Steve Goodbarn

The impending April 1 trigger date for the Conficker Worm to "do Something - we don't know what" has created a media frenzy. I've received a notice from my anti-virus provider, it has been a headline on Yahoo, Network World, NPR, CBS (see my previous post on 60 Minutes), CNET, the Washington Post, Fox Business and The New York Times.

Microsoft must be on overdrive with people logging in to check for updates. They issued the original patch last fall.

This may be another Comet Kohoutek or Y2K event, or the real danger may not manifest itself for some time or in a less conspicuous but perhaps more insidious manner. We just don't know.

What is good about this worm is that it may spur some action to improve the sorry state of Internet security. Internet users need to stay current with software updates and with anti-virus/anti-malware software. It's easy to let this go or to try to save some money by not installing proper software, but the results can be at least inconvenient and at most can result in theft of your identity, your credit and perhaps your cash.

DNSSEC is the essential first step in dealing with these threats. Until we have that we will be living with an insecure Internet. If this gets DNSSEC implemented in the root servers then it will have been a good thing.

But for now it pays to be diligent and vigilant.

The March 29th 60 Minutes featured an interesting segment with Leslie Stahl that uncovered some of the threats we face on line. Although the segment did not cover DNSSEC, it indicates why we need to start thinking about Internet-based web security. DNSSEC is an essential first step to that goal.  

Watch CBS Videos Online

She raises the issue of holding providers such as Google accountable for Internet security. This would be a disaster - no one can or should control the web. But the US Government is showing leadership by adopting DNSSEC this year and they can establish best practices for everyone to follow.

Secure64 makes DNSSEC adoption simple, fast, and inexpensive. There are no technical or cost barriers to doing this.

Because DNSSEC establishes the ability to authenticate, it enables users and service providers to cut off malicious sites and to establish effective email authentication.

To get DNSSEC adopted the next thing the government can do is to sign the root server. They could do it tomorrow and we would all be a lot safer.

Watch CBS Videos Online

This story is timely because we are approaching April 1, a potential trigger date for the Conficker worm. Stay tuned.

I have been traveling the past 3 weeks and need to learn to travel and blog at the same time.

Last week I attended the IT security Entrepreneur's Forum at Stanford University. This conference attempts to unite security technology entrepreneurs with funding sources and customers in the investment and Government markets. It's attended by some heavy hitters. It's my 3rd year of attendance and it is obvious that we are losing ground in IT security. Some of the keynote take aways:

• "We have no common defense in cyber space, everyone is defending their own castle," "there is a gap between the knowns and the unknowns," "attribution is difficult," "people do not understand the width and breadth of the problem" Keith Alexander, Director of the National Security Agency

• John Thompson, CEO of Symantec, noted that when he started at Symantec 10 years ago they saw 5 threats per day and it is now 15,000 threats per day, or over 600 per hour. To deal with these threats requires a "complexity of the environment that is more than can be managed, and you cannot secure what you cannot manage." Also, "profits follow architectural control", leading to a struggle for control that limits our ability to work for a common solution.

These points emerged again and again at the conference yet not one person mentioned DNS and DNSSEC, which touch everything with an IP address. It is the only way to get security to scale Internet wide.

Security researcher Dan Kaminsky made this point at a DNSSEC coalition meeting I attended at Google's Washington office on Friday the 13th. The Government has taken a lead on DNSSEC by signing the .gov zone and requiring all agencies and communications carriers to adopt by the end of 2009. But they can do more. 

The single greatest thing we can do to improve our infrastructure RIGHT NOW, AT NO ADDITIONAL COST, is to sign the DNS root servers. Comments on this matter were closed last fall yet the world waits.

I guarantee that if the root were signed tomorrow the infrastructure threat level would be reduced for next year's forum.

Afilias announced that they will begin providing DNSSEC signing service to their customers: Afilias to Provide 1-Click DNSSEC Service to Simplify DNS Security Rollout.

Afilias provides DNS services for a number of top level domains, including .org, .info, .mobi, .me, and .in (India country domain). They have been a leader in DNSSEC development and implementation.

This service makes DNSSEC a total "no-excuses, no-brainer" for their customers. The .org domain, which is run by Afilias for the Public Interest Registry, has announced their intent to adopt DNSSEC shortly.

Personally, I would rather have people buy DNSSEC software from Secure64, because it makes DNSSEC implementation and operations equally easy for entities that host their DNS. But most of the market outsources DNS services. Having large service providers also provide this service is critical  for widespread adoption. 

The GSA is now operational with DNSSEC for the .gov domain and the keys have been published.

See:  www.dotgov.gov/. So officially the first generic top level domain is now using DNSSEC. I do not know of any agencies that are signing their zones but all of them will be doing it by the end of 2009, making .gov sites the safest on the Internet.

Who will be next?