Cybersecurity

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Blogs

Security Costs Money. So - Who Pays?

Computer security costs money. It costs more to develop secure software, and there's an ongoing maintenance cost to patch the remaining holes. Spending more time and money up front will likely result in lesser maintenance costs going forward, but too few companies do that. Besides, even very secure operating systems like Windows 10 and iOS have had security problems and hence require patching. (I just installed iOS 10.3.2 on my phone. It fixed about two dozen security holes.) more»

WannaCry: Patching Dilemma from the Other Side

WannaCry, originated firstly in state projects but spread by other actors, has touched upon myriads of infrastructure such as hospitals, telecommunication, railroads that many countries have labelled as critical. IT engineers are hastily presenting patching codes in various localized versions. The other patch needed, however, is more than technical. It is normative and legislative. The coding of that patch for a situation like this is in two layers of dilemma. more»

It's Up to Each of Us: Why I WannaCry for Collaboration

WannaCry, or WannaCrypt, is one of the many names of the piece of ransomware that impacted the Internet last week, and will likely continue to make the rounds this week. There are a number of takeaways and lessons to learn from the far-reaching attack that we witnessed. Let me tie those to voluntary cooperation and collaboration which together represent the foundation for the Internet's development. more»

The Criminals Behind WannaCry

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever... Queue the gnashing of teeth and hand-wringing! Wait, what? WannaCry isn't unprecedented! Why would any professional in the field think so? I'm talking about Code Red, and it happened in July, 2001. more»

8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their 'brick-and-mortar' counterparts irrelevant. more»

Patching is Hard

There are many news reports of a ransomware worm. Much of the National Health Service in the UK has been hit; so has FedEx. The patch for the flaw exploited by this malware has been out for a while, but many companies haven't installed it. Naturally, this has prompted a lot of victim-blaming: they should have patched their systems. Yes, they should have, but many didn't. Why not? Because patching is very hard and very risk, and the more complex your systems are, the harder and riskier it is. more»

Would You Like Your Private Information to be Available on a VHS or Betamax Tape?

When I was a young child growing up in the late 1980s, my parents were lucky enough to be able to afford to have both a VHS-tape video-recorder in the living room and a Betamax tape recorder in their bedroom. This effectively meant that to me, the great video format wars weren't a decade-defining clash of technologies, but rather they consisted mainly of answering the question "in which room can I watch my favorite cartoons?". more»

In Response to Offensive Destruction of Attack Assets

It is certainly true that DDoS and hacking are on the rise; there have been a number of critical hacks in the last few years, including apparent attempts to alter the outcome of elections. The reaction has been a rising tide of fear, and an ever increasing desire to "do something." The something that seems to be emerging is, however, not necessarily the best possible "something." Specifically, governments are now talking about attempting to "wipe out" the equipment used in attacks. more»

IoT Devices Will Never Be Secure - Enter the Programmable Networks

Harvard Business Review just ran an interesting article on the information security aspects of Internet of Things (IoT). Based on the storyline, the smart city initiatives are doomed to fail unless the security of the IoT devices and the systems will be improved. While security of the digital society is obviously a key concern, I am not entirely convinced that relying on the security of individual devices and systems is the best course of action. more»

Call for Participation - DNSSEC Workshop at ICANN 59 in Johannesburg

Do you have ideas about DNSSEC or DANE that you would like to share with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology? If so, and if you will be in Johannesburg, South Africa, for ICANN 59 in June 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 59 DNSSEC Workshop! more»

Jakarta Declaration Calls on Governments to Recognize Legitimacy of Encryption

Today in Indonesia, media leaders gathered at UNESCO's World Press Freedom Day event issued the "Jakarta Declaration" calling on governments of the world to recognize the importance of a free and independent media in creating "peaceful, just and inclusive societies". The declaration calls on governments to take steps to support the freedom of the press, and, in the midst of the many actions was this statement: Recognise the legitimacy of the use of encryption and anonymisation technologies more»

New Chapter Working Groups Open Closed Doors

One thing was clear from a recent presentation by the new leaders of the SF-Bay Internet Society (ISOC) Chapter Working Groups: inclusion and collaboration will be the key to these groups' success. As Dr. Brandie Nonnecke, the Internet Governance Working Group (WG) Chair said, "We haven't yet cracked the code on what 'multistakeholder' means." But that won't stop her and Dr. Jaclyn Kerr, the Data Protection, Privacy, and Security WG Chair, from trying. more»

Sorry, Not Sorry: WHOIS Data Must Remain Public

In March, I posted a call to action to those of us in the community who have the inclination to fight against a movement to redact information critical to anti-abuse research. Today, I felt compelled to react to some of the discussions on the ICANN discussion list dedicated to the issue of WHOIS reform: Sorry, not sorry: I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams. more»

The Sysadmin's Guide to Securing Your SaaS Apps

As an admin, app security should be a top priority - but SaaS apps represent a difficult challenge in that regard. How can you protect your business from their risks, while enjoying all their rewards? Within the average enterprise, there are 508 unique cloud applications in use. That number's overwhelming enough on its own without considering that 88% of those applications aren't enterprise ready, or the fact that one in five cloud applications has data sharing as a core functionality. more»

M3AAWG Offers Some Sensible Password Advice

M3AAWG is a trade association that brings together ISPs, hosting providers, bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware, and mobile abuse. (Those comprise the M3.) One of the things they do is publish best practice documents for network and mail operators, including two recently published, one on Password Recommendations for Account Providers, and another on Password Managers Usage Recommendations. more»

News Briefs

Bell Canada Discloses Loss of 1.9 Million Email Addresses to Hacker, Says No Relation to WannaCry

WikiLeaks Releases CIA Malware Implants Called Assassin and AfterMidnight

WannaCry Ransomware Cyberattack Spreading to Countries Across the World, 45K Attacks Reported So Far

Trump Signs Cybersecurity Executive Order, Experts Weigh in on the New Draft

FCC Reports Site Attacked Over Net Neutrality Comments, Senators Seek Evidence

French Presidential Candidate Confirms Massive Hack, Emails Dumped Online Two Days Before Election

Germany Investigating Legal Grounds to Destroy Servers Used to Carry Out Cyberattacks

NSA to Stop Collecting American Emails To and From Overseas

A Report on Cyber Espionage Activities of Pawn Storm Over the Past Two Years

Denmark Says Russia Has Been Hacking Its Defense Ministry for Past Two Years

Walden Savings Bank to Switch from .com to a .bank TLD

UK Government Reports Nearly Half of Businesses Identified Cyber Security Breaches in the Past Year

Researches Demonstrate How IPv6 Attacks Can Bypass Network Intrusion Detection Systems

Permanent Denial-of-Service Attacks on the Rise, Incidents Involve Hardware-Damaging Assaults

IRS Reports Hackers Accessed Data of Up to 100,000 People via Financial Aid Site for Students

Google to Distrust Symantec-Issued Certificates Amid Misuse

Cisco Warning Software Used in Hundreds of Its Products Vulnerable to Critical Security Flaw

Over a Billion Email Addresses of Major Spam Operation Exposed via Unprotected Backups

New Cybersecurity Regulations in New York Go Into Effect

Security Researchers Announce First SHA-1 Collision, Confirming Fears About Its Vulnerabilities

Most Viewed

Most Commented

Taking Back the DNS

Fake Bank Site, Fake Registrar

When Registrars Look the Other Way, Drug-Dealers Get Paid

Who Is Blocking WHOIS? Part 2

ICANN Complaint System Easily Gamed

Verisign Updates – Sponsor

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign has just released Q4 2016 DDoS Trends Report providing a unique view into the attack trends unfolding online through observations and insights derived from distributed denial of service (DDoS) attack mitigations, enacted on behalf of Verisign DDoS Protection Services, and security research conducted by Verisign iDefense Intelligence Services. ›››

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

Verisign has released its Q3 2016 DDoS Trends Report providing a unique view into online distributed denial of service (DDoS) attack trends from mitigations enacted on behalf of Verisign DDoS Protection Services and research conducted by Verisign iDefense Security Intelligence Services. ›››

Defending Against Layer 7 DDoS Attacks

Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify. Verisign's recent trends show that DDoS attacks are becoming more sophisticated and complex, including an increase in application layer attacks. ›››

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

Verisign today released its Q2 2016 DDoS Trends Report providing a unique view into online distributed denial of service (DDoS) attack trends from mitigations enacted on behalf of customers of Verisign DDoS Protection Services, and research conducted by Verisign iDefense Security Intelligence Services. ›››

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign is pleased to announce that it has qualified for the Online Trust Alliance's (OTA) 2016 Honor Roll for showing a commitment to best practices in security, privacy and consumer protection. ›››

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Verisign today released its Q1 2016 DDoS Trends Report, which provides a unique view into online distributed denial of service (DDoS) attack trends from mitigations enacted on behalf of customers of Verisign DDoS Protection Services and research conducted by Verisign iDefense Security Intelligence Services. ›››

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Having a tightly integrated security framework is more critical than ever as cyber-attacks grow and enterprises employ a variety of on-premise and cloud-based computing services to deliver applications. ›››

Industry Updates

Participants – Random Selection