Cybersecurity

Noteworthy

IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Cybersecurity / Recently Commented

Analysis Report Recommends Key Security Changes to ICANN's Pending Registry Proposals

A report released today ("DNS - A System in Crisis," commissioned by Network Solutions) has concluded that in proposals for the .com, .biz, .info and .org registries, the Internet Corporation for Assigned Names and Numbers (ICANN) has failed to ensure adequate security safeguards. The report, written by security technology expert Jerry Archer, recommends that oversight, planning and testing provisions be implemented in the proposals to run these registries before they are finalized.

Phishing Reaching Record Numbers in 2006

The Anti-Phishing Working Group (APWG) is reporting a record number of legitimate "brands" were hijacked in July 2006. ...They also report to have found 23,670 total phishing websites used to commit identity theft, fraud and other malicious activity in July 2006. This number is second only to the record 28,571 phishing sites found in June 2006, and is nearly double the 14,135 phishing sites found in July 2005.

The DNSSEC "Onus of Reality Check" Shifted to gTLD Administrations by ICANN

Last month, there was an exchange of letters between a gTLD administration and ICANN about DNSSEC deployment. This gTLD administration is PIR or Public Interest Registry, the gTLD administration for the .org TLD. Interestingly, PIR is a non-profit organization that makes significant contributions to ISOC (Internet Society) initiatives: thus, both ICANN and PIR are organizations dedicated to the well-being of the Internet.

ICANN Names DNS Security Experts

The Internet Corp for Assigned Names and Numbers yesterday named the 25 domain name system security experts that will be responsible for deciding whether proposed domain registry services could cause internet security and stability problems. The 25 people, who hail from all over the world, would be selected in five-person panels to decide on a case-by-case basis whether services proposed by the likes of .com registry VeriSign Inc or .biz registry NeuStar Inc constitute a problem to the internet.

With Tropical Storm Ernesto Comes the Domain Storm

With tropical storm Ernesto now blowing off the coast of Florida, Internet security experts are warning that fraudsters may be hard at work claiming Ernesto-related Web site domains. On Tuesday, 18 domains related to the storm became live, said Johannes Ullrich, chief research officer at the SANS Institute. They include such names as Ernestoinsurance.com, Ernestomoney.com and Ernestodamage.com.

Data Can Bypass Most Network Security via IPv6

An independent security researcher showed off an early version of a tool for creating covert channels that, he claims, can pass undetected through most firewalls and intrusion detection systems.

Joe Klein, network security expert, North American IPv6 Task Force

The tool, dubbed VoodooNet or v00d00n3t, uses the ability of most computers to encapsulate next-generation network traffic, known as Internet Protocol version 6 (IPv6), inside of today's network communications standard, or IPv4.

China Betting on IPv6 and First Mover Advantage

The United States' reluctance to invest in IPv6 makes it more likely that China will be in a position to gain the first-mover advantage it seeks. ...Liu Dong, president of the Beijing Internet Institute sums it up succinctly: "We think we can develop the killer applications," he says. China plans to show the rest of the world just how advanced its Internet is at the 2008 Olympics in Beijing. CNGI will control the facilities -- everything from security cameras to the lighting and thermostats -- at the Olympic venues, and events will be broadcast live over the Internet. Even the taxis in Beijing's snarled traffic will connect to CNGI via IPv6 sensors so that dispatchers will be able to direct their drivers away from congestion.

OpenDNS Possible Alternative to Spotty DNS Services

Paul Mockapetris, the inventor of DNS and chief scientist at secure DNS provider Nominum, said DNS is like the water of the Internet. In that analogy, OpenDNS is like bottled water. If you use it, you don't have to trust the local water, which may be polluted or diseased, Mockapetris said.

"Of course, you have to trust the OpenDNS folks, and I suspect they are looking forward to showing you advertising. So maybe it is more like Gatorade, and maybe they will fluoridate their DNS and add stuff that will kill your prized fish in the aquarium as well as the phish they are looking for," he said.

Phishing: Competing on Security

The UK today is one of the main attack targets by phishing organized crime groups, globally. Phishing damages will amount to about two billion USD in 2006 worldwide -- not counting risk management measures such as preventative measures, counter-measures, incident response and PR damages. In most cases, phishing is caused by the fault of the users, either by entering the wrong web page, not keeping their computers secure or falling for cheap scams. Often this is due to lack of awareness or ability in the realm of Internet use rather than incompetence by the users...

Net Security an Oxymoron, Interview with SRI Principal Scientist

At a time when threats to the Internet and other computer networks loom from teenage hackers and terrorists alike, Neumann (pronounced "Noy-muhn") is sounding an alarm that computer security advocates agree has fallen on deaf ears. The trouble, Neumann warns, is that the Internet is populated by computers that were not designed with network security in mind. As a result, security is addressed on a patch-by-patch basis, but an effective solution would require redesigning systems from scratch.

Security Experts Warn VoIP Attacks May Be Just Around the Corner

It's become a familiar pattern in online security. A groundbreaking way to communicate emerges, spreads like wildfire, and then hackers find a way to use it to their advantage. Security companies react--but not before the problem has succeeded in wreaking havoc. It happened with e-mail and is happening now with instant messaging and mobile devices.

The next area that could be targeted: Voice over Internet Protocol, or VoIP, which lets people make low-priced phone calls using the same technology that delivers e-mail. And the results could be just as damaging, if not worse, than with other technologies, some security experts warn.

Email Security an Ongoing Battle, Focus on Manageable Risk Instead

The IT industry will never eradicate security threats to email systems and organizations should take a holistic approach to securing their communication systems to the level where they believe risk is at a manageable state, according to panelists at this week's Inbox email conference in San Jose...

At a packed panel session on email accreditation and reputation, the panelists told audience members that reputation services have taken off rapidly. These services profile the sender's behavior to determine the likelihood that a message is legitimate or spam. The sender's reputation is determined based on multiple criteria then assigned to categories, or lists.

DNSSEC Deployment at the Root

The DNSSEC is a security protocol for providing cryptographic assurance (i.e. using the public key cryptography digital signature technology) to the data retrieved from the DNS distributed database (RFC4033). DNSSEC deployment at the root is said to be subject to politics, but there is seldom detailed discussion about this "DNS root signing" politics. Actually, DNSSEC deployment requires more than signing the DNS root zone data; it also involves secure delegations from the root to the TLDs, and DNSSEC deployment by TLD administrations (I omit other participants' involvement as my focus is policy around the DNS root). There is a dose of naivety in the idea of detailing the political aspects of the DNS root, but I volunteer! My perspective is an interested observer.

Storing VoIP Conversation along with Email as Next Regulation

IT chiefs have been warned to prepare for the possibility of new corporate governance rules that would require them to keep records of voice-over-IP (VoIP) conversations alongside email, instant messaging and other forms of communication.

Speaking at the Symantec user event in San Francisco last week, Jeremy Burton, a senior vice-president at the security specialist, said, "Financial institutions in the US already need to keep voicemail because it is stored on disk. As soon as the regulators figure out that VoIP is a digital stream, they will probably try to force that to be kept as well."

Security Professionals at Major Financial Institutions Shunning VoIP

Internet telephony is still not mature enough a platform to support business communications, according to senior security professionals.

In a debate at the Infosecurity conference in London last Wednesday, an audience of security and IT pros voted that Voice over Internet Protocol (VoIP) wasn't able to support mission critical communications at the moment. Banking security professionals argued that the expense of implementing current VoIP solutions coupled with the risk of security holes and network downtime did not make IP telephony an attractive business proposition.