Weekend Reads 010821

Internet Society Chapters in Europe are warning the European Commission that its recent plea for Member States to help find ways to access encrypted communications could make millions of citizens and countries more vulnerable to harm and terrorism online.

Every Christmas season the Mozilla Foundation reviews a list of IoT devices that do not protect privacy. It seems like almost anything we buy today that includes electronics also connects to the Internet.

You have probably heard the saying: “If you are not paying for the product, you ARE the product”. Nowhere is this more acute than on the internet when our personal data is collected, analyzed and used to persuade us to buy products or ideas, many times without our explicit knowledge or permission.

Due to its growing popularity, identifying which addresses are anycasted and from where they are announced is becoming fundamentally important to provide a more accurate assessment of the Internet’s resilience.

Privacy plays an important part in the development of NLnet Labs products. For Unbound this manifests itself by being in the front line of the development of privacy preserving features like QNAME minimization, auth-zones, and DNS-over-TLS (DoT).

The 2020 (ISC)² Cybersecurity Workforce Study looks at the effect of this transition to remote work and how organizations have fared. It also analyzes the impact of the pandemic and the resultant transition to remote work on cybersecurity professionals.

Imagine a popular social network that takes privacy super seriously. By default, your posts are visible only to people in your real-life community. Not only does the company not use tracking cookies, but it promises it never will. It even announces that future changes to the privacy policy will be put to a vote by users before implementation.

Newly discovered web skimming malware is capable of hiding in plain sight to inject payment card skimmer scripts into compromised online stores.

Our recent annual surveys found that racks with densities of 20 kW and higher are becoming a reality for many data centers (we asked about highest rack density) — but not to the degree forewarned. Year-over-year, most respondents said their highest density racks were in the 10-19 kW range, which is not enough to merit wholesale technical changes.

Domain spoofing is a very common form of a security breach wherein a cybercriminal tries to impersonate a company’s business email domain to carry out a range of malicious activities by forging the sender’s address.

Some widely sold D-Link VPN router models have been found vulnerable to three new high-risk security vulnerabilities, leaving millions of home and business networks open to cyberattacks—even if they are secured with a strong password.

One of these questions was posed first to DNS resolver operators in the middle of the last decade, and is now being brought to authoritative name server operators: “to encrypt or not to encrypt?” It’s a question that Verisign has been considering for some time as part of our commitment to security, stability and resiliency of our DNS operations and the surrounding DNS ecosystem.

There is a new threat in town known as “SAD DNS” that allows attackers to redirect traffic, putting companies at risk of phishing, data breach, reputation damage, and revenue loss.

Chances are, by now you have heard about the controversy surrounding TikTok, the popular social media video app. The controversy stems from allegations that TikTok complies with the Chinese Communist Party’s request to provide user data for purposes of surveillance and intelligence gathering. And yes, that data is purported to include US user data.

Large-scale phishing attacks remain a key threat to Internet users and organizations, both due to the direct harm these attacks can cause, such as identity theft or account compromise, and other collateral damage, such as risks due to password reuse across services or simply the necessity of mitigations.

Cybersecurity researchers disclosed a dozen new flaws in multiple widely-used embedded TCP/IP stacks impacting millions of devices ranging from networking equipment and medical devices to industrial control systems that could be exploited by an attacker to take control of a vulnerable system.

In their report “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?,” for instance, Siemens and the Ponemon Institute found that 64% of respondents considered sophisticated attacks against the utilities sector a top challenge. Slightly less than that (54%) said that they expected an attack on CNI would occur in the next year.

The Open Platform Communications Unified Architecture (OPC UA) protocol is a prime candidate for secure future industrial communication. While the protocol’s security features are widely attested, it requires extensive configuration to achieve the promised security level.

You’ve probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you’re unfamiliar, a MITM vulnerability works by redirecting a victim’s legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim’s data before sending it to its intended destination.

“Doxxing” is an eerie, cyber-sounding term that gets thrown around more and more these days, but what exactly does it mean? Simply put, it’s when a person or other entity exposes information about you, publicly available or secret, for the purpose of causing harm.