supply side in relation to the broadband revolution is addressed as well.

This was demonstrated by an example from India, where the government is presented with one million questions per day. A reply often takes 90 days or more, and, depending upon who answers it, the same question can supply different answers. Imagine the costs that can be taken out of the economy if e-government was widely available.

To illustrate the transformative impact of broadband, Ericsson reports that villages in the Amazon that have a mobile base station saw their GDP increase by 300%. This is done through a completely private project known as Amazon Connect.

On the other hand, the American government has calculated that not being connected to the internet creates an extra cost to the economy of $70,000 per year per family. Internet access allows families and the government to remove costs from their social and economic expenditure.

Another interesting observation is that there has been much faster growth in technology than there has been in the generation of government policies. Governments need to be made aware of the rapidly increasing gap between technology and policy. While this is an international problem — western governments are also struggling with such policies — the gap is growing most quickly in the least developed economies, and the Commission is committed to placing its full network of Commissioners behind the notion of assisting these countries in policy development. The key here is to lower the costs and give these countries complete solutions.

Written by Paul Budde, Managing Director of Paul Budde Communication

Follow CircleID on Twitter

More under: Access Providers, Broadband, Mobile, Telecom

INET Denver is April 17, 2013 — register today to reserve your spot!

You won't want to miss this unique opportunity to join IPv6 networking professionals from across North America, who will attend to learn the latest on IPv4 exhaustion and how to transition to IPv6. The INET Denver agenda will bring together top experts in the networking field to discuss the latest on IPv4 exhaustion in our market, and the TCO of IPv6.

The line up of speakers includes industry experts like:

John Curran, President & CEO, ARIN
Owen DeLong, IPv6 Evangelist, Hurricane Electric
Lee Howard, Director of Network Technology, Time Warner Cable
Dr. Patrick Ryan, Public Policy & Government Relations Counsel, Google

When:

April 17, 2013
Registration: 12:00 - 1:00 PM
INET Denver: 1:00 - 6:00 PM
Refreshments: 6:00 - 7:30 PM

Where:

Grand Hyatt Denver
1750 Welton Street
Denver, CO 80202

Additional Details:

http://www.internetsociety.org/events/inet-denver

Registration:

http://www.internetsociety.org/form/inet

The INET Denver will co-locate with the 2013 North American IPv6 Summit. Take part in this unique opportunity to learn from top experts in the networking field discussing the latest on IPv4 exhaustion in our market and the TCO of IPv6.

Don't delay and register today!

Follow CircleID on Twitter

More under: IP Addressing, IPv6

INET Denver is April 17, 2013 — register today to reserve your spot!

You won't want to miss this unique opportunity to join IPv6 networking professionals from across North America, who will attend to learn the latest on IPv4 exhaustion and how to transition to IPv6. The INET Denver agenda will bring together top experts in the networking field to discuss the latest on IPv4 exhaustion in our market, and the TCO of IPv6.

The line up of speakers includes industry experts like:

John Curran, President & CEO, ARIN
Owen DeLong, IPv6 Evangelist, Hurricane Electric
Lee Howard, Director of Network Technology, Time Warner Cable
Dr. Patrick Ryan, Public Policy & Government Relations Counsel, Google

When:

April 17, 2013
Registration: 12:00 - 1:00 PM
INET Denver: 1:00 - 6:00 PM
Refreshments: 6:00 - 7:30 PM

Where:

Grand Hyatt Denver
1750 Welton Street
Denver, CO 80202

Additional Details:

http://www.internetsociety.org/events/inet-denver

Registration:

http://www.internetsociety.org/form/inet

The INET Denver will co-locate with the 2013 North American IPv6 Summit. Take part in this unique opportunity to learn from top experts in the networking field discussing the latest on IPv4 exhaustion in our market and the TCO of IPv6.

Don't delay and register today!

Follow CircleID on Twitter

More under: IP Addressing, IPv6

Mary Iqbal writes to report that ICANN has released the second round of Initial Evaluation Results on March 29. ICANN is currently reviewing new gTLD applications at a rate of 30 applications per week and has plans to increase that to 100 per week. ICANN is targeting completing Initial Evaluation for all applicants by August 2013. To learn more, visit www.GetNewTLDs.com/news.

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

Mary Iqbal writes to report that ICANN has released the second round of Initial Evaluation Results on March 29. ICANN is currently reviewing new gTLD applications at a rate of 30 applications per week and has plans to increase that to 100 per week. ICANN is targeting completing Initial Evaluation for all applicants by August 2013. To learn more, visit www.GetNewTLDs.com/news.

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

Culminating a year-long policy development process, ICANN today launched its new Blocking Usage Review Panel (BURP). The BURP provides long-needed oversight over services that block Internet traffic.

"While everyone understands that national laws such as the U.S. CAN SPAM define what traffic is or is not elegible to block, legal processes can be slow and cumbersome," said a spokeswoman. "Since the Internet is global and traffic often traverses multiple countries, the array of different laws cause uncertainty."

The BURP is designed to be quick and easy. No signup process is needed, since everyone who sends traffic to or from the Internet is covered automatically. When a complaint is filed, an evaluation panel is selected with a member from each constituency:

• IP based blocklists including Spamhaus, UCEPROTECT, SORBS, and Spamcop
• Major brand advertisers including Kraft, the AARP, and Vistaprint
• Public interest groups such as the Electronic Frontier Foundation, Free Software Foundation, and Stophaus

The BURP panel will meet and promptly produce its decision, typically in no more than six to ten weeks. During that time, to prevent inadvertent damage, any blocking will be suspended.

"While it is possible that a small amount of spam or malware might slip through during the decision period, we're confident that the increased transparency far outweighs any minor inconvenience," noted ICANN.

Spamhaus president Steve Linford, contacted at their temporary headquarters in space subleased from Google in Chapel Hill NC commented:

"Spamhaus welcomes this increased level of detailed oversight. We expect the BURP to increase confidence among major stakeholders including marketers, the press, and developers of installable software."

ICANN disclosed that they have hired a well known specialist in e-mail marketing, who recently completed a multi-year assignment.

"We are fortunate to have been able to retain Mr. Alan Ralsky to oversee the new BURP. His broad industry experience uniquely qualifies him for the role," said ICANN, "and the timing couldn't be better."

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: ICANN

Neil Schwartzman writes to report that U.S. Cert issued Alert TA13-088A on Friday March 29, 2013. "It is a solid how-to guide to test for, and remediate DNS configurations that can be used for Distributed Denial of Service attacks."

From the Alert: "While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack."

Follow CircleID on Twitter

More under: Cyberattack, DDoS, DNS, DNS Security, Security

Neil Schwartzman writes to report that U.S. Cert issued Alert TA13-088A on Friday March 29, 2013. "It is a solid how-to guide to test for, and remediate DNS configurations that can be used for Distributed Denial of Service attacks."

From the Alert: "While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack."

Follow CircleID on Twitter

More under: Cyberattack, DDoS, DNS, DNS Security, Security

In light of the recent submarine cable failures, Doug Madory from Renesys has a detailed report on what has happened to some of the providers in four countries along the route of the cable: Egypt, Saudi Arabia, Pakistan and India.

Madory writes: "It has been a rough few weeks for the global Internet, given numerous submarine cable failures and the largest DDOS attack ever reported. While we're hard-pressed to find evidence of the purported global Internet slowdown due to the DDOS attack, the dramatic impacts of yesterday's SMW4 submarine cable cut were profound. Recent reports that the cable break was the result of sabotage, makes the incident even more intriguing."

Read the full report here.

Follow CircleID on Twitter

More under: Access Providers, Broadband

In light of the recent submarine cable failures, Doug Madory from Renesys has a detailed report on what has happened to some of the providers in four countries along the route of the cable: Egypt, Saudi Arabia, Pakistan and India.

Madory writes: "It has been a rough few weeks for the global Internet, given numerous submarine cable failures and the largest DDOS attack ever reported. While we're hard-pressed to find evidence of the purported global Internet slowdown due to the DDOS attack, the dramatic impacts of yesterday's SMW4 submarine cable cut were profound. Recent reports that the cable break was the result of sabotage, makes the incident even more intriguing."

Read the full report here.

Follow CircleID on Twitter

More under: Access Providers, Broadband

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about.

It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if they were, ICANN's processes or lack thereof will cause other huge problems.

The simplest issues are administrative ones for ICANN. In the olden days updates to the root zone were all handled manually, signed email from ICANN to Verisign, who manages the root zone, with a check at NTIA, who oversees it under longstanding contracts. As the number of changes increased, more due to added IPv6 and DNSSEC records than increased numbers of TLDs, the amount of email got unwieldy so they came up with a new system where the change data is handled automatically with people looking at secure web sites rather than copy and paste from their mailboxes. This system still in testing and isn't in production yet; Verisign would really prefer that it was before ICANN starts adding large numbers of new TLDs.

The new domains all have to use the Trademark Clearinghous (TMCH), a blacklist of names that people aren't allowed to register. Due to lengthy dithering at ICANN, the the TMCH operator was just recently selected, and they haven't even started working out the technical details of how registry operators will query it in real time as registrations arrive.

There are other ICANN issues as well, the process for transferring a failed registry's data to a backup provider isn't ready, nor is zone file access for getting copies of zone data, nor are the pre-delegation testing reqiurements done, and the GAC (the representatives from various governments) could still retroactively veto new domains even after they'd been placed in service.

All of these issues are well known, and the technical requirements have been listed in the applicant guidebook for several years, so it does reflect poorly on ICANN that they're so far from being ready to implement the new domains.

Most importantly, Verisign notes that the root servers, who are run by a variety of fiercely independent operators, have no coordinated logging or problem reporting system. If something does go wrong at one root server, there's no way to tell whether it's just them or everyone other than making phone calls. Verisign gives some examples of odd and unexpected things that happened as DNSSEC was rolled out, and again their concerns are quite reasonable.

An obvious question is what is Verisign's motivation in publishing this now. Since they are the registry for .COM and .NET and a few smaller domains, one possibility is FUD, trying to delay all the new domains to keep competitors out of the root. I don't think that's it. Over 200 of the applications say that they'll use Verisign to run their registries, so Verisign stands to make a fair amount of money from them. And everyone expects that to the extent the new TLDs are successful at all, it'll be additional, often defensive registrations, not people abandoning .COM and .NET.

So my take on this is that Verisign means what they say, the root isn't ready for all these domains, nor are ICANN's processes ready, and Verisign as the root zone manager is justifiably worried that if they go ahead anyway, the root could break.

Update: Thu April 4, 2013
A follow up to the discussed Verisign's white paper, New gTLD Security and Stability Considerations, in which they listed a bunch of reasons that ICANN isn't ready to roll out lots of new TLDs. Among the reasons were that several of the services the new GTLDs are required to use aren't available yet, including the Emergency Back End Registry Operators (EBEROs), who would take over the registry functions for a TLD whose operator failed. They were supposed to have been chosen in mid-2012. By complete coincidence, ICANN has announced that they had chosen the three Emergency End Registry Operators. I can't wait to see what happens next week.

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: DNS, DNS Security, ICANN, Security, Top-Level Domains

If you haven't been reading the news of late, venerable anti-spam service Spamhaus has been the target of a sustained, record-setting Distributed Denial-of-Service (DDoS) attack over the past couple of weeks.

Al Iverson over at Spamresource has a great round-up of the news, if you haven't managed to catch the news, go check it out, then come on back, we'll wait ...

Of course, bad guys are always mad at Spamhaus, and so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster some huge resources, heretofore never seen in intensity, and it had some impact, on the Spamhaus website, and to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers.

Some reasonable criticism, was aimed at the New York Times, and Cloudflare for being a little hyperbolic in their headlines and so on, and sure, it was a bit 'Chicken Little'-like, the sky wasn't falling and the Internet didn't collapse.

But, don't let the critics fools you, this was a bullet we all dodged.

For one, were Spamhaus to be taken offline, their effectiveness in filtering spam and malware would rapidly decay, due to the rate at which their blocklists need to be updated. The CBL anti-botnet feed and the DROP list both have many additions and deletions every day. These services are used to protect mail servers and networks against the most malicious criminal traffic. If they go down, a lot of major sites would have trouble staying up, or become massively infected with malware.

There are also a ton of small email systems that use the Spamhaus lists as a key part of their mail filtering (for free as it turns out). Were those lookups prevented, or tampered with, those systems would buckle under the load of spam that they dispense with easily thanks to Spamhaus.

To put it into perspective, somewhere between 80% & 90% of all email is spam, and that's the stuff Spamhaus helps filter. So it doesn't take a Rocket Scientist to figure out that if filters go out, so do the email systems, in short order. AOL's Postmaster famously said, at an FTC Spam Summit a decade ago, before the inception of massive botnets, that were their filtering to be taken offline, it'd be 10 minutes before their email systems crashed.

Due to some poorly researched media reports (hello, Wolf Blitzer!), there is a perception that this is a fight between two legitimate entities, Spamhaus and Stophaus; some press outlets and bloggers have given equal time to the criminals (we use that word advisedly, there is an ongoing investigation by law enforcement in at least five countries to bring these people to justice). Nothing could be further from the truth. The attackers are a group of organized criminals, end of story. There is nothing to be celebrated in Spamhaus taking it on the chin, unless you want email systems and networks on the Internet to stop working.

So yeah, it was a big deal.

Written by Neil Schwartzman, Executive Director, CAUCE North America

Follow CircleID on Twitter

More under: Cyberattack, Cybercrime, Data Center, DDoS, DNS, DNS Security, Email, Malware, Security, Spam

Last year there was a "threat" by anonymous group to black out Internet by using DNS Reflection/Amplification attack against the Internet DNS Root servers. I even wrote a little article about it: "End of the world/Internet”

In the article I was questioning if this was even possible and what was needed as general interest and curiosity.

Well, looking at the "stophaus" attack last week, we are getting some answers.

I would say it is a real threat now and is a valid attack vector. Seems you only need a couple of ingredients:

Open recursive DNS servers

Many of these are already available, and numbers increase. This not only includes dedicated DNS Server systems, but also any equipment attached to the internet capable of handling DNS requests it seems (like cable-modems, routers, etc). So the risk this will be utilized again, will be greater every day now.

A party that is capable/willing do set it off

Seems that there are more and more parties on the Internet that open to "attack" certain entities on the Internet to defend their believes. In above case, stressing even the Internet and influence the usage of everyone on it.

Infrastructure

Lets call it the "Internet", "Logistics" and "Bandwidth". Looking at the numbers, it is apparent that you need little (in context) and it is possible to do so if you want. Technology, services or other wise it is not really challenging. And it can be done not from a shady area/country either.

I suspect we will see more of this happening now the "proof-of-concept" is done. It still worries me when the real guns are pulled out and focus would shift from particular entities to the root infrastructure of the Internet.

I had a couple of talks with my expertise peers on this how to mitigate this, it is very difficult as it is sheer load coming from every corner of the Internet. We really did not come up with a single solution. Mitigation would probably mean "breaking" some parts of the Internet as collateral damage, which in size would probably be disruptive enough as well.

Main concern in this, again, is the "open resolvers" out there that we cannot control without education and regulation on how DNS is deployed (you know, the thing we are allergic/apathetic about on/about Internet).

The more thoughts I give this, the more I think the solution is not only technical but mostly an organisational/educational/regulation one… Before that is in place, we probably will experience some outages…

Written by Chris Buijs, Head of Delivery

Follow CircleID on Twitter

More under: Cyberattack, DDoS, DNS, DNS Security

The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history. A row between a spam-fighting group and hosting firm has sparked retaliation attacks affecting the wider internet. It is having an impact on popular services like Netflix — and experts worry it could escalate to affect banking and email systems.

Read full story: BBC

Follow CircleID on Twitter

More under: Cyberattack, DDoS, Spam

The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history. A row between a spam-fighting group and hosting firm has sparked retaliation attacks affecting the wider internet. It is having an impact on popular services like Netflix — and experts worry it could escalate to affect banking and email systems.

Read full story: BBC

Follow CircleID on Twitter

More under: Cyberattack, DDoS, Spam

For those of you interested in IPv6 and/or DNSSEC, we'll have a live webcast out of the Internet Society's ION Singapore conference happening tomorrow, March 28, 2013, starting at 2:00pm Singapore time.

Sessions on the agenda include:

• The Business Case for IPv6 & DNSSEC
• Deploying DNSSEC: From End-customer to Content
• Industry Collaboration: Working Together to Deploy IPv6

Joining the sessions are a variety of speakers from across the industry and within the Asia Pacific region. Information about the webcast can be found at:

http://www.internetsociety.org/deploy360/ion/singapore2013/webcast/

We'll also be recording the sessions so you can view them later. For example, given that Singapore time is 12 hours ahead of U.S. Eastern time, I don't expect many of the folks I know there to be up at 2am to watch these sessions!

The ION Singapore conference is produced by the Internet Society Deploy360 Programme and is part of the ICT Business Summit taking place this week in Singapore. I just got to meet some of the panelists at a dinner tonight and I think the sessions tomorrow should be quite educational and also quite engaging and fun. Please do feel free to tune in if you are interested and have the chance to do so.

P.S. In full disclosure I am employed by the Internet Society to work on the Deploy360 Programme and for once a post of mine at CircleID IS related to my employer.

Written by Dan York, Author and Speaker on Internet technologies

Follow CircleID on Twitter

More under: DNS, DNS Security, IPv6, Security

ICANN today launched a database to enable trademark holders register their brands for protection against the upcoming new gTLDs. The Trademark Clearinghouse, according to ICANN, is the only officially authorised solution offering brands a one-stop-foundation for the safeguarding of their trademarks in domain names across the multiple new gTLDs that will go live from summer 2013. The cost of registering a trademark ranges between $95 and $150 a year.

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

ICANN today launched a database to enable trademark holders register their brands for protection against the upcoming new gTLDs. The Trademark Clearinghouse, according to ICANN, is the only officially authorised solution offering brands a one-stop-foundation for the safeguarding of their trademarks in domain names across the multiple new gTLDs that will go live from summer 2013. The cost of registering a trademark ranges between $95 and $150 a year.

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

As attack vectors go, very few are as significant as obtaining the ability to insert bespoke code in to an application and have it automatically execute upon "inaccessible" backend systems. In the Web application arena, SQL Injection vulnerabilities are often the scariest threat that developers and system administrators come face to face with (albeit way too regularly). In fact the OWASP Top-10 list of Web threats lists SQL Injection in first place.

This "in the wild" SQL Injection attempt was based upon the premise that video cameras are actively monitoring traffic on a road, reading license plates, and issuing driver warnings, tickets or fines as deemed appropriate by local law enforcement.
(Click to Enlarge)More often than not, when security professionals discuss SQL Injection threats and attack vectors, they focus upon the Web application context. So it was with a bit of fun last week when I came across a photo of a slightly unorthodox SQL Injection attempt — that of someone attempting to subvert a traffic monitoring system by crafting a rather novel vehicle license plate.

My original tweet got retweeted a couple of thousand of times — which just goes to show how many security nerds there are out there in the twitterverse.

This "in the wild" SQL Injection attempt was based upon the premise that video cameras are actively monitoring traffic on a road, reading license plates, and issuing driver warnings, tickets or fines as deemed appropriate by local law enforcement.

At some point the video captures of the passing vehicle's license plate must be converted to text and stored — almost certainly in some kind of backend database. The hope of the hacker that devised this attack was that the process would be vulnerable to SQL Injection — and crafted a simple SQL statement that could potentially cause the backend database to drop (i.e. "delete") the table containing all of the license plate information.

Whether or not this particular attempt worked, I have no idea (probably not if I have to guess an outcome); but it does help nicely to raise attention to this category of vulnerability.

As surveillance systems become more capable — digitally storing information, distilling meta-data from image captures, and sharing observation data between systems — it opens many new doors for mischievous and malicious attack.

The physical nature of these systems, coupled with the complexities of integration with legacy monitoring and reporting systems, often makes them open to attacks that would be classed as fairly simple in the world of Web application security.

A common failure of system developers is to assume that the physical constraints of the data acquisition process are less flexible than they are. For example, if you're developing a traffic monitoring system it's easy to assume that license plates are a fixed size and shape, and can only contain 10 alphanumeric characters. Meanwhile, the developers of the third-party image processing code had no such assumptions and will digitize any image. It reminds me a little of the story in which reuse of some object-oriented code a decade ago resulted in Kangaroos firing Stinger missiles during a military training simulation.

While the image above is amusing, I've encountered similar problems before when physical tracking systems integrate with digital backend processes — opening the door to embarrassing and fraudulent events. For example, in the past I've encountered similar SQL Injection vulnerabilities within systems such as:

• Toll booths reading RFID tags mounted on vehicle windshields — where the tag readers would accept up to 2k of data from each tag (even though the system was only expecting a 16 digit number).
• Credit card readers that would accept pre-paid cards with negative balances — which resulted in the backend database crediting the wrong accounts.
• RFID inventory tracking systems — where a specially crafted RFID token could automatically remove all record of the previous hours' worth of inventory logging information from the database allowing criminals to "disappear" with entire truckloads of goods.
• Luggage barcode scanners within an airport — where specially crafted barcodes placed upon the baggage would be automatically conferred the status of "manually checked by security personnel" within the backend tracking database.
• Shipping container RFID inventory trackers — where SQL statements could be embedded to adjust fields within the backend database to alter Custom and Excise tracking information.

Unlike the process of hunting for SQL Injection vulnerabilities within Internet accessible Web applications, you can't just point an automated vulnerability scanner at the application and have at it. Assessing the security of complex physical monitoring systems is generally not a trivial task and requires some innovative approaches. Experience goes a long way.

Written by Gunter Ollmann, Chief Technology Officer at IOActive

Follow CircleID on Twitter

More under: Security