Security

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Security / Recently Commented

Data Breaches Up Almost 50 Percent in 2008 as Compared to 2007

Businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to a nonprofit group that works to prevent identity fraud. Identity Theft Resource Center of San Diego is set to announce today that some 656 breaches were reported in 2008, up from 446 in the previous year. Nearly 37 percent of the breaches occurred at businesses, while schools accounted for roughly 20 percent of the reported incidents. more»

More Privacy, Bit by Bit

Before the Holidays, Yahoo got a flurry of good press for the announcement that it would (as the LA Times puts it) "purge user data after 90 days." My eagle-eyed friend Julian Sanchez noticed that the "purge" was less complete than privacy advocates might have hoped. more»

CircleID's Top 10 Posts of 2008

Here is a list of the most viewed news and blog postings that were featured on CircleID in 2008... Best wishes for 2009 and Happy New Year from all of us here at CircleID. more»

Cybersecurity Rapidly Growing Part of U.S. Budget, Lockheed and Boeing Heavily Involved

Lockheed Martin Corp. and Boeing Co., the world's biggest defense companies, are deploying forces and resources to a new battlefield: cyberspace. The military contractors, eager to capture a share of a market that may reach $11 billion in 2013, have formed new business units to tap increased spending to protect U.S. government computers from attack. more»

Experts Concerned Economic Downturn Getting in the Way of Patching Critical DNS Flaw

The discovery of a major DNS flaw in mid-2008 landed the technology in many headlines, but with economic concerns weighing on many in IT, industry watchers worry that revamping systems and security around domain name servers could be put on hold in 2009. The vulnerability discovered by director of penetration testing at IOActive Dan Kaminsky motivated numerous vendors to upgrade their products to protect enterprise networks against cache poisoning and other DNS attacks, such as distributed denial-of-service (DDoS). IT directors were encouraged to upgrade their DNS systems to guard against potential threats... more»

Researchers Demonstrate How to Launch Undetectable Phishing Attacks

With the help of about 200 Sony Playstations, an international team of security researchers have devised a way to undermine the algorithms used to protect secure Web sites and launch a nearly undetectable phishing attack. To do this, they've exploited a bug in the digital certificates used by Web sites to prove that they are who they claim to be. By taking advantage of known flaws in the MD5 hashing algorithm used to create some of these certificates, the researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any Web site on the Internet. more»

US Homeland Security Still Without Cybercrisis Plan

When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002. More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursdaymore»

Spam Peaked at 200 Billion per Day in 2008, Botnets Nexus of Criminal Activity, Says Cisco

In a 52 page security report released by Cisco, the company has confirmed what has been consistently been observed through out this year: "the Internet-based attacks are becoming increasingly sophisticated and specialized as profit-driven criminals continue to hone their approach to stealing data from businesses, employees and consumers." The 2008 edition of the report has specified the year's top security threats and offers recommendations for protecting networks against attacks that are propagating more rapidly, becoming increasingly difficult to detect, and exploiting technological and human vulnerabilities. more»

Localized Social Engineering on Demand

If I were to come across this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part. Following the ongoing trend of localizing cybercrimea new service takes the concept further by introducing a multilingual, on-demand social engineering service especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to the language limitations. more»

Six Days Later, Internet Explorer Still Unsafe

A malignant security flaw found in all versions of Microsoft's Internet Explorer browser has yet to be fixed, and the problem is spreading. Microsoft detailed the flaw in a security update blog post six days ago. Since then, the problem has spread across the globe, hitting at least 2 million computers. Unlike other computer exploits, this one does not require users to click on fishy links or download mysterious software: it plagues computers that simply open an infected Web page. Internet Explorer is currently used by 69 percent of Web surfers. more»

More US States Placing Criminal Records Online

Finding out can be a mouse click away, thanks to the growing crop of searchable online databases run directly by states. Vermont launched its service Monday, and now about 20 states have some form of them. The Web sites provide a valuable and timesaving service to would-be employers and businesses by allowing them to look up criminal convictions without having to submit written requests and wait for the responses. And they're popular: Last month alone, Florida's site performed 38,755 record checks. more»

The Report on "Securing Cyberspace for the 44th Presidency"

A report "Securing Cyberspace for the 44th Presidency" has just been released. While I don't agree with everything it says (and in fact I strongly disagree with some parts of it), I regard it as required reading for anyone interested in cybersecurity and public policy. The analysis of the threat environment is, in my opinion, superb; I don't think I've seen it explicated better. Briefly, the US is facing threats at all levels, from individual cybercriminals to actions perpetrated by nation-states. The report pulls no punches... more»

Severe Vulnerability Affecting IE5, IE6, and IE7

An unpatched vulnerability found in Internet Explorer 7 also affects older versions of the browser as well as the latest beta version, Microsoft has warned. The new information widens the pool of users who could be at risk of inadvertently becoming infected with malicious software installed on their PC, as Microsoft does not yet have a patch ready. In an advisory updated on Thursday, Microsoft confirmed that IE 5.01 with Service Pack 4, IE6 with and without Service Pack 1 and IE8 Beta 2 on all versions of the Windows operating system are potentially vulnerable. more»

Newly Launched Cyber Secure Institute Says Constant Hack and Patch Not the Answer

The Cyber Secure Institute has recently announced its launch with the mission to raise awareness and pressure on addressing issues related to cyber threats faced by the U.S., companies, and individuals. The Institute is unique in that it is not a trade association or industry group. Rob Housman, the Institute's Executive Director, said "We formed the Cyber Secure Institute because this is a critical time for cybersecurity. ... However, we can't address this threat through cybersecurity as we now know it -- endless after-the-fact struggles to close gaps exposed in inherently insecure technologies. If we continue this constant cycle of hack and patch we will never be secure." more»

Google Releases a One-Stop Reference Source to Browser Security

Today via its Online Security Blog, Google announced the release of its Browser Security Handbook aimed at providing web application developers, browser engineers, and information security researchers a "one-stop reference" to critical security attributes of modern web browsers. "Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities," says the introduction to the 60-page document. more»