IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.New website called PwnedList allows people to check if their online accounts have been compromised by entering associated email address or username. The site is currently maintained by security researchers Alen Puzic and Jasiel Spelman who started the site as an experiment to discover how many compromised accounts could be harvested programatically. The site also assures users that no email or username entered is stored in shape or form. more»
New security report has revealed at least 48 companies involved in research, development, manufacturing of chemicals and advanced materials have been victims of a coordinated cyberattack traced to a source in China. The purpose of the attacks, code named Nitro, appear to be industrial espionage, collecting intellectual property for competitive advantage, according to Symantec. more»
Shawn Henry, FBI's executive assistant director says computer networks that control power plants and financial systems will never be secure enough, so government and corporate leaders should consider developing a new, highly secure alternative Internet, according to an AP report. "We can't tech our way out of the cyberthreat. The challenge with the Internet is you don't know who's launching the attack." A key step, he said, would be to develop networks where anonymity is not an option and only known and trusted employees have access. more»
Virus researchers at Symantec Corp. have revealed a variant of the Stuxnet worm, named Duqu, that is found to be stealing information about industrial control systems. Symantec reports: "Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility... Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose." more»
U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes. The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses. more»
SSL replacement proposal made by security expert Moxie Marlinspike, last August at the Black Hat Conference (called 'Convergence'), is gaining some momentum, particularly after the recent hacker attacks on DigiNotar, GlobalSign, Comodo and other SSL certificate authorities that have resulted in fake certificates coming into use on the web, including a fake Google certificate, since revoked. more»
The U.S. departments of Commerce and Homeland Security (DHS) has met with other agencies and private-sector leaders in the information technology industry discussing the need to create a voluntary industry code of conduct to address the detection and mitigation of botnets. The meeting, hosted by the Center for Strategic and International Studies (CSIS), included topics such as the problematic and at time controversial issue of notifying individuals whose computers have been infected with malware and are part of a botnet. more»
Robert McMillan reporting in InfoWorld: "Microsoft has opened a front in its ongoing battle against Internet scammers, using the power of a U.S. court to deal a knockout blow to an emerging botnet and taking offline a provider of free Internet domains. Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet." more»
The Domain Name System, or DNS, has come a long way since its early days and the constant expansion of consumer activity and security concerns has raised further awareness about the critical role of the DNS. However, as the Yankee Group Research points out in a recent report, "there are more changes coming that are also raising the profile of DNS -- notably the move to cloud computing and the migration to IPv6." Suffice to say this is "Not Your Father's DNS". The report titled, "DNS: Risk, Reward and Managed Services" takes a fresh look at today's state of the DNS and the pros and cons of in-house, ISP and managed service provider DNS management options. more»
Wout de Natris: "In this decision OPTA revokes the registration of Diginotar as a so called Trusted Third Party. Diginotar issued certified certificates for digital signatures. The security breach by Iranian hackers over the summer, which Diginotar did not report to the authorities, lead to severe credibility issues for all Diginotar certificates issued before. This included Dutch government websites, but also led to severe breaches of privacy for Iranian end users, in multiple countries. As a result of OPTA's decision all certificates issued by Diginotar have to be revoked, while at the same she is forbidden to issue new ones. more»
Reported in Guardian: "Footage that appears to feature army-labelled software raises questions about China's denials of involvement in hacking. China's state broadcaster has screened footage that apparently shows army-labelled software for attacking US-based websites, security experts have said. Beijing has consistently denied being behind cyber-attacks, insisting it plays no part in hacking and is itself a victim." more»
While a more secure online banking may be offered should banks choose to take advantage of ICANN's recently liberalized generic Top-Level Domains (gTLDs) application process, some banks may have difficulty taking advantage of their new domain-name liberty because of their "klunky names", according to nomenclature specialist Naseem Javed, founder of New York-based ABC Namebank. Additionally the American Bankers Association is concerned that whatever entity ends up controlling the .bank domain could either charge high fees to financial institutions wishing to protect their intellectual property or fail to securely operate such domains, damaging consumer confidence in the internet channel. more»
New research indicates cyberattacks increasingly plague businesses and government organizations, resulting in significant financial impact, despite widespread awareness. Conducted by the Ponemon Institute, the Second Annual Cost of Cyber Crime Study revealed that the median annualized cost of cybercrime incurred by a benchmark sample of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization. This represents an increase of 56 percent from the median cost reported in the inaugural study published in July 2010. more»
The U.S. Department of Transportation (USDOT), Research and Innovative Technology Administration (RITA) and Volpe National Transportation Systems Center (Volpe Center), today released a Request for Information (RFI) seeking to obtain informed views on the "perceived needs, prevailing practices, and lessons learned concerning the cybersecurity and safety of safety-critical electronic control systems used in various modes of transportation and other industry sectors."
more»
Paul Roberts reporting in threatpost: "Stuxnet may have been super sophisticated cyber weapon deployed by state actors, but future generations of the malware will be available to run of the mill script kiddies, a noted expert on security and industrial control systems has warned in a letter to the U.S. Congress ten months ago. Ralph Langner, the UK-based security consultant, released a copy of a confidential letter addressed to a member of the U.S. House of Representatives." more»
