Cybersecurity |
Sponsored by |
One thing I enjoy about following Dyn Research (formerly Renesys) on Twitter is that they provide quite interesting graphics and charts about Internet outages. They've been tracking North Korea's Internet access quite closely over the past week and their tweets have been quite enlightening. Back on December 22, for instance, DynResearch tweeted a chart showing a 9-hour, 31-minute outage... more
After the botched burglary at the Watergate Apartments, every scam and scandal that hit the headlines became a 'gate' -- Irangate, Contragate, you name it. The Heartbleed bug is possibly the closest thing to Watergate that this generation of computer security had seen till the past few days -- an exploit in a component that is "just there" -- something you utterly rely on to be there and perform its duties, and give very little thought to how secure (or rather, insecure) it might be. So, fittingly, every such catastrophic bug in an ubiquitous component is now a 'bleed'. more
Where is the domain industry with the adoption of DNSSEC? After a burst of well publicized activity from 2009-2011 -- .org, .com, .net, and .gov adopting DNSSEC, roots signed, other Top-Level Domains (TLDs) signed -- the pace of adoption appears to have slowed in recent years. As many CircleID readers know, DNSSEC requires multiple steps in the chain of trust to be in place to improve online security. more
In a video interview conducted during the NSCS ONE conference, Paul Vixie CEO of Farsight Security further discusses the topic of his presentation titled: "Defective by Design -- How the Internet's Openness is Slowly Poisoning Us". more
The first question I often get when talking to IT Service providers on ISO 27001 certification is: "How much does it cost to get it?" I like to reply with a question: "how much does it cost when you don't have it?" The answer to the first question is easy, the answer to the second one is more complicated. As a financial I am interested in the business case. If the cost of not having an ISO 27001 certification is higher than the cost of getting and maintaining one, you can actually make a profitable investment by getting certified. more
How do we harden the Internet against the kinds of pervasive monitoring and surveillance that has been in recent news? While full solutions may require political and legal actions, are there technical improvements that can be made to underlying Internet infrastructure? As discussed by IETF Chair Jari Arkko in a recent post on the IETF blog, "Plenary on Internet Hardening", the Technical Plenary at next weeks IETF 88 meeting in Vancouver, BC, Canada, will focus on this incredibly critical issue. more
During a speech last week at the Internet Governance Forum in Bali, Jari Arkko, IETF's chair, re-emphasized it's efforts to ramp up online security in light of recent revelations of mass internet surveillance. "Perhaps the notion that internet is by default insecure needs to change," Arkko said. Significant technical fixes "just might be possible." more
Over the last 5 years, hacktivists have continued the practice of redirecting well-known domain names to politically motivated websites utilizing tactics such as SQL injection attacks and social engineering schemes to gain access to domain management accounts -- and that, in and of itself, is not surprising. But what IS surprising is the fact that less than 15% of the 500 most highly trafficked domains in the world are utilizing Registry Locking. more
When the domain name system (DNS) was first designed, security was an afterthought. Threats simply weren't a consideration at a time when merely carrying out a function - routing Internet users to websites - was the core objective. As the weaknesses of the protocol became evident, engineers began to apply a patchwork of fixes. After several decades, it is now apparent that this reactive approach to DNS security has caused some unintended consequences and challenges. more
At the Internet Governance Forum in Baku, I made an intervention on behalf of NL IGF, reporting on the recommendations given by the participants of Workshop 87... I concluded that more regulatory and law enforcement bodies need to become part of the IGF discussions, as they are an integral part of governing the Internet from a safety and security perspective. Mr. Cerf responded with a one-liner: "I can't help observing, if we keep the regulatories confused, maybe they will leave us alone". more
The President and Congress are deliberating how best to ensure appropriate cybersecurity protection for private sector critical infrastructure. Legislative action and Executive Order are both under consideration. It is possible, however, that the White House Office of Management and Budget (OMB) already has sufficient statutory authority to enact new cybersecurity regulations through the normal notice-and-comment rulemaking process. more
According to press reports, DHS is going to require federal computer contractors to scan for holes and start patching them within 72 hours. Is this feasible? It's certainly a useful goal. It's also extremely likely that it will take some important sites or applications off the air on occasion - patches are sometimes buggy (this is just the latest instance I've noticed), or they break a (typically non-guaranteeed or even accidental) feature that some critical software depends on. more
Crime, fraud, scams etc., they're all very bad things. They're also not going to go away anytime soon. As a domain name registrar and hosting provider we're constantly "at risk", as we sell a lot of services that are both cost-effective and also give criminals the tools they need to attack 3rd parties. Again, this isn't exactly news. We've always taken a very pro-active approach to dealing with criminal activity and network abuse... But recently I've been losing sleep. more
Only two years after signing the DNS root zone, the powerful lure of a secure global infrastructure for data distribution is starting to reveal itself. It is illustrated clearly by two proposed technical standardizations that seek to leverage secure DNS. To some degree these developments highlight the strength of DNS institutions and how they might fill gaps elsewhere in the Internet's governance. But an increasing reliance upon and concentration of power in the DNS also makes getting its global governance correct even more important. more
Mobile networks aren't usually thought of as sources of spam, but a quick look at some of the resources that track spam reveals they actually are. This is counter intuitive at first glance because when most people think of mobile they think of smartphones, and those aren't known to be sources of spam (at least not yet). What's really going on is PCs connected to mobile networks with air cards, or tethered with a smartphone where it's permissible, are the culprits more