In this week’s Cyber Risk Report we briefly discussed the fact that millions of individuals are victims of their own carelessness by freely posting information such as vacation plans and family photos on social networks and by storing Personally Identifiable Information (PII), such as medical records and financial information, on mobile devices. Users are sometimes not properly educated when it comes to what types of information should be shared, and with whom they should be sharing this information. This lack of education and subsequent “overposting” of personal details is now trickling down to our youth, some of whom are under the legal age to even utilize some of these social network sites. Read More »
On June 1-2, I will be participating in the EastWest Institute’s (EWI) second Worldwide Cybersecurity Summit at the Queen Elizabeth II Conference Center in London, and I’m very excited about the prospects for this event.
EastWest Institute is a global, action-oriented, “think-and-do” tank founded in 1980. Its goals are to mobilize leading business and government leaders to address cross-border cybersecurity challenges; set new models for private-public-sector leadership in addressing high-priority security threats and vulnerabilities; and to make advances on the most pressing issues in global management of critical information infrastructure with breakthrough international collaboration.
I’m particularly energized about this year’s session, as I anticipate we will continue and expand upon the dialogue initiated at last year’s inaugural summit in Dallas. I’m proud to have participated in that event, along with other government, business, and civil society leaders from around the world who came together to collaborate on ways to assure the security of the world’s digital infrastructure.
In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when performing security testing on your IPv6 network. In this post, we will examine some of the things that you need to consider to secure the transition from IPv4 to IPv6. IPv6 is being deployed on more and more networks, but IPv4 is not going away any time soon. During this transition period, security is crucial since you will be running both IPv4 and IPv6, along with various tunneling protocols (even if you did not configure them explicitly) that enable communication between IPv4 and IPv6 networks (such as Teredo, ISATAP, and 6to4).
To begin with, the designers of IPv6 realized that the transition from IPv4 to IPv6 would not happen overnight. There was a hope that there would be a large push and the transition would go rather quickly, but as time moved on, that did not happen. The time for a quick transition has passed and we are in for a long and protracted transition. During this transition, nodes on your network will fit into one of the following buckets:
The Cisco 1Q11 Global Threat Report has been released. The report covers the period from 1 January 2011 through 31 March 2011 and features data from Cisco Security Intelligence Operations. This quarter’s contributors includes Cisco Intrusion Prevention System (IPS), IronPort, Remote Management Services (RMS), Security Research and Operations (SR&O), and ScanSafe.
Unique Web malware increased 46% from January to March 2011. 16% of encounters were via online searches and webmail. Likejacking, where users are tricked/forced into registering a click with the Facebook “Like” button, increased from 0.54% to 6% throughout the quarter.
The next wave of spam is now making its way into social networks. One example of this type of threat is the Koobface malware, distributed through social networks such as Facebook. Koobface tricked users into downloading the malware, which then spread via the network of trusted friends. (For more details please read Unsociable: Social Media Brings a New Wave of Threats)
Facebook recognized this malware was a major problem. The trick to solving it, though, was determining how to distinguish the behavior of a bot acting like a human from the behavior of a real human. The initial answer seemed clear: selectively use a “captcha.” A captcha is the squiggly letters or numbers with interspersed lines that websites use to verify the user is a real person, not a bot. It’s very difficult for a machine to read the captcha and enter the right characters. (IMHO it is difficult for a person to enter the right characters, too—so no wonder a bot can’t do it.)