Security

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Blogs

Can Big Companies Stop Being Hacked?

The recent huge security breach at Sony caps a bad year for big companies, with breaches at Target, Apple, Home Depot, P.F.Changs, Neiman Marcus, and no doubt other companies who haven't admitted it yet. Is this the new normal? Is there any hope for our private data? I'm not sure, but here are three observations... This week Brian Krebs reported on several thousand Hypercom credit card terminals that all stopped working last Sunday. Had they all been hacked? more»

One Year Later: Lessons Learned from the Target Breach

As the autumn leaves fall from naked trees to be trampled or encased in the winter snow, it reminds us of another year quickly gone by. Yet, for organisations that were breached and publicly scrutinised for their security lapses, it's been a long and arduous year. It was about this time last year that the news broke of Target's mega breach. Every news outlet was following the story and drip feeding readers with details, speculation and "expert opinion" on what happened, why it happened and who did it. more»

Wait and See Approach on Abuse

Wait and see approach on abuse attracts ICANN Stakeholder attention: A few weeks ago I made a detailed argument as to why product safety applies to domains, just like it does to cars and high chairs. I also argued that good products equal good business or "economically advantaged" in the long run. Then I really made a strong statement, I said if we don't actively engage other Internet stakeholders -- those that interact with our products, we would eventually lose the opportunity to self-regulate. more»

Which Domains Stand the Strongest Against Phishing Attacks?

The latest Anti-Phishing Working Group (APWG) Global Phishing Survey, which analyzed over 100,000 phishing attacks in the first half of 2014, examines the progress that top level domains (TLDs) are making in responding to phishing attacks that use their TLDs. The report finds the .INFO domain has the lowest average phishing uptimes as compared to other TLDs, such as .COM and .NET. more»

DNSSEC Adoption Part 3: A Five Day Hole in Online Security

Implementing security requires attention to detail. Integrating security services with applications where neither the security service nor the application consider their counterpart in their design sometimes make plain that a fundamental change in existing practices is needed. Existing "standard" registrar business practices require revision before the benefits of the secure infrastructure foundation DNSSEC offers can be realized. more»

Call For Participation - ICANN 52 DNSSEC Workshop on 11 Feb 2015 In Singapore

If you will be at ICANN 52 in Singapore in February 2015 (or can get there) and work with DNSSEC or the DANE protocol, we are seeking proposals for talks to be featured as part of the 6-hour DNSSEC Workshop on Wednesday, February 11, 2015. The deadline to submit proposals is Wednesday, December 10, 2015... The full Call For Participation is published online and gives many examples of the kinds of talks we'd like to include. more»

Nameserver Operators Need the Ability to "Disavow" Domains

Yesterday's DDoS attack against DNSimple brought to light a longstanding need for DNS nameserver operators to have an ability to unilaterally repudiate domains from their nameservers. The domains under attack started off on DNSMadeEasy, migrated off to DNSimple and took up residence there for about 12 hours, causing a lot of grief to DNSimple and their downstream customers. more»

A Brave New World or Do We Need to Discuss IT and Ethics?

Every day comes with another digital security breach, surveillance disclosure and what not. The world seems to have grown used to it and continues its business as usual. It doesn't seem to be bad enough to really act. Every day comes with new stories about the end of the Middle Class, IT taking over jobs in places where up to very recently that was inconceivable, not in people's wildest dreams would these jobs disappear. more»

Domain Name Abuse Is a 4 Letter Word

There has been a lot of back and forth recently in the ICANN world on what constitutes domain abuse; how it should be identified and reported AND how it should be addressed. On one side of the camp, we have people advocating for taking down a domain that has any hint of misbehaviour about it, and on the other side we have those that still feel Registries and Registrars have no responsibility towards a clean domain space. (Although that side of the camp is in steady decline and moving toward the middle ground). more»

If It Doesn't Exist, It Can't Be Abused

A number of outlets have reported that the U.S. Post Service was hacked, apparently by the Chinese government. The big question, of course, is why. It probably isn't for ordinary criminal reasons: The intrusion was carried out by "a sophisticated actor that appears not to be interested in identity theft or credit card fraud," USPS spokesman David Partenheimer said. ... But no customer credit card information from post offices or online purchases at usps.com was breached, they said. more»

Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia

In Internet Draft draft-lee-dnsop-scalingroot-00.txt, I described with my coauthors a method of distributing the task of providing DNS Root Name Service both globally and universally. In this article I will explain the sense of the proposal in a voice meant to be understood by a policy-making audience who may in many cases be less technically adept than the IETF DNSOP Working Group for whom the scalingroot-00 draft was crafted. I will also apologize for a controversial observation concerning the addition of new root name servers... more»

Customer Confusion over New(ish) gTLDs Targeting Financial Services

For the last decade and a bit, banking customers have been relentlessly targeted by professional phishers with a never-ending barrage of deceitful emails, malicious websites and unstoppable crimeware -- each campaign seeking to relieve the victim of their online banking credentials and funds. In the battle for the high-ground, many client-side and server-side security technologies have been invented and consequently circumvented over the years. Now we're about to enter a new era of mitigation attempts... more»

New MANRS Initiative Aims to Improve Security of Internet Routing

How can we work together to improve the security and resilience of the global routing system? That is the question posed by the "Routing Resilience Manifesto" site with the suggested answer launched today of the "Mutually Agreed Norms for Routing Security (MANRS) document, to which a number of network operators have already signed on as participants, including: Comcast, Level 3, NTT, RUNNet, ClaraNet, SURFnet, SpaceNet, KPN and CERNET. more»

Scaremongering from Spy Agents

In an article for the Financial Times, Mr Hannigan -- the chief of the British spy agency GCHQ said: "I understand why they [US technology companies] have an uneasy relationship with governments. They aspire to be neutral conduits of data and to sit outside or above politics." "But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism."... more»

An Open Letter to the Prime Minister of India, from Within India, Through an Internet Blog

Hon' Prime Minister, Why would India table Proposal 98 for the work of the ITU Plenipotentiary Conference? Contribution 98 wants the ITU to develop an IP address plan; wants it to be a contiguous IP address platform so as to enable the Governments to map and locate every Internet user; suggests that the ITU may coordinate the distribution of IP addresses accordingly; instructs the ITU Secretary General to develop policies for... naming, numbering and addressing which are [already] systematic, equitable... more»

News Briefs

Symantec Chosen as Verification Agent for .bank and .insurance TLDs

A Survey of Internet Users from 24 Countries Finds 83% Consider Affordable Access Basic Human Right

DNS Based DDoS Attacks Using White House Press Releases

Group Announces Certificate Authority to Encrypt the Entire Web, Lunching in 2015

European Data Breaches Have Resulted in Loss of 645 Million Records Since 2004

A Look at the Security Collapse in the HTTPS Market

TCP Stealth Aims to Keep Servers Safe from Mass Port-Scanning Tools

Google Announces Project Zero to Secure the Internet

DDoS Attacks Shutdown Several World Cup Websites

Popular RSS Reader Feedly Suffers Back to Back DDoS Attacks, Held for Ransom

Paul Vixie on How the Openness of the Internet Is Poisoning Us

Sophia Bekele: The AUCC Debate on Cybersecurity Needs to Involve All Stakeholders

European Standardization Organizations Discuss Role of Standards for EU Cybersecurity Strategy

US House Hearing Scheduled on Internet Stability, IANA Transition

Secure Domain Foundation Launched to Help Internet Infrastructure Operators Fight Cybercrime

Widespread Compromised Routers Discovered With Altered DNS Configurations

A Research Finds Banking Apps Leaking Info Through Phones

Significant Uptick Reported in Targeted Internet Traffic Misdirection

Upcoming Latin America and Caribbean DNS Forum

IETF Reaches Broad Consensus to Upgrade Internet Security Protocols Amid Pervasive Surveillance

Most Viewed

Most Commented

Taking Back the DNS

Fake Bank Site, Fake Registrar

When Registrars Look the Other Way, Drug-Dealers Get Paid

Who Is Blocking WHOIS? Part 2

Not a Guessing Game

Verisign Updates – Sponsor

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

Verisign just released its Q3 2014 DDoS Trends Report, which details observations and insights derived from distributed denial of service attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from July through September of this year. ›››

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Andrew G. West, a Research Scientist in Verisign Labs, along with collaborator and U.S. Naval Academy professor Adam J. Aviv examined nearly 900 million user-submitted URLs to gauge the prevalence and severity of privacy leaks. ›››

Verisign Named to the OTA's 2014 Online Trust Honor Roll

The Online Trust Alliance (OTA), a nonprofit organization that works collaboratively with industry leaders to enhance online trust, completed comprehensive evaluations of more than 800 sites and mobile applications by analyzing companies' data protection, security and privacy practices, including over two-dozen criteria. ›››

Tips to Address New FFIEC DDoS Requirements

Recently, the FFIEC released statements that describe steps it expects financial institutions to take to address cyberattacks and highlight resources institutions can use to help mitigate the risks posed by such attacks. ›››

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

At Verisign, we focus on protecting companies from increasingly complex cyber threats, and this relationship should only raise the bar higher, as it will provide a different, more integrated approach than what's used today, to help ensure faster and more efficient detection and mitigation. ›››

Motivated to Solve Problems at Verisign

As the world keeps changing, so do the requirements for products and services and the ways to achieve them most effectively. Our researchers and engineers continue to innovate and adapt to those changes, while also anticipating the next ones. ›››

Diversity, Openness and vBSDcon 2013

Diversity is a central design principle of the Domain Name System; diversity is one reason the DNS industry in general, and Verisign in particular, doesn't do everything the same way and in the same place. ›››

Industry Updates

Participants – Random Selection