Steve Goodbarn

Today the Wall Street Journal reported an increase in the number and sophistication of cyber crime attacks, particularly at banks and ATMs. According to sources at Gartner and the FBI, such attacks are on the increase and may have doubled in the past 6 months. These attacks are increasingly sophisticated and targeted at specific individuals.

A quick perusal of recent computer security postings is scary:

• From PC mag.com Security Watch:  Transient Malicious Web Pages Proliferate and

• IE8 and ClickJacking

• From Network World: Banks, credit unions scramble in wake of Heartland Breach and
• Downadup/Conflicker worm: When will the next shoe fall?

• From UK Channel 4: Porn hackers target school websites

To keep up to date with the latest exploits, please save the US CERT site into your favorites list of your browser. Of course this covers only the known exploits.

With $900 billion about to be spent on infrastructure and all sorts of other needs and wants, I hope a small sliver is spent on securing the Internet, starting with DNSSEC.

The Whitehouse.gov web site has published the Obama Administration's agenda. There are 8 sub sections under Homeland Security, including one to protect our information networks. I've pasted this section below:

Protect Our Information Networks

Barack Obama and Joe Biden -- working with private industry, the research community and our citizens -- will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America's competitive advantage, and advances our national and homeland security. They will:

• Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

• Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

• Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.

• Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

• Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

• Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

I am encouraged by these focus points. The Federal Government can make concrete progress to improve internet security by completeing a few low cost steps already underway:

1. This month they began to sign the .gov zone using DNSSEC. This enables agencies (including state and local using the .gov domain) to very easily adopt DNSSEC. By adopting DNSSEC it will be possible to authenticate these web sites and prevent cache poisoning. This hits close to home for President Obama: Latest Campaign on BarackObama.com is Malware.
2. The .gov zone appears to be using BIND 9.5 and nsec. They sould be using NSEC3 and Secure64 DNS Authority and Secure64 DNS Signer, which is NSEC3 enabled, to be as secure as possible. 

3. Sign the root server. See public comments on this topic, which nearly unanimously support signing the root as soon as possible.

I'll cover more of this in another post.

Over 10 million PCs appear to be infected with yet another Windows based worm, according to Network World.

"It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs," says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks.

The worm can spread in several different ways, including infection from a USB stick or a camera. One of the things it appears to do is to turn off security software updates. So something more sinister appears to be planned. This does not sound like fun.

Microsoft responded to this malware some time ago. I downloaded the patch on October 27, 2008. It amazed me to find that was about 40 patches ago. 

Microsoft is a bit defensive about the severity of this threat. Microsoft spends a bundle on security. It is therefore puzzling to me why they have not been more proactive in pushing for DNSSEC deployment.

In fact most of the major software and Internet firms (Google, Cisco, Microsoft, Yahoo, for example) are all but invisible at the many Internet infrastructure conferences and forums leading the effort at DNSSEC deployment. And they have no DNSSEC products of their own to offer. Yet they have the most to gain by reducing their costs and their users costs and improving the user experience - thereby increasing demand. 

As I have said previously in this blog: These attacks can never be stopped until we deploy Internet-wide solutions. The first such solution, DNSSEC, provides Authentication which is a necessary first step. DNSSEC is being implemented right now but with the US Government and Europe leading the way and most of industry sitting on their thumb drives.

Relying on PC and server patching means we are always one step behind the bad guys.

This Cisco Security Expert NetworkWorld blog post of the Top 10 YouTube Hacking Videos caught my eye today. I noticed that he failed to post any Cisco related hacking videos, and so the list is incomplete.

The first video is hilarious as is the second about RFID swiping of your credit card off your ass (hint: buy a steel wallet to be safe).

The rest simply make you fell naked and vulnerable. Enjoy!

Today's Network World Article US Plots Major Upgrade to Internet Router Security highlights the critical role that the Homeland Security Department Science and Technology Directorate is playing in improving the security and reliability of the Internet. With under $13 million in funding this year - and about the same amount for each of the last few years - DHS is developing technologies that will make the DNS and routing an order of magnitude more secure than they are today. With over $800 billion in stimulus money about to be spent in addition to the hundreds of billions already paid out this has to be some of the most effective funding by the US Government. And it will benefit the entire world.

As full disclosure my company received about $1 million in funding in 2008 to develop and commercialize a DNSSEC signer that we introduced last summer. It fully automates DNSSEC functions and makes adoption a low cost, no-brainer. This funding was only part of the money needed to develop the product but it gave us legitimacy to hire programmers and to raise the rest from investors.

As I have been writing in this blog over the past few months, a truly secure Internet eliminates SPAM and web site hijacking and enables cloud computing applications, such as those mentioned by President Elect Obama to improve health care and government efficiency, to be cost effective. It makes the Internet much more efficient, easier to use and less costly for users.

A question comes to mind as to why the many huge private companies have not been able to do this or why the billions that are spend on defense and intelligence have yielded virtually no improvements to Internet security.

A possible answer is that a lot of companies are making money from the insecure web. Overprovisioning, security appliances, software, consulting and services built around security are big business.  And maybe the intelligence community is happy to have everyone else be a little vulnerable to spyware. Or maybe its just momentum and inside the box thinking.

In any case, I have to hand it to Doug Maughan and his team at Homeland Security for getting a huge bang for the buck out of their research grants.

I've been out with the flu and sinus for the past week. Thanks to pretty much the same drugs they gave 40 years ago I am once again back at work. At least 40 years ago one could not go out of their mind listening to the news all day.

And what a week it has been! Nortel - North America's largest telecom equipment manufacturer - filing for bankruptcy today, Cisco dealing with a billion dollar financial fraud at one of their partners, Tim Geithner failing to pay $34,000 in taxes (but still qualified to run Treasury and the IRS), Roland Burris joining the Senate while his appointer Blagojevich gets impeached, layoffs, conflict in the Middle East, yada yada yada. . .

But some things never change. Yet another unexpectedly cold winter, despite the catastrophic threat of global warming. Another important Patch Tuesday from Microsoft, and continuing malware issues. Oracle issuing 41 patches. Another SSL exploit disclosed. Citigroup, a black hole for taxpayer bailout money, once again in crisis as it gets cut up like a side of beef.

And we have the continuing Linux/Windows debate. I think there is a place for both proprietary and open source operating systems but they both have major security issues.

To be fair, Microsoft is fighting an untenable battle by having to defend each PC with its own suite of security applications. This is like fighting terrorists by posting a soldier outside of every home and leaving the border crossings unguarded and the highways without the state patrol. It's an Internet wide problem requiring an internet wide solution.

We need to bolster Internet infrastructure security, starting with DNSSEC, and take as much of the burden away from consumers and network systems administrators. It makes SSL and VPN truly trustworthy, among many other benefits. It will lower costs for everyone and improve confidence in Internet based applications. This is all possible today with current products.

And we can be encouaged that the US Government and several key internet infrastructure providers are taking a leadership role in the adoption of DNSSEC as noted in DNSSEC This Month.

I hope signing the root will be one of the (least costly and ultimately most impactful) goals of the first 100 days of the Obama Administration.

Twitter disclosed that several high profile accounts had recently been hacked, including that of President-Elect Obama (see article from CNN, whose reporter Rick Sanchez also had his Twitter account hacked, and President-Elect Barack Obama Falls Victim to Twitter Hack  at eWeek by Brian Prince). These hacks are in addition to a phishing attack over the weekend that targeted Twitter users.

I don't use Twitter or Facebook or Myspace because I am familiar with Internet security issues and I want to minimize my chances of having personal information or contacts compromised. If security could be improved I would consider using these services. But many people find these essential to their social and business lives. What can be done to make them more dependable without requiring a fee or endless anti-spyware/antivirus/firewall upgrades?

The easiest, least costly and hassle-free step would be the adoption of DNSSEC by infrastructure providers. This includes signing the root zone, which is currently jammed up in US Government politics. The burden of security should not be on the consumer, it should be part of our Internet infrastrucure. DNSSEC protects consumers while costing them nothing and requiring them to do nothing. It's a no-brainer.

I hope this latest exploit spurs the new administration to move forward with DNSSEC adoption.