Security

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Security / Recently Commented

Geoff Huston on Securing the Internet Routing System

Excerpts of a recent interview by Network World's Carolyn Duffy Marsan with Geoff Huston, one of the foremost authorities on Internet routing and scaling issues, have been published on the site. Questions include: "Can you explain in plain English what RPKI is trying to do and how it relates to improving the security of the Internet's routing system?" Huston's response follows...

Embedding Malicious IFrames Through Stolen FTP Accounts

The practice of using stolen or data-mined FTP accounts (harvested from a botnet's infected population) is nothing new. In March 2008, a tool originally published in February 2007 got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then. Despite the fact that 2008 was clearly the year of the massive SQL injection attacks...

Phishers Using New Web-Based Technique 'In-Session Phishing' to Steal User Data, Researchers Warn

Security researchers have identified a new phishing attack method designed to trick users into surrendering confidential information after they have logged on to an online banking, brokerage, or other sensitive website. The technique, called in-session phishing, uses malicious JavaScript to inject legitimate-looking pop-up messages into all major browsers; the pop-ups request passwords, account numbers, etc., on behalf of the trusted website.

DARPA Announces $30 Million of First Contract Awards for National Cyber Range Program

The Defense Advanced Research Projects Agency announced on Jan. 8 a total of some $30 million of first contract awards for its National Cyber Range (NCR) program, a research and development testbed aimed at speeding deployment of new cybersecurity systems and a key part of the interagency Comprehensive National Cybersecurity Initiative (CNCI). Launched early in 2008, the CNCI will be managed by the Homeland Security Department and will be the central coordinating office for all of the government's cybersecurity organizations and development efforts...

Widespread Vulnerabilities in Programs Using OpenSSL, Bind Security Patch Released

New vulnerabilities have been discovered in multiple programs using OpenSSL, one of the standard cryptography libraries on Linux and Unix systems. Due to a common mistake in checking the return values of OpenSSL's signature-verification functions, several programs may be vulnerable to spoofing of digital signatures. The most important affected program is ISC BIND, the most widely used DNS server on the Internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. ISC has released BIND 9.6.0-P1 to fix this bug.

Hacker Sentenced to 30 Years in Prison in Turkish Court

A Turkish court has sentenced a hacker to 30 years in prison for his role in the theft of 45 million identities from credit card transactions at nine US retailers, including TJX. Ukrainian Maksym Yastremskiy was among 11 people charged by US authorities in August 2008 in connection with the biggest identity theft to date.

Opinion: UK Moving Quickly Down the Slippery Slope…

Admittedly, I'm not a Johnny-come-lately with regards to surveillance, intelligence, telecommunications, network security, law enforcement, and a cross-pollination of all-of-the-above. I actually have a very colorful background of working within all of the aforementioned disciplines - at one time or another - either through the U.S. Military, U.S. Government contractors, private industry, etc. ... And unfortunately, I am not generally "shocked" very often by much of the abuses being perpetrated on unwitting Internet users, both by supposedly "trusted" entities (e.g. Democratic Governments, ISPs, etc.)

22,000 New Malware Samples Detected Every Day in 2008, Says New Report

Security firm PandaLabs reports today that it received more malware in the first eight months of 2008 than in the previous 17 years combined, with Trojans the leading cause of malware infections. Panda Security's malware analysis and detection laboratory states that in 2008 it found an average of 35,000 malware samples each day, 22,000 of which were new. By the year's end, the total count of malware threats detected exceeded 15 million.

UK Police Gets Go-Ahead to Hack Home PCs Without Warrant

The Home Office has quietly adopted a new plan to allow police across Britain to routinely hack into people's personal computers without a warrant. The move, which follows a decision by the European Union's council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives "a coach and horses" through privacy laws. The hacking is known as "remote searching".

Data Breaches Up Almost 50 Percent in 2008 as Compared to 2007

Businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to a nonprofit group that works to prevent identity fraud. The Identity Theft Resource Center of San Diego is set to announce today that some 656 breaches were reported in 2008, up from 446 in the previous year. Nearly 37 percent of the breaches occurred at businesses, while schools accounted for roughly 20 percent of the reported incidents.

More Privacy, Bit by Bit

Before the holidays, Yahoo got a flurry of good press for the announcement that it would (as the LA Times puts it) "purge user data after 90 days." My eagle-eyed friend Julian Sanchez noticed that the "purge" was less complete than privacy advocates might have hoped.

CircleID's Top 10 Posts of 2008

Here is a list of the most viewed news and blog postings that were featured on CircleID in 2008... Best wishes for 2009 and Happy New Year from all of us here at CircleID.

Cybersecurity Rapidly Growing Part of U.S. Budget, Lockheed and Boeing Heavily Involved

Lockheed Martin Corp. and Boeing Co., the world's biggest defense companies, are deploying forces and resources to a new battlefield: cyberspace. The military contractors, eager to capture a share of a market that may reach $11 billion in 2013, have formed new business units to tap increased spending to protect U.S. government computers from attack.

Experts Concerned Economic Downturn Getting in the Way of Patching Critical DNS Flaw

The discovery of a major DNS flaw in mid-2008 landed the technology in many headlines, but with economic concerns weighing on many in IT, industry watchers worry that revamping systems and security around domain name servers could be put on hold in 2009. The vulnerability, discovered by Dan Kaminsky, director of penetration testing at IOActive, motivated numerous vendors to upgrade their products to protect enterprise networks against cache poisoning and other DNS attacks, such as distributed denial-of-service (DDoS). IT directors were encouraged to upgrade their DNS systems to guard against potential threats...

Researchers Demonstrate How to Launch Undetectable Phishing Attacks

With the help of about 200 Sony PlayStations, an international team of security researchers has devised a way to undermine the algorithms used to protect secure Web sites and launch a nearly undetectable phishing attack. To do this, they exploited a bug in the digital certificates used by Web sites to prove that they are who they claim to be. By taking advantage of known flaws in the MD5 hashing algorithm used to create some of these certificates, the researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet.