US lawmakers investigate telecom 'traffic pumping'

Three high-profile U.S. lawmakers have begun an informal investigation into high access charges that some rural telephone carriers charge to competitors, on the heels of complaints about the practice from Google and some large carriers. In some cases, the rural carriers partner with adult sex chat lines and conference calling services that take advantage of the high access fees to drive traffic to the small carriers, critics say. The letter, from Representative Henry Waxman, chairman of the House Energy and Commerce Committee, and two other leaders on the committee, comes after the U.S. Federal Communications Commission announced last Friday that it was investigating Google for refusing to connect some calls through its Web-based Google Voice service to rural carriers with high access charges. The practice is sometimes called access stimulation or traffic pumping.

An investigation into Google's decision to block calls to carriers with high access charges "must also examine the existing access charge regime and purported abuses of that system," said the letter, also signed by subcommittee chairmen Rick Boucher, a Virginia Democrat, and Bart Stupak, a Michigan Democrat. "Just last month, the Iowa Utilities Board found that eight local exchange companies had engaged in a traffic pumping scheme in which they were providing free calling services for indecent or pornographic content. The lawmaker letters, sent to Qwest Communications International, AT&T, Sprint Nextel, and Verizon Communications, ask the large carriers about the access fees charged by rural carriers and the ways the large carriers are trying to resolve traffic pumping disputes. These companies were attempting to increase access charge revenues by 10,000 percent." Some large carriers have been complaining about traffic pumping for years. AT&T is happy to see Congress interested in the issue, said Michael Balmoris, a spokesman. "We are happy to assist them in their investigation," he said. "We are especially eager to provide Members of Congress with information related to VoIP providers who are still blocking calls with impunity, which is crucial to understanding the scope of the harm to consumers and businesses in rural America." Qwest also said it would be glad to cooperate with the Commerce Committee's investigation. "Traffic pumping is an unlawful practice that has harmed and misled consumers, regulators, and long distance providers like Qwest," Steve Davis, Qwest's senior vice president of public policy and government relations, said in a statement. "Traffic pumping costs American consumers millions of dollars and denies parents the ability to safeguard their children from obscene and inappropriate material." Google, in a statement, said Congress should encourage the FCC to fix access charges rules. 
"We agree that the current carrier compensation rules are broken," a spokeswoman said. In April 2007, AT&T sent a letter to the FCC, asking the agency to investigate high access fees.

Google has defended its practice of blocking calls to some rural exchanges by saying it's offering a free online service that's not intended to compete with traditional voice service. AT&T has complained that Google is violating net neutrality rules it supports by refusing to connect the calls. Also, Google Voice is only available to a limited number of people invited to preview the service, the company said.

Sneaky Microsoft plug-in puts Firefox users at risk

An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week. Numerous users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley, a contributor to the popular Windows Secrets newsletter. "The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval," Bradley noted in a Feb. 12 story. "Although it was first installed with Microsoft's Visual Studio development program, I've seen this .NET component added to Firefox as part of the .NET Family patch." What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update. "While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox." The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site.

The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org. Annoyances also said the threat to Firefox users is serious. "This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC," said the hints and tips site. "Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste." Specifically, the .NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers. Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission - as is the case for other Firefox add-ons, or extensions. According to Microsoft, the vulnerability is "critical," and also can be exploited against users running any version of IE, including IE8. This week, Microsoft did not revisit the origin of the .NET add-on, but simply told Firefox users that they should uninstall the component if they weren't able to deploy the patches provided in the MS09-054 update.

How registrars tackle domain name abuse

Cybercriminals worldwide are amassing domain names to keep their botnet and phishing operations a step ahead of authorities. To obscure their tracks, the criminals register the domain names using phony information, pay with stolen credit cards and hack into legitimate domain-name accounts. The target is usually "a consumer in America." Accredited by ICANN for the .info generic top-level domain (gTLD), Afilias helped organize the Registry Internet Safety Group to find ways to improve security. Adding to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in. Today's cosmopolitan criminals might use "a registrar in China and a Web-hosting company in Russia and a registry in Ireland," says Ram Mohan, CTO at Dublin-based registry services provider Afilias. Mohan says Afilias has seen about 250,000 domain names taken down in the past 2.5 years because they were deemed to be maliciously used.

In the past, standard contracts between ICANN and registrars didn't address domain-name abuse head-on. (Mohan estimates there are about 2,000 registrars and retail channels for domain names globally today.) But Afilias successfully lobbied to have the standard contracts amended so that stringent actions against domain-name abuse could be taken, he says. At first the registrars Afilias works with were not too happy to see domain names suspended, but many have come around to see the wisdom in taking action to stop perceived criminal activity, he says. Registry services provider Neustar (accredited by ICANN for the .biz gTLD) is also a big believer in tackling domain-name abuse, which, after all, hurts the bottom line. Under its contracts with registrars and ICANN, Neustar can proactively say to a registrar, with a full report, "you have 12 hours to take down that domain name or we will do it," he says. Three years ago, Neustar hired a legal team to handle domain abuse questions and set up an internal, isolated networking lab to make determinations to a "near certainty" about a domain name being used for objectionable purposes, says Jeff Neuman, vice president of law and policy at Neustar.

ICANN has a more informal process for trying to curb domain-name abuse, but that may eventually change, Neuman believes. For instance, .cn, the country-code domain for the People's Republic of China, has emerged as a popular choice for domain-name abuse. Many security researchers today are inclined to blame a lot of domain-name abuse on "rogue registrars" around the world that are said to look the other way when dealing with criminals. For country-code top-level domains, each country through a designated organization directly accredits registrars for the ccTLD, though those registrars may also be accredited by ICANN for gTLDs like .com and .info. ICANN says complaints it received related to inaccurate or missing Whois database information and Beijing Innovative - which initially failed to respond to ICANN inquiries in a timely manner - led ICANN to issue the Chinese registrar a "notice of breach" decision last September, and a remediation plan.

Two ICANN-accredited registrars, Beijing-based Xin Net Technology Corp. and Beijing Innovative Linkage, among other registrars based in China, have gained reputations in some circles as rogue registrars because of the large number of malicious domains being traced to them over the past year. Mohan says it's important to do the analysis to understand the source of domain-name abuse, but critics should also consider evidence that Chinese registrars are being targeted because there's a lot of growth in China and "criminals are hiding in that growth." Mohan was in Beijing just a month ago discussing cybercrime for three hours with Mao Wei, the director of China Internet Network Information Center, the state-run registry for .cn, which is under the control of the Ministry of Information Industry. Just this week, McAfee touched on the China question in a report about e-mail spam that found high-volume, Chinese URL-based "Canadian Pharmacy" spam has started getting blocked amazingly fast, something McAfee never saw happen before. Mohan also spent time with Chinese registrars. "The Chinese government is very strongly aware of this problem," Mohan says. This newsletter-looking spam has used about 1,235 domains on .cn each day in fast-flux mode, but it's "getting black-holed as soon as they come in," says Adam Wosotowsky, principal engineer in messaging tactical response at McAfee. Nonetheless, some say it's hard to escape the impression that around the world, there are places where registrars and others providing domain names look the other way.

This countermeasure makes the spam dead-on-arrival with no Web URL to use. "We're guessing it's Chinese government influence," Wosotowsky says, adding he thinks the pharmacy spam is being used to sell pharmaceutical knock-offs out of Hong Kong. Even governments may be ignoring it, as money changes hands in the lucrative domain-name business. "The moment the bad guys find out something is going on, they move from Estonia to Ukraine," says Mohan by way of example. "The kingpins aren't identified. There must be advance notice going to these criminals, or compromised law enforcement." It's big money, big business.

Critical Zero-Day Flaw Opens Holes in IE 6 and 7

A newly discovered threat that doesn't yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted. Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault.

According to Vupen's post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware. Symantec's post says its tests confirm the published exploit works, but that it "exhibits signs of poor reliability," i.e., it doesn't always work. There aren't yet any reports of active attacks, but exploit code is publicly available. An additional e-mail from Symantec says that Vista is affected as well, but Microsoft has not yet confirmed the vulnerability. According to Vupen, disabling Active Scripting in the Internet and Local intranet security zones will block attacks against this flaw, but doing so would likely block Web site functionality as well. Zero-days that affect IE are typically major threats, so attackers will likely begin hiding attacks that target this flaw on compromised Web sites, and spewing out e-mails and online comments with links to sites that contain attacks.

Current reports do not list IE 8 as vulnerable, but Symantec warns that "there are possibilities that other versions of IE and Windows may also be affected." Your best bet may be to use an alternate browser such as Firefox until a patch is available.

AMD settlement won't blunt Intel R&D, exec says

Today's settlement of all antitrust litigation between Intel Corp. and Advanced Micro Devices Inc. should benefit both firms - and shouldn't hurt Intel's R&D operation, Intel CTO and senior fellow Justin Rattner told Computerworld today. "As a legal matter, it only concerned a very small part of the company," Rattner said. "From an R&D perspective, there aren't really any changes as a result of the agreement. For its part, AMD agreed to drop all pending litigation against Intel, including an upcoming case in U.S. District Court in Delaware and two cases pending in Japan. For the legal people at Intel, it's a big change but I don't think the rest of us will be terribly affected." The deal, which settles both antitrust litigation and patent cross license disputes, specifies that Intel will pay rival AMD $1.25 billion. Intel also agreed to abide by a set of business practice provisions. AMD also will withdraw all of its regulatory complaints filed against Intel with government agencies around the world. "It's good for everyone that it's over," said Martin Reynolds, an analyst at Gartner Inc. "These long-term court battles are no good for anybody.

The latest antitrust suit against Intel was filed in federal court last week by the state of New York, which alleges that Intel threatened computer makers, made payoffs and engaged in a "worldwide, systematic campaign of illegal conduct." An Intel spokesman downplayed that lawsuit, contending at the time it was a repackaging of the AMD case. This will make AMD a more attractive target for investors and it's certainly good news for Intel." Reynolds said the settlement could portend that Intel will reach similar deals with other court foes. Therefore, Reynolds suggested, it's likely the AMD settlement will lead to the dropping of the New York lawsuit. "With AMD withdrawing all complaints, it's likely all these suits will dry up," he added. "It will be hard to go forward." The settlement should provide significant benefits to Intel over the long term, Reynolds said. "The $1.25 billion is a downside [for Intel], but that's about it. They won't be in as many courtrooms. Intel can stand down in gathering all this evidence.

They can let go of some of their attorneys." The settlement could also blunt any plans by the U.S. Federal Trade Commission to jump into the antitrust fray against Intel, said Rob Enderle, an analyst with the Enderle Group. And Intel will be able to focus on business and not do brand damage control, discovery, [and the like]," Enderle said. "Like Microsoft discovered, this doesn't necessarily stop New York or the FTC but it removes a lot of the momentum behind those efforts and effectively lowers their priority." Enderle also noted that while $1.25 billion is a lot for Intel to pay out, the settlement is likely less than a court would have forced the company to pay had it lost an antitrust trial. "I was estimating a judgment between $2 billion and $5 billion with penalties so this was a good deal from Intel and AMD needs the money," said Enderle. "[Intel] already looked guilty. The FTC had launched an antitrust investigation into Intel more than a year ago and had been expected to take some kind of antitrust action against the firm soon. "This means AMD will stop pushing on the FTC and states to pound on Intel. This reduces the long-term impact from their actions substantially."