Threat Intelligence
A report from one of the largest documented surveys conducted on the ethical hacking community reveals some hackers are earning over 16 times that of full-time software engineers in their home country.
The market has failed to secure cyberspace. A ten-year experiment in faith-based cybersecurity has proven this beyond question. The market has failed and the failure of U.S. policies to recognize this explains why we are in crisis. The former chairman of the Security and Exchange Commission, Christopher Cox, a longtime proponent of deregulation, provided a useful summary of the issue when he said, "The last six months have made it abundantly clear that voluntary regulation does not work."...
Last week, I re-tweeted Cloudflare's announcement that they are providing universal SSL for their customers. I believe the announcement is a valuable one for the state of the open Internet for a couple of reasons: First, there is the obvious -- they are doubling the number of websites on the Internet that support encrypted connections. And, hopefully, that will prompt even more sites/hosting providers/CDNs to get serious about supporting encryption, too. Web encryption -- it's not just for e-commerce, anymore.
In a note released this week, Google announced that it will begin publicly sharing National Security Letters (NSLs) it receives that have been freed of nondisclosure obligations either through litigation or legislation.
.ORG, The Public Interest Registry (PIR) has announced today the launch of a new campaign aimed at educating IT professionals about securing DNS and the adoption of Domain Name System Security Extensions (DNSSEC). The key purpose of the "Practice Safe DNS" website, according to PIR, is to "serve as a key resource for domain holders, registrars, web developers and IT professionals to learn how they can respectively play an increasingly relevant role in providing a safer and more secure Internet."
If current predictions are correct, 2009 will be a tougher year than 2008 in terms of the economy. In tough economic times such as these it becomes increasingly important for us to follow recommended safety practices when going online. As the numbers of Internet-related fraud and financial scams continue to increase we should expect the current economic situation to produce more victims of cybercrime. Knowledge and vigilance are the keys to remaining safe while online.
The new Global Phishing Survey released by the Anti-Phishing Working Group (APWG) this month reveals that phishing gangs are concentrating their efforts within specific top level domains (TLDs), but also that anti-phishing policies and mitigation programs by domain name registrars and registries can have a significant and positive effect. The number of TLDs abused by phishers for their attacks expanded 7 percent from 145 in H2/2007 to 155 in H1/2008. The proportion of Internet-protocol (IP) number-based phishing sites decreased 35 percent in that same period, declining from 18 percent in the second half of 2007 to 13 percent in the first half of 2008.
ICANN introduced a requirement for domain name registrars to send out annual notices to all their customers (registrants) to check the Whois on their domain names to ensure the information is correct. While this seemed fairly reasonable (if cumbersome), the fact is it confuses the heck out of people -- and creates a whole lot of confusion for registrants. But that was a problem we could deal with. Fast-forward to October, 2008...
Last April, I shared information about a multistakeholder process that CIRA is part of, which seeks to identify and guide the development of policy around the Internet of Things (IoT), putting security at the heart of internet innovations in Canada. Since the formation of this process, we've made quite a bit of progress and I'm pleased to share some of that with you.
Wait and see approach on abuse attracts ICANN Stakeholder attention: A few weeks ago I made a detailed argument as to why product safety applies to domains, just like it does to cars and high chairs. I also argued that good products equal good business or "economically advantaged" in the long run. Then I really made a strong statement, I said if we don't actively engage other Internet stakeholders -- those that interact with our products, we would eventually lose the opportunity to self-regulate.
I don't (and probably won't) have anything substantive to say about the technical details of the just-announced Meltdown and Spectre attacks. What I do want to stress is that these show, yet again, that security is a systems property: being secure requires that every component, including ones you've never heard of, be secure. These attacks depend on hardware features... and no, many computer programmers don't know what those are, either.
A Twitter thread on trolls brought up mention of trolls on Usenet. The reason they were so hard to deal with, even then, has some lessons for today; besides, the history is interesting. (Aside: this is, I think, the first longish thing I've ever written about any of the early design decisions for Usenet. I should note that this is entirely my writing, and memory can play many tricks across nearly 40 years.)
This is a story about my mother and Obama. My mother: "Have you heard about Obama? Really impressive guy." Me: "What about him?" My mother: "x, y and z." Me: "Where did you hear about this?" My mother: "I read email too, you are not the only one who is into technology." Luckily, my mother bases her opinion on more than just spam messages...
The Internet Corporation for Assigned Names and Numbers (ICANN) has released new guidance concerning the reporting and disclosure of bugs that affect the Domain Name System, including information on how ICANN itself will behave in response to vulnerabilities. Until recently, ICANN, which is responsible for maintaining the root domain servers at the heart of the DNS system, had no specific guidelines for the reporting of vulnerabilities, leaving responsible disclosure protocols up to the researchers who discovered the bug.
A reasonably well informed article in Thursday's USA Today reminds us that in 2004 Bill Gates said the spam problem would be solved in early 2006, but here at the end of 2007 there's more spam than ever. They go through a laundry list of problems of spambots, new kinds of PDF and MP3 spam, and phishing, and a list of partial or non-solutions including filters, walled gardens, and an odd system called Boxbe, a hybrid of whitelists, challenge/response, and pay for delivery. Oh, and Bill says he never said spam would be solved...