US lawmakers investigate telecom 'traffic pumping'

Three high-profile U.S. lawmakers have begun an informal investigation into high access charges that some rural telephone carriers charge to competitors, on the heels of complaints about the practice from Google and some large carriers. In some cases, the rural carriers partner with adult sex chat lines and conference calling services that take advantage of the high access fees to drive traffic to the small carriers, critics say. The letter, from Representative Henry Waxman, chairman of the House Energy and Commerce Committee, and two other leaders on the committee, comes after the U.S. Federal Communications Commission announced last Friday that it was investigating Google for refusing to connect some calls through its Web-based Google Voice service to rural carriers with high access charges. The practice is sometimes called access stimulation or traffic pumping.

An investigation into Google's decision to block calls to carriers with high access charges "must also examine the existing access charge regime and purported abuses of that system," said the letter, also signed by subcommittee chairmen Rick Boucher, a Virginia Democrat, and Bart Stupak, a Michigan Democrat. "Just last month, the Iowa Utilities Board found that eight local exchange companies had engaged in a traffic pumping scheme in which they were providing free calling services for indecent or pornographic content. These companies were attempting to increase access charge revenues by 10,000 percent." The lawmaker letters, sent to Qwest Communications International, AT&T, Sprint Nextel, and Verizon Communications, ask the large carriers about the access fees charged by rural carriers and the ways the large carriers are trying to resolve traffic pumping disputes.

Some large carriers have been complaining about traffic pumping for years. In April 2007, AT&T sent a letter to the FCC, asking the agency to investigate high access fees. AT&T is happy to see Congress interested in the issue, said Michael Balmoris, a spokesman. "We are happy to assist them in their investigation," he said. "We are especially eager to provide Members of Congress with information related to VoIP providers who are still blocking calls with impunity, which is crucial to understanding the scope of the harm to consumers and businesses in rural America." Qwest also said it would be glad to cooperate with the Commerce Committee's investigation. "Traffic pumping is an unlawful practice that has harmed and misled consumers, regulators, and long distance providers like Qwest," Steve Davis, Qwest's senior vice president of public policy and government relations, said in a statement. "Traffic pumping costs American consumers millions of dollars and denies parents the ability to safeguard their children from obscene and inappropriate material." Google, in a statement, said Congress should encourage the FCC to fix access charge rules. "We agree that the current carrier compensation rules are broken," a spokeswoman said.

Google has defended its practice of blocking calls to some rural exchanges by saying it's offering a free online service that's not intended to compete with traditional voice service. AT&T has complained that Google is violating net neutrality rules it supports by refusing to connect the calls. Also, Google Voice is only available to a limited number of people invited to preview the service, the company said.

Sneaky Microsoft plug-in puts Firefox users at risk

An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week. One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update. "While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox." The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site.

Numerous users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley, a contributor to the popular Windows Secrets newsletter. "The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval," Bradley noted in a Feb. 12 story. "Although it was first installed with Microsoft's Visual Studio development program, I've seen this .NET component added to Firefox as part of the .NET Family patch." What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox.

The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including Annoyances.org. Annoyances also said the threat to Firefox users is serious. "This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC," said the hints and tips site. "Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste." Specifically, the .NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.

Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission - as is the case for other Firefox add-ons, or extensions. According to Microsoft, the vulnerability is "critical," and also can be exploited against users running any version of IE, including IE8. This week, Microsoft did not revisit the origin of the .NET add-on, but simply told Firefox users that they should uninstall the component if they weren't able to deploy the patches provided in the MS09-054 update.

How registrars tackle domain name abuse

Cybercriminals worldwide are amassing domain names to keep their botnet and phishing operations a step ahead of authorities. To obscure their tracks, the criminals register the domain names using phony information, pay with stolen credit cards and hack into legitimate domain-name accounts. Adding to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in. (See related story, "Domain-name abuse proliferates; rogue registrars turn a blind eye") Today's cosmopolitan criminals might use "a registrar in China and a Web-hosting company in Russia and a registry in Ireland," says Ram Mohan, CTO at Dublin-based registry services provider Afilias. The target is usually "a consumer in America." Accredited by ICANN for the .info generic top-level domain (gTLD), Afilias helped organize the Registry Internet Safety Group to find ways to improve security. Mohan says Afilias has seen about 250,000 domain names taken down in the past 2.5 years because they were deemed to be maliciously used.

In the past, standard contracts between ICANN and registrars didn't address domain-name abuse head-on. (Mohan estimates there are about 2,000 registrars and retail channels for domain names globally today.) But Afilias successfully lobbied to have the standard contracts amended so that stringent actions against domain-name abuse could be taken, he says. At first the registrars Afilias works with were not too happy to see domain names suspended, but many have come around to see the wisdom in taking action to stop perceived criminal activity, he says. Registry services provider Neustar (accredited by ICANN for the .biz gTLD) is also a big believer in tackling domain-name abuse, which after all, hurts the bottom line. Three years ago, Neustar hired a legal team to handle domain abuse questions and set up an internal, isolated networking lab to make determinations to a "near certainty" about a domain name being used for objectionable purposes, says Jeff Neuman, vice president of law and policy at Neustar. Under its contracts with registrars and ICANN, Neustar can proactively say to a registrar, with a full report, "you have 12 hours to take down that domain name or we will do it," he says.

ICANN has a more informal process for trying to curb domain-name abuse, but that may eventually change, Neuman believes. Many security researchers today are inclined to blame a lot of domain-name abuse on "rogue registrars" around the world that are said to look the other way when dealing with criminals. For instance, .cn, the country-code domain for the People's Republic of China, has emerged as a popular choice for domain-name abuse. For country-code top-level domains, each country through a designated organization directly accredits registrars for the ccTLD, though those registrars may also be accredited by ICANN for gTLDs like .com and .info.

Two ICANN-accredited registrars, Beijing-based Xin Net Technology Corp. and Beijing Innovative Linkage, among other registrars based in China, have gained reputations in some circles as rogue registrars because of the large amount of malicious domains being traced to them over the past year. ICANN says complaints it received related to inaccurate or missing Whois database information and Beijing Innovative - which initially failed to respond to ICANN inquiries in a timely manner - led ICANN to issue the Chinese registrar a "notice of breach" decision last September, and a remediation plan. Mohan says it's important to do the analysis to understand the source of domain-name abuse, but critics should also consider evidence that Chinese registrars are being targeted because there's a lot of growth in China and "criminals are hiding in that growth." Mohan was in Beijing just a month ago discussing cybercrime for three hours with Mao Wei, the director of China Internet Network Information Center, the state-run registry for .cn, which is under the control of the Ministry of Information Industry. Mohan also spent time with Chinese registrars. "The Chinese government is very strongly aware of this problem," Mohan says.

Just this week, McAfee touched on the China question in a report about e-mail spam that found high-volume, Chinese URL-based "Canadian Pharmacy" spam has started getting blocked amazingly fast, something McAfee never saw happen before. This newsletter-looking spam has used about 1,235 domains on .cn each day in fast-flux mode, but it's "getting black-holed as soon as they come in," says Adam Wosotowsky, principal engineer in messaging tactical response at McAfee. This countermeasure makes the spam dead-on-arrival with no Web URL to use. "We're guessing it's Chinese government influence," Wosotowsky says, adding he thinks the pharmacy spam is being used to sell pharmaceutical knock-offs out of Hong Kong.

Nonetheless, some say it's hard to escape the impression that around the world, there are places where registrars and others providing domain names look the other way. Even governments may be ignoring it, as money changes hands in the lucrative domain-name business. "The moment the bad guys find out something is going on, they move from Estonia to Ukraine," says Mohan by way of example. "The kingpins aren't identified. There must be advance notice going to these criminals, or compromised law enforcement." It's big money, big business.

Critical Zero-Day Flaw Opens Holes in IE 6 and 7

A newly discovered threat that doesn't yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies. Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted.

According to Vupen's post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware. Symantec's post says its tests confirm the published exploit works, but that it "exhibits signs of poor reliability," i.e., it doesn't always work. There aren't yet any reports of active attacks, but exploit code is publicly available. An additional e-mail from Symantec says that Vista is affected as well, but Microsoft has not yet confirmed the vulnerability. According to Vupen, disabling Active Scripting in the Internet and Local intranet security zones will block attacks against this flaw, but doing so would likely block Web site functionality as well. Zero-days that affect IE are typically major threats, so attackers will likely begin hiding attacks that target this flaw on compromised Web sites, and spewing out e-mails and online comments with links to sites that contain attacks.

Current reports do not list IE 8 as vulnerable, but Symantec warns that "there are possibilities that other versions of IE and Windows may also be affected." Your best bet may be to use an alternate browser such as Firefox until a patch is available.
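The zone workaround Vupen recommends can be audited and applied from PowerShell. This is an added example, not code from the article or from Vupen or Symantec: it reads the Active Scripting setting (registry value "1400") for the Internet zone (3) and Local intranet zone (1) under the current user's Internet Settings and, on request, sets both to Disable (3). The zone numbers and value name are standard Windows Internet Settings; the function names are my own.

```powershell
# Added example (not from the article): audit or disable Active Scripting in
# the IE Internet (zone 3) and Local intranet (zone 1) security zones for the
# current user. Value "1400" under each zone key is the Active Scripting
# setting: 0 = Enable, 1 = Prompt, 3 = Disable. Group Policy can override
# these per-user values from HKLM; this example audits the per-user keys only.
$ZonesRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones           = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$ActiveScripting = '1400'
$Labels          = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Returns one object per zone with the current numeric value, its label,
    # and whether it already matches the workaround (3 = Disable).
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key   = Join-Path $ZonesRoot $id
        $value = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        [pscustomobject]@{
            Zone     = $Zones[$id]
            ZoneId   = $id
            Value    = $value
            Setting  = if ($null -eq $value) { 'Not set (zone default)' } else { $Labels[[int]$value] }
            Hardened = ($value -eq 3)
        }
    }
}

function Disable-ActiveScripting {
    # Applies the workaround: 1400 = 3 (Disable) in both zones. Expect sites
    # that need script to break; set the value back to 0 once a patch is deployed.
    foreach ($id in $Zones.Keys) {
        $key = Join-Path $ZonesRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
    }
}

# Show the current state; apply only deliberately:
#   Disable-ActiveScripting; Get-ActiveScriptingState
Get-ActiveScriptingState | Format-Table -AutoSize
```

Run the audit first on a representative machine so you know which internal sites depend on script in the Local intranet zone before applying the change fleet-wide.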

AMD settlement won't blunt Intel R&D, exec says

Today's settlement of all antitrust litigation between Intel Corp. and Advanced Micro Devices Inc. should benefit both firms - and shouldn't hurt Intel's R&D operation, Intel CTO and senior fellow Justin Rattner told Computerworld today. "As a legal matter, it only concerned a very small part of the company," Rattner said. "From an R&D perspective, there aren't really any changes as a result of the agreement. For the legal people at Intel, it's a big change but I don't think the rest of us will be terribly affected." The deal, which settles both antitrust litigation and patent cross license disputes, specifies that Intel will pay rival AMD $1.25 billion. Intel also agreed to abide by a set of business practice provisions. For its part, AMD agreed to drop all pending litigation against Intel, including an upcoming case in U.S. District Court in Delaware and two cases pending in Japan. AMD also will withdraw all of its regulatory complaints filed against Intel with government agencies around the world. "It's good for everyone that it's over," said Martin Reynolds, an analyst at Gartner Inc. "These long-term court battles are no good for anybody. This will make AMD a more attractive target for investors and it's certainly good news for Intel."

Reynolds said the settlement could portend that Intel will reach similar deals with other court foes. The latest antitrust suit against Intel was filed in federal court last week by the state of New York, which alleges that Intel threatened computer makers, made payoffs and engaged in a "worldwide, systematic campaign of illegal conduct." An Intel spokesman downplayed that lawsuit, contending at the time it was a repackaging of the AMD case. Therefore, Reynolds suggested, it's likely the AMD settlement will lead to the dropping of the New York lawsuit. "With AMD withdrawing all complaints, it's likely all these suits will dry up," he added. "It will be hard to go forward." The settlement should provide significant benefits to Intel over the long term, Reynolds said. "The $1.25 billion is a downside [for Intel], but that's about it. They won't be in as many courtrooms. Intel can stand down in gathering all this evidence. They can let go of some of their attorneys."

The settlement could also blunt any plans by the U.S. Federal Trade Commission to jump into the antitrust fray against Intel, said Rob Enderle, an analyst with the Enderle Group. The FTC had launched an antitrust investigation into Intel more than a year ago and had been expected to take some kind of antitrust action against the firm soon. "This means AMD will stop pushing on the FTC and states to pound on Intel. This reduces the long-term impact from their actions substantially. And Intel will be able to focus on business and not do brand damage control, discovery, [and the like]," Enderle said. "Like Microsoft discovered, this doesn't necessarily stop New York or the FTC but it removes a lot of the momentum behind those efforts and effectively lowers their priority." Enderle also noted that while $1.25 billion is a lot for Intel to pay out, the settlement is likely less than a court would have forced the company to pay had it lost an antitrust trial. "I was estimating a judgment between $2 billion and $5 billion with penalties so this was a good deal from Intel and AMD needs the money," said Enderle. "[Intel] already looked guilty."

India to set up automatic monitoring of communications

India plans to set up a centralized system to monitor communications on mobile phones, landlines and the Internet in the country, a minister told the Rajya Sabha, the upper house of Parliament, on Thursday. A pilot of the new Centralized Monitoring System (CMS) is to be started by June next year, subject to clearances by other government agencies, Gurudas Kamat, Minister of State for Communications and Information Technology told the Rajya Sabha, according to an announcement by the government's Press Information Bureau. Indian laws allow the interception and monitoring of communications under certain conditions, including to counter terrorism. The CMS will have central and regional databases to help central and state-level enforcement agencies intercept and monitor communications, the government said.

It will also feature analysis of call data records and data mining of these records to identify call details, location details, and other information of the target numbers. It will also have direct electronic provisioning of target numbers by government agencies without any intervention from telecom service providers, it added. The current system used by the government for call monitoring can be easily compromised because of the requirement of manual intervention at many stages, the minister said. Interception using the new system will also be instant, he added.

The statement by Kamat comes on the anniversary of a terrorist attack on a number of sites in Mumbai, including two premium hotels, a railway station, and a Jewish community center. The terrorists are believed to have used mobile communications and the Internet extensively to plan and execute their attacks. The government brought into force earlier this year the Information Technology (Amendment) Act 2008, an amendment to an earlier law, which broadened the government's powers to intercept and monitor communications. Some experts have argued that the government should set up an organization like an ombudsman to ensure that information collected during surveillance is not misused.

Do you know where your employees are working?

Technology has enabled telework programs to evolve beyond images of people dialing up in pajamas to remote workers tapping advanced collaboration tools that increase productivity and ensure business continuity. In some cases, disaster recovery plans have spawned well-structured and documented telework programs. But at the majority of companies, there are no formal telework policies in place, even as more and more workers go mobile. It's time for ad hoc telework programs to be brought up to snuff.

"Almost everyone today teleworks in one way or another," says Chuck Wilsker, president and CEO of The Telework Coalition. "Half of the workers know they do it, close to another half don't realize they do it when they check e-mail from a hotel room or a BlackBerry, for instance, and a small percentage of certain types of employees might not do it at all. Telework is not just working from home; it is working from a location that is not the corporate office. But easily 75% of companies don't have official telework policies, despite employees working remotely often, which could be a problem." Here are 10 simple steps that can help organizations advance their telework programs from ad hoc to admirable.

1. Survey employees

The best place to start when establishing policies for remote work is with employees. "It is critical for an organization to ask employees if they are interested in telework and what they would like to see in such a program," says Cindy Auten, general manager for Telework Exchange. "Such surveys also help to lay a foundation for what degree of telework a company can support. Companies should survey staff to understand who would want to work remotely and why. The responses will help organizations establish a program suited to their employees and work environment." Also consider the environment to determine if the type of positions could be supported remotely.

2. Perform cost analysis

The benefits of telework can range from lessened real estate and power costs for employers to fewer dollars spent commuting for employees. That's why companies should invest some time upfront understanding how they can save money and increase productivity, experts say. "The main driver for a successful, policy-based telework program is often the cost savings a company can realize," says Lawrence Imeish, principal consultant for Dimension Data. "But companies need to understand how they can save costs, for instance in real estate, and implement the needed steps to achieve those savings." For example, if 10% of the workforce will be working remotely, companies could invest up to 10% less in corporate real estate or cut back on LAN expenditures, and instead invest that capital in technology to support remote work. "Telework can become valuable and strategic if companies follow through with a program from start to finish," Imeish says. "Understanding there could be savings but not changing investment plans could lessen the cost-savings benefit of telework."

3. Get management support

One would think that positive employee feedback and potential cost-savings would guarantee management support for a remote work program, but telework advocates must secure executive buy-in before moving the policies to the next level. (See related story, "Five signs your telework program is a bust.") "There are some in management that simply don't buy into telework and can't easily be swayed," Wilsker says. "I have seen successful telework programs come to a screeching halt when new management takes over. Take, for instance, AT&T." But depending on the business, the benefits of implementing a telework program might not immediately outweigh the costs. Program advocates must also provide ongoing updates showing the success or challenges of the telework program, helping to maintain management support. "Businesses change, conditions change. Ongoing assessments will help management understand how telework continues to support current business operations," Wilsker adds.

4. Document policies

For many, telework programs can be as simple as working from home during a snowstorm or as involved as sharing shifts with others and rotating remote work days based on multiple schedules. Either can work, but documented policies will help organizations avoid confusion or problems when something goes awry. "Telework is a program, and like all programs, the better it is developed and documented, the better it will work," says Ben Rothke, a New York-city based senior security consultant with BT Professional Services. "Successful teleworking programs don't just happen. They are the results of significant planning, testing and training." Documentation also can help avoid upset when employees and cultures clash over remote workers. Not all jobs are suited for remote access, and companies need to establish clear guidelines regarding which positions can support telework and how often. "A prison guard obviously cannot be a teleworker. Companies must pick and choose which workers are eligible, communicate it clearly and keep it documented to avoid future upset over restrictions," Dimension Data's Imeish says.

5. Acquire technology

Granting permission to work remotely isn't going to guarantee a successful telework program. Remote workers will also need the tools and technology to enable them to work productively in other environments and collaborate with co-workers as though they were sitting in the next cube. (See related story, "Secure telework without a VPN.") Instant messaging, e-mail, Web cameras, video conferencing and Web conferences are a few collaboration tools that could enable remote workers to operate as though they were in the office. It can also help to standardize on technology. For instance, instead of having employees use whatever they find, companies should select a few options for home workers and mobile workers. Employees can choose from the options, which will enable the company to better secure its environment and help support teams more easily address remote worker issues. "You don't want users tapping any technology they have. To make telework successful, companies should standardize on VPNs and encrypted tunnels, for instance," Imeish says. And technologies such as routers that enable home workers to segregate corporate and personal traffic can help reduce security risks and speed helpdesk calls. "Home users with their kids on the same link could actually become quite the nightmare for support," Imeish says. "You can't just send people home to work without providing them the right tools to be productive and to mitigate risk to the company." Also be sure to establish early who pays for the home office equipment or the local broadband connection, Wilsker adds. Companies could offset costs with telework, but employees should not be incurring additional costs because they agree to work remotely. "It's not a case in which the employee pays to work from home. Organizations need to establish the rules for who pays for what and how much is in the budget for telework technology," he says.

6. Secure data

In the same vein as segregating traffic and determining eligible positions, companies must understand what information employees have access to and ensure if working remotely the data is always secure. Corporate intellectual property and client data, for instance, also need to be considered when moving work outside of the office. "Are the files secure in the remote location or are they lying around someone's house? Is the employee logging out of secure systems or leaving applications open?" Telework Exchange's Auten asks. "There are too many stories of laptops gone missing with critical data already. Companies must set strong security policies and ensure they can be enforced."

7. Require training

Just as employees often must be trained on a new phone system or e-mail application, experts advise companies to mandate telework training. Learning remote access technologies and understanding security policies are just two reasons organizations should require employees who wish to work remotely to complete telework training programs. "Employee screening and training – including managers that may not know how to manage remote workers – should be mandatory for those involved in the telework program," Wilsker says. "Understanding how to communicate and keep the lines open is essential for telework to succeed. Training on collaboration tools and the policies around staying in touch with the office is critical." Companies can even offer a resource guide of sorts for those employees who telework. Create a checklist for employees to follow daily, weekly and monthly to keep the program on track, Auten adds. "When organizations are supporting telework, they should review the program on a regular recurring basis. Some kinks might need to be worked out and employees re-trained over time," she says.

8. Measure employee performance

To ensure employees remain productive when they're remote, companies can baseline worker output prior to telework and measure performance following the transition. While some managers might measure work by attendance, experts say there are better metrics to understanding how much gets done outside of the office. "If a company is focused on output rather than process, they are going to care about presence," Imeish says. "But it can be a difficult premise to overcome." For instance, instant messaging programs can be configured to show when users are idle, but if that feels too Big Brother for some organizations, policies can be used to prove presence – remotely. "Managers can require workers check in at certain times, provide work progress updates and show results," Imeish says. "It's best to define success criteria upfront and measure results as you go. Companies should get a little bit more productivity out of telework." While many in management might worry about under-achieving workers, experts say often the opposite happens. The productivity responsibility doesn't just fall to employees either. Auten says managers must be in tune with employee performance and try to help them sustain a work-life balance, despite being able to work 24-7. "Managers have to be very accountable for their employees' work output. Telework requires a work-life balance, and a program can go south if employees aren't stepping away from their desk to take lunch or logging off at a reasonable hour," she says. "Telework can quickly lead to employee burnout if a balance is not established."

9. Provide support

Not only does the remote work require technology to succeed, but helpdesk teams need to understand who works off-site and how to best support their needs. Because many remote workers also take advantage of flexible schedules, support might not be readily available at all hours. "IT needs to know what people are working remotely and where. There will be different time zones and different work habits they will need to deal with, which could be seen as more work for support, but shouldn't," Wilsker says. "Insufficient tech support could hamper telework. Be transparent with IT so they can understand how to meet the needs of remote workers."

10. Cultivate work culture

Remote workers want to feel connected to their companies, despite being located elsewhere. Telework programs can leave employees feeling left out of the team, which is why program advocates must be sure to incorporate cultural needs into their plans. "Technology can bridge the intimacy gap employees experience with telework to a certain degree. It won't feel like they are in the office, but use video conferencing or inexpensive Web cameras to keep employees from feeling isolated," Imeish says. "If you can't help employees feel like part of a team, telework could result in turnover."

Do you Tweet? Follow Denise Dubie on Twitter