Steve Goodbarn

I've been "off the grid" for the better part of a week but the world did not slow down to accommodate the break.

A flaw has been discovered in BIND 9, the software powering most DNS servers. SC Magazine reports that this is worse than the Kaminsky vulnerability and is being actively exploited. Here is the memo from the US CERT Vulnerability Notes.

Anyone running BIND should apply the patch immediately.

It has been an active month and information is still streaming from Blackhat and the Defcon conferences. So I'll have some posts on these this weekend.

Carolyn Duffy Marsan's Network World article "DNS remains vulnerable one year after Kaminsky bug" highlights both the tremendous progress in DNSSEC adoption and the fundamental lack of progress on the part of many in maintaining the DNS and even applying the patch to the bug that was also released a year ago.

The progress?

• Awareness of DNS and its vulnerabilities. This was invisible prior to Dan Kaminsky because the major software and security vendors have no solutions and the technical press ignored glaring security weaknesses in the structure of the internet. There is now general awareness. 

• Awareness, adoption and support for DNSSEC is an order of magnitude greater. The root servers will be signed by the end of this year. The .gov domain and even more importantly the .org top-level domains are signed. This signing process is crucial for easy adoption of DNSSEC by individual government agencies and by domains under the .org domain. Adoption is underway by Federal agencies. Verisign is committed to signing .com and .net by 2011. All Federal agencies will adopt DNSSEC by the end of 2009. Windows 7 and newer versions of Linux have DNSSEC awareness.

• Products exist that make DNSSEC adoption simple and cost-effective.

By fully automating the many functions needed to install and operate DNSSEC, users with relatively simple skills can adopt DNSSEC quickly and easily. OK there is really only one product, from my company Secure64. But others are trying.

On the down side, there are going to be a lot of sites that will be caught off guard by DNSSEC. The DNS is very forgiving of negligent systems administration. DNSSEC requires key roll overs at least monthly. Any software performing DNSSEC should have that automated feature. I do not feel sorry for poorly maintained sites because that is where malware hides. Adopting DNSSEC will force an Internet-wide improvement in security for that reason alone.

So my hat is off to Dan. If we ever get a "Knight and Protector of the Internet Order" award (and why not?) he should be in line for the first one.

The Homeland Security Newswire reported a Cambridge University Study that highlights significant privacy shortcomings with social networking sites.

The study couldn't come at a better time. The recent hack of Twitter's company and employee information from Google's cloud platform was largely engineered by gathering personal data on employees from social networking sites.

Social networking by its very nature is at odds with privacy.  The study indicates a practice of reducing privacy awareness among members. Obvious precautions, such as limiting access to your profile, are commercially uncompetitive and so those actions are not the default setting. Requiring significant privacy-related actions by users (or hassle) is also not in their best interests. And the study found that sites emphasizing privacy had the lowest privacy score according to their 260 point rating system. Most sites make private information available to third parties.

It won't take long for compliance officers to take note of this trend. Having a Facebook account or actively using Twitter could become career limiting. It already is if you or your friends post risque pictures or tales of adventure for public consumption. Recruiters look for this when screening candidates. 

So whether you are on LinkedIn, MySpace or Facebook, pay attention to your profile and access to personal information.

One constant Internet feature is a never-ending stream of security updates from a multitude of vendors. I write about patching frequently because I find this process so annoying and the public's response so accepting of the current situation.

Each vulnerability until patched is at least one way that you are at risk of identity theft, outright theft or loss of privacy. When you consider the number of patches, the fact that patching can be incomplete and how long the vulnerabilities existed before receiving a patch, it is fair to say your system is never secure. And it only takes one time for malware to be planted.

Most significantly for me is the loss of time, slow response speeds, uncertainty and the constant diligence required that drags on our lives. You could leave your back door unlocked all the time and nothing would happen, but knowing that it is unlocked makes a vacation to the Caribbean less relaxing. 

Do a search on the words "Apple security update", "Microsoft Patch Holes", "Adobe Security Update", "Firefox Security Update" or "Linux Security Update", . . . you get the picture. Millions of results.

And we are going backwards. The patches in recent years have become more numerous and critical and are in many cases opening new holes as they close old ones. And this process is increasingly affecting cell phones and other handheld devices.

Expect the problem to get worse. Hacking is moving from the teenage level into state sponsored spying (including the US Government) and "crime that is organized". Lots of people benefit from your insecurity.

We rely on operating environments that can never be made secure. The OS and the hardware do not have the needed design elements. Until we address those problems my advice is to be careful with how you use the Internet (and your cell phone) and be diligent about software updates.

More details have emerged on how Twitter was hacked on Google's cloud platform. According to this article by Ian Paul of PC World, all it took was a little detective work from a French hacker, who used social media to identify key people and unlock a number of their passwords. It's identity theft 101.

The only reason this breach was discovered is because it was published. It is almost certain that others have been similarly hacked and their data used for stock market trading and other nefarious purposes. This technique is just too easy not to have been exploited by others.

It's not hard to guess people's passwords if you know their birthday, anniversary and other data that can easily be found on social networking sites. Using lost password features built into every application, it is then possible to get still more access (Dan Kaminsky has illustrated this in great detail). And they don't even need social media to hack your data. See this video from ABC News on how easy it is to hack celebrity cell phones.

The more connected you are, the more exposed you are. Like introducing a virus into a colony, once someone in a group is compromised, the whole tribe is exposed. You are only as strong as the weakest link. How many Twitter or Facebook friends to you have? How about your co-workers?

We live in password hell. For the memory challenged there is no real alternative to using the same password for different applications, or writing it down on something easily accessible. Have you clicked "yes" on the message "do you want [your browser] to remember this password"? Enough said.

When passwords are the only mechanism for authentication that throws the burden on the individual.

DNSSEC provides a mechanism to authenticate that you are you (or more specifically that the IP address of your device is indeed your device). So when someone from France tries to log on as you or when they ask for a password re-set, the system would know it was not your device and could stop them.

When you combine authentication with a password, even a simple password, you have a much more powerful way of protecting personal information and, as illustrated by the Twitter/Google hack, private information of employers and their employees.

Google and every other cloud computing vendor who cares about their customers must adopt DNSSEC as soon as possible. Without it their products are incomplete and their users are at risk. 

Here is a link to Walter Cronkite's broadcast of Armstrong's first steps. 

Could we do anything this grand today in less than 9 years?

Hacker's have been able to access Twitter's data that was located on Google's cloud computing platform. Some of this data has been published by TechCrunch.

It's any corporation's nightmare. Strategy, personnel records, financial data and meeting notes have all been exposed. Twitter and their users seem to be a big target for hackers and malware if you read the sidebar on the SC Magazine site.

How did this happen? Apparently an employee used the password "password" for their account. That is about as dumb as you can get in security. But this is more than requiring upper and lower case, numbers, and squirrel noise symbols in passwords that only Stephen Hawking can remember. Passwords are simply not adequate for authentication.

There are myriad ways hackers can compromise a database and cloud computing (keeping the data on the Internet) may be more secure that leaving it on a corporate server that is equally accessible. 

If Google and Twitter had their wits about them they would have a better authentication mechanism for access. The simplest and most secure way to start this is to employ DNSSEC. Anyone reading this blog knows the benefits of DNSSEC, but perhaps hearing it from an expert like Dan Kaminsky will illustrate how this can unlock an entire world of new applications and ways of doing things that can get our economy going again. So I urge you to take a moment and read this recent interview with Dan by Michael Mimoso in Search Security.

As an update, Dan mentions that getting the root signed is the biggest challenge and this will happen within 2009. Also, the cost and complexity of implementation has been largely addressed and is significantly lower and easier than it has been in the past.

 I hope Google and Twitter are listening.

It was 40 years ago that the first moon landing mission began.

Here are links to several videos, depending on how much time you have:

Ten Minutes  - with voice over 

Two minutes, starting just prior to launch, good quality with 3 views

Or click below:

The Cisco 2009 Midyear Security Report has been released and it contains no surprises:

Report Highlights

• Criminals are exploiting "old-school" vulnerabilities because they believe security experts and individual computer users are paying little attention to these types of threats.
• Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
• Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
• Criminals are targeting people who use on-line banking with well-designed, localized text message scams—and they're leaving virtually no trail.
• The Obama administration has made strengthening U.S. cybersecurity a high priority, and looks to leverage technology innovation and partner with the private sector. Other countries are also stepping up efforts to enhance cybersecurity and prevent cybercrime.

Specific Threats

• Botnets.These networks of compromised computers serve as efficient means of launching an attack. Increasingly, botnet owners are renting out these networks to fellow criminals, effectively using these compromised resources to deliver spam and malware via the software-as-a-service (SaaS) model.
• Spam.One of the most established ways to reach millions of computers with legitimate sales pitches or links to malicious Web sites, spam remains a major vehicle for spreading worms and malware, as well as for clogging Internet traffic. A staggering 180 billion spam messages are sent each day, representing about 90 percent of the world's e-mail traffic.
• Worms.The rise of social networking has made it easier to launch worm attacks. People engaging in these online communities are more likely to click links and download content they believe were sent by people they know and trust.
• Spamdexing.Many types of businesses use search engine optimization to be listed more prominently in searches conducted on Google and other sites. Spamdexing, which packs a Web site with relevant keywords or search terms, is increasingly being used by cybercriminals seeking to disguise malware as legitimate software. Because so many consumers tend to trust rankings on leading search engines, they may readily download one of the fake software packages.
• Text message scams.Since the start of 2009 at least two or three new campaigns have surfaced every week targeting handheld mobile devices. Cisco describes the rapidly growing mobile device audience as a "new frontier for fraud irresistible to criminals." With some 4.1 billion mobile phone subscriptions worldwide, a criminal may cast an extraordinarily wide net and still walk away with a nice profit, even if the attack yields only a small fraction of victims.
• Insiders. The global recession has caused many job losses. As a result, insider threats are an increasing concern for businesses in the months ahead. Insiders who commit fraud can be contractors or other third parties as well as current and former employees.

The report is short on solutions. Despite detailing two significant DNS cache poisoning incidents (a Brazilian Bank and the Checkfree e-payment system attack) and a specific security advisory on DNS vulnerabilities in Cisco products, there is little discussion about the need for DNSSEC and Authentication.

It does not address new risks from IPV-6 traffic and from Shortened URLs (see this article by Mitchell Ashley).

Without an Internet-wide mechanism for identifying who is who this problem is totally unmanageable. Cisco and others may wish to sell a proprietary solution but that is unworkable with something so all encompassing as the Internet. They need to get behind DNSSEC deployment.

We are increasingly dependent on the Internet not just for PC access but for our mobile devices. These devices do not have even the rudimentary, costly and time consuming security that we use on PCs.

SPAM will never be contained until we can authenticate email. It's one of the easiest ways to plant a bot on someone's PC or handheld. DNSSEC enables email authentication. It's a no-brainer. Yet AOL, Microsoft, and Google seem oblivious to it.

We must have an Internet-wide method of authentication that takes the heavy lifting of security off these devices and places it on the Internet where service providers are already focused on security and reliability for their customers. DNSSEC is the only way to do this and it is an inexpensive and uncomplicated solution. Users must demand it from their service providers.

It's time to stop reporting and start doing something about Internet authentication

Another headline news cyberattack has been taking place the past several days on US Government and South Korean Government sites as well as commercial sites including the New York Stock Exchange.  

Some links to the news: AP: Federal Web sites knocked out by cyber attack, Washington Post: Cyberattacks Strike Web Sites in U.S., South Korea, and CNBC Video: Cyberattack Hits Government, Financial Websites. Also US Bank knocked offline...

On the surface this seems like just an annoyance, nothing to worry about. But a little checking among more technical sources indicates this was as much a malware attack as denial of service. See Computerworld: Updated MyDoom Responsible... 

MyDoom is an old virus. This attack is an updated variant. It not only causes the contaminated machine to participate in attacks but also loads malware. Whether the attacking packets were also trying to plant malware/spyware - or even worse succeeded, is unknown to me. But that seems likely. The fact that some of the sites are still down could indicate there is more to this than just denial of service.

There is very little specific information about the attacks with most of the detail coming from South Korean security firm AhnLab. I have not been able to find a meaningful information from a US Government source.

Stay tuned.