[Newsclips] IETF SYN-ACK Newspack 2020-12-21

[David Goldstein <david@goldsteinreport.com>]

Hi IETF and friends,

 

This is the last IETF SYNACK Newspack for 2020. I’ll continue monitoring the news over the next couple of weeks and resume sending out the news again in early January. Thanks for your interest in this news service in 2020 and remember, if anyone has any comments or suggestions on the news service, they’re always welcome, sent to Greg Wood and myself as well if you’re inclined.

 

And just a reminder, the IETF SYNACK Newspack collects IETF-related items from a variety of news outlets and other online publications. They do not represent the views of the IETF and are not checked for factual accuracy.

 

So until 2021, for those celebrating Christmas and the new year, please enjoy yourselves. And for everyone, stay safe in these turbulent times.

 

Kind regards,

David

 

**********************

IETF IN THE NEWS

**********************

Diversity at any price? IETF looking for a new chair

The ongoing search for a new IETF Chair offers the community a possibility to look into diversity issues and choose a candidate sponsored by one of the newer participants in the standardisation process. It is unfortunate that the most plausible candidate from the standpoint of diversity, is sponsored by Chinese vendor Huawei, who is currently locked in a trade war with the US.

< <https://www.centr.org/news/blog/ietf109-new-chair.html> https://www.centr.org/news/blog/ietf109-new-chair.html>

 

Transparent censors and other extensions of extended error codes

The DNS Working Group of the IETF is continuing to expand the DNS code base with both new features and enhancements to previous features. In the latest session, a proposal on private space in the DNS with two letter codes received mixed comments, while the policy-heavy work on the operational fall-out of DoH is still not welcome.

< <https://www.centr.org/news/blog/ietf109-transparent-censors.html> https://www.centr.org/news/blog/ietf109-transparent-censors.html>

 

Standardising an end-to-end encrypted messaging protocol at the IETF

Last month, an Austrian media report kicked up a storm by suggesting that the Council of the European Union was drafting a resolution to prohibit the use of end-to-end encrypted communication. This was quickly corrected: the draft resolution, in fact, affirms the previous position of previous EU policy documents that recognise the importance of end-to-end encryption (E2EE) in providing secure and private communication.

< <https://www.centr.org/news/blog/ietf109-e2ee.html> https://www.centr.org/news/blog/ietf109-e2ee.html>

 

WatchGuard releases two new firewall appliances

... The M5800 has achieved certified performance results through open, standardised testing developed by NetSecOPEN and adopted by the Internet Engineering Task Force (IETF).

< <https://securitybrief.com.au/story/watchguard-releases-two-new-firewall-appliances> https://securitybrief.com.au/story/watchguard-releases-two-new-firewall-appliances>

 

Wireshark 3.4.2

... New and Updated Features: IETF QUIC TLS decryption errors when packets are coalesced with random data Bug 16914.

< <https://www.neowin.net/amp/wireshark-342/> https://www.neowin.net/amp/wireshark-342/>

 

Ad-blocker AdGuard deploys world's first DNS-over-QUIC resolver

Ad-blocker company AdGuard has deployed on Wednesday the world's first-ever DNS-over-QUIC (DoQ) resolver into a production environment as part of the company's Android and iOS applications. ... The protocol is currently only a working draft at the Internet Engineering Task Force (IETF), but AdGuard says there is no reason to wait to start experimenting and providing this better and more private version of the DNS protocol to its users.

< <https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/> https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/>

 

AdGuard becomes the world's first public DNS-over-QUIC resolver!

AdGuard DNS is the first public DNS resolver to support the new DNS-over-QUIC protocol! We believe that DNS-over-QUIC (or simply DoQ) is the future of DNS encryption and we're extremely proud be the first to present you with the opportunity to try it out.

< <https://adguard.com/en/blog/dns-over-quic.html> https://adguard.com/en/blog/dns-over-quic.html>

 

AdGuard aktualisiert seinen Werbeblocker für Android [AdGuard updates its ad blocker for Android]

Die Version 3.6 verschlüsselt DNS-Anfragen über das QUIC-Protokoll. Es verzichtet auf HTTP-Cookies und HTTP-Header. Neu ist auch, dass AdGuard – über einen kleinen Umweg – Werbung aus über die Youtube-App aufgerufene Videos filtert.

< <https://www.zdnet.de/88390829/adguard-aktualisiert-seinen-werbeblocker-fuer-android/> https://www.zdnet.de/88390829/adguard-aktualisiert-seinen-werbeblocker-fuer-android/>

 

Ad-blocker AdGuard implementa primeiro DNS-over-QUIC do mundo [Ad-blocker AdGuard implements world's first DNS-over-QUIC]

A empresa que criou os bloqueadores de anúncios AdGuard implantou o primeiro DNS-over-QUIC (DoQ) do mundo em um ambiente de produção como parte dos aplicativos Android e iOS da empresa. ... O protocolo é atualmente apenas um rascunho de trabalho na Internet Engineering Task Force (IETF). Entretanto, o AdGuard diz que não há razão para esperar para começar a experimentar e fornecer esta versão melhor e mais privada do protocolo DNS para seus usuários.

< <https://sempreupdate.com.br/ad-blocker-adguard-implementa-primeiro-dns-over-quic-do-mundo/> https://sempreupdate.com.br/ad-blocker-adguard-implementa-primeiro-dns-over-quic-do-mundo/>

 

Cloudflare startet HTTP/3 mit Chrome und Firefox [Cloudflare launches HTTP/3 with Chrome and Firefox]

Der Netzwerkdienstleister Cloudflare stellt allen seinen Kunden die Nutzung von HTTP/3 über Quic zur Verfügung. In der Ankündigung hebt der Anbieter explizit den Support in Chrome und Firefox hervor und die gute Zusammenarbeit in der IETF.

< <https://www.golem.de/news/quic-cloudflare-startet-http-3-mit-chrome-und-firefox-1909-144129.html> https://www.golem.de/news/quic-cloudflare-startet-http-3-mit-chrome-und-firefox-1909-144129.html>

 

Online-Workshop: E-Mail mit DANE und DNSSEC absichern [Online workshop: Secure e-mail with DANE and DNSSEC]

... DANE (DNS-based Authentication of Named Entities) ist von der IETF standardisiertes Protokoll, das über die DNS-Sicherheitserweiterung DNSSEC die Identität von Mailservern sicherstellt. Damit ist eine sichere TLS/SSL-verschlüsselte Mailkommunikation möglich, die nicht durch das Unterschieben eines manipulierten X.509-Zertifikats angreifbar ist.

< <https://www.heise.de/news/Online-Workshop-E-Mail-mit-DANE-und-DNSSEC-absichern-4987295.html> https://www.heise.de/news/Online-Workshop-E-Mail-mit-DANE-und-DNSSEC-absichern-4987295.html>

 

Oblivious DoH, il nuovo DNS di Cloudflare che protegge la privacy [Oblivious DoH, Cloudflare's new DNS that protects privacy]

... Cloudflare annunciato il supporto per Oblivious DoH, un nuovo standard DNS proposto all’IETF, i cui autori sono ingegneri della stessa Cloudflare, di Apple e Fastly, che separa gli indirizzi IP dalle query, in modo che nessuna singola entità possa vederli entrambi contemporaneamente.

< <https://www.01net.it/oblivious-doh-nuovo-dns-cloudflare-protegge-privacy/> https://www.01net.it/oblivious-doh-nuovo-dns-cloudflare-protegge-privacy/>

 

Nieuwe Firebox-appliances van WatchGuard voor organisaties met veel thuiswerkers [New Firebox appliances from WatchGuard for organizations with many home workers]

... Recent onderzoek van WatchGuard onderstreept het belang van https-inspectie in het huidige dreigingslandschap. Organisaties die versleuteld verkeer niet goed kunnen analyseren, merken ruim de helft van de aanvallen niet op. Na gestandaardiseerde testen ontwikkeld door NetSecOPEN is de M5800 gecertificeerd voor doorvoersnelheden tot 4,9 Gbps met alle securityscans en https-inspectie ingeschakeld. Deze testmethode wordt ook gehanteerd door de Internet Engineering Task Force (IETF).

< <https://dutchitchannel.nl/663984/watchguard-vernieuwt-firebox-appliances.html> https://dutchitchannel.nl/663984/watchguard-vernieuwt-firebox-appliances.html>

 

Code is law: É fundamental que os poderes públicos se capacitem e relacionem com o código informático. Sem compreender o código, não haverá lei. [It is essential that public authorities empower and relate to the computer code. Without understanding the code, there will be no law.]

... Referência na reflexão sobre a regulação do ciberespaço, Lawrence Lessig descortinou quatro elementos fundamentais que condicionam a dominação do ciberespaço pelas formas tradicionais de regulação: o mercado, os usos sociais, a lei e a arquitetura. Atentemos neste último. Olhando a invenção, o autor viu nas características técnicas da internet (o seu software e hardware) as razões para uma arquitetura de liberdade. A rede foi desenvolvida no meio militar e adaptada à utilização civil no meio académico, sem preocupações de monta com a identificabilidade dos sujeitos e a segurança em geral. Esta visão das forças que concorrem pela ordem num mundo sem terra, interoperável e de vários idiomas com tronco comum, fizeram dela um caso estranho de autorregulação, baseado na observância de padrões tecnológicos unitários, seguidos em conformidade pelos techies reunidos em organismos como o ISOC ou o IETF.

< <https://observador.pt/opiniao/code-is-law/> https://observador.pt/opiniao/code-is-law/>

 

Bugüne kadarki en yüksek performanslı güvenlik duvarı cihazları tanıtıldı [Introducing the highest-performing firewall devices to date]

... Yakın tarihli WatchGuard tehdit istihbaratı, şifrelenmiş trafiği etkili bir şekilde analiz edemeyen şirketlerin gelen saldırıların %54’ünü kaçıracağını göstererek günümüzün tehdit ortamında HTTPS denetimi ihtiyacını vurguluyor. Ayrıca yeni Firebox M4800 ve M5800, UTM hizmetleri etkinken sırasıyla 5,2 Gb/sn ve 11,3 Gb/sn aktarım hızına ulaşıyor. Firebox M5800, NetSecOPEN tarafından geliştirilen ve İnternet Mühendisliği Görev Gücü (IETF) tarafından benimsenen açık, standartlaştırılmış testler yoluyla sertifikalı performans sonuçları elde ederken, Netscape testinde Firebox M5800, tüm güvenlik taramaları ve HTTPS içerik denetimi etkinken 4,9 Gbps’ye kadar hızlar için onaylandı. WatchGuard’ın bugüne kadarki en yüksek performanslı Firebox cihazları olan bu yeni modeller, kullanıcıların aktarım hızı ve güvenlik arasında seçim yapmak zorunda kalmamasını sağlıyor.

< <https://www.alanyahaber.com/bugune-kadarki-en-yuksek-performansli-guvenlik-duvari-cihazlari-tanitildi/> https://www.alanyahaber.com/bugune-kadarki-en-yuksek-performansli-guvenlik-duvari-cihazlari-tanitildi/>

 

Internetul acestă graniță niciodată cunoscută [The Internet has never known this frontier]

... IETF, o organizație nonprofit cu sediul în California și formată în 1986, este principala organizație de standarde deschise care dezvoltă protocoale de internet voluntare de acest fel. Procesul de dezvoltare a standardelor IETF este ghidat în principal de cinci obiective: excelența tehnică; implementarea și testarea prealabilă; documentație clară, concisă și ușor de înțeles; deschidere și corectitudine; actualitatea (IETF, nedatată). Membrii organizației care participă la procesele IETF revizuiesc propunerile care, odată ce au fost convenite, pot fi puse în aplicare în mod voluntar de către companiile de internet din întreaga lume. Pe lângă membrii comunităților academice, de cercetare și nonprofit, companiile de internet și tehnologie sunt ele însele implicate puternic în procesele de dezvoltare a standardelor IETF.

< <https://www.ziuanews.ro/editorial/internetul-acest-grani-niciodat-cunoscut-1560046> https://www.ziuanews.ro/editorial/internetul-acest-grani-niciodat-cunoscut-1560046>

 

**********************

SECURITY & PRIVACY

**********************

Cloudflare launches web hosting service Cloudflare Pages

... The security of the platform, meanwhile, is being assured with free SSL as standard, alongside the firm’s Web Application Firewall (WAF). The company will also provide support for the latest web standards with HTTP/3, the QUIC transport layer network protocol, and image compression.

< <https://www.itpro.co.uk/development/web-development/358192/cloudflare-launches-web-hosting-service-cloudflare-pages> https://www.itpro.co.uk/development/web-development/358192/cloudflare-launches-web-hosting-service-cloudflare-pages>

 

Introducing Cloudflare Pages: the best way to build JAMstack websites

Across multiple cultures around the world, this time of year is a time of celebration and sharing of gifts with the people we care the most about. In that spirit, we thought we'd take this time to give back to the developer community that has been so supportive of Cloudflare for the last 10 years.... The latest web standards are fun to read about on Hacker News but not fun to implement yourself. With Cloudflare Pages, we’ll do the heavy lifting to keep you ahead of the curve: IPv6, HTTP/3, TLS 1.3, all the latest image formats.

< <https://blog.cloudflare.com/cloudflare-pages/> https://blog.cloudflare.com/cloudflare-pages/>

 

Cloudflare lance le service d’hébergement Web, Cloudflare Pages [Cloudflare Launches Web Hosting Service, Cloudflare Pages]

... En utilisant Cloudflare Pages, les développeurs peuvent créer des sites qui sont massivement évolutifs, car ils sont construits sur le réseau mondial de Cloudflare qui s’étend sur plus de 200 villes dans plus de 100 pays. La sécurité de la plate-forme est assurée par le protocole SSL gratuit en standard, ainsi que par le pare-feu pour applications Web (WAF) de la société. L’entreprise prendra également en charge les dernières normes Web avec HTTP/3, le protocole de réseau de la couche transport QUIC et la compression des images.

< <https://www.blog-nouvelles-technologies.fr/192372/cloudflare-lance-le-service-dhebergement-web-cloudflare-pages/> https://www.blog-nouvelles-technologies.fr/192372/cloudflare-lance-le-service-dhebergement-web-cloudflare-pages/>

 

HTTP vs IPFS: cuáles son las principales diferencias [HTTP vs IPFS: What are the main differences]

... HTTP: Se trata del Protocolo de transferencia de hipertexto. Básicamente es un protocolo de comunicaciones que permite las transferencias de información mediante archivos HTML, XHML y otros en Internet. Este protocolo surgió en el año 1989, pero ha ido recibiendo actualizaciones con el paso del tiempo. Ahora nos encontramos en la versión HTTP/3. Es, en definitiva, algo básico para comprender el Internet moderno y poder navegar por las páginas web.

< <https://www.redeszone.net/tutoriales/internet/principales-diferencias-ipfs-http/> https://www.redeszone.net/tutoriales/internet/principales-diferencias-ipfs-http/>

 

Internet, jaki znamy, się kończy... nowe HTTP, czyli jedna z cichych rewolucji 2020 [The Internet as we know it is over... new HTTP, one of the silent revolutions of 2020]

... To w wielu przypadkach przyspieszyło wczytywanie stron internetowych, teraz jednak postanowiono pójść dalej i zdefiniowano HTTP/3 bazujący na protokole QUIC od Google.

< <https://www.dobreprogramy.pl/marcinw2/Internet-jaki-znamy-sie-konczy-nowe-HTTP-czyli-jedna-z-cichych-rewolucji,112276.html> https://www.dobreprogramy.pl/marcinw2/Internet-jaki-znamy-sie-konczy-nowe-HTTP-czyli-jedna-z-cichych-rewolucji,112276.html>

 

ENISA welcomes the EU Cybersecurity Strategy and Agency’s proposed tasks

The new EU Cybersecurity Strategy will bring tasks and responsibilities for ENISA to help Europe become a resilient, technological sovereign leader in cyberspace.

< <https://www.enisa.europa.eu/news/enisa-news/enisa-welcomes-the-eu-cybersecurity-strategy-and-agency2019s-proposed-tasks> https://www.enisa.europa.eu/news/enisa-news/enisa-welcomes-the-eu-cybersecurity-strategy-and-agency2019s-proposed-tasks>

 

New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient

The Commission and the High Representative of the Union for Foreign Affairs and Security Policy have presented this week a new EU Cybersecurity Strategy. As a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy, the Strategy will bolster Europe's collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.

< <https://ec.europa.eu/digital-single-market/en/news/new-eu-cybersecurity-strategy-and-new-rules-make-physical-and-digital-critical-entities-more> https://ec.europa.eu/digital-single-market/en/news/new-eu-cybersecurity-strategy-and-new-rules-make-physical-and-digital-critical-entities-more>

 

Launch of New Ad-hoc Working Group on European Cybersecurity Skills Framework

The European Union Agency for Cybersecurity kicked-off yesterday the new ad-hoc working group in response to the European Skills Agenda.

< <https://www.enisa.europa.eu/news/enisa-news/launch-of-new-ad-hoc-working-group-on-european-cybersecurity-skills-framework> https://www.enisa.europa.eu/news/enisa-news/launch-of-new-ad-hoc-working-group-on-european-cybersecurity-skills-framework>

 

ENISA AI Threat Landscape Report Unveils Major Cybersecurity Challenges

Today, the European Union Agency for Cybersecurity (ENISA) released its Artificial Intelligence Threat Landscape Report, unveiling the major cybersecurity challenges facing the AI ecosystem. ENISA’s study takes a methodological approach at mapping the key players and threats in AI.

< <https://www.enisa.europa.eu/news/enisa-news/enisa-ai-threat-landscape-report-unveils-major-cybersecurity-challenges> https://www.enisa.europa.eu/news/enisa-news/enisa-ai-threat-landscape-report-unveils-major-cybersecurity-challenges>

 

Measuring the impact of DNS Flag Day 2020

The architecture of the Internet took a highly radical step in the evolution of wide-area communications protocols. Rather than placing much of the functionality into the network infrastructure and using network functions to emulate reliable edge-to-edge circuitry, the Internet Protocol (IP) used a network service model that was minimal and provided nothing beyond unreliable packet delivery. Everything else was left to the connected hosts.

< <https://www.potaroo.net/ispcol/2020-12/xldns3.html> https://www.potaroo.net/ispcol/2020-12/xldns3.html>

 

Improving the privacy of DNS and DoH with oblivion

Technical development often comes in short intense bursts, where a relatively stable technology becomes the subject of intense revision and evolution. The DNS is a classic example here.

< <https://www.potaroo.net/ispcol/2020-12/oblivion.html> https://www.potaroo.net/ispcol/2020-12/oblivion.html>

 

DNS-over-HTTPS in Unbound

Privacy plays an important part in the development of NLnet Labs products. For Unbound this manifests itself by being in the front line of the development of privacy preserving features like QNAME minimization, auth-zones, and DNS-over-TLS (DoT).

< <https://blog.apnic.net/2020/12/14/dns-over-https-in-unbound/> https://blog.apnic.net/2020/12/14/dns-over-https-in-unbound/>

 

APNIC now testing ‘signed TAL’

APNIC has deployed a testbed for the ‘signed TAL‘ method of Trust Anchor (TA) key rollover.

< <https://blog.apnic.net/2020/12/15/apnic-now-testing-signed-tal/> https://blog.apnic.net/2020/12/15/apnic-now-testing-signed-tal/>

 

RIPE NCC Response to the EU’s Cybersecurity Strategy for the Digital Decade

The EU’s Cybersecurity Strategy for the Digital Decade was released today and includes a strategy to reinforce the security of the DNS root system. The strategy refers to plans for the European Commission to work with ENISA, Member States, the two root server operators based in the EU (the RIPE NCC and Netnod) and the multistakeholder community in order to develop a contingency plan “for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system.”

< <https://www.ripe.net/publications/news/announcements/ripe-ncc-response-to-the-eu2019s-cybersecurity-strategy-for-the-digital-decade> https://www.ripe.net/publications/news/announcements/ripe-ncc-response-to-the-eu2019s-cybersecurity-strategy-for-the-digital-decade>

 

Europol and the European Commission inaugurate new decryption platform to tackle the challenge of encrypted material for law enforcement investigations

This week Europol launched an innovative decryption platform, developed in close cooperation with the European Commission's Joint Research Centre. It will significantly increase Europol’s capability to decrypt information lawfully obtained in criminal investigations.

< <https://www.europol.europa.eu/newsroom/news/europol-and-european-commission-inaugurate-new-decryption-platform-to-tackle-challenge-of-encrypted-material-for-law-enforcement> https://www.europol.europa.eu/newsroom/news/europol-and-european-commission-inaugurate-new-decryption-platform-to-tackle-challenge-of-encrypted-material-for-law-enforcement>

 

Here’s how we can strengthen cybersecurity for ‘the New Normal’ by Malcolm Johnson, ITU Deputy Secretary-General

The pace at which the world is changing can be unsettling and casts uncertainty about the future. Cybersecurity concerns are reaching unprecedented levels, and no country and no industry is untouched. According to one estimate, cybercrime could cost the world more than 10 trillion USD a year by 2025, which would represent the greatest transfer of economic wealth in history.

< <https://news.itu.int/strengthen-cybersecurity-new-normal/> https://news.itu.int/strengthen-cybersecurity-new-normal/>

 

5G flaws allow criminals to steal data, cut access to the web

Flaws in 5G technology are allowing criminals to steal data and cut access to the web, according to new research.

< <https://futurefive.co.nz/story/5g-flaws-allow-criminals-to-steal-data-cut-access-to-the-web> https://futurefive.co.nz/story/5g-flaws-allow-criminals-to-steal-data-cut-access-to-the-web>

 

Updated ENISA 5G Threat Landscape Report to Enhance 5G Security

ENISA releases updated 5G threat assessment report to enhance cybersecurity of 5G by identifying vulnerabilities and proposing corresponding technical 5G security controls.

< <https://www.enisa.europa.eu/news/enisa-news/updated-enisa-5g-threat-landscape-report-to-enhance-5g-security> https://www.enisa.europa.eu/news/enisa-news/updated-enisa-5g-threat-landscape-report-to-enhance-5g-security>

 

EU unveils revamp of cybersecurity rules days after hack

The European Union unveiled Wednesday plans to revamp the 27-nation bloc’s dated cybersecurity rules, just days after data on a new coronavirus vaccine was unlawfully accessed in a hack attack on the European Medicines Agency.

< <https://apnews.com/article/europe-hacking-europe-coronavirus-pandemic-32c882769dc0f3c15e471657905e3713> https://apnews.com/article/europe-hacking-europe-coronavirus-pandemic-32c882769dc0f3c15e471657905e3713>

 

Homeland security tells all federal agencies to disconnect from widely-used software

The US has issued an emergency warning after it emerged that nation-state hackers had managed for several months to weaponise software used by almost all Fortune 500 companies and multiple federal agencies, as well as hundreds of thousands of organisations globally.

< <https://www.ft.com/content/3a635e09-221c-49af-a582-97bc4e803747> https://www.ft.com/content/3a635e09-221c-49af-a582-97bc4e803747>

 

Assessing the New Normal for Cybersecurity

“Pandemic” was the word of the year, with runners up including quarantine, coronavirus and asymptomatic. They make sense, of course, but two phrases that should also be included in that list are “remote worker” (or work from home, take your pick) and “new normal.”

< <https://securityboulevard.com/2020/12/assessing-the-new-normal-for-cybersecurity/> https://securityboulevard.com/2020/12/assessing-the-new-normal-for-cybersecurity/>

 

Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce

Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.

< <https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html> https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>

 

The SolarWinds Wake-Up Call by Michael Chertoff , Latha Reddy, Alexander Klimburg

The recently discovered SolarWinds hack holds obvious lessons for governments around the world, particularly after a year in which cyber attacks on critical infrastructure have surged. International action is urgently needed, not to write new treaties or codes of conduct, but to enforce existing norms.

< <https://www.project-syndicate.org/commentary/soladwinds-cyber-norms-must-be-upheld-by-michael-chertoff-et-al-2020-12> https://www.project-syndicate.org/commentary/soladwinds-cyber-norms-must-be-upheld-by-michael-chertoff-et-al-2020-12>

 

Hack against US is ‘grave’ threat, cybersecurity agency says

Federal authorities are expressing increased alarm about a long-undetected intrusion into U.S. and other computer systems around the globe that officials suspect was carried out by Russian hackers. The nation’s cybersecurity agency warned of a “grave” risk to government and private networks.

< <https://apnews.com/article/donald-trump-politics-foreign-policy-hacking-russia-f32a2c951c84718381efd282d566f614> https://apnews.com/article/donald-trump-politics-foreign-policy-hacking-russia-f32a2c951c84718381efd282d566f614>

 

US agencies, companies secure networks after huge hack

U.S. government agencies and private companies rushed Monday to secure their computer networks following the disclosure of a sophisticated and long-running cyber-espionage intrusion suspected of being carried out by Russian hackers.

< <https://apnews.com/article/us-agencies-hacked-global-cyberspying-328b4936f2535418b27cb90afa858489> https://apnews.com/article/us-agencies-hacked-global-cyberspying-328b4936f2535418b27cb90afa858489>

 

The SolarWinds Perfect Storm: Default Password, Access Sales and More

A perfect storm may have come together to make SolarWinds such a successful attack vector for the global supply-chain cyberattack discovered this week. Researchers said that includes its use of a default password (“SolarWinds123”) that gave attackers an open door into its software-updating mechanism; and, SolarWinds’ deep visibility into customer networks.

< <https://threatpost.com/solarwinds-default-password-access-sales/162327/> https://threatpost.com/solarwinds-default-password-access-sales/162327/>

 

SolarWinds: Why the Sunburst hack is so serious

We've all seen the pop-ups on our laptops or phones: "Update is available, click here to download." We're constantly urged to do as we're told because these software updates improve our apps by boosting cyber-security and removing glitches.

< <https://www.bbc.com/news/technology-55321643> https://www.bbc.com/news/technology-55321643>

 

SolarWinds Hack Could Affect 18K Customers

The still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers, the company said in a legal filing on Monday. Meanwhile, Microsoft should soon have some idea which and how many SolarWinds customers were affected, as it recently took possession of a key domain name used by the intruders to control infected systems.

< <https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/> https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/>

 

**********************

INTERNET OF THINGS

**********************

NIST Releases Draft Guidance on Internet of Things Device Cybersecurity

As the Internet of Things (IoT) grows to connect an amazing diversity of devices to electronic networks, four new publications from the National Institute of Standards and Technology (NIST) offer recommendations to federal agencies and manufacturers alike concerning effective cybersecurity for these devices.

< <https://www.nist.gov/news-events/news/2020/12/nist-releases-draft-guidance-internet-things-device-cybersecurity> https://www.nist.gov/news-events/news/2020/12/nist-releases-draft-guidance-internet-things-device-cybersecurity>

 

IEEE gears up for World Forum on the Internet of Things 2021

The internet as we know it is flexing, transforming, and has crossed the threshold to a new era: The internet of intelligent things. From cloud to edge and ecosystems to privacy and security, the Internet of Things is shaping technology at a rapid pace.

< <https://securitybrief.com.au/story/ieee-gears-up-for-world-forum-on-the-internet-of-things-2021> https://securitybrief.com.au/story/ieee-gears-up-for-world-forum-on-the-internet-of-things-2021>

------

David Goldstein

email:  <mailto:david@goldsteinreport.com> david@goldsteinreport.com

web:  <http://goldsteinreport.com/> http://goldsteinreport.com/

Twitter:  <https://twitter.com/goldsteinreport> https://twitter.com/goldsteinreport

phone: +61 418 228 605 - mobile; +61 2 9663 3430 - office/home