[Newsclips] IETF SYN-ACK Newspack 2023-04-17

[David Goldstein <david@goldsteinreport.com>]

The IETF SYN-ACK Newspack collects IETF-related items from a variety of news outlets and other online publications. They do not represent the views of the IETF and are not checked for factual accuracy.

 

**********************

IETF IN THE NEWS

**********************

Notes from IETF 116

The IETF had its 116th meeting in Yokohama, Japan in the last week of March 2023. Here are some notes I made from some of the Working Group sessions I attended that I found to be of interest.

< <https://www.potaroo.net/ispcol/2023-04/ietf116.html> https://www.potaroo.net/ispcol/2023-04/ietf116.html>

< <https://blog.apnic.net/2023/04/12/notes-from-ietf-116/> https://blog.apnic.net/2023/04/12/notes-from-ietf-116/>

 

How organizations can prepare for post-quantum cryptography

Preparation for post-quantum cryptography increasingly appears in the news and industry materials. The reason for this is twofold. First, there have been advances in capabilities for post-quantum computing. Second, the National Institute of Standards and Technology (NIST) will complete the final rounds for the selection of these new cryptographic algorithms in 2024. ... The Internet Engineering Task Force (IETF) and other standards-developing organizations (SDO) such as OASIS will take several steps to make this possible, as the algorithm parameters and key lengths differ from pre-quantum cryptography. As you can see from the IETF link provided above, some of this work has already commenced. There is some preparation work that is possible by standards bodies and that is underway.

< <https://blog.apnic.net/2023/04/10/how-organizations-can-prepare-for-post-quantum-cryptography/> https://blog.apnic.net/2023/04/10/how-organizations-can-prepare-for-post-quantum-cryptography/>

 

Call for volunteers or nominations for the IETF Delegate to the ICANN 2024 Nominating Committee

The IAB (on behalf of the IETF) has been asked to supply a member to the 2024 ICANN Nominating Committee (NomCom). Vittorio Bertola has filled this role for the IETF community for the past two years and cannot seek another term due to term limits; the IAB thanks him for his service.

< <https://www.iab.org/2023/04/12/call-for-volunteers-or-nominations-for-the-ietf-delegate-to-the-icann-2024-nominating-committee/> https://www.iab.org/2023/04/12/call-for-volunteers-or-nominations-for-the-ietf-delegate-to-the-icann-2024-nominating-committee/>

 

KNX IoT: Part 3 – the fundamentals of KNX IoT devices

... For example, there are resources (datapoints) for configuring the device. Existing concepts as Load State Machine (LSM), programming mode (PM), individual address (IA) and Group Object Table are modelled with the above-described mechanisms. As a result, the following IETF (Internet Engineering Task Force) specifications are referenced in the KNX IoT Point API specification:

< <https://www.knxtoday.com/2023/04/46408/knx-iot-part-3-the-fundamentals-of-knx-iot-devices.html> https://www.knxtoday.com/2023/04/46408/knx-iot-part-3-the-fundamentals-of-knx-iot-devices.html>

 

Cybersecurity Threats to Automotive Networks and Cybersecurity Countermeasures for the Ethernet

... The IP security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols between two communication points across the IP network that provides data authentication, integrity, and confidentiality. It also defines the encrypted, decrypted, and authenticated packets. The protocols needed for secure key exchange and key management are defined in it.

< <https://www.bisinfotech.com/automotive-networks-and-cybersecurity-countermeasures-for-the-ethernet/> https://www.bisinfotech.com/automotive-networks-and-cybersecurity-countermeasures-for-the-ethernet/>

 

PodChats for FutureIoT: Accelerating IoT in Asia

... In addition to the broad list of possible applications of the technology, there are at least three competing protocols: MQTT, CoAP, and HTTP; and at least three standards: IEEE, IETF, and ISO. The lack of unified standards and protocols continues to limit IoT from seeing wider adoption.

< <https://futureiot.tech/podchats-for-futureiot-accelerating-iot-in-asia/> https://futureiot.tech/podchats-for-futureiot-accelerating-iot-in-asia/>

 

Communications networks become automatic for the people

... The next step up is model-driven automation, which moves away from suppliers’ proprietary management systems to properly configure the network. This type of networking is open and based on standardised data models and configuration protocols. Used by Virgin Media O2 in its backbone network upgrade, the IETF’s Network Configuration Protocol (NETCONF) and the Yet Another Next Generation (YANG) data modelling language provide this standardised structure, interoperability and control so that operators can access and program everything. But this makes configuring the network even harder.

< <https://www.fibre-systems.com/feature/communications-networks-become-automatic-people> https://www.fibre-systems.com/feature/communications-networks-become-automatic-people>

 

Cara Mengubah Audio Menjadi Mp4 [How to convert audio to mp4]

... Ada beberapa cara lain untuk convert format file video yang bisa anda gunakan di Android dan PC, semoga bermanfaat. Menurut Wikipedia, Opus adalah format codec audio berkualitas rendah yang dikembangkan oleh Internet Engineering Team (IETF) yang paling sesuai untuk aplikasi dunia nyata. Interaktif Waktu di Internet Semua paten dalam perangkat lunak ini disediakan oleh Opus, yang dilisensikan secara gratis.

< <https://www.lingkarberita.com/30392/cara-mengubah-audio-menjadi-mp4.html> https://www.lingkarberita.com/30392/cara-mengubah-audio-menjadi-mp4.html>

 

Cara Merubah Audio Menjadi Video [How to Convert Audio to Video]

... Cara Membuat dan Menghapus System Restore Point di Windows 7 – System Restore Point adalah fitur gratis di sistem operasi Windows[…]Menurut Wikipedia ops adalah format encoding audio berkualitas yang dikembangkan oleh Internet Engineering Task Force (IETF) yang digunakan di jaringan Internet. Sangat cocok untuk aplikasi interaktif real-time di, semua paten perangkat lunak ini yang disertakan oleh Opus adalah lisensi bebas royalti.

< <https://www.lingkarberita.com/30418/cara-merubah-audio-menjadi-video.html> https://www.lingkarberita.com/30418/cara-merubah-audio-menjadi-video.html>

 

**********************

SECURITY & PRIVACY

**********************

Preparing for security in a post-quantum world [registration]

Advanced quantum computers may be 10 years away but organisational changes in security can take years to implement

< <https://www.teiss.co.uk/cyber-risk-management/preparing-for-security-in-a-post-quantum-world> https://www.teiss.co.uk/cyber-risk-management/preparing-for-security-in-a-post-quantum-world>

 

Why is Source Address Validation Still a Problem?

Despite being a known vulnerability for at least 25 years, source IP address spoofing remains a popular attack method for redirection, amplification, and anonymity.

< <https://www.manrs.org/2023/04/why-is-source-address-validation-still-a-problem/> https://www.manrs.org/2023/04/why-is-source-address-validation-still-a-problem/>

 

us: CISA releases updated guidance for zero trust security architectures

The Cybersecurity and Infrastructure Security Agency is encouraging increased automation and enhanced security for access controls in its latest roadmap for agencies and organizations working to achieve zero trust.

< <https://fcw.com/security/2023/04/cisa-releases-updated-guidance-zero-trust-security-architectures/385053/> https://fcw.com/security/2023/04/cisa-releases-updated-guidance-zero-trust-security-architectures/385053/>

 

us: CISA Asks Manufacturers to Prioritize Cybersecurity in Product Design

Several cybersecurity organizations worldwide have jointly published a new series of guidelines to aid manufacturers in prioritizing cybersecurity practices while designing products.

< <https://www.infosecurity-magazine.com/news/cisa-manufacturers-prioritize/> https://www.infosecurity-magazine.com/news/cisa-manufacturers-prioritize/>

 

RSA 2023 highlights a cybersecurity identity crisis in the age of AI

The RSA Conference takes place in the last week of April this year at a time when the industry is at a crossroads. Where once it looked as if the security industry would be shielded from macroeconomic conditions, the past year has been painful for many investors, with some exceptions – most notably those investors who stuck with Palo Alto Networks Inc. and Fortinet Inc. That said, Q1 saw a rebound in tech but for the most part cyber-lagged. The tech rally was largely attributable to an uptick in semis, a leading indicator in normal times. But these aren’t normal times and RSA gives us a nice opportunity to assess the situation in the market.

< <https://siliconangle.com/2023/04/15/rsa-2023-highlights-cybersecurity-identity-crisis-age-ai/> https://siliconangle.com/2023/04/15/rsa-2023-highlights-cybersecurity-identity-crisis-age-ai/>

 

Cybersecurity in Space: Exploring Extra-Terrestrial Vulnerabilities

Humanity’s fascination with the extra-terrestrial does not appear to be abating. Between 2005 and 2017, the global space industry grew at an average rate of 6.7% per year and is projected to increase from its current value of $350bn to $1.3trn per annum by 2030. This rise is driven by new technologies, business models and government investment in the industry, increasing the number of stakeholders and the application domains they serve cost-effectively.

< <https://www.infosecurity-magazine.com/opinions/cybersecurity-space-extra/> https://www.infosecurity-magazine.com/opinions/cybersecurity-space-extra/>

 

Risk vs Benefit: The Impact of Shorter 90-Day SSL Certificate Life Cycles

In today’s digital age, securing your website and ensuring your users’ safety has never been more critical. Secure sockets layer (SSL) certificates are the go-to solution for securing websites by encrypting the data transmitted between web servers and browsers.

< <https://www.cscdbs.com/blog/risk-vs-benefit-the-impact-of-shorter-90-day-ssl-certificate-life-cycles/> https://www.cscdbs.com/blog/risk-vs-benefit-the-impact-of-shorter-90-day-ssl-certificate-life-cycles/>

 

The Tipping Point: Exploring the Surge in IoT Cyberattacks Globally

The Internet of Things (IoT) has become an integral part of our daily lives. However, with the growing use of IoT devices, there has been an increase in cyberattacks against these devices in recent years, using various exploitable vulnerabilities. One contributing factor to this increase is the rapid digital transformation that occurred in various sectors, such as education and healthcare, during the pandemic. This transformation, driven by the need for business continuity, often took place without proper consideration of security measures, leaving vulnerabilities in place.

< <https://blog.checkpoint.com/security/the-tipping-point-exploring-the-surge-in-iot-cyberattacks-plaguing-the-education-sector/> https://blog.checkpoint.com/security/the-tipping-point-exploring-the-surge-in-iot-cyberattacks-plaguing-the-education-sector/>

 

Addressing the Security Risks of AI

In recent weeks, there have been urgent warnings about the risks of rapid developments in artificial intelligence (AI). The current obsession is with large language models (LLMs) such as GPT-4, the generative AI system that Microsoft has incorporated into its Bing search engine. However, despite all the concerns about LLMs hallucinating and trying to break up marriages (the former quite real, the latter more on the amusing side), little has been written lately about the vulnerability of many AI-based systems to adversarial attack. A new Stanford and Georgetown report offers stark reminders that the security risks for AI-based systems are real. Moreover, the report—which I signed, along with 16 others from policy research, law, industry, and government—recommends immediately achievable actions that developers and policymakers can take to address the issue.

< <https://www.lawfareblog.com/addressing-security-risks-ai> https://www.lawfareblog.com/addressing-security-risks-ai>

 

Enforcement of Cybersecurity Regulations: Part 3

In enforcing any regulatory system, whether it involves food safety, financial stability of banks, or cybersecurity of critical infrastructure, there are three different questions regulators need to answer: Does the regulated entity have a good risk mitigation plan meeting the regulatory requirements? Does the entity actually implement the plan consistently enterprise-wide? And, (the hardest of all to measure) is the plan as implemented effective in achieving the public policy goals that the regulatory system is intended to advance? For cybersecurity, the progression from the first question to the third is the difference between compliance and security. Over the past year, I’ve benefited greatly from discussions with cybersecurity professionals. Everyone on the ground I’ve talked to has stressed the difference between compliance and security. And the corollary to that is that while there are many paths to claiming compliance, it is very hard to get to ground truth on security.

< <https://www.lawfareblog.com/enforcement-cybersecurity-regulations-part-3> https://www.lawfareblog.com/enforcement-cybersecurity-regulations-part-3>

 

Tackling Software Supply Chain Security: A Toolbox for Policymakers

For software development platform provider CircleCI, this year began with a scramble to respond to a software supply chain compromise. CircleCI’s tens of thousands of customers use the continuous integration and delivery (CI/CD) platform for automating the building, testing, and deployment of software. A malicious actor had gained remote access to an employee’s laptop and was consequently able to access customer data, including private keys used for software signing and credentials stored in the platform.

< <https://www.lawfareblog.com/tackling-software-supply-chain-security-toolbox-policymakers> https://www.lawfareblog.com/tackling-software-supply-chain-security-toolbox-policymakers>

 

Standing up for democratic values and protecting stability of cyberspace: Principles to limit the threats posed by cyber mercenaries

The explosive growth of private “cyber mercenary” companies poses a threat to democracy and human rights around the world. Cyber mercenaries – private companies dedicated to developing, selling, and supporting offensive cyber capabilities that enable their clients to spy on the networks, computers, phones, or internet-connected devices of their targets – are a real cause for concern. These tools have been used to target elections, journalists, and human rights defenders and are increasingly accessible on the open market, enabling malicious actors to undermine our key democratic institutions.

< <https://blogs.microsoft.com/on-the-issues/2023/04/11/cyber-mercenaries-cybersecurity-tech-accord/> https://blogs.microsoft.com/on-the-issues/2023/04/11/cyber-mercenaries-cybersecurity-tech-accord/>

 

Why is ‘Juice Jacking’ Suddenly Back in the News?

KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.

< <https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/> https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/>

 

Actually, Charging Your Phone in a Public USB Port Is Fine

Over the past week, hundreds of articles have been written warning the public not to charge cellphones at airport or hotel USB ports. Most of the news items cite a recent tweet from the FBI, which includes the menacing detail that “bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices.”

< <https://slate.com/technology/2023/04/free-public-phone-chargers-fbi-warning-bad-actors-threat-bogus-debunked.html> https://slate.com/technology/2023/04/free-public-phone-chargers-fbi-warning-bad-actors-threat-bogus-debunked.html>

 

NSA, U.S. and International Partners Issue Guidance on Securing Technology by Design and Default

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are partnering with international partners’ cybersecurity agencies to encourage technology manufacturers to create products that are secure-by-design and secure-by-default.

< <https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3361073/nsa-us-and-international-partners-issue-guidance-on-securing-technology-by-desi/> https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3361073/nsa-us-and-international-partners-issue-guidance-on-securing-technology-by-desi/>

 

Europe, Cyber and the Cloud: A View from the International Cybersecurity Forum

As a keynote speaker and multiday attendee at Europe’s largest cybersecurity conference, here are some of my top takeaways from a thought-provoking, global event with a distinctly European flare.

< <https://www.govtech.com/blogs/lohrmann-on-cybersecurity/europe-cyber-and-the-cloud-a-view-from-the-international-cybersecurity-forum> https://www.govtech.com/blogs/lohrmann-on-cybersecurity/europe-cyber-and-the-cloud-a-view-from-the-international-cybersecurity-forum>

 

What is the true potential impact of artificial intelligence on cybersecurity?

Will artificial intelligence become clever enough to upend computer security? AI is already surprising the world of art by producing masterpieces in any style on demand. It’s capable of writing poetry while digging up arcane facts in a vast repository. If AIs can act like a bard while delivering the comprehensive power of the best search engines, why can’t they shatter security protocols, too?

< <https://www.csoonline.com/article/3692868/what-is-artificial-intelligence-s-true-potential-impact-on-cybersecurity.html> https://www.csoonline.com/article/3692868/what-is-artificial-intelligence-s-true-potential-impact-on-cybersecurity.html>

 

Why reporting an incident only makes the cybersecurity community stronger

Reporting an incident to the correct authorities or vulnerability clearinghouses can be an experience fraught with frustration.

< <https://www.csoonline.com/article/3692815/why-reporting-an-incident-only-makes-the-cybersecurity-community-stronger.html> https://www.csoonline.com/article/3692815/why-reporting-an-incident-only-makes-the-cybersecurity-community-stronger.html>

 

DNSAI Releases 2022 Annual Report

The DNS Abuse Institute is pleased to publish its second Annual Report, covering activities in 2022. 2022 was a big year for the DNSAI. This annual report covers the launch of two successful key initiatives, NetBeacon and DNSAI: Compass. The DNSAI also published four best practices and engaged with stakeholders from around the globe.

< <https://dnsabuseinstitute.org/dnsai-releases-2022-annual-report/> https://dnsabuseinstitute.org/dnsai-releases-2022-annual-report/>

 

de: eco IT Security Survey 2023: Many companies still underestimate the threat situation

The current cybersecurity situation in Germany remains tense, according to the prevailing opinion of IT experts. 93 per cent rate the general threat situation as high or very high, while only about 7 per cent of those participating in the current IT Security Survey by eco – Association of the Internet Industry assume that the threat situation will remain unchanged.

< <https://international.eco.de/presse/eco-it-security-survey-2023-many-companies-still-underestimate-the-threat-situation/> https://international.eco.de/presse/eco-it-security-survey-2023-many-companies-still-underestimate-the-threat-situation/>

 

All Dutch govt networks to use RPKI to prevent BGP hijacking

The Dutch government will upgrade the security of its internet routing by adopting before the end of 2024 the Resource Public Key Infrastructure (RPKI) standard.

< <https://www.bleepingcomputer.com/news/security/all-dutch-govt-networks-to-use-rpki-to-prevent-bgp-hijacking/> https://www.bleepingcomputer.com/news/security/all-dutch-govt-networks-to-use-rpki-to-prevent-bgp-hijacking/>

 

Governing The Internet After The Ukraine War

The Russian invasion of Ukraine, for the most part, seems an old-fashioned war of invasion and terror that demands boots on the ground. In reality, it has blended traditional and innovative elements, and while the cyber dimension has been less visible, it has been fully-fledged from the very start. A study by Microsoft indicates that, as a prelude to the war, on Feb 23, 2022, one day before the official invasion, Russia launched a cyberweapon called ‘Foxblade’ “against computers in Ukraine. Reflecting the technology of our time, those among the first to observe the attack were half a world away, working in the United States in Redmond, Washington.” As for the Ukrainian defense, it has been quick “to disburse its digital infrastructure into the public cloud, where it has been hosted in data centers across Europe.”

< <https://technopolitics.org/governing-the-internet-after-the-ukraine-war/> https://technopolitics.org/governing-the-internet-after-the-ukraine-war/>

 

**********************

NEW TRANSPORT PROTOCOLS

**********************

The 5G tipping point

Ahead of what will likely be a big year for the standard, Barry Mansfield reports on how wide-scale deployment of 5G communication networks is delivering value across the industrial sector. ... A great promise of 5G is the ultra-low latency enabled by mmWave (a theoretical 1ms and under, compared to 20-30ms with 4G), which can provide businesses with near-time data from sensor-equipped devices to boost productivity and reduce costs. With that in mind, a welcome breakthrough came with Qualcomm’s completion of 3GPP Release (Rel) 17 last March, which addressed earlier range and stability issues, thereby supporting new deployment scenarios.

< <http://www.landmobile.co.uk/indepth/the-5g-tipping-point/> http://www.landmobile.co.uk/indepth/the-5g-tipping-point/>

 

Inmarsat and MediaTek expedite the 5G phone’s route to satellite

Comms specialist Inmarsat and chip maker MediaTek have upped the ante in their joint mission to connect the world’s phones, IoTs and all things 5G to satellite services so they can network over the air, land and sea. In this latest initiative the comms collaborators have signed a Memorandum of Understanding (MoU) over joint inventions and the commercial use of satellite-enabled devices. This follows on from three years of joint ventures where they have conducted a succession of fruitful live, in-orbit trials of two-way communications. These have proved how effective their combined technologies and space assets are in real-life applications, they claimed. According to MediaTek the pair have expedited the convergence of cellular and satellite networks for the 5G era, along the guidelines of 3GPP standards, inventing new options by fine tuning the data connections needed for vertical markets such as the internet of Things (IoT).

< <https://www.mobileeurope.co.uk/inmarsat-and-mediatek-expedite-the-5g-phones-route-to-satellite/> https://www.mobileeurope.co.uk/inmarsat-and-mediatek-expedite-the-5g-phones-route-to-satellite/>

 

MediaTek Conduct World’s First Public Test of 5G Satellite IoT Data Connection with Inmarsat [news release]

MediaTek is pushing the boundaries of advanced IoT 5G satellite communications with a successful field trial that transfers data through Inmarsat’s Alphasat L-band satellite, in Geostationary Orbit (GEO) 35,000 kilometers above the equator. The results of MediaTek and Inmarsat’s IoT field test will be contributed to the 3rd Generation Partnership Project (3GPP)’s Rel-17 standardization work on Non-Terrestrial Network (NTN), which is part of its overarching initiative to establish 5G standards toward new use cases and services.

< <https://corp.mediatek.com/news-events/press-releases/mediatek-conduct-worlds-first-public-test-of-5g-satellite-iot-data-connection-with-inmarsat> https://corp.mediatek.com/news-events/press-releases/mediatek-conduct-worlds-first-public-test-of-5g-satellite-iot-data-connection-with-inmarsat>

 

GlobalData and Huawei release a 5G voice transition white paper — Voice services are still critical to telcos [news release]

... As 5G ramps up, operators need to leverage more innovative high-value services to open revenue streams on top of traditional voice services, the white paper says. It further notes that the latest 3GPP standards have defined a new way to do this: the IMS data channel. This innovation allows users to transmit data in parallel with voice, thereby enabling interactive communication and new services such as 5G New Calling, which can bring amazing experiences like visualized voice calling, real-time translation, and fun calling. Operators can use the IMS data channel to create more services, further improve the user experience, and rejuvenate voice services in 5G.

< <https://www.huawei.com/en/news/2023/4/5g-voice-transition-whitepaper> https://www.huawei.com/en/news/2023/4/5g-voice-transition-whitepaper>

 

**********************

OTHERWISE NOTEWORTHY

**********************

Transformative Innovation Takes Center Stage at 2023 IEEE Vision, Innovation, and Challenges Summit [news release[

IEEE, the world’s largest technical professional organization dedicated to advancing technology for humanity, will pay tribute to innovation and creativity in engineering, science, and technology at its 2023 IEEE Vision, Innovation, and Challenges Summit (IEEE VIC Summit) & Honors Ceremony on 5 May 2023, at the Hilton Atlanta in downtown Atlanta, GA, USA. The daylong conference is marked by compelling discussions of the transformative advances propelling humanity forward, culminating with an awards ceremony where IEEE Life Fellow Vinton G. Cerf will be presented with IEEE’s highest award and century-old distinction: the IEEE Medal of Honor.

< <https://www.ieee.org/about/news/2023/ieee-vic-summit.html> https://www.ieee.org/about/news/2023/ieee-vic-summit.html>

------

David Goldstein

email:  <mailto:david@goldsteinreport.com> david@goldsteinreport.com

web:  <http://goldsteinreport.com/> http://goldsteinreport.com/

Twitter:  <https://twitter.com/goldsteinreport> https://twitter.com/goldsteinreport

phone: +61 418 228 605 - mobile; +61 2 9663 3430 - office/home