« November 2008 | Main | January 2009 »

December 2008

12/26/2008

The Sorry State of Internet Security

Today the ChicagoTribune.com published an article entitled "Russian hackers target U.S., Europe for profit and politics". Clearly there is a threat here and a risk to anyone who uses email, who shops on line, or who accesses personal data on line. These threats have been around for some time but they seem to be moving from teenage hacker mischief to sophisticated criminal money-making operations. The Russian government has proven to be inept or maybe uninterested in stopping these criminals.

Yet the greatest source of malware and SPAM is the good ole US of A, according to the Security Threat Report: 2009 from Sophos. Yes, we are #1! And the US government appears to be equally inept or maybe uninterested in stopping these criminals.

Sophos's key "statistics and findings at a glance":

  • Biggest malware threats - SQL injection attacks against websites and the rising tide of scareware
  • New web infections - one new infected webpage discovered by Sophos every four and a half seconds (Three times faster than in 2007)
  • Malicious email attachments - five times more at end of 2008 than at the beginning
  • USA hosts the most malware on the web (37 percent), usurping China's position in 2007
  • USA computers relay the most spam (17.5 percent)
  • Increasing allegations of state-sponsored cybercrime, as China, North Korea, Russia and Georgia amongst those accused of espionage and assaults via the Internet

It appears we have found the enemy and he is us.

Why such a problem? The infrastructure of the Internet and the hardware and software running PCs predates the Internet and was designed for access and not security. It can never be made secure due to architectural design limitations. Also, we base many of our defenses at the PC level and not within the basic infrastructure of the web. This is like trying to stop terrorists when you answer your front door. The problem is illustrated on the security page of PC World.

So what can we do? As I have been saying for some time, the cheapest, easiest and most impactful change is to authenticate the DNS by adopting DNSSEC. DNSSEC will expose the fake web sites and it is essential to stopping SPAM.

The US Government is showing some leadership here by signing the .gov zone next month and requiring agencies to adopt DNSSEC in 2009. I assume the .mil zone will be doing this shortly also, as that zone is under frequent attack (see Cyber attack has Pentagon worried).

The next thing the US Government can do is to sign the root zone. A signed root will spur DNSSEC adoption although it is not required for individual entities to adopt DNSSEC. 

These are two easy steps. They will save everyone a lot of money, will spur the economy through technologies and applications that use the authentication DNSSEC provides, and they will improve confidence in Internet communications. There is no downside and little expense involved.

We don't need a cyber czar or a commission to do this. It is time to act.

Posted at 03:35 PM | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

12/23/2008

Authentication: How DNSSEC will improve our lives - part 2

DNSSEC is simple to implement and is ready to go (see Secure64 DNS Signer) and provides an internet-wide authenticated database that can be used by many applications beyond validating web sites. It can be a repository for other public data, such as email certificates.

Lack of authentication is one of the basic security weaknesses of the web. Many people are trying to address it in their own special complex way (see Network World).

Consider if you will an authenticated web. One where you can be sure of reaching your intended web site. One where you can be sure that email came from the person in the "From" column, one where you can send and receive private email (by private I mean encrypted so that no one can spy on your email).

Now let's look at how it can improve health care efficiency. With an authenticated web your medical tests could be sent to you in an encrypted email. You could exchange private emails with your doctor. Your doctor could be emailed those same results. Even your medical chart could be available to your doctor in real time on her PDA.

There are  solutions that do this today but at what cost/complexity to build and to maintain? At what complexity for the user? Email certificates are common in the corporate world but they are cumbersome and you can't send an encrypted email without a certificate exchange. They don't meet the grandmother test for ease of use.

In the absence of authentication through the DNS database Identity management solutions are expensive and complex to buy or build and to maintain.

With DNSSEC providing an internet wide authenticated database this is all possible with very little cost and complexity for the user. It just works.

Posted at 04:12 PM in DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

12/15/2008

Surround yourself with smart people

One piece of sage advice in hiring as well as life is to surround yourself with people smarter than yourself. That is easier for some than for others. My co-founder at Secure64, Bill Worley, has certainly found that almost impossible to do throughout his long career.

Bill opened up a little and discussed his background at IBM and Hewlett Packard and his role in the development of RISC and EPIC architectures in this interview with the SANS Technology Institute. Without the immunity to malware and the ability to protect "secrets" in memory, we would have been unable to launch our DNS and DNSSEC products.

I think I won out on the smarter people strategy when I partnered with Bill.

Posted at 02:39 PM | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

12/12/2008

Personal responsibility and dignity

Another day, another headline story about dishonesty. The news today that former NASDAQ Chairman Bernie Madoff allegedly defrauded investors of $50 billion seems fitting in a week when we discovered that Illinois Governor Rod Blagojevich allegedly was attempting to sell Barack Obama's Senate seat.

The Blagojevich story is entertaining in its absurdity. It's like a Woody Allen film in real life. But the Madoff scandal will have disastrous repercussions. Investors understand that markets go up and down but when fraud is thrown in, especially on such a massive scale, it can have a terribly chilling affect on an already dismal financial picture.

There appears to be no sense of responsibility or wrongdoing from either of these guys.

Do we need to bring back public whippings, or worse, to knock some sense into people?

Posted at 03:57 PM | | Comments (0) | TrackBack (0)

12/10/2008

Risk is essential to capitalism

Outside of Secure64, one of my other duties is to sit on the board of DISH Network, the Satellite television provider. Satellite TV is what brought broadband to most homes by providing unbeatable competition to the cable industry. Cable responded with the triple play and tremendous upgrades to their infrastructure. This in turn prompted broadband initiatives from telephone providers. Today most consumers enjoy a number of choices for their TV, telephone and broadband service.

And all of this happened because business and finance were willing to take extraordinary risks. There was no bailout for failure.

One of the risks in this business is rocket launch failure. Today the Ciel II satellite launched from Kazakhstan. You can view it here: Ciel II Launch Highlights. If you have never witnessed a rocket launch I would add it to your lifetime to do list. Here is an example of the risk: Launch Failure.

There is nothing wrong with taking risks, our economy depends upon it.

Posted at 04:22 PM | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

12/08/2008

How DNSSEC will improve our lives: Part 1 - email

Up to now the awareness of DNSSEC has been pretty limited. In fact, very few people have any awareness of the DNS even though it is essential for all IP based activity, including web sites, email, and VoIP telephony. This is not a bad thing or that amazing. Like any technology, we just want things to work and we want them to be as simple as possible. Very few people would drive a car if they had to install their own brakes and shock absorbers.

So what do internet users want? Let’s start with email.

How about getting rid of SPAM and phishing?

 

How about making your email private? By private I mean that only the recipient can read your email and only you can read emails sent to you.

 

How about being sure that email comes from the purported sender (the one in the “From” column) and assurance that emails you send are not redirected or altered?

 

There are many products that address these needs but they are expensive, complex (think of the joy of installing and updating anitvirus and spyware products), incomplete, and don’t pass the Grandmother test for ease of use.

 

DNSSEC is a basic element required to deliver all of this without requiring users to do anything. It will cost infrastructure providers very little to deliver DNSSEC. It will save users billions in wasted money, time, and frustration. It gives users more confidence in email.

 

And that is just part of what it will do for email alone.

Posted at 03:12 PM in DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

12/04/2008

.tel begins to take registrations

Yesterday the .tel domain began taking its first round of registrations. The .tel domain is operated by Telnic. It is not your typical top level domain but instead uses the Domain Name System (DNS) to store all of your contact information (see Network World for a review of services offered through Telnic).

Telnic mentions that they have resolved security issues for .tel sites. I'd like to know more before trusting this service.

What is significant about .tel is the usage of the DNS for data beyond simple URLs and IP addresses. The DNS is the World's largest distributed database. It can have a lot more uses beyond looking up web sites. These uses are a key reason to move as rapidly as possible to deploy DNSSEC (see short video on DNSSEC), because data so stored should be stored securely. DNSSEC is the only mechanism ready-to-go that provides internet-wide authentication required for these uses.  

I'll write about other potential lifestyle changing applications that are enabled by DNSSEC in my next post.

Posted at 03:12 PM in DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

12/03/2008

Industry Coalition Announced to Increase Adoption of Domain Name Security Extensions (DNSSEC)

A coalition, The DNSSEC Industry Coalition , has been formed to facilitate adoption of DNSSEC. The mission of the group is to inform, enable development of standards and best proactices and to encouage collaboration between business, government and education regarding DNSSEC adoption. A copy of today's press release announcing the group follows:

Industry Coalition Announced to Increase Adoption of Domain Name Security Extensions (DNSSEC)

DNSSEC Industry Coalition Forms to Streamline Implementation Across Domain Name Registries

RESTON, VA, Dec 03, 2008 (MARKET WIRE via COMTEX) -- The DNSSEC Industry Coalition is a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. Members work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System.

".ORG, The Public Interest Registry initiated this coalition to encourage industry collaboration and streamline implementations for early widespread adoption of DNSSEC," says Alexa Raad, CEO of .ORG, The Public Interest Registry. "Encouraging the adoption of needed upgrades to the DNS infrastructure in the interest of the greater good is a core part of the .ORG mission."

In the Coalition members are gathered from across the industry to facilitate adoption and share best practices. Coalition members include Top-Level domain registries of .ORG, The Public Interest Registry, the .org registry operator; Afilias Limited, the .info registry operator; .SE (the Internet Infrastructure Foundation), the .se registry operator; EDUCAUSE, the .edu registry operator; Nominet, the .uk registry operator; VeriSign, Inc., the .com, .net, .tv, and .cc registry operator; and NeuStar, Inc., the .biz and .us registry operator. The coalition is also supported by industry security experts such as Shinkuro, Inc.; NL Net Labs; Internet Society; Kirei AB; and Secure64 Software Corporation. With DNSSEC, Internet users know that their Internet-based communications such as web site visits and email correspondence actually connect to the parties they intend to reach. DNSSEC thwarts attacks such as pharming, cache poisoning, and DNS redirection that have been used to commit fraud, distribute malware, or steal personal or confidential information. For more information on DNSSEC, please visit http://www.dnssec-deployment.org.

"The DNS is the place where an attacker has the most leverage and DNSSEC could have a significant impact on thwarting attacks to the many and varied applications that use the DNS and the infrastructure itself," says Paul Mockepetris, the founder of the Domain Name System and Chief Scientist and Chairman of the Board of Nominum, Inc. "Digital signature technology is profoundly important to the future of the DNS, and having industry experts work together to test DNSSEC in production is the only way to reduce theory to practice." Membership to the DNSSEC Industry Coalition is open to domain name registries and industry securities experts. Hailing itself as an action oriented group, it seeks organizations willing to contribute and support the widespread adoption of DNSSEC. For more information on the DNSSEC Coalition, please visit http://dnsseccoalition.org.

About .ORG, The Public Interest Registry

 Trusted across all ages, backgrounds and nationalities, .ORG is where people turn to find credible information, get involved, fund causes and support advocacy. .ORG, The Public Interest Registry empowers the global noncommercial community to use the Internet more effectively and, concurrently, takes a leadership position among Internet stakeholders on policy and related issues. The .ORG domain is the Internet's third largest "generic" or non-country specific top-level domain with more than 7 million domain names registered worldwide. .ORG, The Public Interest Registry, was founded by the Internet Society in 2002. It is based in Reston, Virginia, USA.

For More Information:

Kate Russell RMR & Associates (for Public Interest Registry)

Phone: +1 (303) 230.0045 x19***

Posted at 10:38 AM in DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

12/01/2008

Cyber Monday!

Well here we are on Cyber Monday. A search of that term yields a virtual mall of shopping sites and sponsored links.  Black Friday sites also pop up. There certainly is money to be made from online shopping. It even has a sponsor, the National Retail Federation's Shop.org division.

The term Cyber Monday originates from the presumption that workers are spending today shopping online using their computers at work. Employers are doing their part to keep the economy moving along, but I’m not sure if they are as keen on the concept.

With retail increasingly dependent on a safe and secure internet, one would think there would be great interest in a simple and inexpensive way to ensure their customers arrive at the correct web site. According to USA Today, phishing attacks soared 300% during the Thanksgiving time period in 2007 and are expected to be worse this year. And there are many other ways that shoppers can be redirected.

However, during this shopping season virtually zero retail sites employ DNSSEC. DNSSEC would authenticate the online web sites for shoppers so they could be sure they were at the correct place with no man in the middle spying on them.

Why don’t retailers deploy DNSSEC? It’s inexpensive and simple to deploy and provides a great deal of comfort for customers. Retailers have not deployed DNSSEC because virtually none of the infrastructure providers outside of Sweden have deployed DNSSEC. The .com, .us and .net top level domains are not yet signed with DNSSEC. By not signing these domains, adoption of DNSSEC by individual web sites is complicated.

All of this will probably change within the next year. The US Government will be deploying DNSSEC in the .gov domain, the Public Interest Registry will deploy it in the .org domain, and Afilias will deploy it in the .info domain. Undoubtedly DNSSEC will be deployed in the .com domain by VeriSign. Secure shopping is a key part of their mission.

But until 2009, here is a link to ABC News on how to make Cyber Monday a (relatively) safe one.

Posted at 02:49 PM in DNSSEC | | Comments (0) | TrackBack (0)

Enter your email address:

Delivered by FeedBurner

About Steve Goodbarn

Categories

Steve's Blogroll

Archives

Disclaimer

  • All views and opinions expressed on this blog belong to me, the author, and are not those of any current or past employers, investors, or anyone else.
Blog powered by TypePad