A Bad Year for Phishing

Here at the Anti-Phishing Working Group meeting in Hong Kong, we've just released the latest APWG Global Phishing Survey. Produced by myself and my research partner Rod Rasmussen of Internet Identity, it's an in-depth look at the global phishing problem in the second half of 2013. Overall, the picture isn't pretty. There were at least 115,565 unique phishing attacks worldwide during the period. This is one of the highest semi-annual totals we've observed since we began our studies in 2007. more

Types of Attack

A lot of pixels have been spilled in the last few years about "advanced persistent threats" (APT); if nothing else, any high-end company that has been penetrated wants to blame the attack on an APT. But what is an APT, other than (as best I can tell) an apparent codename for China? Do they exist? After thinking about it for a while, I came up with the following representation... more

Two Years Later WannaCry Continues to Spread to Vulnerable Devices, Nearly 5M Devices Affected

Two years after the initial wave of WannaCry attack in May of 2017, security researchers say the ransomware continues to spread to vulnerable devices. WannaCry infection has affected close to 5 million devices to date. more

Google Engineer Ben McIlwain on Why HSTS Could Be a Perfect Fit for .Brands Security

The Google-run .app TLD was always destined to draw attention and scrutiny, from the moment it fetched a then-record ICANN auction price of $25 million. Since it reached General Availability in May it has gained more than 250,000 registrations making it one of the world's most successful TLDs. However perhaps more interesting was Google's choice to add the .app TLD and its widely used .google extension to the HTTP Strict Transport Security (HSTS) Top-Level Domain preload list, offering an unprecedented level of security for all domains under .google and .app. more

ICANN Board Member and Former GAC Chair to Give Evidence in .Africa Case

The controversy over the competing .africa TLD applications has been going on for some time. A recent decision by the International Centre For Dispute Resolution (ICDR) said that ICANN had breached its own by-laws and has questioned why ICANN won't allow a current board member and the former GAC Chair to speak to them and provide evidence. A letter that was published on the ICANN site yesterday suggests that ICANN may have changed their tune... more

The Good Old Days in the Cryptography Wars

The 20th century was the golden age of surveillance. High-speed communication went either by telegraph and telephone, which needed a license from the government, or by radio, which anyone can listen to. Codes were manual or electromechanical and were breakable, e.g., the Zimmermann telegram and Bletchley Park. (The UK government spent far more effort inventing a cover story for the source of the telegram than on the break itself, to avoid telling the world how thoroughly they were spying on everyone.) more

Internet Society Seeks Nominations for Board of Trustees

Are you passionate about preserving the global, open Internet? Do you have experience in Internet standards, development or public policy? If so, please consider applying for one of the open seats on the Internet Society Board of Trustees. The Internet Society serves a pivotal role in the world as a leader on Internet policy, technical, economic, and social matters, and as the organizational home of the Internet Engineering Task Force (IETF). more

Customer Confusion over New(ish) gTLDs Targeting Financial Services

For the last decade and a bit, banking customers have been relentlessly targeted by professional phishers with a never-ending barrage of deceitful emails, malicious websites and unstoppable crimeware -- each campaign seeking to relieve the victim of their online banking credentials and funds. In the battle for the high-ground, many client-side and server-side security technologies have been invented and consequently circumvented over the years. Now we're about to enter a new era of mitigation attempts... more

10.1 Million .ORG Domains and Counting

PIR released the results of the bi-annual domain name report, "The Dashboard," which outlines the growth of .ORG in the second half of 2012. Overall, we had a remarkable year. Most notably, we hit a major milestone in June with the registration of the 10 millionth .ORG domain! Some of the key findings of "The Dashboard" include the following. more

The Next Green Initiative is Internet Sustainability

We are all aware of the pollution caused by burning coal and combusting oil. The results are obvious: exhaust spewing from vehicles, factories, and power plants. Many of us don't realize we are actively contributing to the unnecessary burning of energy (natural gas and coal in the US) to power the Internet. We wag our fingers at Internet Service Providers (ISPs) and data centers, but the fact is that our own organizations are wasting electricity every single hour out of ignorance or apathy. more

Proposed Changes to Australia’s Data Retention Laws Likely to Be Costly

Australians may lose their right to privacy online if the attorney-general has her way. Nicola Roxon's discussion paper is before a parliamentary inquiry. Proposals include storing the social media and other online and telecommunications data of Australians for two years, under a major overhaul of Australia's surveillance laws. The government passed a toned down version of these proposals last week, giving police the power to force telcos to store data on customers for a specific period while a warrant is sought. more

Cyber Security and the White House

A few months ago, an article appeared on arstechnica.com asking the question "Should cybersecurity be managed from the White House?" During the recent presidential elections in the United States and the federal elections in Canada, the two major players in both parties had differing views that crossed borders. In the US, the McCain campaign tended to favor free market solutions to the problem of cybersecurity, and the Conservatives in Canada took a similar position... more

DNSSEC Taking Center Stage at 2010 Black Hat

On July 28th DNSSEC took center stage at the 2010 Black Hat Conference in Las Vegas. Two years ago, at the same conference, Dan Kaminsky unveiled the infamous DNS bug that many believe became a major catalyst for DNSSEC implementation. To kick things off, Jeff Moss -- founder of Black Hat -- in his opening speech called out the fact that "we have not solved any fundamental problems" and noted that the technical community must catch up. more

Cybercriminals Benefitting from Stalled Privacy/Proxy Policy

We've seen alarmingly BIG increases in multiple abusive behaviors – like phishing, hacking and malware – that often leverage the domain name system (DNS) and privacy/proxy services. Cybercriminals capitalize on gaps in DNS security measures, and ICANN is holding the door open for them by failing to implement their privacy/proxy policy. If you are ever targeted, you are not alone. more

Identical or Confusingly Similar to Trademarks but Noninfringing Domain Names

Domain names may be confusingly similar to trademarks or even identical or but not infringing. This is particularly true of trademarks acquired later than the allegedly infringing domain names ArcBest Corporation v. Domains By Proxy, LLC, Registration Private / Vernon Troupe, D2016-2381 (WIPO January 13, 2017) (<arcbest.com>, in which "ark" is a contraction of "Arkansas"), but it can also apply to marks composed of common element that predate domain name registration... more