Tag Archive for: isn’t

The status quo for DNS security isn’t working


The Domain Name System (DNS) is often referred to as the phone book of the internet. DNS translates web addresses, which people use, into IP addresses, which machines use. But DNS was not designed with security in mind. And even though companies have invested incredible amounts of money into their security stack (and even though they’ve had since the 1980s to figure this out), DNS traffic often goes unmonitored.

This has only worsened with the adoption of encrypted DNS, known as DNS-over-HTTPS (DoH). Since its introduction in late 2018, DoH has grown from a personal privacy feature that most IT teams blocked outright, to an encouraged enterprise privacy and security function. While DoH protects traffic in transit, it also leaves organizations with little to no visibility over what’s happening with their DNS queries.

[Figure: The evolution of DNS. Image: Zscaler]

Threat actors regularly exploit this visibility gap. IDC’s 2022 Global DNS Threat Report revealed that 88% of organizations interviewed had suffered DNS-related attacks—primarily phishing, malware, and DDoS attacks—over the previous year. Additionally, 70% had experienced application downtime as a result.

A few DNS attack tactics are particularly popular:

  • DNS tunneling: One of the most popular DNS threats is DNS tunneling, in which threat actors take advantage of the flexible nature of DNS queries to hide communications to command-and-control servers, download malware, or exfiltrate data. Unfortunately, this is challenging to detect due to the broad nature of DNS queries (a website can be called pretty much anything so a DNS query can be pretty much anything) and due to IT visibility gaps, particularly when it comes to encrypted traffic.
  • DNS spoofing: This tactic—frequently executed using Man-in-the-Middle (MitM) techniques—involves altering the DNS entries on a DNS server or entering false information into the DNS cache, resulting in the targeted user traffic getting redirected to an attacker-controlled fraudulent site. This can be used for phishing or to trick users into installing malicious software like worms or viruses.
  • DDoS attacks on DNS servers: Attackers don’t necessarily have to infiltrate a…

Source…

The most expensive domain name in history isn’t doing too well with site traffic


Owning a domain name will typically cost between $10 and $20 per year, but this is just a drop in the ocean in terms of a possible price tag, new data has revealed.

Top web hosting company Hostinger released a study looking into the top seven most expensive domain names in history, with the most expensive domain costing $30 million in 2019.

Source…

T-Mobile’s New Data Breach Shows Its $150 Million Security Investment Isn’t Cutting It


Yesterday, mobile giant T-Mobile said that it suffered a data breach beginning on November 26 that impacts 37 million current customers on both prepaid and postpay accounts. The company said in a US Securities and Exchange Commission filing that a “bad actor” manipulated one of the company’s application programming interfaces (APIs) to steal customers’ names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The initial intrusion occurred at the end of November, and T-Mobile discovered the activity on January 5.  

T-Mobile is one of the US’s largest mobile carriers and is estimated to have more than 100 million customers. But in the past 10 years, the company has developed a reputation for suffering repeated data breaches alongside other security incidents. The company had a mega breach in 2021, two breaches in 2020, one in 2019, and another in 2018. Most large companies struggle with digital security, and no one is immune to data breaches, but T-Mobile seems to be approaching companies like Yahoo in the pantheon of repeated compromises.

“I’m certainly disappointed to hear that, after as many breaches as they’ve had, they still haven’t been able to shore up their leaky ship,” says Chester Wisniewski, field chief technical officer of applied research at the security firm Sophos. “It is also concerning that the criminals were in T-Mobile’s system for more than a month before being discovered. This suggests T-Mobile’s defenses do not utilize modern security monitoring and threat hunting teams, as you might expect to find in a large enterprise like a mobile network operator.”

Because of limits on the API (an interface that facilitates communication between two software programs), the attacker did not gain access to Social Security numbers or tax IDs, driver’s license data, passwords and PINs, or financial information like payment card data. Such data has been compromised in other recent T-Mobile breaches, though, including one in August 2021. In July 2022, T-Mobile agreed to settle a class action suit about that breach in a deal that included $350 million to customers. At the time, the company also committed to a…

Source…

DuckDuckGo Isn’t as Private as You Think


After another week of dismally tragic news and moral failures by the powerful, it’s good to know that you can at least depend on the small things, like “privacy-focused” search engine and browser DuckDuckGo resisting the temptation to sell out and help corporations to surveil its users. Oh, wait.

Yes, a security researcher revealed this week that even DuckDuckGo, which markets itself as “the internet privacy company,” made an exception for its business partner Microsoft to its browser’s blocking of some advertising trackers on websites, sparking accusations of betraying its purported privacy ethos. The milkshake-ducking of DuckDuckGo comes amid a rising awareness of how the stakes of online surveillance are rising as signs grow that the US Supreme Court will overturn Roe v. Wade’s protections on abortion rights: A new report this week from the Surveillance Technology Oversight Project laid out all the technological means available to law enforcement and private litigants to surveil those seeking abortions, should Roe be struck down. And more than 40 members of Congress called on Google to stop tracking location data in Android ahead of a potential Roe reversal.

In other privacy news, we looked at how the European Union’s General Data Protection Regulation has failed to meaningfully curb Big Tech’s privacy abuses four years after its passage. Australia’s digital driver’s licenses turn out to be far too easy to forge. China has been saber-rattling with accusations about American cyberespionage. We spoke to the inventor of the browser “cookie” about how to handle cookie settings for privacy—and those ubiquitous cookie-related pop-ups on websites. And we also interviewed the CEO of Protonmail, now rebranded as just Proton, about its ambitions to offer a broader range of privacy-focused services beyond email—hopefully without, ahem, surveillance exceptions for its business partners.

But there’s more. As usual, we’ve rounded up all the news that we didn’t break or cover in-depth this week. Click on the headlines to read the full stories. And stay safe out there.

Cybersecurity and privacy researcher Zach Edwards discovered a glaring hole in the privacy protections of…

Source…