Cybersecurity |
Sponsored by |
|
I was talking to my good friend Verner Entwhistle the other day when he suddenly turned to me and said "I don't think we need DNSSEC". Sharp intake of breath. Transpired after a long and involved discussion his case boiled down to four points: 1. SSL provides known and trusted security, DNSSEC is superfluous, 2. DNSSEC is complex and potentially prone to errors, 3. DNSSEC makes DoS attacks worse, 4. DNSSEC does not solve the last mile problem. Let's take them one at a time... more
DNS rebinding attacks are real and can be carried out in the real world. They can penetrate through browsers, Java, Flash, Adobe and can have serious implications for Web 2.0-type applications that pack more code and action onto the client. Such an attack can convert browsers into open network proxies and get around firewalls to access internal documents and services. It requires less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers. Everyone is at risk and relying on network firewalls is simply not enough. In a paper released by Stanford Security Lab, "Protecting Browsers from DNS Rebinding Attacks," authors Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh provide ample detail about the nature of this attack as well as strong defenses that can be put in place in order to help protect modern browsers. more
This is an issue of some concern and should be watched carefully: phishers are now trying to get passwords of domain registrants (domain owners). Currently, correspondents inform me that GoDaddy is the target, but there's no reason to think the phishers won't expand to other registrars. Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam. It's not known precisely why phishers are after domain registration information, but the possibilities are chilling... more
Last month's column looked at the exhaustion of the IPv4 unallocated address pool and the state of preparedness in the Internet to grapple with this issue... There has been a considerable volume of discussion in various IPv6 and address policy forums across the world about how we should respond to this situation in terms of development of address distribution policies. Is it possible to devise address management policies that might both lessen some of the more harmful potential impacts of this forthcoming hiatus in IPv4 address supply, and also provide some impetus to industry to move in the originally intended direction to transition into an IPv6 network? more
According to the majority of the testimony at this month's "Spam Summit," held by the U.S. Federal Trade Commission (FTC), the state of the fight against spam is pretty much the same as it has been for the last several years. The two days of presentations can largely be boiled down to the following bullets: Spam volumes continue to increase, being driven by the growth of "botnets"... Oh, and the spam wars are a lot less exciting than they used to be. Case in point: unlike last time, there were no fist-fights at this year's shindig. more
Last week, my colleagues over at Sunbelt Software discovered a bogus Windows domain being registered earlier this month (where the "w" in "windows" is actually two "v"s). Today, I've been alerted to the fact that are several additional Windows domains which have registered where the "w"s have been also been replaced with "v"s... more
No that's not really happening, Google is not buying VeriSign. But given Google's ravenous appetite for data, it might find VeriSign quite attractive. VeriSign has both root domain name servers and servers for the .com and .net top level domains (TLDs). VeriSign could data mine the queries coming into those servers and produce a very valuable real-time stream of what users on the net are doing... Google just bought Postini -- and one would have to be fairly naive to believe that Google does not intend to dredge through all... more
Funny how some topics seem sit on a quiet back burner for years, and then all of a sudden become matters of relatively intense attention. Over the past few weeks we've seen a number of pronouncements on the imminent exhaustion of the IP version 4 address pools. Not only have some of the Regional Internet Registries (RIRs) and some national registry bodies made public statements on the topic, we've now seen ICANN also make its pronouncement on this topic... Why the sudden uptake of interest in this topic? I suspect that a small part of this may be my fault! more
In one of the first (if not the first) UDRP cases for .cat, the auto giant BMW appears to have filed a WIPO case over the BMW.cat domain name. Other prospective new TLD operators have tried to suggest in ICANN meetings that these new TLDs do not cause problems with cybersquatting or defensive registrations... Obviously, given the above WIPO case, that statement is false. more
Legitimate email marketers, anti-spam groups and beleaguered recipients got a bit of good news with the arrest last week of a man described as one of the world's most prolific spammers. Robert Alan Soloway, 27, dubbed "the Seattle Spammer" by federal officials, was indicted on 35 charges related to fraudulent Internet activities. Soloway pleaded not guilty to all charges at his May 30 arraignment. You can read more here. Although it's always great when a notorious spammer gets put out of business, such actions probably won't result in a drop in the amount of spam that gets sent... more
A World-Renowned Source for Internet Developments. Serving Since 2002.