The Official, Unofficial, DNS Security Extensions (DNSSEC) Blog

Introducing DNSCrypt (Preview Release),by OpenDNS

2011-12-08T15:44:00.000-08:00

"DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I'm getting a response for coming from the owner of the domain name I'm asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you're getting are verifiable. But unfortunately, DNSSEC doesn't actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.

That said, DNSSEC and DNSCrypt can work perfectly together. They aren't conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS."

Source: OpenDNS.com

Read in full and download DNSCrypt

DNSSEC Update from ICANN 42 in Dakar

2011-11-30T12:43:00.000-08:00

"Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers."

circleid (full article)

The Economist: Accessories after the fact

2011-11-24T19:20:00.000-08:00

That risks damaging the internet’s vital internal addressing system, which lets people use words instead of numbers to access websites. It also clashes with DNSSEC (don’t ask), a protocol that America has long championed to increase internet security. Messing with DNSSEC could create loopholes for hackers by allowing rogue websites to pose as legitimate ones. Savvy users (who do the most downloading) will be able to bypass these filters anyway. And the bill’s vague wording leaves open the possibility that American ISPs might have to institute more intrusive forms of filtering, with the costs, performance problems and privacy issues that would inevitably entail.

Full Article

P2P DNS – Taking ownership of the internet

2011-10-23T22:19:00.000-07:00

"DNS is one of those core technologies on which the internet runs. For most end users, DNS is pretty much invisible until they want to register their first domain for their own websites. At that point, the concept of a domain registrar suddenly pops into view."

Read the entire article here.

Finland to launch improved Fi-domain name service

2011-09-13T06:28:00.000-07:00

"Finland's telecom regulator Ficora announced that an upgraded fi-domain name service domain.fi will be launched soon. As a result of the launch process, applying for new fi-domain names or making changes to existing ones will not be possible from 17 September at 8:00hrs until 19 September at 10:00hrs.

The improved fi-domain name service offers users a more user-friendly way of applying for fi-domain names as well as for renewing, terminating and paying for them. At the same time, the system takes into consideration the modern requirements for electronic services better than before. The renewed service introduces the so-called DNSSec support to improve the information security of fi-domain names. The service also contains full IPv6 support, which is critical since it is believed that IPv6 connections will grow strongly in the future as available IPv4 addresses can no longer be assigned.

The improvements in the service contain added information on domain names for different user groups, such as companies, organisations and private persons. The service provides answers to such questions as who is entitled to apply for a domain name, to whom are fi-domain names granted, what can be registered as a domain name, what are domain names used for and the ways in which one can apply for a domain name.

The service has a specific section for service providers who can be authorised to apply for a domain name and assists domain name applicants in matters concerning the name server, server status and e-mail servers."

Source: Retrieved on Tuesday 13 September 2011 from telecompaper.com/news/finland-to-launch-improved-fi-domain-name-service

PROTECT IP threatens the future of DNS security

2011-08-25T21:34:00.000-07:00

"PROTECT IP is the name of a bill which is working its way through the US Senate with a version also expected to be introduced in the House of Representatives next month. It would require the Attorney General's office to compile of list of domain names which DNS operators (in the US) will be required to block. According to some critics, it threatens to undo more than a decade of Internet security development in a single stroke."- AfterDawn

More...

Nominet Launches Free Trial Of Secure DNS

2011-07-25T08:58:00.000-07:00

Nominet will give .uk domain owners a DNSSEC service to prevent hackers spreading counterfeit addresses

Nominet, gatekeepers to the .uk kingdom, is attempting to make its part of the Internet safer by promoting a secure version of the Internet’s directory – the domain name system (DNS).

Nominet is offering a free trial of the DNSSEC (DNS Security Extension), a secure version of the DNS protocol, designed to prevent hackers from “poisoning” the Internet’s directory system with false entries that can trap the unwary.

Source: http://www.eweekeurope.co.uk/news/nominet-launches-free-trial-of-secure-dns-35010

New IPv6 DNS and BIND Book

2011-07-05T07:48:00.000-07:00

New book provides important information for IPv6 BIND configuration

http://www.networkworld.com/community/node/75933

ICANN Leaders to Discuss Generic Top-Level Domains

2011-06-15T12:57:00.000-07:00

"(The Hosting News) – Rod Beckstrom, ICANN’s President and Chief Executive Officer will join Board Chair Peter Dengate Thrush and Senior Vice President Kurt Pritz at news conference immediately following an historic special meeting of the ICANN Board of Directors to decide the future of new generic top-level domains (gTLDs).

The potential expansion of new gTLDs could mark one of the biggest changes ever to the Internet’s Domain Name System."

Source: The Hosting News: Retrieved on June 15, 2011 from www.thehostingnews.com/icann-leaders-to-discuss-generic-top-level-domains-18604.html

Getting started with a DNSSEC implementation

2011-06-06T10:30:00.000-07:00

"Can you clarify what fixes are being implemented to the DNS system (via DNSSEC) to make it more secure? Do enterprises need to take any action in turn or will these DNS security improvements be transparent?

Attackers sometimes attempt to manipulate DNS records through cache-poisoning attacks that insert malicious false DNS records into a server. Attackers hope these records will be distributed to client machines, which will then unknowingly guide users to malicious webpages.

Until recently, there was little that could be done on the client side to defend against this type of attack. But the release of the DNS Security Extensions (DNSSEC) changes that, allowing for the application of digital signature technology to DNS records, and providing the end user with assurance that the record is authentic.
The idea to secure DNS has been around for over a decade, but it took time to work out the details, and adoption has been quite slow. Over the past year, the idea picked up some steam, especially after the publicity surrounding the DNS vulnerabilities that Dan Kaminsky announced at 2010 Black Hat Briefings conference. Major network and hosting providers such as Comcast and GoDaddy have joined the federal government in deploying DNSSEC.

If you want to get started with a DNSSEC implementation"

Source: Getting started with a DNSSEC implementation, By Mike Chapple, Contributor, SearchSecurity.com, Retrieved on June 6, 2011 from http://searchsecurity.techtarget.com/answer/Getting-started-with-a-DNSSEC-implementation

Share

DNSSEC signature can crash Bind name servers

2011-05-27T08:26:00.000-07:00

"Where a Bind name server is set up as a caching resolver, it is vulnerable to DoS attacks which could cause it to crash. ISC describes the issue in its advisory Large RRSIG RRsets and Negative Caching can crash named and categorises the problem, which can be triggered remotely, as 'high' severity.

The DNSSEC extension plays a key role in the latest security problem to hit the widely used name server. It appears that the internal memory manager can become confused when it has to cache signed entries for non-existent domains. ISC's Larissa Shapiro has confirmed to The H's associates at heise Security that servers which do not themselves offer DNSSEC functionality are also vulnerable.

According to ISC, to exploit the bug an attacker must be running a DNSSEC-signed authority server for a domain. He would then be able to induce DNS lookups for non-existent names on that domain (for example by sending out spam), which would trigger the bug on the vulnerable name server. Versions 9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier are all affected. ISC has released updates which should fix the problem."

Source: Retrieved on May 27, 2011 from h-online.com/open/news/item/DNSSEC-signature-can-crash-Bind-name-servers-1251729.html

Share

BIND Update Patches Security Flaw

2011-05-09T13:56:00.000-07:00

The Internet Systems Consortium (ISC) recently released Update 9.8.0-P1 for its BIND DNS server, which closes a potential denial of service vulnerability.
"Signed server replies (RRSIG) can cause a BIND server to crash under certain circumstances," The H Security reports. "ISC says that the vulnerability only occurs, however, if the vulnerable server supports response policy zones (RPZs)."
"ISC says the DoS has not yet been used for actual attacks, but the firm is keeping an eye on a number of DNSSEC validators that have sent answers to the BIND server which unintentionally caused crashes," the article states.
Go to "Update for BIND server patches DoS hole" to read the details.

Source: esecurityplanet.com/headlines/article.php/3933016/article.htm, Retrieved on May 9th, 2011

Share

New Insights into DNSSEC Adoption

2011-04-25T11:52:00.000-07:00

DNSSEC survey conducted by IID, in coordination with Online Trust Alliance. Click here for details.

Share

.CO Registry Deploys DNSSEC

2011-03-04T09:23:00.000-08:00

"Joins a select group of Registry operators leading the charge in the implementation of a suite of new security features that will help create a more secure internet.

.CO Internet S.A.S., the Registry operator for the .CO domain, yesterday announced that it has completed deployment of Domain Name System Security Extensions (DNSSEC) into the Internet root zone. The company claims that in doing so, it joins a select group of Registry operators leading the charge in the implementation of a suite of new security features that will help create a more secure internet.

It avers that DNSSEC is a set of specifications for securing certain kinds of information provided by the Domain Name System (DNS) that is designed to protect the Internet from specific types of attacks, such as DNS cache poisoning, which can lead to cyber-crimes such as identity theft. With full end-to-end deployment, it will eventually allow internet users to know with certainty that they have been directed to the precise website they intended to reach.

The company says that the smooth implementation of DNSSEC follows several months of careful planning and a successful test phase in January 2011. A strong partnership with Neustar, Inc., the .CO Registry's technology services partner, was a critical success factor.

"We're proud to be announcing the successful implementation of DNSSEC today," said Nicolai Bezsonoff, COO of .CO Internet. ".CO is one of the fastest growing domain extensions in the world, and registrants and end users can rest assured that we are committed to providing the highest level of internet security - both now and into the future."

"By implementing DNSSEC so soon after the launch of .CO as a global domain, the .CO Registry has reaffirmed its commitment to ensuring the security and integrity of the .CO name space," said Tim Switzer, Vice President of Domain Name Registry Services at Neustar. "We look forward to continuing to support the .CO Registry as it plays an increasingly active role in addressing the security challenges of the 21st century - and in helping to develop the policies, standards and practices that govern the global internet.""

Source: Retrieved on March 4th from webhosting.info/news/1/.co-registry-deploys-dnssec_0303114161.htm

Verisign Selected to Operate .gov Domain Name Registry

2011-02-04T23:33:00.000-08:00

General Services Administration Selects Verisign to Provide All Aspects of Domain Name Registration Service to Federal, State and Local Governments

"Verisign is honored to be granted the responsibility of operating the .gov and fed.us domain name registries," said Mark McLaughlin, president and chief executive officer of Verisign. "Our unmatched operational excellence and proven security expertise offers the GSA a trusted and experienced partner, poised to protect its infrastructure against threats now and into the future. In addition to providing GSA the best in industry service to reliably meet its evolving demands, we are prepared to deliver value-added services that the GSA and its customers may require."
In making its selection, the GSA determined Verisign readily addressed all of the items it identified as essential for operating the .gov domain name registry. These included:

Designing and operating a registry infrastructure capable of scaling to meet the needs of the GSA, while maintaining best-in-class reliability and accessibility
Operating a network infrastructure that supports both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
Full support of DNSSEC
Unmatched security and stability

Source: http://www.sys-con.com/node/1700866

Performance hit could be the price of DNS security

2011-01-26T16:38:00.000-08:00

Recent security fixes to the Domain Name System have bought the Internet community time to implement a more permanent solution in the form of the DNS Security Extensions, but the job of putting the protocols into place has only begun, said one industry observer. And when DNS zones are signed securely, there will likely be a trade-off in performance.

A study by Infoblox, which makes network management automation tools, showed a fourfold increase in the number of digitally signed zones from 2009 to 2010, said Vice President of Architecture Cricket Liu. But that still amounted to only 0.022 percent of zones that had been signed with DNSSEC.

Implementing DNSSEC to ensure that IP address information received in response to DNS queries is legitimate is complicated by two factors. First, the system requires a chain of trust for validating digital signatures, which means they will not work unless the protocols are enabled on a substantial portion of the Internet. Fortunately, the root zone at the top of the DNS hierarchy has been signed, and a number of top-level domains immediately under it have also been signed.

“The last big domino to fall is going to be .com, which is scheduled to be signed in March,” Liu said Jan. 25 during a talk in Washington. “This is the year of no excuses because .com is signed this year.”

Source: "Performance hit could be the price of DNS security", William Jackson, Retrieved on Jan 26, 2011 from gcn.com/articles/2011/01/26/dnssec-performance-trade-off.aspx

Share

VeriSign Launches Cloud Security Service

2010-12-06T10:34:00.000-08:00

VeriSign Inc. has just launched its newest cloud computing service designed to ease the implementation of Domain Name System Security Extensions (DNSSEC). Bizjournals states that the DNSSEC provides an additional layer of security to all users of the internet by protecting against cache websites and "man-in-the-middle" attacks. These attacks occur when forged data is used to redirect users to fraudulent websites and unintended addresses.

The VeriSign DNSSEC Signing Service will allow companies to incorporate signing and provisioning into their databases while reducing costs, according to Bizjournals. This service is designed specifically for registrars who provide DNS hosting and management services for their registrants without the additional complexity of signing and managing the keys associated with DNSSEC.

Source: VeriSign Launches Cloud Security Service, Retrieved on December 6, 2010, from bbb.org/us/post/verisign-launches-cloud-security-service--8435

Share

Kaminsky To Release 'Phreebird' For Easy DNSSEC

2010-11-10T12:31:00.000-08:00

Free toolkit lets organizations, developers test-drive new DNS security protocol

Renowned researcher Dan Kaminsky tomorrow at Black Hat Abu Dhabi will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement.

"I've been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I've been putting forth, in code form. This is for real," says Kaminsky, who will make the Phreebird Suite 1.0 kit available tomorrow on the Black Hat website. Kaminsky gave a sneak peek demonstration of Phreebird at Black Hat USA in July.

Phreebird Suite 1.0 is a real-time DNSSEC proxy that sits in front of a DNS server and digitally signs its responses. "This is a collection of technologies [that show how] DNSSEC can be very easily deployed on the server side and trivially on client side," he says. The code is not for operational use, he says, but for testing out the technology.

"This code is cool. It makes DNSSEC easy to achieve," Kaminsky says. "It makes it easy to take your existing DNS deployment and supplement it with DNSSEC services."

The goal is to show how DNSSEC could be used to "bootstrap" trust -- a.k.a. authentication -- across organizations, he says, authenticating clients, business partners, customers, contractors, and other groups with one another. DNSSEC has been in the works for nearly two decades: It was finally fully deployed in the root this summer and so far has been implemented in the .gov, .net, .edu, and .org. domains. The .com domain will be signed by DNSSEC in March. The protocol is considered the key to preventing attacks exploiting the now-infamous cache-poisoning vulnerability Kaminsky revealed at Black Hat USA in 2008.
Kaminsky hopes to dispel concerns that DNSSEC will be complex, disruptive, and expensive to deploy in organizations. "Application developers don't want to be cryptography experts," Kaminsky says. "They just want the key ... and to move on."

Phreebird automatically generates keys and provides real-time signing. There is "zero configuration" on the server side with the tool. "There is enough context in the DNS reply to figure out all of the necessary settings for how to sign it. You don't have to have a huge amount of preconfiguration. This is a revolution here," Kaminsky says.

The tool requires using GoDaddy for creating a test .org domain, and in the end it takes about 30 seconds to get valid, signed records via the Internet, according to Kaminsky.

On the client side, Phreebird includes Phreeload, a tool that adds DNSSEC support to OpenSSL applications and sits at the authentication layer. DNSSEC can be used in lieu of of X.509 certificates: Phreebird's Phreeload tool basically provides authentication without certificates, using DNSSEC instead. "At present, it's surprisingly difficult and expensive to validate key material via X509 and CAs [certificate authorities]. I'm demonstrating how to make it easy and inexpensive to validate the same material using DNSSEC," Kaminsky says.

Kaminsky is also working on a Phreebird tool that lets email systems use DNSSEC for authenticating correspondents. "When my mom receives an email from the bank, she should know it's from the bank," he says.

Meanwhile, Kaminsky is urging fellow researchers to hack at Phreebird to look for vulnerabilities. He's hoping to get up-front input on any major vulnerabilities.

Source: Kelly Jackson Higgins, DarkReading, Retrieved on November 10, 2010 from darkreading.com/authentication/security/app-security/showArticle.jhtml?articleID=228200646&cid=RSSfeed_DR_News

Share

Observers recommend broader role for government in cybersecurity

2010-11-09T11:49:00.000-08:00

Public service campaigns to promote safe Web surfing and developing best practices for fending off cyberattacks are not constructive activities for the government, a panel of cybersecurity experts told Federal Communications Commission officials on Friday.

FCC is now identifying the five most critical threats to the Internet, as well as a plan to address such risks in accordance with the Obama administration's National Broadband Plan, a roadmap for attaining ubiquitous, affordable high-speed Internet access. To assess the threat landscape, the agency on Friday sought the input of about 10 security officials who work for Internet service providers, research institutions and the government.

The most vocal participants said the mercurial nature of attacks makes it nearly impossible to devise defensive procedures or rely on computer users to ensure that viruses don't spread. The most effective role for the government is preparing for the unknown, they said.

October marked the government's annual cybersecurity awareness month. This year's theme was the notion that cybersecurity is a shared responsibility among the government, network services providers and Web surfers.

But James Lewis, a senior fellow at the Center for Strategic and International Studies, a Washington think tank, said educating end users will not protect the Internet.
"I've kind of given up on the end points. We had National Cybersecurity Awareness month last month. A complete waste of time," he said. "We're never going to get the end, the edge, to be safe. It's never going to happen."

Instead, the government should concentrate on which agency or combination of agencies, such as FCC and the Homeland Security Department, should coordinate with ISPs, Lewis said. They should cooperate to ensure that customers, including federal workers, are supplied almost automatically with the best defenses against malevolent intruders.

An example of the need for such proactive tactics is the shift from attacks against networks to botnets. Botnets -- organized by cybercriminals -- invisibly hijack multiple Internet users' computers or mobile devices to spread content that steals personal information through the users' communications with others.

"We've seen less attacks on the Internet, or at us, and more using us to go after financial gain," said Ed Amoroso, senior vice president and chief security officer for AT&T. "The threat that seemed so real two or three years ago around attacks at infrastructure really in two years has changed."

Studying past attacks to defend against future threats, therefore, may not be productive, he added. "It's hard to lay out a concrete set of best practices and follow it because what we do is so fluid that we have to be willing to take the playbook and throw it out and start a new one the next week or the next month, depending on what the threat is." Amoroso said that today he is obsessed with how botnets are affecting his customers but tomorrow he could be worried about vulnerabilities with different risks and fixes.

A more effective approach for protecting government and private sector computers would be practicing solutions to worst-case scenarios, the panelists said. "Have you had a day yet where you came in and you had a directive at work, where it said: 'Don't turn on your Blackberry . . . It's probably infected. If you do, all this awful stuff is going to happen,' " Amoroso said. "And you would go, 'Ok, what do I do?' "

The government has not discussed those sorts of situations, he said. "I think this idea of preparing for a battle that we can't define today is the way we need to start to operate," Amoroso said.

But other participants said there are some strategies to reduce risks that government and industry should immediately carry out.

"It's true that this problem is not going to go away. That doesn't mean we give up on trying to solve it," said Ari Schwartz, senior Internet policy adviser at the National Institute of Standards and Technology. He likened the situation to fighting fires. "We're never going to have an end to all fire accidents. But we can come up with different standards, different technologies, different policies that help us mitigate them," such as building codes and smoke alarms, Schwartz said.

Many preventive measures are expensive for ISPs to deploy across the country. That's where the government can step in to help, even without subsidies, which the industry generally opposes, panelists noted.

The federal government -- the largest U.S. consumer -- can wield its purchasing power to require that ISPs include security enhancements in all federal contracts. Such technologies include the Domain Name System Security Extensions (DNSSEC) protocol, a set of standards for identifying server addresses that ensures that when computers and mobile devices talk to each other, hackers can't misdirect their communications to fake websites.

If agencies bought only products that support DNSSEC, that would help the Web industry afford to develop the same protections for all products and services nationwide, said Andy Ellis, senior director of information security and chief security architect for Akamai, a content delivery company.

"That's not a subsidy. That's the government as a consumer, saying, 'We feel that level of security is important for us and therefore we'll pay for it,' "Ellis said. "When the government decides to do that, people will build it. And once you've built a technology, you're really happy to go sell it to everybody else."

Source: Observers recommend broader role for government in cybersecurity, Aliya Sternstein, NextGov, Retrieved on November 9, 2010 from nextgov.com/nextgov/ng_20101108_4659.php?oref=topnews

Share

Comcast begins DNS security rollout

2010-10-18T11:46:00.000-07:00

First in U.S. to protect customers against Kaminsky-style cache poisoning attacks

Comcast has begun migrating its customers to a new Internet security mechanism that will help protect them from being inadvertently routed to phony Web pages for pharming attacks, identity theft and other scams.
Comcast is the first major ISP in the United States to adopt the new mechanism, which is known as DNS Security Extensions (DNSSEC).

Source: Carolyn Duffy, Marsan, Network World, Retreived on October 18, 2010 from networkworld.com/news/2010/101810-comcast-dns-security.html?hpg1=bn
Share

Afilias Secures Latin American and Caribbean Countries of Antigua, Barbuda, Belize, Honduras, St. Lucia and St. Vicent and the Grenadines with Deployment of DNSSEC

2010-10-13T09:55:00.000-07:00

Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for five country code Top-Level-Domains (ccTLDs) in Latin America and the Caribbean region. The ccTLDs whose zones have been secured by DNSSEC include: .AG (Antigua and Barbuda), .BZ (Belize), .HN (Honduras) .LC (St. Lucia), and .VC (Saint Vincent and the Grenadines). These TLDs were officially signed by Afilias on October 5, 2010.

Source: http://www.circleid.com/posts/20101013_afilias_increases_dns_security_in_latin_america_caribbean_dnssec/

Share

Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption

2010-09-22T11:26:00.000-07:00

.gov domains not using DNSSEC according to first independent study into the deployment of Domain Name Security Extensions across all .gov domains by IID

TACOMA, Wash.--(BUSINESS WIRE)--IID (Internet Identity), a provider of technology and services that help organizations secure Internet presence, today announced it has identified major online security holes for U.S. government organizations in its “Q3 State of DNS Report”. According to the report, a majority of Federal agency run .gov domains are not signing their DNS (Domain Name System) with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption. DNSSEC is designed to ensure DNS entries are not poisoned in transit, so users are not taken to an unintended Internet destination.

The report was the first independent study into the deployment of DNSSEC across a majority of .gov domains including Federal, state, local, Native American and others. .gov domains are not published publicly, but IID was able to track down a majority of them for this study. IID analyzed the DNS of more than 2,900 .gov domains and found:

421 Federal .gov domains are fully authenticated with DNSSEC out of 1,185 (36 percent)
Two percent of Federal .gov domains signed with DNSSEC are incorrectly configured and fail completely when DNSSEC checks are done at some DNS resolvers
Another two percent of Federal .gov domains have basic DNS misconfigurations that keep them from operating properly at all
Two states, Idaho and Vermont, have successfully authenticated many of their domains with DNSSEC – a good sign for non-Federal adoption

“This should be a wakeup call that DNSSEC, likely for a multitude of reasons, is still not being implemented across a wide spectrum of .gov domains despite a mandate to do so,” said IID president and CTO Rod Rasmussen. “Furthermore and even more worrisome, there is a small percentage of .gov domains that are adopting but not properly utilizing DNSSEC, leaving organizations with a false sense of security and likely problems for their users.”

A January 2010 report prepared by the Center for Strategic and International Studies (CSIS) titled, "In the Crossfire – Critical Infrastructure in the Age of Cyber-War," found 57 percent of 600 IT and security professionals polled had experienced DNS poisoning attacks – which DNSSEC is supposed to stop. According to the IT and security professionals questioned, the cost of downtime incurred from a network infrastructure attack like DNS poisoning on their organizations was more than six million dollars a day.
“DNS is still the wild west of Internet infrastructure and it remains relatively wide open for cyber criminals today," said Online Trust Alliance (OTA) Founder and President Craig Spiezle. "It is essential for organizations to not only adopt DNSSEC, but also utilize various other solutions which help ensure online trust.”

More findings from the IID report including how improperly implementing DNSSEC has actually hamstrung some domains can be found at www.internetidentity.com/resources/trend-reports. Rod Rasmussen will discuss the findings of this report while at the OTA Online Trust & Cybersecurity Forum in Washington, D.C. this Friday, September 24.

About IID

IID (Internet Identity) has been providing technology and services that secure the Internet presence for an organization and its extended enterprise since the company was founded in 1996. It recently started delivering the industry’s first and only solution for detecting, diagnosing and mitigating domain name system (DNS) security and configuration issues for an organization and its extended enterprise. IID also provides anti-phishing, malware and brand security solutions for many of today’s leading financial service firms, e-commerce, social networking and ISP companies, and more. The company is working hard to deliver solutions that help keep the Internet safe and trusted for businesses. IID is headquartered in Tacoma, Washington. More information can be found at www.internetidentity.com.

Source: Business Wire, Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption, Retrived on September 22, 2010 from businesswire.com/news/home/20100922006548/en

Share

Microsoft Points to IE 9 Security Measures

2010-09-17T11:07:00.000-07:00

Internet Explorer 9, released on Wednesday in beta form, doesn't talk to strangers.

At least that's the thinking when it comes to the security parameters in the new browser. Users will get more of a warning than in the past when they download unknown files with IE 9, for instance.

"Our features are kind of like 'stranger danger' against malware and other threats," said Dean Hachamovitch, Microsoft's corporate vice president of Internet Explorer. "Internet Explorer 9 is the only browser that uses download reputation to help users make safety decisions."

For the new browser, Microsoft is tapping filtering technology that has already repelled at least 1.3 billion malicious downloads. The key feature to look for in the IE 9 beta is the download manager, which integrates Microsoft's SmartScreen Filter.

The IE 9 beta introduces the "SmartScreen download reputation" feature, which uses site reputation data to "remove unnecessary warnings for well-known files, and show more severe warnings when the download has a higher risk of being malicious," according to Microsoft's announcement.
Brian Hall, general manager of Windows Live and Internet Explorer, said that IE 8 was the most secure browser ever built. He added that IE 9 simply takes that capability forward with its "database" of trusted and nontrusted Web sites.

"With IE 9, we make it plain what's dangerous and what's not but we understand that our security is never done," Hall said. "We'll have to continue to invest heavily in the ability to create a safe enterprise and customer experience."

Chenxi Wang, principal analyst of security and risk management at Forrester Research, predicted before the IE 9 launch event that "some sort of malware detection and Web site reputation capability built right into the browser" would be seen in the IE 9 beta. However, she'd like to see implementation of other browser security measures. For instance, support could be added for Domain Name System Security Extensions (DNSSEC) to help verify Web sites.

"I'd like to see some kind of visual cue to users whether the Web site they are going to is a DNSSEC-validated domain name," she said.

Trust is an issue with so-called "drive-by installs," where malware can be spread by getting the user to visit a malicious Web page. Users can also be led to click on a malicious link if it's sent by a trusted source.

Will the release of IE 9 bring fewer security bulletins to Windows users? The answer is "No," according to Rob Juncker, vice president of technology at Shavlik Technologies, a company that makes security software.
"Are we saying that we won't see a security bulletin that resembles something along the lines of 'vulnerability in Internet Explorer 9.0 could allow remote code execution?' Absolutely not," Juncker said. He did credit Microsoft somewhat, adding that Microsoft seems to "have realized how to guard the wall better than they have in the past."

Source: Redmonmag.com, Microsoft Points to IE 9 Security Measures, Jabulani Leffall, Retrieved on 09/16/2010 from redmondmag.com/articles/2010/09/15/microsoft-points-to-ie-9-security-measures.aspx

Share

EURid: .eu DNSSEC chain of trust complete

2010-09-07T10:28:00.000-07:00

Brussels, 6 September 2010 - EURid, the registry for the .eu top-level domain, is pleased to announce that .eu has a complete 'chain of trust' for Domain Name System Security Extensions (DNSSEC), an Internet security standard, with the addition of .eu DNSSEC key material to the Internet's root zone.

Source: http://www.reuters.com/article/idUS75194+06-Sep-2010+HUG20100906

Share

Seven Smartcard Keys To The Internet

2010-08-22T09:58:00.000-07:00

There has been a bit of buzz lately regarding an Internet “kill switch” and a handful of trusted individuals given the responsibility of rebooting the Internet, should it go down from cyber attack or be shut down for whatever reason.

The operation is born of the Internet Corporation for Assigned Names and Numbers (ICAAN). ICANN was formed in 1998. It is a not-for-profit public benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its role coordinating the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.
Popsci reports that “part of ICANN’s security scheme is the Domain Name System Security (DNSSEC), a security protocol that ensures Web sites are registered and “signed” (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it’s known, and during a major international attack, the system might sever connections between important servers to contain the damage.”

The lucky seven holders of the smartcard keys are from all over the world. Each key has an encrypted number which is part of the DNSSEC root key that by themselves are useless, but combined they have the ability to restart the Internet. The process of rebooting the web requires five of the seven key holders to be in the United States together with their keys. That’s a pretty lofty responsibility for anyone. You can learn more about the card process in this video.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures) - http://www.bloggernews.net/125108

Share