Cybersecurity

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Cybersecurity / Recently Commented

Preliminary Thoughts on the Equifax Hack

As you've undoubtedly heard, the Equifax credit reporting agency was hit by a major attack, exposing the personal data of 143 million Americans and many more people in other countries. There's been a lot of discussion of liability; as of a few days ago, at least 25 lawsuits had been filed, with the state of Massachusetts preparing its own suit. It's certainly too soon to draw any firm conclusions... but there are a number of interesting things we can glean from Equifax's latest statement. more»

Not Quite Two Factor, or Is Your Phone Number Really Something You Have?

A recent article in the New York Times Dealbook column reported on phone number hijacking, in which a bad guy fraudulently takes over someone's mobile phone number and used it to reset credentials and drain the victim's account. It happens a lot, even to the chief technologist of the FTC. This reminds us that security is hard, and understanding two-factor authentication is harder than it seems. more»

The IoT Needs a Paradigm Shift from Security to Safety of Connected Devices

Building IoT ventures from scratch by prototyping hardware devices and their backend systems as well as working for a large company that tries to sell IoT devices itself, we learned a lot about the pitfalls and problems concerning security in the IoT. Nearly every connected device out there proved to be vulnerable to attacks. Researchers showed that it's possible to remotely take control over autonomous vehicles, implanted medical devices were manipulated, voting machines compromised and of course all sorts of other "smart" devices... more»

The Internet is Dead - Long Live the Internet

Back in the early 2000s, several notable Internet researchers were predicting the death of the Internet. Based on the narrative, the Internet infrastructure had not been designed for the scale that was being projected at the time, supposedly leading to fatal security and scalability issues. Yet somehow the Internet industry has always found a way to dodge the bullet at the very last minute. more»

Cloud Leak Exposes at least 14 Million Verizon Subscribers, Phone Numbers and Account PINs Included

A Verizon partner is reported to have exposed millions of Verizon customer accounts due to a misconfigured cloud-based file. more»

Phishing: the Worst of Times in the DNS

The Anti-Phishing Working Group has released its latest Global Phishing Survey, written by myself and Rod Rasmussen. This report comprehensively examines a large data set of more than 250,000 confirmed phishing attacks detected in 2015 and 2016. By analyzing this cybercrime activity, we have learned more about what phishers have been doing, and how they have done it. Unfortunately, there's more phishing than ever, and phishers are registering more domain names than ever. more»

Major Flaw Found in WannaCry Raises Questions on Whether it was Really a Ransomware

An extensive analysis of WannaCry seems to indicate attackers would be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis. more»

Security Costs Money. So - Who Pays?

Computer security costs money. It costs more to develop secure software, and there's an ongoing maintenance cost to patch the remaining holes. Spending more time and money up front will likely result in lesser maintenance costs going forward, but too few companies do that. Besides, even very secure operating systems like Windows 10 and iOS have had security problems and hence require patching. (I just installed iOS 10.3.2 on my phone. It fixed about two dozen security holes.) more»

IoT Devices Will Never Be Secure - Enter the Programmable Networks

Harvard Business Review just ran an interesting article on the information security aspects of Internet of Things (IoT). Based on the storyline, the smart city initiatives are doomed to fail unless the security of the IoT devices and the systems will be improved. While security of the digital society is obviously a key concern, I am not entirely convinced that relying on the security of individual devices and systems is the best course of action. more»

The Criminals Behind WannaCry

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever... Queue the gnashing of teeth and hand-wringing! Wait, what? WannaCry isn't unprecedented! Why would any professional in the field think so? I'm talking about Code Red, and it happened in July, 2001. more»

Patching is Hard

There are many news reports of a ransomware worm. Much of the National Health Service in the UK has been hit; so has FedEx. The patch for the flaw exploited by this malware has been out for a while, but many companies haven't installed it. Naturally, this has prompted a lot of victim-blaming: they should have patched their systems. Yes, they should have, but many didn't. Why not? Because patching is very hard and very risk, and the more complex your systems are, the harder and riskier it is. more»

Jakarta Declaration Calls on Governments to Recognize Legitimacy of Encryption

Today in Indonesia, media leaders gathered at UNESCO's World Press Freedom Day event issued the "Jakarta Declaration" calling on governments of the world to recognize the importance of a free and independent media in creating "peaceful, just and inclusive societies". The declaration calls on governments to take steps to support the freedom of the press, and, in the midst of the many actions was this statement: Recognise the legitimacy of the use of encryption and anonymisation technologies more»

Sorry, Not Sorry: WHOIS Data Must Remain Public

In March, I posted a call to action to those of us in the community who have the inclination to fight against a movement to redact information critical to anti-abuse research. Today, I felt compelled to react to some of the discussions on the ICANN discussion list dedicated to the issue of WHOIS reform: Sorry, not sorry: I work every working hour of the day to protect literally hundreds of millions of users from privacy violating spam, phish, malware, and support scams. more»

While Cyberspace Is Entering an Era of Warring States, There Remains a Chance to Make a Difference

For the non-state actors who are making efforts to approach cybersecurity issue in a different and creative way, the state actors, however, have given clear signs that they have exhausted their patience and insisted on doing things alone by bringing traditional old tricks back into cyberspace. This is exemplified in the bilateral meeting of two cyber sovereigntists - the Chinese and U.S. presidents on April 6-7, and in the multilateral G7 Declaration on Responsible States Behavior in Cyberspace on April 11. more»

Encryption and Securing Our Digital Economy

As G20 leaders from around the world gather this week, Germany wants them to agree to a concrete plan -- one that includes affordable Internet access across the world by 2025, common technical standards and a focus on digital learning. Today, the G20 economies, like so many other economies around the world, are digital and interconnected. Digital services have opened up new avenues for sustainable economic growth. more»