Security

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Blogs

A Brave New World or Do We Need to Discuss IT and Ethics?

Every day comes with another digital security breach, surveillance disclosure and what not. The world seems to have grown used to it and continues its business as usual. It doesn't seem to be bad enough to really act. Every day comes with new stories about the end of the Middle Class, IT taking over jobs in places where up to very recently that was inconceivable, not in people's wildest dreams would these jobs disappear. more»

Domain Name Abuse Is a 4 Letter Word

There has been a lot of back and forth recently in the ICANN world on what constitutes domain abuse; how it should be identified and reported AND how it should be addressed. On one side of the camp, we have people advocating for taking down a domain that has any hint of misbehaviour about it, and on the other side we have those that still feel Registries and Registrars have no responsibility towards a clean domain space. (Although that side of the camp is in steady decline and moving toward the middle ground). more»

If It Doesn't Exist, It Can't Be Abused

A number of outlets have reported that the U.S. Post Service was hacked, apparently by the Chinese government. The big question, of course, is why. It probably isn't for ordinary criminal reasons: The intrusion was carried out by "a sophisticated actor that appears not to be interested in identity theft or credit card fraud," USPS spokesman David Partenheimer said. ... But no customer credit card information from post offices or online purchases at usps.com was breached, they said. more»

Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia

In Internet Draft draft-lee-dnsop-scalingroot-00.txt, I described with my coauthors a method of distributing the task of providing DNS Root Name Service both globally and universally. In this article I will explain the sense of the proposal in a voice meant to be understood by a policy-making audience who may in many cases be less technically adept than the IETF DNSOP Working Group for whom the scalingroot-00 draft was crafted. I will also apologize for a controversial observation concerning the addition of new root name servers... more»

Customer Confusion over New(ish) gTLDs Targeting Financial Services

For the last decade and a bit, banking customers have been relentlessly targeted by professional phishers with a never-ending barrage of deceitful emails, malicious websites and unstoppable crimeware -- each campaign seeking to relieve the victim of their online banking credentials and funds. In the battle for the high-ground, many client-side and server-side security technologies have been invented and consequently circumvented over the years. Now we're about to enter a new era of mitigation attempts... more»

New MANRS Initiative Aims to Improve Security of Internet Routing

How can we work together to improve the security and resilience of the global routing system? That is the question posed by the "Routing Resilience Manifesto" site with the suggested answer launched today of the "Mutually Agreed Norms for Routing Security (MANRS) document, to which a number of network operators have already signed on as participants, including: Comcast, Level 3, NTT, RUNNet, ClaraNet, SURFnet, SpaceNet, KPN and CERNET. more»

Scaremongering from Spy Agents

In an article for the Financial Times, Mr Hannigan -- the chief of the British spy agency GCHQ said: "I understand why they [US technology companies] have an uneasy relationship with governments. They aspire to be neutral conduits of data and to sit outside or above politics." "But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism."... more»

An Open Letter to the Prime Minister of India, from Within India, Through an Internet Blog

Hon' Prime Minister, Why would India table Proposal 98 for the work of the ITU Plenipotentiary Conference? Contribution 98 wants the ITU to develop an IP address plan; wants it to be a contiguous IP address platform so as to enable the Governments to map and locate every Internet user; suggests that the ITU may coordinate the distribution of IP addresses accordingly; instructs the ITU Secretary General to develop policies for... naming, numbering and addressing which are [already] systematic, equitable... more»

DNSSEC Workshop Streaming Live From ICANN 51 On Wednesday, Oct 15

Want to learn about the state of DNSSEC usage in North America? Or what is new in DNS monitoring? Or where DNSSEC fits into the plans of operating systems? Or how DANE is being used to bring a higher level of security to email? All those questions and much more will be discussed at the DNSSEC Workshop at ICANN 51 happening on Wednesday, October 15, 2014, from 8:30 am to 2:45 pm Pacific Daylight Time (PDT, which is UTC-7). more»

.trust Technical Policy Launch

Whenever I examine the technical elements of the various Internet security certifications and standards that organisations are clamouring to achieve compliance against, I can't help but feel that in too many cases those businesses are prioritising the wrong things and wasting valuable resources. They may as well be following a WWI field guide on how to keep cavalry horses nourished and bayonets polished in a world of stealth aircraft and dirty bombs. more»

Some Observations from NANOG 62

NANOG 62 was held at Baltimore from the 6th to the 9th October. These are my observations on some of the presentations that occurred at this meeting. .. One of the more memorable sides in this presentation was a reference to "map" drawn by Charles Minard in 1869 describing the statistics relating to the Napoleonic military campaign in Russia, and the subsequent retreat. more»

If Compliance Were an Olympic Sport

It probably won't raise any eyebrows to know that for practically every penetration tester, security researcher, or would-be hacker I know, nothing is more likely to make their eyes glaze over and send them to sleep faster than a discussion on Governance, Risk, and Compliance (i.e. GRC); yet the dreaded "C-word" (Compliance) is a core tenet of modern enterprise security practice. more»

Privacy and Security - Five Objectives

It has been a very busy period in the domain of computer security. With "shellshock", "heartbleed" and NTP monlink adding to the background of open DNS resolvers, port 445 viral nasties, SYN attacks and other forms of vulnerability exploits, it's getting very hard to see the forest for the trees. We are spending large amounts of resources in reacting to various vulnerabilities and attempting to mitigate individual network attacks, but are we making overall progress? What activities would constitute "progress" anyway? more»

Web Encryption - It's Not Just for E-Commerce, Anymore

Last week, I re-tweeted Cloudflare's announcement that they are providing universal SSL for their customers. I believe the announcement is a valuable one for the state of the open Internet for a couple of reasons: First, there is the obvious -- they are doubling the number of websites on the Internet that support encrypted connections. And, hopefully, that will prompt even more sites/hosting providers/CDNs to get serious about supporting encryption, too. Web encryption -- it's not just for e-commerce, anymore. more»

Cigarette Smuggling and Cyber Security: Low-Tech Crimes Fund High-Tech Threats

You may not connect the cheap cigarettes sold under the counter (or out of a trunk, bodega or by a street vendor) with the mysterious charges on your credit card that you don't remember making or the cash that has, somehow, just disappeared from your bank account. You also may not connect that website selling cheap cigarettes made in second and third world countries with Shellshock or whatever the fashionably scary cyber-threat of the day is when you're reading this. more»

News Briefs

A Survey of Internet Users from 24 Countries Finds 83% Consider Affordable Access Basic Human Right

DNS Based DDoS Attacks Using White House Press Releases

Group Announces Certificate Authority to Encrypt the Entire Web, Lunching in 2015

European Data Breaches Have Resulted in Loss of 645 Million Records Since 2004

A Look at the Security Collapse in the HTTPS Market

TCP Stealth Aims to Keep Servers Safe from Mass Port-Scanning Tools

Google Announces Project Zero to Secure the Internet

DDoS Attacks Shutdown Several World Cup Websites

Popular RSS Reader Feedly Suffers Back to Back DDoS Attacks, Held for Ransom

Paul Vixie on How the Openness of the Internet Is Poisoning Us

Sophia Bekele: The AUCC Debate on Cybersecurity Needs to Involve All Stakeholders

European Standardization Organizations Discuss Role of Standards for EU Cybersecurity Strategy

US House Hearing Scheduled on Internet Stability, IANA Transition

Secure Domain Foundation Launched to Help Internet Infrastructure Operators Fight Cybercrime

Widespread Compromised Routers Discovered With Altered DNS Configurations

A Research Finds Banking Apps Leaking Info Through Phones

Significant Uptick Reported in Targeted Internet Traffic Misdirection

Upcoming Latin America and Caribbean DNS Forum

IETF Reaches Broad Consensus to Upgrade Internet Security Protocols Amid Pervasive Surveillance

IETF Looking at Technical Changes to Raise the Bar for Monitoring

Most Viewed

Most Commented

Taking Back the DNS

Fake Bank Site, Fake Registrar

When Registrars Look the Other Way, Drug-Dealers Get Paid

Who Is Blocking WHOIS? Part 2

Not a Guessing Game

Verisign Updates – Sponsor

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

Verisign just released its Q3 2014 DDoS Trends Report, which details observations and insights derived from distributed denial of service attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from July through September of this year. ›››

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Andrew G. West, a Research Scientist in Verisign Labs, along with collaborator and U.S. Naval Academy professor Adam J. Aviv examined nearly 900 million user-submitted URLs to gauge the prevalence and severity of privacy leaks. ›››

Verisign Named to the OTA's 2014 Online Trust Honor Roll

The Online Trust Alliance (OTA), a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive evaluations of more than 800 sites and mobile applications by analyzing companies' data protection, security and privacy practices, including over two-dozen criteria. ›››

Tips to Address New FFIEC DDoS Requirements

Recently, the FFIEC released statements that describe steps it expects financial institutions to take to address cyberattacks and highlight resources institutions can use to help mitigate the risks posed by such attacks. ›››

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

At Verisign, we focus on protecting companies from increasingly complex cyber threats, and this relationship should only raise the bar higher, as it will provide a different, more integrated approach than what's used today, to help ensure faster and more efficient detection and mitigation. ›››

Motivated to Solve Problems at Verisign

As the world keeps changing, so do the requirements for products and services and the ways to achieve them most effectively. Our researchers and engineers continue to innovate and adapt to those changes, while also anticipating the next ones. ›››

Diversity, Openness and vBSDcon 2013

Diversity is a central design principle of the Domain Name System; diversity is one reason the DNS industry in general, and Verisign in particular, doesn't do everything the same way and in the same place. ›››

Industry Updates

Participants – Random Selection