Drug companies are required to state the possible side effects when they advertise. I sometimes wonder if you were chronically suffering from the side effects would you take a drug that caused the symptoms of the disease?

We have a similar situation with anti-virus software that has been put into focus with the latest upgrade from McAfee. See Network World:

Flawed McAfee update paralyzes corporate PCs

As of 3:30 p.m. ET, McAfee's support forum was offline, with a message reading "The McAfee Community is experiencing unusually large traffic which may cause slow page loads. We apologize for any inconvenience this may cause."

 

I've been writing about Internet security and DNSSEC for some time now and the trend is definitely that things are getting worse and not better. Byron Acohdo's post yesterday on The Last Watch Dog,  Are there 6.8 million — or 24 million — botted PCs on the Internet?, provides a good example of the trend.

There appear to be a lot more bots out there than we think, and each effort at shutting them down has less and less of an impact. Without an Internet-wide means of email authentication (which could be done through DNSSEC) the problem will not go away. Email is the most prevalent vector for introducing malware.

I did a quick check on vulnerabilities and hackers over the past week and the story is not pretty. From PCs to servers to mobile devices to network gear to software there are boatloads of issues. Here are a dozen recent items:

• Microsoft slates June update to block IE8 abuse
• Google Chrome Security Fixes
• Attackers hit Google single sign-on password system
• Hot Spot Dangers: That Internet cafe could cost you way more than a cup of coffee
• US_CERT Current Activity Note that this covers products from many vendors critical to IT infrastructure
• Network Solutions sites hacked again: Newest wave infects hosted sites, sends users to Ukrainian attack server
• Security Incidents Rise In Industrial Control Systems
• Hundreds of high profile sites unprotected from domain hijacking
• Australian firms fear Beijing's cyber tentacles
• Documents Reveal Al Qaeda Cyberattacks
• New Hack Pinpoints Cell Phone User's Location, Personal and Business Relationships
• Call Centers for Computer Criminals (focused on ebanking fraud) 

I could go on for a long time with this but anyone who says the situation is improving is at best uninformed. At some point a real effort needs to be made to address the fundamental causes which are weak security within hardware and software. The architecture has to change and we need authentication (DNSSEC) as a starting point. And users need to demand it and be willing to pay for it. They pay in the end anyway for weak security. 

Readers of this blog know of my frustration over the lack of publicity about DNSSEC. There is a constant stream of news about Internet vulnerabilities but little appreciation for the potential of DNSSEC to reduce these problems.

Afilias sponsors a DNSSEC news page on Circle ID that provides a lot of easily absorbed information on DNSSEC. Several posts over the past week are notable for covering the potential benefits, the shortcomings, and how to go about this (non-trivial) implementation.

Here are some highlights:

DNSSEC no Longer Pie-in-the-Sky: Time to Develop a Strategy This post by Ram Mohan of Afilias is a non-technical, easy read explanation of DNSSEC and its benefits. He explains how it can prevent certain attacks and how without DNSSEC even SSL sessions cannot be trusted. And he describes the long preparations that have been underway to allow a smooth transition to DNSSEC this July. Ram is with Afilias which handles DNS for the .org domain, the first top level domain to adopt DNSSEC, with full implementation scheduled for this June. The post begins:

You may have seen media reports a few weeks ago describing how servers behind the so-called Great Firewall of China were found delivering incorrect DNS information to users in the rest of the world, thereby redirecting users to edited Web pages. Reports indicate that this apparently occurred due to a caching error by a single Internet Service Provider. While the problem was fairly limited in scope, it could have entirely been prevented in a world where DNSSEC was fully deployed.

This most recent event highlights the pressing need for adding security in the domain name system. There is currently no comprehensive way to check whether the DNS information your computers receive are genuine, meaning users could find themselves directed to Web sites belonging to hackers or, as in this case, to pages managed by an ISP or Network service provider.

The next post DNS...Wait a SEC points out other vulnerabilities that also need to be considered. There are some excellent examples here:

Take the Puerto Rican Registry as an example. In August of 2006, .PR announced that they would be the second ccTLD to deploy DNSSEC. While their deployment of DNSSEC certainly may have been helpful in thwarting potential Cache Poisoning attacks, assuming that zones and records were also signed, it did absolutely nothing to protect the .PR Registry when hackers exploited a SQL vulnerability to update and redirect name servers to politically motivated sites.

Other recent domain and DNS exploits include social engineering attacks to reset passwords, SQL attacks against registrars, and breached e-mail accounts to retrieve login credentials. Unfortunately, DNSSEC would not have prevented any of these attacks either.

DNSSEC is not a panacea - it does not stop DDoS attacks for instance - but use of DNSSEC would make social engineering and breached email accounts less likely because it provides a means for authenticating who is whom and thereby making such attacks more difficult.

Internet infrastructure depends on insecure hardware and software, including operating systems. So attacks will persist. My company's products are immune to Malware and resist DDoS attacks so that is a safe option.

Real-World Testing Strengthens DSSEC implementation. Verisign operates the root and the .edu, .com and .net domains. When they urge you to test it's worth listening. Registrars and ISPs appear to be behind on implementation and there needs to be a greater sense of urgency or those communities are going to have issues with DNSSEC.

Operational Challenges When Implementing DNSSEC is more technical. What I like about this post is that signing and managing DNSSEC keys is only part of the issue. Most shops are going to have their hands full dealing with configuration problems and equipment that isn't ready for DNSSEC. Doing this alone will take a lot more time and effort than you think if you do it yourself. Fair disclosure: Stephan works for my company, Secure64 Software. We have a lot of experience troubleshooting DNSSEC implementations.

The next several months are going to be interesting for the Internet as the DNS root servers go live with DNSSEC. It could be a bumpy ride for some.

The Register reports about some changes that could impact your Internet and email access in May: Will DNSSEC kill your internet? 5 May will sort the men from the boys.

What is happening is part of the deployment of DNSSEC in the root servers, which is a huge improvement in security for the Internet. On May 5 they begin responding with DNSSEC:

While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected.

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.

Why? Here comes the science bit. Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes.

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger that 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

It could get even more complicated since there is a lot of DNS redirection going on and other mischief with dated, unpatched, and mis-configured network gear and firewalls that may not be able to handle DNSSEC.

DNSSEC will be a big test for email, Internet service providers, and corporate network operators so expect some disruption. This is a good thing because DNSSEC is less forgiving of goofy and poorly maintained sites that are the hosts for malware and bots. Raising the bar may cause some short-term disruption but it will lead to a more secure, reliable, and eventually authenticated internet and email.

The USA is behind on DNSSEC deployment. As reported on the DNSSEC Deployment blog, both US Government agencies and US based registrars are behind in their preparations for DNSSEC.

This could be one heck of a Cinco de Mayo. It might be a good day to go mountain biking or something else outdoors and off the grid.

A common assumption about life, and specifically the technology upon which our civilization depends, is that the things we use continue to improve. In computing the progress is truly breathtaking.

But Internet security is clearly going backwards. The ability of governments, hackers, businesses, and criminal elements to invade our privacy, steal our identity or our assets, or to disrupt our lives is getting greater by the day. Motivations can range from tracking our habits to sell goods/services or to detect terrorist risks, to theft, or simply to threaten and disrupt us in the event of hostilities. 

We face this situation because few customers - including consumers, business, and governments, demand a secure infrastructure. Performance, ease of use, and cost are the drivers with security an afterthought. Until security is made a purchase requirement the Internet will continue to get less secure.

A few examples of the trend:

USCERT Current Activity: This is a list of recent and pending security patches. Notice that just the last month's activity covers almost every major software OS and application upon which the Internet depends.

A Chinese ISP momentarily hijacks the Internet: "Traffic for 10 percent of the Internet, including to the sites of Dell, Apple, Starbucks and CNN, was redirected to China."

This Network World article highlights not only the second recent Internet problem with China but also the weakness in the BGP protocol used by routers and how that exposes the entire Internet:

These networks included about 8,000 U.S. networks including those operated by Dell, CNN, Starbucks and Apple. More than 8,500 Chinese networks,1,100 in Australia and 230 owned by France Telecom were also affected.

The bad routes may have simply caused all Internet traffic to these networks to not get through, or they could have been used to redirect traffic to malicious computers in China.

Hacker conference to address emerging Web threats: The Blackhat conference features a way to compromise SAP ERP applications and Oracle databases.  Critical and private corporate data reside on these systems.

PDF Virus Demonstrated: Viruses embedded in a PDF file.  

Hundreds of Wordpress Blogs Hit by ‘Networkads.net’ Hack: This report by Brian Krebs about Wordpress blogs being hacked and redirecting users to sites that download malware onto their device. It is worth browsing Brian's blog as he provides many examples of government, school and businesses losing money through ebanking malware.

So if you want to improve our lot start asking tough questions about security before you buy.