[Newsclips] IETF SYN-ACK Newspack 2020-09-14

David Goldstein <david@goldsteinreport.com> Mon, 14 September 2020 01:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/newsclips/FMcd67Ia4xIdhm907LPRJyJUKgU>

**********************

IETF IN THE NEWS

**********************

TLD Maintenance Significantly Improved With the New Registry Maintenance Notifications for EPP by Tobias Sattler

Three years ago, the first Internet-Draft on Registry Maintenance Notifications for the Extensible Provisioning Protocol (EPP) was published, which will become a Request for Comments (RFC). The IETF Registration Protocols Extensions (REGEXT) working group is the home of the coordination effort for standards track EPP extensions. They released eight RFCs over the last couple of years, and they are currently working on more than 15 Internet-Drafts.

<http://www.circleid.com/posts/20200908-tld-maintenance-significantly-improved-new-registry-maintenance/>

Popular Android apps are rife with cryptographic vulnerabilities

... “A crypto misuse is an invocation to a crypto API that does not respect common security guidelines, such as those suggested by cryptographers or organizations like NIST and IETF.”

<https://www.helpnetsecurity.com/2020/09/08/android-apps-cryptographic-vulnerabilities/>

All about the new Internet protocol HTTP/3

No Internet user can do without the HTTP protocol. After all, it underlies data communication within the World Wide Web and also on local networks such as an intranet. This protocol has now reached version 3, and support for it is steadily increasing. ... The name HTTP/3 was approved by the IETF (Internet Engineering Task Force) back in November 2018 and is currently still an RFC draft, on its way to final RFC status. According to figures from W3Techs, about 4.7 percent of all websites support this new protocol at the time of writing. That seems low, but the trend appears irreversible: on 1 January of this year, for example, it was still under 2.3 percent.

<https://pcmweb.nl/artikelen/internet/alles-over-het-nieuwe-internetprotocolhttp3/>

Researchers found weak use of crypto in almost all popular Android apps

... The four researchers used the tool to examine the use of cryptography in the most popular apps in 33 different categories in the Google Play Store, 1780 apps in total. In all, the apps were checked for compliance with 26 basic cryptographic rules recommended by NIST and the IETF.

<https://www.digi.no/artikler/forskere-fant-svak-bruk-av-krypto-i-nesten-alle-populaere-android-apper/498951>

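Research and development of artificial intelligence technology in line with human rights and Western values: Western countries form a global AI alliance

... The member states of the global AI alliance all believe that regulating the global AI field requires a set of international rules, and such rules are usually drafted by international rule-making bodies; yet over the past several decades the CCP has always been particularly active in such international bodies. For example, over the past few decades the CCP has been promoting its ideas in the Internet Engineering Task Force (IETF) and the International Telecommunication Union (ITU). The IETF is the international organization responsible for developing and promoting voluntary Internet standards, while the ITU is the United Nations organization responsible for establishing international radio and telecommunications regulatory regimes and standards. On this, Michael R Nelson, who directs the Technology and International Affairs Program at the Carnegie Endowment for International Peace, said: "Over the past ten-plus years the CCP has been promoting its own ideas in the international community, and to promote their ideas they have also hired many consultants to work with other companies."

<https://www.soundofhope.org/post/419320>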

Seven people who restarted the DNS root key server (includes 3 IETF mentions)

... Out of concern for DNS security, in the late 1990s the IETF set up a working group dedicated to studying the DNSSEC security extension protocol (DNS Security Extensions), which uses classic encryption algorithms and signature mechanisms to remedy the shortcomings of the original DNS system.

<http://www.edu.cn/xxh/zt/tj/202009/t20200908_2009058.shtml>

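Lei Yixue of Tencent Future Network Lab: participating in 5G standards to help services reach deployment

... In areas such as the 5G service-based architecture and 5G V2X, Tencent's proposal contributions rank among the top of participating companies worldwide. In addition, we also actively participate in the IETF, where, in the important area of interaction between applications and networks, we actively promote opening up wireless network capabilities. In the 5G Automotive Association (5GAA), Tencent also actively takes part in important technical topics such as vehicle-road cooperation, C-V2X high-precision positioning, and 5G network QoS prediction. At the same time, Tencent attaches great importance to the linkage between international and domestic standards, leading and participating in the development of a number of industry and group standards across the ICT, transport and automotive fields, and promoting the deployment of services such as 5G edge computing, 5G cloud-based multimedia and 5G smart mobility.

<https://tech.sina.com.cn/roll/2020-09-12/doc-iivhvpwy6317903.shtml>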

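ZTE's innovative Slice+ network slicing solution meets multi-vendor networking scenarios

... As the industry's first shared control plane solution based on FlexE & SR, ZTE's Slice+ network slicing solution remedies the shortcomings of traditional slicing solutions, in which the control plane cannot be shared and slices cannot be deployed quickly or across domains. The overall technical solution is easy to deploy and fully supports Layer 2 and Layer 3 interface types, greatly expanding the scenarios in which slicing can be applied. The solution is also fully compatible with the existing slicing technology IGP Flexible Algorithm, provides good network interoperability, and can flexibly meet multi-vendor networking scenarios. ZTE has submitted several proposals on Slice+ to the IETF, accelerating the commercial deployment of 5G network slicing technology, providing operators with complete and competitive products and solutions for expanding their 5G 2B industry business, and helping operators with digital transformation and industry upgrading.

<https://fiber.ofweek.com/2020-09/ART-210008-8140-30458277.html>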

**********************

INTERNET OF THINGS

**********************

Privacy, blockchain and the Internet of Things – Can we keep control of our own identities?

New research from The University of South Australia indicates there are key privacy issues inherent to current blockchain platforms, suggesting greater effort should be made to refine the technology so it conforms to privacy rights and expectations.

<https://www.unisa.edu.au/Media-Centre/Releases/2020/privacy-blockchain-and-the-internet-of-things--can-we-keep-control-of-our-own-identities/>

**********************

SECURITY & PRIVACY

**********************

DNS over HTTPS (DoH) – DNS Encryption Entering the Mainstream

With large-scale Internet companies currently implementing DNS over HTTPS (DoH), Klaus Landefeld, Vice-Chair of the eco Association, explains the significance of the move, and why network operators and ISPs should be working on implementation themselves.

<https://international.eco.de/news/dns-over-https-doh-dns-encryption-entering-the-mainstream/>

DNS over HTTPS: eco Discussion Paper Makes Recommendations for More Security in Network Environments

The DoH protocol, designed to improve user privacy and security, has both its upsides and downsides. A new eco Association paper sets out to clarify some of the complexities and provide recommendations for implementation and deployment.

<https://international.eco.de/presse/dns-over-https-eco-discussion-paper-makes-recommendations-for-more-security-in-network-environments/>

Where are DNS registries at with deploying ROAs?

The DNS is an important component of the Internet and over the last 20 years or so, a great deal of attention has been directed at improving its inherently insecure aspects. This includes the deployment of DNSSEC, which enables cryptographic validation of DNS records, and more recently DNS-over-TLS and DNS-over-HTTPS, which encrypt DNS transactions between hosts and resolvers.

<https://blog.apnic.net/2020/09/07/where-are-dns-registries-at-with-deploying-roas/>

DNS Query Privacy Revisited by Geoff Huston & Joao Damas

Much has been said and written in recent times about the use of the DNS as a means of looking at the behaviour of end systems and inferring user behaviours. Almost every transaction starts with a DNS query, and if one were to assemble the complete set of DNS queries generated by an Internet user it would be possible to assemble a relatively complete picture of their online activity.

<https://www.potaroo.net/ispcol/2020-09/qmin.html>

Who Protects You from Cyber Villains?

This is the first in a small series of articles published in collaboration with the Youth IGF and CyberVictimhelp. In this article Joanna Kulesza, a former RACI fellow, talks about DNS abuse victims, shows us a definition of DNS Abuse and explains why this type of online threat cannot be solved solely by nation states.

<https://labs.ripe.net/Members/yuliya_morenets/who-protects-you-from-cyber-villains>

Leadership from ENISA and FORTH further talks on Cybersecurity Collaboration

The European Union Agency for Cybersecurity visits the Foundation for Research and Technology – Hellas in Crete to discuss framework of research projects and events.

<https://www.enisa.europa.eu/news/enisa-news/Leadership-from-ENISA-and-FORTH-Further-Talks>

us: Congress Should Act to Ensure Weapon Systems’ Cybersecurity

As Congress returns from August recess and prepares to finalize the Fiscal Year 2021 National Defense Authorization Act (NDAA), legislators should address a major cybersecurity and national security priority: ensuring the resilience of essential deterrent and warfighting capabilities to adversary cyber action. U.S. strategy documents have emphasized that the United States is in a new strategic environment, one defined by great power, long-term strategic competition in which China and Russia are the most consequential challengers. In this context, the United States should not take for granted its ability to maintain strategic deterrence or conventional overmatch. These capabilities are becoming increasingly vulnerable to malicious adversary cyber campaigns. Therefore, Congress should adopt the recommendation of the Cyberspace Solarium Commission to pass legislation requiring the Department of Defense (DOD) to institutionalize a comprehensive cybersecurity vulnerability assessment of nuclear and conventional weapon systems.

<https://www.cfr.org/blog/congress-should-act-ensure-weapon-systems-cybersecurity>

China launches initiative for global data security issues

China has launched an initiative to address global data security issues, a countermove to the U.S. “clean network” program that is aimed at discouraging other countries from using Chinese technology.

<https://apnews.com/7648da9c8a82902789c4a5ecc4f45e59>

Wang Yi: China proposes global data security initiative

China is proposing a global data security initiative that opposes undermining key infrastructure or data theft by using information technology and forcing firms to store data generated overseas in their home country, Chinese State Councilor and Foreign Minister Wang Yi said on Tuesday at an international symposium named "Seizing Digital Opportunities for Cooperation and Development."

<https://news.cgtn.com/news/2020-09-08/Wang-Yi-China-proposes-global-data-security-initiative-TBYqRj0kYo/index.html>

CEOs Could Be Held Personally Liable for Cyberattacks that Kill

As IT systems, IoT and operational technology converge, attacks on cyber-physical systems in industrial, healthcare and other scenarios will come with dire consequences, Gartner predicts.

<https://threatpost.com/ceos-personally-liable-cyberattacks-kill/158990/>

Which Cybersecurity Incidents Involve Misuse of Legitimate Services

Threat actors who misuse legitimate tools have several advantages over those who use intrusive software, notes Kaspersky Lab, a Russia-based multinational cybersecurity and anti-virus provider, in a press release. It’s more difficult for cybersecurity solutions to discern between regular user activity and malicious activity involving legitimate tools. This difficulty gives attackers more time to access an organization’s network, discover its critical assets and target sensitive information. Knowing how to prevent intrusions and stop unwanted use of legitimate tools is important for a security team’s toolkit. 

<https://securityintelligence.com/news/cybersecurity-attacks-legitimate-services/>

Kaspersky finds attackers misuse legitimate tools in 30% of successful cyber-incidents

According to new research from Kaspersky, almost a third (30%) of cyberattacks investigated by the Kaspersky Global Emergency Response team in 2019 involved legitimate remote management and administration tools. As a result, attackers can remain undetected for a longer period of time, with research showing continuous cyber-espionage attacks and theft of confidential data had a median duration of 122 days. These findings are from Kaspersky’s new Incident Response Analytics Report.

<https://usa.kaspersky.com/about/press-releases/2020_kaspersky-finds-attackers-misuse-legitimate-tools-in-30-of-successful-cyber-incidents>

Why Internet Security is So Important in 2021

Today it’s not just about teaching people to be safe during a browsing session. Life is a browsing session and next year and beyond we need to be ready to do so safely.

<https://www.legalreader.com/why-internet-security-is-so-important-in-2021/>

**********************

OTHERWISE NOTEWORTHY

**********************

Internet Society launches first ever toolkit to gauge the impact of regulation on the Internet

The Internet Society, a global nonprofit organization that promotes the development and use of an open, globally connected and secure Internet has launched the first-ever regulatory assessment toolkit that defines the critical properties needed to protect and enhance the future of the Internet.

<https://www.internetsociety.org/news/press-releases/2020/internet-society-launches-first-ever-toolkit-to-gauge-the-impact-of-regulation-on-the-internet/>

“New IP” and global Internet governance: September 23 with Dr. Milton Mueller, Dr. Richard Li & Olaf Kolkman

The Internet protocols were standardized in the early 1980s, roughly the same time as the first PCs and the first generation of analogue mobile phones. Although there have been many changes and improvements in IETF standards since then, the original IPv4 is still the world’s predominant data communication standard. TCP/IP was an extraordinary success at creating a scalable and globally interoperable data communications; so much so, that even its designated successor, IPv6, has struggled to replace it.

<https://www.internetgovernance.org/2020/09/07/event-do-we-need-a-new-generation-of-internet-standards/>

Wi-Fi 6 is the fastest standard yet. Wi-Fi 6E will be even better

Wi-Fi is expanding into the 6GHz band, giving new Wi-Fi 6E devices an exclusive multilane expressway for faster internet traffic. Here are the details.

<https://www.cnet.com/how-to/wi-fi-6-is-the-fastest-yet-but-wi-fi-6e-will-be-even-better-6-ghz/>

------

David Goldstein

email: david@goldsteinreport.com

web: http://goldsteinreport.com/

Twitter: https://twitter.com/goldsteinreport

phone: +61 418 228 605 - mobile; +61 2 9663 3430 - office/home