gTLD Security Threat Less Than Meets the Eye
Jan 16, 2012 6:00 AM PT
Despite the pleas of some regulators and the advertising industry, the overlords of the Internet -- the Internet Corporation for Assigned Names and Numbers (ICANN) -- plunged forward last week with its plan to drastically expand the number of generic top level domains on the Net.
Generic Top Level Domains (gTLDs) are what come after the dot in an Internet address -- .com, .net, .org, .gov and so forth. Under the new ICANN scheme, anyone can have anything they want after that dot -- as long as they have the cash to do it.
To obtain one of the new gTLDs, an applicant needs to pay ICANN US$187,000 -- $5,000 of it up front.
Critics of the new scheme see it as a potential security nightmare. They're concerned, for example, that the registry where domain owners list their personal information, called "Whois," will be as riddled with errors as it is now.
"You find names like Mickey Mouse, Donald Duck, even God," Dan Jaffe, executive vice president for government relations for the Association of National Advertisers, told TechNewsWorld.
"You can't get behind those names, and often those are the sites behind a lot of cybercrime," he added.
However, ICANN's avowed protections -- it says it's going to take a closer look at applicants for the new gTLDs than it does for the 22 current ones -- and the price of obtaining a custom gTLD may keep Net bottom feeders at bay.
"A scammer can't go out and get a big company name, slightly misspelled, on a whim to run a phishing scam," Gretchen Olive, director of policy and industry affairs for the Corporation Service Company (CSC), told TechNewsWorld. "It costs too much money."
Cybercriminals think like business people. When business people make an investment, they want the best bang for their buck -- aka "return on investment."
"It would be very hard to get a good ROI on an investment like that," maintained Roel Schouwenberg, a senior researcher for Kaspersky Lab.
"The average cybercriminal has much better uses for spending that amount of money than creating a rogue domain," he added. "I don't think it's worth it. The old ways they're using are effective and cheap."
Stratfor Back Online
Although Stratfor usually charges for much of its content, all content was free during the relaunch. That, apparently, attracted a lot of rubberneckers to the site and service interruptions ensued.
Along with the relaunch, it posted a video on YouTube in which its CEO George Friedman decried the actions of Anonymous.
"We are now in a world in which anonymous judges, jurors and executioners can silence whom they want," he said. "This is a new censorship that doesn't come openly from governments but from people hiding behind masks."
Among the spoils taken from Stratfor by Anonymous were the passwords, user names and credit card numbers of thousands of the company's customers. In the spirit of the holidays -- the break-in took place on Christmas Eve -- some of the credit cards were used to make donations to charities.
Apparently, they were also used to send tokens of affection to loved ones, too. One victim told TechNewsWorld that his stolen card had on it a charge for a flamboyant arrangement from 1-800-Flowers.
Terabyte on a Stick
Swiss Army knives are known all-purpose tools, but Victorinox has taken its version of the legendary implement to another level by adding a one-terabyte USB stick to it. Reportedly, it's the only drive of its type that supports eSATA II/III and USB 2.0/3.0 connections.
While the gizmo is sure to give gadget lovers warm and fuzzy feelings, it's giving one security expert nightmares.
"USB drives are incredibly useful, and many companies are hesitant to lock them down altogether," said David Gibson, director of strategy for Varonis.
"But with the prospect of someone being able to transfer the many gigabytes of files onto a device they carry around in their pocket or purse -- and which bears absolutely no resemblance to a portable hard drive -- the chances of a rogue member of staff being detected with this data are close to zero without using automation to audit and analyze access activity," he added.
"Against this backdrop," Gibson continued, "the arrival of the one-terabyte Swiss Army Knife high-speed USB drive really needs to act as a wake-up call to anyone who stores large volumes of data on their IT systems and does not have a comprehensive audit trail of activity on all their data."