Sanjib Mitra is a man who likes to be responsible and do the right thing. A year ago he discovered, quite by accident, that a little bit of URL tweaking could reveal personal data about people other than himself within a website database. He was completing a complicated application form himself when he was faced with a blank page and a browser back button that did nothing, so he tried changing numerical data at the end of the URL in an effort to salvage some of the information he had spent the previous hour entering. His reward was not time …
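
The bug described above is an insecure direct object reference: the numeric id at the end of the URL is trusted as the only thing that selects the record. As an added example (not code from the site in the story), the following shows the vulnerable lookup beside a hardened one that checks ownership on every read, plus a small probe that repeats the "change the number" experiment against both. The record store, session user and the `/applications/<id>` URL shape are assumptions made for illustration.

```python
"""Insecure direct object reference (IDOR) on a numeric URL id, and the fix.

Added example, not code from the site described in the story. The record
store, the session user and the URL shape /applications/<id> are assumed for
illustration; a real application would hook its framework's auth layer.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str      # username that submitted the form
    fields: dict    # the personal data entered on the form


# Constructed sample data: two users, each with one saved application.
APPLICATIONS = {
    1041: Application(1041, "alice", {"name": "Alice Example", "dob": "1980-01-01"}),
    1042: Application(1042, "bob", {"name": "Bob Example", "dob": "1975-06-30"}),
}


class NotFound(Exception):
    """Raised when the record does not exist, or must look as if it does not."""


def parse_app_id(url: str) -> int:
    """Pull the trailing numeric id out of .../applications/<id>."""
    tail = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    if not tail.isdigit():
        raise NotFound(url)
    return int(tail)


def fetch_application_vulnerable(url: str, session_user: str) -> Application:
    """The bug in the story: the id in the URL is the only selector.

    Any logged-in user who increments the number gets someone else's form;
    session_user is accepted but never consulted.
    """
    app_id = parse_app_id(url)
    try:
        return APPLICATIONS[app_id]
    except KeyError:
        raise NotFound(url) from None


def fetch_application(url: str, session_user: str) -> Application:
    """Hardened lookup: the record must belong to the authenticated user.

    A record owned by someone else is reported with the same NotFound as a
    missing one, so the endpoint cannot be used to enumerate valid ids.
    """
    app_id = parse_app_id(url)
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        raise NotFound(url)
    return record


def idor_probe(fetch, base_url: str, session_user: str, start: int, count: int) -> list:
    """Repeat the 'tweak the number at the end of the URL' experiment.

    Returns the ids of records handed to session_user that belong to someone
    else, i.e. exactly the leak the story describes.
    """
    leaked = []
    for app_id in range(start, start + count):
        try:
            record = fetch(f"{base_url}/applications/{app_id}", session_user)
        except NotFound:
            continue
        if record.owner != session_user:
            leaked.append(app_id)
    return leaked


if __name__ == "__main__":
    base = "https://example.test"
    print("vulnerable leaks:", idor_probe(fetch_application_vulnerable, base, "alice", 1040, 5))
    print("hardened leaks:  ", idor_probe(fetch_application, base, "alice", 1040, 5))
```

Making the ids non-sequential (random tokens) only raises the cost of guessing; the authorization check is what actually closes the hole, and it belongs on every read path, not just the one the author happened to notice.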

Werner Vogels, Amazon Web Services (AWS) CTO, speaking at the AWS Summit in London yesterday, made the rather amazing claim that security in the cloud is "much stronger" than anything you can have on-premises. As someone who has been writing about information security for more than 20 years, and covering the cloud security beat for five, I can understand why he may say that. However, it doesn't mean that he was right; not for every customer, not for every implementation. If you are talking about the smaller end of the SME spectrum then, for the most part in my …

According to new research from Venafi, apparently some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business if you prefer) have yet to properly secure their public facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke for goodness sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still vulnerable as full and proper threat remediation had not been applied. They were patched, yes, but did not bother with the equally important steps of replacing private keys and revoking the old certificates. Apparently, looking at …
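
The distinction the Venafi figures turn on is that patching OpenSSL is only the first of three steps: any private key that sat in a vulnerable process before the patch may have been read out of memory, so the key must be replaced and the old certificate revoked. As an added example (not Venafi's tooling or anything from the article), the following audit classifies a fleet of hosts by how far along that sequence they are. It encodes the affected version range as published in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed on 7 April 2014 in 1.0.1g and 1.0.2-beta2); the host records, SPKI fingerprints and field names are constructed sample data.

```python
"""Heartbleed remediation audit: patched is not the same as remediated.

Added example, not code from Venafi or from the article. Version facts are
from the OpenSSL advisory for CVE-2014-0160: 1.0.1 through 1.0.1f and
1.0.2-beta1 are affected; 1.0.1g / 1.0.2-beta2 are fixed; 0.9.8 and 1.0.0
never carried the bug. The host records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

HEARTBLEED_FIX_DATE = date(2014, 4, 7)   # public disclosure and 1.0.1g release

# Accepts "1.0.1f", "1.0.2-beta1", "1.0.1", "1.0.0m", "0.9.8y" ...
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def openssl_vulnerable(version: str) -> bool:
    """True if this OpenSSL release carries the Heartbleed bug."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f vulnerable; 1.0.1g and later fixed.
        return letter == "" or letter < "g"
    if base == (1, 0, 2):
        # Only 1.0.2-beta1 shipped with the bug.
        return beta == "1"
    return False


@dataclass(frozen=True)
class HostRecord:
    hostname: str
    openssl_version: str
    cert_not_before: date          # issuance date of the certificate now served
    current_spki: str              # fingerprint of the public key now served (assumed field)
    pre_patch_spki: Optional[str]  # fingerprint seen before the patch, if known
    old_cert_revoked: bool         # was the pre-patch certificate revoked at the CA?


def remediation_status(host: HostRecord) -> str:
    """Classify one host along the patch -> rekey -> revoke sequence.

    Returns 'unpatched', 'key-not-rotated', 'cert-not-revoked' or 'remediated'.
    A certificate issued before the fix date, or a post-patch certificate that
    still carries the pre-patch public key, both count as an unrotated key.
    """
    if openssl_vulnerable(host.openssl_version):
        return "unpatched"
    same_key = host.pre_patch_spki is not None and host.pre_patch_spki == host.current_spki
    if host.cert_not_before < HEARTBLEED_FIX_DATE or same_key:
        return "key-not-rotated"
    if not host.old_cert_revoked:
        return "cert-not-revoked"
    return "remediated"


# Constructed sample fleet, one host per state.
SAMPLE_HOSTS = [
    HostRecord("web1", "1.0.1e", date(2013, 8, 1), "spki-A", "spki-A", False),
    HostRecord("web2", "1.0.1g", date(2013, 8, 1), "spki-B", "spki-B", False),
    HostRecord("web3", "1.0.1h", date(2014, 5, 2), "spki-C", "spki-C", True),
    HostRecord("web4", "1.0.1h", date(2014, 5, 2), "spki-D2", "spki-D1", False),
    HostRecord("web5", "1.0.1u", date(2014, 4, 20), "spki-E2", "spki-E1", True),
]


def audit(hosts) -> dict:
    """Group hostnames by remediation status."""
    report = {}
    for host in hosts:
        report.setdefault(remediation_status(host), []).append(host.hostname)
    return report


if __name__ == "__main__":
    for status, names in sorted(audit(SAMPLE_HOSTS).items()):
        print(f"{status:17s} {', '.join(names)}")
```

The issuance-date test is a heuristic: an operator can reissue a certificate after the patch while reusing the compromised key pair, which is why the SPKI comparison is there when a pre-patch fingerprint is on record. Without the old fingerprint, "cert issued after the fix" is the best a scanner can say from the outside.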

Oh the irony. In what is starting to read very much like the script to a Hollywood movie itself, the latest twist to the Sony Pictures hacking plot took an unexpected turn yesterday. It would appear that at one stage yesterday access to the web across pretty much all of North Korea went down, with key sites such as the state-run Korean Central News Agency (KCNA) and the Rodong Sinmun newspaper being unreachable for most of the day. Not that most North Koreans would have noticed, of course, seeing as they are denied access to the Internet anyway. The …

One of the biggest security stories so far this year is that of the high school that remotely triggered webcams in laptops given to students -- which the school said it only did to help track stolen laptops, and which some students and families said was a violation of their privacy, with the student in question [URL="http://www.toledofreepress.com/2010/02/25/advanced-parenting/"]filing [/URL]a class-action lawsuit. The school, Harriton in the Lower Merion School District, in a suburb of Philadelphia, said it had activated the cameras -- which parents reportedly didn't know about -- on 42 of the laptops. An extremely detailed [URL="http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html"]post [/URL]in a security …

Yesterday, Tor [issued a security advisory](https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack) which revealed that a group of relays had been discovered on July 4th which looked like they "were trying to deanonymize users." The advisory states that the attack "involved modifying Tor protocol headers to do traffic confirmation attacks" with the relays having joined the network at the start of the year. This means they were potentially deanonymizing users between January 30th and July 4th when they were finally removed. A Tor spokesperson says that they know the attack "looked for users who fetched hidden service descriptors, but the attackers likely were not able to …

According to newly published research from cloud-based social Wi-Fi software outfit [Purple WiFi](http://www.purplewifi.net/), of 2,540 consumers questioned vastly more were concerned about getting access to pornography than were worried about matters of data security. The 'Using Wi-Fi in Public Places' study revealed that 28 percent of those asked (711 people) don't use public Wi-Fi, and of that number 27 percent (192 people) didn't do so due to fears about security. Compare and contrast to the 56 percent (1422 people) who were so concerned about being able to access pornography via free Wi-Fi that they thought content filtering should be a …

The Onion Router, better known as the Tor Network, is often thought of as being the dark-side of the web. Not least as the anonymity provided by Tor meant that sites hosted on so-called hidden service servers were free to trade in just about anything from drugs and guns through to child pornography. In amongst the depravity and illegal excess, of course, were political activists and dissidents looking for an online safe haven in order to escape persecution, prosecution and potentially death. Revelations that the FBI would appear to have been behind the takedown of Freedom Hosting, apparently responsible for …

Back in the eighties, the Defense Advanced Research Projects Agency ([DARPA](http://www.darpa.mil/)) spent more than a billion dollars in an attempt to create what was, in effect, Skynet. You know, the self-aware artificial intelligence system that goes bad in The Terminator movie. DARPA called it the Strategic Computing Initiative, but it was Skynet alright. You only have to read this little bit of political persuasion in favour of the idea back then to get that: "...there will be unique new opportunities for military applications of computing. Instead of fielding simple guided missiles or remotely piloted vehicles, we might launch completely autonomous …

The Distributed Denial of Service (DDoS) attack is becoming the crowbar of the online criminal. In the past we have got rather used to DDoS attacks being one of the favoured approaches of hacktivists, with perhaps the Low Orbit Ion Cannon (LOIC) and later the High Orbit Ion Cannon (HOIC) as used by Anonymous to take down sites being the best known examples. However, recent evidence suggests that taking down a site is increasingly no longer the be all and end all of a DDoS attack, instead it's just a means to a much more profitable end. A couple of …

At first I thought it was just me. I restarted my DNS server after noticing intermittent connection issues. But nope! It looks like Facebook, Twitter and a handful of other sites are currently down in parts of the United States. At least here with Time Warner in NYC, and according to [DownWhere.com](http://www.downwhere.com/facebook) and [DownForEveryoneOrJustMe](http://www.downforeveryoneorjustme.com/facebook.com). How on earth are we expected to tweet our frustrations with Twitter being down?! It's been quite an extended period of time so far, too. It has been at least half an hour since I first came onto the computer and noticed, so we're not talking about a …

Did the FBI get the wrong man, or at least the wrong Dread Pirate Roberts (DPR), when it shut down the Silk Road darknet marketplace? Claims are being made that this is precisely what happened, and that Ross Ulbricht who was arrested took over as acting DPR from the real Silk Road founder before the FBI made its move. In a statement, reposted to Pastebin today under the title of '[Possible truths behind DPR and Silk Road](http://pastebin.com/5VkmGi0u)', someone calling themselves Elthemor Sagewood and claiming to be a well known Silk Road vendor says "In a court hearing today, Ulbricht's lawyer …

Research published today by data governance software developer Varonis reveals that, when it comes to the virtualized environment, security awareness appears to be something of a black hole. The [study](http://eu.vocuspr.com/Publish/517692/vcsPRAsset_517692_109957_85137914-8b53-4005-b292-0c87aa89763a_0.png) found that data security in these virtualized environments can all too often be totally neglected, and some 48% of IT organisations reported or suspected there had been unauthorised access to files kept on virtual servers. The findings suggest that when it comes to awareness of security matters regarding virtualized servers and the data stored upon them, the harsh truth of the matter is that there is very little. Indeed, the …

The University of Birmingham in the United Kingdom has been [researching](www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf) how users of the hugely popular file-sharing BitTorrent peer-to-peer protocol are being monitored by those acting for copyright holders. What the researchers found surprised them, and may surprise those using BitTorrent to download pirated content: the average time it takes to log the IP address of an illegal file sharer is now less than three hours from the pirated content being made available. The researchers reckon that those downloading a single pirated movie, if it is in the top 100 downloads, will be monitored and their IP address logged. …

While they have, in past years, enjoyed glorious recognition such as the iconic ["Worst Company in America"](http://voices.washingtonpost.com/fasterforward/2010/04/comcast_wins_consumerist_worst.html) award, Comcast isn't letting its data caps go away anytime soon, and while they have raised some of their caps in some markets, it's apparent the motive of the entire movement is far from bandwidth-related. Last month, Comcast stopped kicking around the idea of [data caps](http://arstechnica.com/business/2012/09/comcast-data-caps-hit-test-cities-range-from-300gb-to-600gb/) and instead pushed it into high gear, launching the capped services in various test markets, with limits ranging from 300GB to 600GB. The caps, designed to help quell bandwidth usage by their customers, seem to be suicidal from …

The line ‘free crypto browser extension for Firefox’ contains six of my favorite words within its seven-word construction, which is not bad going. In case you were wondering, for is the word that doesn’t float my boat, although others such as complexity, ‘key management’ and PGP which usually rub me up the wrong way when talking about client side encryption are noticeably absent. That is because [URL="http://www.freenigma.com"]Freenigma [/URL]has no place for them in its lexicon. Simply put, it is a free extension offering encryption for your webmail account when accessed via the Firefox browser and which works with Gmail, Hotmail …

This is, I would suggest, perhaps the biggest privacy issue of the day. I have lost count of the number of press releases, leads, emails and telephone calls that have come my way this year regarding how search engines treat the data you enter when performing a search. Be it the act of serving up contextual advertising, through to archiving of search strings (and requests for access to those archives from law enforcement agencies) and even ‘accidental’ publishing of research databases such as the recent AOL debacle. Although there is some merit in the argument that if you are not …

Wednesday 6th June 2012 is [URL="http://www.worldipv6day.org/"]World IPv6 Launch Day[/URL] (no, seriously, it is) and, we have been continually reminded in a Chicken Little fashion, the IPv4 address space sky is falling. The fact that the media obsession with Internet addresses running out has been on-going for at least a decade now, fuelled no doubt by slow news days and headline space to fill, has led to something of a blasé attitude towards making the move over to IPv6. Indeed, you might be forgiven for thinking that the whole IPv6 thing had fallen by the wayside and become another Betamax technology. …

I am pleased to report that DaniWeb, based about half an hour outside Manhattan in Uniondale, Long Island, New York has survived Hurricane Sandy. There were no downtimes or outages, and all staff are OK. Not everyone in the tech space has been so lucky it would seem. ![sandymap](/attachments/small/0/sandymap.jpg "align-right") Four big online names have suffered outages after Datagram, a web hosting and data center outfit based in Manhattan, lost power. Buzzfeed, Gawker, Gizmodo and The Huffington Post were amongst the sites impacted by the power loss after Datagram experienced flooding to the basement of its building last night. Intermap, …

For the last two years a transition has been apparent between the various mobile phone carriers in the United States. On one end, AT&T and Verizon have seen extreme growth, together covering nearly two thirds of the current market share. On the other, Sprint and T-Mobile have been begging for growth, and are a far cry from the immense growth the two larger carriers have seen. As a result, stagnation has become apparent in both T-Mobile and Sprint, but has been much more visible for the latter as the company, unlike T-Mobile, is publicly owned and traded. However, that's about …

Around midday on October 22, a number of [top websites all went down](http://techcrunch.com/2012/10/22/aws-ec2-issues-in-north-virginia-affect-heroku-reddit-and-others-heroku-still-down/), among them Reddit, Minecraft, Pinterest and Foursquare. The error pages served by these sites and many more came as a shock, especially considering just how essential these websites are to most users of the web as a source of social media and activity alike. ![reddit](/attachments/small/3/reddit.PNG "align-left") The cause? The downtime was caused by an outage in Northern Virginia at [Amazon Web Services](http://aws.amazon.com/), one of the world's largest cloud server systems, and host to millions of websites, including some of the internet's largest websites and services. Amazon Web …

The 'Murder Ball' competition is now underway at the London 2012 Summer Paralympics, also known as wheelchair rugby to some. However, you won't find Olympic athletes taking part in the warbiking event that has also been happening in London recently: warbiking is very much a sport for nerds. ![warbike](/attachments/small/0/warbike.jpg "align-right") The brainchild of security vendor Sophos, [Project Warbike](http://www.sophos.com/en-us/security-news-trends/security-trends/bottom-line/project-warbike.aspx) itself consisted of one man on a specially adapted bicycle complete with dynamos and solar panels powering a computer that was scanning for wireless networks. Taking place across a couple of days, Sophos Director of Technology Strategy James Lyne cycled around …

You can tell a lot about a company by the way they treat the employees lowest on its pay scale. Pay cuts and, yes, even layoffs are inevitable in today's economic climate. The decisions are painful, but they're often necessary and unavoidable. They aren't, however, a license to be callous and cold toward the very people who have kept your business running. Computer vendor HP recently announced significant across the board pay cuts for everyone starting at the top down -- and I do mean everyone. All 100,000 employees on the payroll at HP will suffer some sort of reduction …

Today is [World IPv6 Launch Day](http://www.worldipv6launch.org). Today is the day that the global Internet gets redefined. Today is the day that people everywhere are saying "so what?", I imagine. However, not everyone is having a 'meh!' moment at the thought of IPv6 being officially launched. Take Jay Parikh, Vice President of Infrastructure at Facebook, who insists that "supporting IPv6 has become crucial to the future scalability of the Internet" and goes on to say that it's "awesome to see so many people and companies working together across the world to make progress on this transition". But is IPv6, as the …

The ZDNet Great Debate Series explored the proposition [IT Department: Cost Center or Profit Center?](http://www.zdnet.com/debate/your-it-department-cost-center-or-profit-center/6361393?tag=content;siu-container), discussing the IT industry and how it can adapt and prove to be a contributor to a company's profit as opposed to just the cost of doing business. The debaters, Justin James of TechRepublic and Dana Gardner of ZDNet, gave some great insights into the problems facing IT departments. James, taking the cost side, explained that while it could be possible, many in the IT industry are not adopting a profit perspective, which could find them struggling in this era of outsourcing. The problem, …

The Serious Organised Crime Agency (SOCA) website remains offline after being hit by a Distributed Denial of Service (DDoS) attack for the second time in the space of a year. Last June it was the hacktivist group LulzSec which claimed responsibility; this time nobody has yet come forward to admit they did it and explain why. However, it seems likely that hacking collective Anonymous could be behind the strike in protest over the [decision of the UK's High Court](http://www.bbc.co.uk/news/technology-17894176) to order all Internet Service Providers to block access to The Pirate Bay. ![dweb-scoa](/attachments/small/0/dweb-scoa.jpg "align-left") The SOCA website has been unavailable …

Although Mozilla's Firefox and Google's Chrome browsers get a lot of attention in the media, Apple's Safari browser is not too shabby in comparison. The one thing it unfortunately lacks is robust security. Given that so much computer activity revolves around the browser these days, security is the last place you'd want to see sub-standard features. InfoWorld's Roger Grimes took an [URL="http://www.infoworld.com/article/09/01/30/04TC-safari-security_1.html"]in-depth look at Safari[/URL] and says that even though it has strong pop-up blocking and anti-phishing tools, it's rife with numerous security flaws. "[S]ecurity is not Safari's strong point. Unfortunately, 26 separate vulnerabilities have been announced since March 2008, …

The head of an Internet Service Provider (ISP) has finally been given permission to reveal that he was the recipient of a National Security Letter (NSL) from the Federal Bureau of Investigation (FBI) six years ago, demanding information about his clients. Nicholas Merrill, president of the New York ISP Calyx, still can't say on what specific date in February 2004 he received the letter, nor who its target was from among his more than 200 clients, but he is now able to talk about the lawsuit that the American Civil Liberties Union (ACLU) filed on his behalf. He told [URL="http://www.democracynow.org/seo/2010/8/11/gagged_for_6_years_nick_merrill"]Democracy Now[/URL]! – incidentally, …

Having a professional interest in security, and a personal distrust of politicians and their promises of providing the same, I was not at all surprised by the findings of a [URL="http://www.bbc.co.uk/pressoffice/pressreleases/stories/2007/03_march/23/keylogger.shtml"]BBC TV investigation[/URL] that has just been broadcast in the UK. Inside Out, a news reporting and investigative documentary series that most often homes in on fairly lightweight consumer stories, decided to send their reporter to the heart of the [URL="http://www.parliament.uk/"]UK Parliament[/URL], the [URL="http://www.parliament.uk/commons/index.cfm"]House of Commons[/URL], and test the security provided by one of the most heavily guarded buildings in the British Isles. I’ve attended working group committee meetings there …

An unnamed Asian company operating within what has been described as a 'high risk e-commerce industry' has been targeted by a botnet which launched a DDoS attack of unprecedented magnitude. According to Distributed Denial of Service mitigation experts Prolexic, which claims to have successfully combated the attack, the volume of this particular attack was nothing short of extraordinary. How so? Well, consider that most high-end border routers employed by your average ISP are typically capable of forwarding around 70,000 packets per second. Now consider that the volume of this DDoS attack, using TCP SYN floods and ICMP floods, reached 25 …

The End.