New MANRS Routing Security Primers for Decision-makers

As a policymaker or executive, do you worry about your data getting stolen or intercepted? Or your website suffering an attack? Or your services being shut down? Today on the MANRS blog, we’re introducing new primers that explain why you should care about routing security and simple steps you can take to decrease routing security […]

The post New MANRS Routing Security Primers for Decision-makers appeared first on Internet Society.

Partnering with Global Cyber Alliance on Open Standards, Routing Security, and More

Our work is strengthened, and our impact magnified, when we collaborate with partners to build a secure and trustworthy Internet for all. That’s why we’re proud to announce we’ve entered into a Memorandum of Understanding (MoU) with the Global Cyber Alliance (GCA) to work together on routing security, open Internet standards, and other areas of joint interest. The Global Cyber Alliance is an international, cross-sector effort dedicated to reducing cyber risk and improving our connected world.

This relationship is not new. The Internet Society and GCA have a long history of working together, from promoting email and Internet of Things (IoT) security to improving routing security, increasing deployment of open standards, and helping stakeholders participate meaningfully in the multistakeholder management of core Internet resources.

Both organizations have emphasized the importance of research, capacity building, and advocacy to develop key technologies and policies. This work helps promote the Internet, its resources, the need for vigilant user-enabled security, and the need for the Internet to remain open, inclusive, and an enabler of opportunities.

“We’re proud to extend and formalize our long-standing relationship with GCA to create real change for network operators and Internet users around the globe. By joining forces, we can promote enhanced Continue reading

A (Fairly) Non-Technical Guide to Routing Security Basics

On the MANRS website, we write about routing security. We dig into the details of technical problems, research the origins of route leaks and hijacks, analyze trends and statistics related to networks around the globe via the MANRS Observatory, and generally get pretty nerdy about how to improve the routing system that underpins the Internet. Last week, we took a step back and published a series of posts regarding Routing Security Basics.

This 5-part series covers the following topics:

• What Is Routing?
• How Does Routing Work?
• What’s Wrong with Routing?
• What Are Routing Incidents?
• What are the MANRS Actions?

While it’s difficult to explain routing security without assuming some baseline knowledge, our intent is for these posts to be as non-technical as possible to help non-experts understand this sometimes-complicated topic.

It all started with a Twitter thread on a Friday afternoon, comparing routing security to online dating. We then expanded this silly analogy into a series of blog posts. Follow along as Juan, Maria, and Bad Guy Chad help us explain the types of routing incidents that happen and how the simple, concrete MANRS actions can help.

We hope you’ll read the Routing Security Basics posts, and if you’re Continue reading

Internet Society and Alliance for Affordable Internet Partner to Promote Community Networks and Expand Access for All

The Internet Society and the Alliance for Affordable Internet (A4AI), an initiative of the World Wide Web Foundation, have entered into a Memorandum of Understanding (MoU) to further their existing partnership to collaborate on promoting community networks to expand meaningful connectivity, and other areas of joint interest.

A4AI is a global coalition working to drive down the cost of Internet access in low- and middle-income countries through policy and regulatory reform. The Internet Society is a member of A4AI, and the two organizations share a vision of an open, globally connected, secure, and trustworthy Internet for everyone.

Both organizations have emphasized the importance of solid research, capacity building, and advocacy to develop the policies needed to reduce the cost to connect and enable everyone, everywhere to access Internet connectivity. A4AI and ISOC believe community networks provide a sustainable solution to address connectivity gaps that exist in underserved urban, remote, and rural areas around the world.

This MoU formalizes a longstanding relationship between the two organizations. In the past, we’ve worked together to collaborate on common policy and regulatory objectives across numerous UN and international fora to promote and advocate for the expansion of public access solutions through community networks, Continue reading

Making the Most of Our MANRS Partnerships – NIC.br and Brazil Lead the MANRS Pack

Read this blog in Portuguese

Improving the state of routing security is no small task. It requires network operators, IXPs, and CDN and cloud providers of all sizes across the globe to work together, improve their own networks, and open lines of communications with both their friends and competitors to make a real difference.

One of the ways we’ve been able to spread the MANRS message so far and wide is through partnerships. We’re lucky to have dedicated, strong partners in several regions of the world. In this post, we’ll talk about one partnership in particular – NIC.br – and how their efforts have changed the landscape for routing security in Brazil and beyond.

A Little History

NIC.br is responsible for the administrative and operational functions related to the .br (Brazil) domain. In addition, NIC.br goes beyond similar entities in other countries, investing in actions and projects that bring a series of benefits to the improvement of activities related to the available Internet infrastructure in Brazil.

In 2017, NIC.br hosted a Safer Internet Program, which the Internet Society supported. NIC.br invited Andrei Robachevsky to speak on a fairly new initiative called MANRS addressing routing security as Continue reading

Working with APRICOT to Improve Routing Security

We’re pleased to announce that the Internet Society and the Asia Pacific Network Operators Group Ltd (APNOG) signed a Memorandum of Understanding (MoU) to cooperate in supporting the MANRS initiative in the Asia-Pacific region.

APNOG is the non-profit entity that runs the annual APRICOT conference, also called the Asia-Pacific Regional Internet Conference on Operational Technologies. APRICOT is the largest meeting of the technical community in the region.

The agreement will see the two undertake initiatives and activities to promote the security of the Internet’s global routing system and Mutually Agreed Norms for Routing Security (MANRS). MANRS is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.

We agree to tackle routing-related cybersecurity incidents such as route hijacking, route leaks, IP address spoofing, and other harmful activities that can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage, and more.

APRICOT draws many of the world’s best Internet engineers, operators, researchers, service providers, and policy enthusiasts from around the world to share the technical knowledge needed to run and expand the Internet securely. The partnership will allow MANRS to better leverage the platform to promote routing security to conference participants, Continue reading

Announcing the 2020 U.S. Presidential Campaign Audit

Today, the Internet Society’s Online Trust Alliance released a new report, the “2020 U.S. Presidential Campaign Audit,” analyzing the 23 top current presidential campaigns and their commitment to email/domain protection, website security, and responsible privacy practices. OTA evaluated the campaigns using the same methodology we used to assess nearly 1,200 organizations in the main Online Trust Audit released in April.

An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. The 2020 campaigns, taken together as a sector, lagged behind the Honor Roll average of all other sectors (70%) in the 2018 Online Trust Audit, and were far short of the Honor Roll achievement of 91% by U.S. federal government organizations.

To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. The campaigns who made the Honor Roll are:

• Pete Buttigieg
• Kamala Harris
• Amy Klobuchar
• Beto O’Rourke
• Bernie Continue reading

Celebrating National Cybersecurity Awareness Month

Every October, we mark National Cybersecurity Awareness Month. From the U.S. Department of Homeland Security website, “Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.”

We believe in an Internet that is open, globally connected, secure, and trustworthy. Our work includes improving the security posture of producers of Internet of Things (IoT) devices, ensuring encryption is available for everyone and is deployed as the default, working on time security, routing security through the MANRS initiative, and fostering collaborative security.

The Online Trust Alliance’s IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors/purchasers, and policymakers need to understand, assess, and embrace for effective security and privacy as part of the Internet of Things. Also check out our Get IoT Smart pages for get more consumer-friendly advice on IoT devices.

Much of OTA’s work culminates in the Online Trust Audit & Honor Roll, which recognizes excellence in online consumer protection, data security, and responsible privacy practices. Since that report’s release in April Continue reading

Online Trust Audit Updates & Translations Now Available

A slightly updated version of the Online Trust Audit & Honor Roll is now available in English, French, and Spanish.

Changes include:

• Accidentally marked Google Play as top scorer in Appendix C (instead of Google News)
• Missing bar in graph on page 5
• Several minor spacing, grammar, and miscellaneous edits

The Online Trust Audit & Honor Roll assesses nearly 1,200 organizations, recognizing excellence in online consumer protection, data security, and responsible privacy practices. This Audit of more than 1,200 predominantly consumer-facing websites is the largest undertaken by OTA, and was expanded this year to include payment services, video streaming, sports sites, and healthcare.

This is the first time in the Audit’s 10-year history that we’ve translated it, and we’re proud to bring it to a wider audience. Going forward, we will work toward adding more global sectors and regions into the report findings.

The Trust Audit Planning Committee, open to Internet Society organization members, has already had its first meeting to discuss the methodology for next year’s Audit. A public call for comment on the draft methodology will come later this year, so watch this blog or follow us on Twitter or Facebook to keep up with our Continue reading

Talking Internet of Things in Canada at IoT613 This Week

This week, 8-9 May, we’ll be at IoT613 in Ottawa, Canada, talking about our work on “Trust by Design” – the idea that privacy and security should be built into Internet-connected products, and not just an afterthought. We have been working with manufacturers to embrace the Online Trust Alliance’s IoT Trust Framework, which identifies the core requirements manufacturers, service providers, distributors/purchasers and policymakers need to understand, assess and embrace for effective IoT security and privacy. We also work to encourage consumers to demand security and privacy and to help policymakers create a policy environment that strengthens trust and enables innovation.

This week in Ottawa, we’ll have an Internet Society booth at the event both days, and on 9 May, Mark Buell, North American Bureau Director, will be part of an “IoT in Canada” panel that will “explore current IoT trends in Canada, identify the benefits of IoT for businesses and citizens and find out how Canada’s IoT ecosystem stacks up compared to the rest of the world.” Mark will speak about the Canadian Multistakeholder Process: Enhancing IoT Security, an Internet Society-led initiative to develop a broad-reaching policy to govern the security of the IoT for Continue reading

Do You Want Privacy With That?

You may have heard about CloudPets being pulled off shelves for recording kids’ voices and that data being leaked, or the EU recalling kids’ smart watches for giving away children’s location in real time. If you’re shopping for any sort of Internet-connected device, you should be worried about your privacy and investigating how much data your new gadget is collecting. That’s why we’ve joined Mozilla in calling on big retailers in the US like Target, Walmart, Best Buy, and Amazon to publicly endorse and apply our minimum security and privacy guidelines and stop selling insecure connected devices.

From the letter: “Given the value and trust that consumers place in your company, you have a uniquely important role in addressing this problem and helping to build a more secure, connected future. Consumers can and should be confident that, when they buy a device from you, that device will not compromise their privacy and security. Signing on to these minimum guidelines is the first step to turn the tide, and build trust in this space.”

In total, the letter is co-signed by 11 organizations: Mozilla, Internet Society, Consumers International, ColorOfChange, Open Media & Information Companies Initiative, Common Sense Media, Story of Continue reading

Webinar: Can Consumers Trust Retailers’ Email? Findings from OTA’s Email Marketing & Unsubscribe Audit

Cybersecurity, Data Protection, and IoT Events in November & December

The end of the year has been very busy, with Internet Society staff members speaking at many events on data protection, security-by-design, and the Internet of Things (IoT). First, to recap the last month, you might want to read the Rough Guide to IETF 103, especially Steve Olshansky’s Internet of Things post. Dan York also talked about DNSSEC and the Root KSK Rollover at ICANN 63, and there were several staff members involved in security, privacy, and access discussions at the Internet Governance Forum. In addition, we submitted comments on NIST’s white paper on Internet of Things (IoT) Trust Concerns; the NTIA RFC on Developing the Administration’s Approach to Consumer Privacy; and the NIST draft “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.

We also have several speaking engagements coming up in the next few weeks. Here’s a quick rundown of the events.

6^th National Cybersecurity Conference
27-28 November
Mona, Jamaica

The Mona ICT Policy Centre at CARIMAC, University of the West Indies is hosting the 6th National Cyber Security Conference. The Conference theme this year is “Data Protection – Securing Big Data, Understanding Biometrics and Protecting National ID Systems.” Continue reading

Announcing the Online Trust Audit & Honor Roll Methodology for 2018

The Online Trust Alliance (OTA) is an Internet Society initiative that aims to enhance online trust, user empowerment, and innovation through convening multistakeholder initiatives and developing and promoting best practices, ethical privacy practices, and data stewardship. One of OTA’s major activities is the Online Trust Audit & Honor Roll, which promotes responsible online privacy and data security practices and recognizes leaders in the public and private sectors who have embraced them. This morning, we released the methodology we’ll use for this year’s audit.

The report will analyze more than 1,000 websites on consumer protection, site security, and responsible privacy practices. Based on a composite weighted analysis, sites that score 80 percent or better overall, without failing in any one category, will be recognized in the Honor Roll.

Building largely on past criteria, this year’s updates include GDPR compliance and other security and privacy standards and practices, as well as adding a healthcare sector. From the press release:

Key changes to this year’s Audit include:

• Consumer Protection (email authentication, domain security and anti-phishing technologies) – more granular assessment of Domain-based Message Authentication, Reporting and Conformance (DMARC) support, and increased weight for use of opportunistic Transport Layer Security (TLS), which Continue reading

Registration Open for “Cyber Diplomacy Meets InfoSec and Technology” Alongside IETF 102

As we recently announced, the Global Commission on the Stability of Cyberspace (GCSC) will host a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology” alongside IETF 102 on Tuesday, 17 July. Registration opens today in two time slots for global time zone fairness, at 08:00 UTC and 20:00 UTC. Register here.

The Global Commission on the Stability of Cyberspace is developing norms and policy initiatives that intend to counter the risk to the overall security and stability of cyberspace due to rise of offensive cyber-activities, and especially those by states. During this session, the Commission wants to inform and engage with the IETF community on its work so far and the work that is in the pipeline.

The Internet Society is assisting with logistics. Internet Society Chief Internet Technology Officer and GCSC Commissioner Olaf Kolkman will moderate the panel. The panelists are:

• Irina Rizmal, researcher at the DiploFoundation specialized in policy analysis in matters pertaining to national security and defense.
• Bill Woodcock, Commissioner and Executive Director at Packet Clearing House, the non-profit agency that supports critical Internet infrastructure.
• Jeff Moss, Commissioner, founder of Black Hat and Defcon, member of the DHS security council, Continue reading

Tracking DNSSEC: See the Deployment Maps

Did you know the Internet Society Deploy360 Programme provides a weekly view into global DNSSEC deployment? Each Monday, we generate new maps and send them to a public DNSSEC-Maps mailing list. We also update the DNSSEC Deployment Maps page periodically, usually in advance of ICANN meetings.

DNS Security Extensions — commonly known as DNSSEC — allow us to have more confidence in our online activities at work, home, and school. DNSSEC acts like tamper-proof packaging for domain name data, helping to ensure that you are communicating with the correct website or service. However, DNSSEC must be deployed at each step in the lookup from the root zone to the final domain name. Signing the root zone, generic Top Level Domains (gTLDs) and country code Top Level Domains (ccTLDs) is vital to this overall process. These maps help show what progress the Internet technical community is making toward the overall goal of full DNSSEC deployment.

These maps are a bit different from other DNSSEC statistics sites in that they contain both factual, observed information and also information based on news reports, presentations, and other collected data. For more information about how we track the deployment status of TLDs, please read our page Continue reading

At IETF 102: The Global Commission on the Stability of Cyberspace – Cyber diplomacy meets InfoSec and Technology

On Tuesday, 17 July, during IETF 102 in Montreal, the Global Commission on the Stability of Cyberspace (GCSC) will host a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology.” During this session, the Commission wants to inform and engage with the IETF community on its work so far and the work that is in the pipeline.

The Global Commission on the Stability of Cyberspace is developing norms and policy initiatives that intend to counter the risk to the overall security and stability of cyberspace due to rise of offensive cyber-activities, and especially those by states.

Session Abstract

In this global environment we see conflict between states takes new forms, and cyber-activities are playing a leading role. There is an increasing risk of undermining the peaceful use of cyberspace and a growing for need norms and policies to enhance international security and stability.

The Global Commission on the Stability of Cyberspace, with commissioners from diverse backgrounds, sets out to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.

During this lunch panel we want to engage with the IETF community to discuss the norms the commission Continue reading

Routing Security & IPv6 at NANOG 73 in Denver

We’ll be at NANOG 73 in Denver, CO, USA this week talking about routing security, MANRS, and IPv6.

The North American Network Operators Group (NANOG) is the professional association for Internet engineering, architecture and operations. Its core focus is on continuous improvement of the data transmission technologies, practices, and facilities that make the Internet function. NANOG meetings are among the largest in the region, bringing together top technologists on a wide range of topics.

Routing Security

On Tuesday, 26 June, at 1:30PM, Andrei Robachevsky will give a talk called, “Routing Is At Risk. Let’s Secure It Together.”

From the session abstract:

“Stolen cryptocurrency, hijacked traffic blocking access to whole countries, derailing vital Web resources for thousands of people. Routing used to fly under the radar. As long as incidents weren’t too bad, no one asked too many questions, and routing security never made it to the top of the to-do list. But these days, routing incidents are regularly making the news, executives are getting nervous, and engineers are under pressure to make sure their network isn’t next. The problem is, you cannot secure your own network entirely by yourself. But you can help secure the global routing system Continue reading

New Video Explains Routing Security and How MANRS Can Help

Routing security can be a difficult topic to explain. It’s technical. It’s filled with industry jargon and acronyms. It’s, well, nerdy. But routing security is vital to a stable and secure future Internet, and we here at the Internet Society have been supporting the Mutually Agreed Norms for Routing Security (MANRS) initiative for several years now. To help explain, at a very high level, some of the major routing security issues and how MANRS can help address them, we’re pleased to announce a new explanatory video.

Available with English, French, and Spanish subtitles, this short new video explains three major incidents that can lead to things like denial of service attacks, surveillance, and lost revenue:

• Route Hijacking – when one network operator or attacker impersonates another
• Route Leak – when a network operator unintentionally announces that it has a route to a destination
• IP Address Spoofing – when fake source IP addresses hide a sender’s identity

Network operators of all sizes have a role to play in securing the Internet’s routing infrastructure. By implementing the four simple MANRS Actions, together we can make significant improvements to reduce the most common routing threats. Those four actions are:

• Filtering – making Continue reading

What is BGP Hijacking, Anyway?

Two weeks ago, we learned about yet another routing security incident, namely the hijack of BGP routes to the Amazon DNS infrastructure, used as a stepping stone to steal about $150,000 of Ethereum cryptocurrency from MyEtherWallet.com. We’ve been talking a lot lately about BGP hijacking, digging into the details of what happened in this post. But maybe we need to back up a minute and answer: What in the world is BGP hijacking, anyway, and why does it matter? Here, we’ll explain the basics and how network operators and Internet Exchange Points can join MANRS to help solve the problem.

What is BGP?

BGP, or Border Gateway Protocol, is used to direct traffic across the Internet. Networks use BGP to exchange “reachability information” – networks they know how to get to. Any network that is connected to the Internet eventually relies on BGP to reach other networks.

What is BGP Hijacking?

In short, BGP hijacking is when an attacker disguises itself as another network; it announces network prefixes belonging to another network as if those prefixes are theirs. If this false information is accepted by neighboring networks and propagated further using BGP, it distorts the “roadmap” of the Continue reading