Security

Noteworthy

IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Blogs

Doing Crypto

The recent discovery of the goto fail and heartbleed bugs has prompted some public discussion on a very important topic: what advice should cryptologists give to implementors who need to use crypto? What should they do? There are three parts to the answer: don't invent things; use ordinary care; and take special care around crypto code. more»

Verisign's Preliminary Comments on ICANN's Name Collisions Phase One Report

Verisign posted preliminary public comments on the "Mitigating the Risk of DNS Namespace Collisions" Phase One Report released by ICANN earlier this month. JAS Global Advisors, authors of the report contracted by ICANN, have done solid work putting together a set of recommendations to address the name collisions problem, which is not an easy one, given the uncertainty for how installed systems actually interact with the global DNS. However, there is still much work to be done. I have outlined the four main observations... more»

Blocking Amplification Attacks: Sometimes the Incentives Work Against You

Since the end of last year, amplification attacks have been increasingly used by attackers and received heavy media coverage. Everyday protocols not given much thought before, like Network Time Protocol (NTP), can be asked in a very short remote command to send a very large response (list of 600 clients last connected to the NTP server) to a spoofed IP address (the target) by the requestor/attacker. more»

Open Source Software Is the Worst Kind Except for All of the Others

Heartbleed, for anyone who doesn't read the papers, is a serious bug in the popular OpenSSL security library. Its effects are particularly bad, because OpenSSL is so popular, used to implement the secure bit of https: secure web sites on many of the most popular web servers such as apache, nginx, and lighttpd. A few people have suggested that the problem is that OpenSSL is open source, and code this important should be left to trained professionals. They're wrong. more»

Heartbleed: Don't Panic

There's been a lot of ink and pixels spilled of late over the Heartbleed bug. Yes, it's serious. Yes, it potentially affects almost everyone. Yes, there are some precautions you should take. But there's good news, too: for many people, it's a non-event. Heartbleed allows an attacker to recover a random memory area from a web or email server running certain versions of OpenSSL. The question is what's in that memory. It may be nothing, or it may contain user passwords (this has reportedly been seen on Yahoo's mail service), cryptographic keys, etc. more»

Is Your Organization Prepared for a Cyberattack?

Infamous heavyweight boxer Mike Tyson once said "everyone has a plan until they get punched in the face." As any organization that has faced a cyber attack will tell you, it is a lot like getting punched in the face, and if you're not ready, you might get knocked out. You've likely read recent headlines of major retailers, financial institutions, and now even universities, being hit with data breaches. As some of them have learned the hard way, it's not a question of if your organization will be attacked; it's a question of when. more»

A Bad Year for Phishing

Here at the Anti-Phishing Working Group meeting in Hong Kong, we've just released the latest APWG Global Phishing Survey. Produced by myself and my research partner Rod Rasmussen of Internet Identity, it's an in-depth look at the global phishing problem in the second half of 2013. Overall, the picture isn't pretty. There were at least 115,565 unique phishing attacks worldwide during the period. This is one of the highest semi-annual totals we've observed since we began our studies in 2007. more»

Proceedings of Name Collisions Workshop Available

Keynote speaker, and noted security industry commentator, Bruce Schneier (Co3 Systems) set the tone for the two days with a discussion on how humans name things and the shortcomings of computers in doing the same. Names require context, he observed, and "computers are really bad at this" because "everything defaults to global." Referring to the potential that new gTLDs could conflict with internal names in installed systems, he commented, "It would be great if we could go back 20 years and say 'Don't do that'," but concluded that policymakers have to work with DNS the way it is today. more»

Cloud Computing Can Make You More Secure

The number one concern cited for avoiding cloud computing is security. And there is a reason for that. Cloud providers have demonstrated some spectacular failures in the past, including Amazon's near total shutdown of an entire region, Dropbox's authentication snafu, and innumerous cloud providers that go belly-up. However, in the long run, cloud computing is destined to become more secure than in-house IT. I will briefly describe two dynamics in the industry that point in that direction, with substantiating evidence. more»

The Name Collision Conference

Earlier this week Verisign sponsored a two day conference on name collisions in the DNS. Despite the very short time frame in which it was organized, only a month from announcement to meeting, there were some very good presentations. I'll just hit some highlights here; all of the papers and slides are on their web site at namecollisions.net. Sunday morning started with a keynote by Bruce Schneier, who is not a DNS expert (and doesn't claim to be) but had some interesting observations on names in general. more»

Dynamic DNS Customers, Check Your Router Settings!

There have been quite a few news stories released over the last 24 hours regarding a wide-scale compromise of 300,00 Internet gateway devices. Here's the executive summary of what happened, how to check if you are vulnerable, and what you can do to fix it... If you use any of these devices, you should check it to ensure your device has not been compromised. more»

Jeff Schmidt to Present Name Collision Management Framework at Research Workshop

I'm delighted to announce that the name collisions workshop this weekend will include Jeff Schmidt, CEO of JAS Global Advisors, presenting the Name Collision Occurrence Management Framework that his firm just released for public review. Jeff's presentation is one of several on the program announced by the program committee for the Workshop and Prize on Root Causes and Mitigations of Name Collisions (WPNC). more»

More Denial of Service Attacks

There are quite a lot of NTP-amplified denial of service attacks going around at the moment targeting tech and ecommerce companies, including some in the email space. What does NTP-amplified mean? NTP is "Network Time Protocol" - it allows computers to set their clocks based on an accurate source, and keep them accurate. It's very widely used - OS X and Windows desktops typically use it by default, and most servers should have it running. more»

Papers Now Available Publicly for W3C/IAB "Strengthening the Internet" Workshop

Want to read a wide range of views on how to strengthen the security and privacy of the Internet? Interested to hear how some of the leaders of the open standards world think we can make the Internet more secure? As I wrote about previously here on CircleID, the W3C and the Internet Architecture Board (IAB) are jointly sponsoring a workshop on "Strengthening The Internet" (STRINT) on February 28 and March 1 in London just prior to the IETF 89 meeting happening all next week. more»

Keynote Speaker for Name Collisions Workshop: Bruce Schneier

There may still be a few security practitioners working in the field who didn't have a copy of Bruce Schneier's Applied Cryptography on their bookshelf the day they started their careers. Bruce's practical guide to cryptographic algorithms, key management techniques and security protocols, first published in 1993, was a landmark volume for the newly emerging field, and has been a reference to developers ever since. more»

News Briefs

Sophia Bekele: The AUCC Debate on Cybersecurity Needs to Involve All Stakeholders

European Standardization Organizations Discuss Role of Standards for EU Cybersecurity Strategy

US House Hearing Scheduled on Internet Stability, IANA Transition

Secure Domain Foundation Launched to Help Internet Infrastructure Operators Fight Cybercrime

Widespread Compromised Routers Discovered With Altered DNS Configurations

A Research Finds Banking Apps Leaking Info Through Phones

Significant Uptick Reported in Targeted Internet Traffic Misdirection

Upcoming Latin America and Caribbean DNS Forum

IETF Reaches Broad Consensus to Upgrade Internet Security Protocols Amid Pervasive Surveillance

IETF Looking at Technical Changes to Raise the Bar for Monitoring

John Crain Named ICANN's New Chief Security, Stability and Resiliency Officer

Israeli Tunnel Hit by Cyberattack Causing Massive Congestion

US Government Releases Cybersecurity Framework Proposal

Rodney Joffe on Security Vulnerabilities of Modern Automobiles

Paul Mockapetris to Serve as Senior Security Advisor to ICANN's Generic Domains Division

DDoS Awareness Day - Oct 23, Register Today for Live Virtual Event

Close to a Quarter of ZeroAccess Botnet Disabled, Reports Symantec

ANA: Concerns About ICANN's New gTLD Plans Growing and Very Serious

Bruce Schneier: Government and Industry Have Betrayed the Internet, and Us

Dotless Domains Considered Harmful, Says IAB

Most Commented

Taking Back the DNS

Fake Bank Site, Fake Registrar

When Registrars Look the Other Way, Drug-Dealers Get Paid

Who Is Blocking WHOIS? Part 2

Not a Guessing Game

Verisign Updates – Sponsor

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

At Verisign, we focus on protecting companies from increasingly complex cyber threats, and this relationship should only raise the bar higher, as it will provide a different, more integrated approach than what's used today, to help ensure faster and more efficient detection and mitigation. ›››

Motivated to Solve Problems at Verisign

As the world keeps changing, so do the requirements for products and services and the ways to achieve them most effectively. Our researchers and engineers continue to innovate and adapt to those changes, while also anticipating the next ones. ›››

Diversity, Openness and vBSDcon 2013

Diversity is a central design principle of the Domain Name System; diversity is one reason the DNS industry in general, and Verisign in particular, doesn't do everything the same way and in the same place. ›››

What's in a Name Server?

With the domain name space continuing to expand and new service providers entering the market, there has been a lot of discussion about the different types of DNS services available today. ›››

Frost & Sullivan Recognizes Verisign iDefense for Its Innovative Security Intelligence Services

Based on its recent analysis of the vulnerability research market, Frost & Sullivan recognizes Verisign iDefense with the 2012 North American Frost & Sullivan Award for Product Differentiation Excellence. ›››

Internet Grows to More Than 225 Million Domain Names in the Fourth Quarter of 2011

Nearly six million domain names were added to the Internet in the fourth quarter of 2011, bringing the total number of registered domain names to more than 225 million worldwide across all domains, according to the latest Domain Name Industry Brief, published by VeriSign, Inc. ›››

Verisign to Award New Infrastructure Research Grants

VeriSign, Inc. today announced the expansion of a grant program designed to promote cutting-edge research into strengthening and improving the Internet's global infrastructure. This year's program will focus specifically on fostering infrastructure improvements that support safe and secure Internet access for users around the globe, especially in the developing world. ›››
