Slow Fix: DNS Flaw 5 Years Later

Wednesday, January 30, 2013 @ 02:01 PM gHale

It is one thing to find a bug; it is quite another to act on a fix. That gap is plain five years after the disclosure of a serious vulnerability in the Domain Name System: only a handful of U.S. ISPs, financial institutions and e-commerce companies have deployed DNS Security Extensions (DNSSEC).

In 2008, security researcher Dan Kaminsky found a major DNS flaw that made it possible for attackers to launch cache poisoning attacks, in which traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing, according to a report in Network World.


While DNS software patches are available to help plug the hole, experts agree the best long-term fix is DNSSEC, which uses digital signatures and public-key cryptography to let DNS data for a domain name and its corresponding IP addresses be verified, preventing man-in-the-middle attacks.

Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security on their DNS servers is minuscule.

Surveys conducted by DNS vendor Secure64 show little deployment of DNSSEC:
• None of the top 100 major U.S. e-commerce companies tested by Secure64 was using digital signatures to sign its zone, nor was any of these organizations validating DNSSEC queries. Although popular top-level domains, including .com, are signed, none of the 100 e-retailers tested had established a chain of trust, or verified digital signatures, at each DNS lookup node.
• One out of 384 worldwide financial services companies tested by Secure64 was signing its zone, and none had established a chain of trust. The one financial services firm that showed signs of DNSSEC deployment was the quasi-federal organization Sallie Mae.
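The chain of trust the surveys looked for, shown as an added example that is not from the article or from Secure64's tooling: a parent zone publishes a DS record that commits to the child's key-signing DNSKEY, and a validating resolver checks that binding at each delegation before trusting the child's signatures. The zone name, key bytes and DS values below are constructed placeholders, not real records.

```python
import hashlib
import struct

# Constructed example, not real DNS data: a child zone's key-signing key
# (DNSKEY RDATA fields) and the DS record its parent would publish for it.
# The public key bytes are a placeholder, not a real RSA key.
CHILD_ZONE = "example.com."
CHILD_KSK = {"flags": 257, "protocol": 3, "algorithm": 8, "key": bytes([1, 2, 3, 4])}


def name_to_wire(name: str) -> bytes:
    """Encode a dotted DNS name in canonical wire format (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """Serialise DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["key"]


def key_tag(key: dict) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, key: dict) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata(key)).hexdigest().upper()


def ds_matches_dnskey(ds: dict, owner: str, key: dict) -> bool:
    """The chain-of-trust check: the parent's DS must identify the child's DNSKEY by
    key tag, algorithm and digest, otherwise the delegation is treated as unsigned."""
    if ds["digest_type"] != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled here")
    return (ds["key_tag"] == key_tag(key)
            and ds["algorithm"] == key["algorithm"]
            and ds["digest"].upper() == ds_digest(owner, key))


# What the parent zone would publish, derived here from the constructed key.
PARENT_DS = {"key_tag": key_tag(CHILD_KSK), "algorithm": 8, "digest_type": 2,
             "digest": ds_digest(CHILD_ZONE, CHILD_KSK)}

if __name__ == "__main__":
    print("key tag:", key_tag(CHILD_KSK))
    print("chain of trust intact:", ds_matches_dnskey(PARENT_DS, CHILD_ZONE, CHILD_KSK))
```

Any change to the child's key, or a stale DS left in the parent after a key rollover, makes the check fail, which is why a signed zone without a matching DS in its parent still counts as no chain of trust.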

A similar survey conducted weekly by the National Institute of Standards and Technology indicates that only 10 out of more than 1,000 U.S. industry websites have fully deployed DNSSEC. DNSSEC pioneers include Comcast, Data Mountain Solutions, Infoblox, PayPal and Sprint. Another nine websites — including those operated by Dyncorp, Simon Property Group and Juniper Networks — demonstrated partial deployment of DNSSEC in the NIST survey.

Companies that show no signs of deploying DNSSEC include Fifth Third Bancorp, Bank of America, Cardinal Health, Charles Schwab, Delta Air Lines, Disney, eBay, Target, WellPoint and Wells Fargo. Even high-tech firms such as Apple, Cisco, Google, IBM and Symantec haven’t deployed DNSSEC yet, the NIST survey shows.

Universities, which are often at the cutting edge of network technology, are similarly slow to deploy DNSSEC. Of the 346 university domains monitored by NIST, only 17 have fully deployed DNSSEC. Leaders include Bucknell University, the University of California, Berkeley, and Indiana University.

The only sector in the United States that is deploying DNSSEC is the federal government, which is required by law to do so. Federal agencies were under a mandate from the Office of Management and Budget to support DNSSEC by Dec. 31, 2009.

Recent surveys show the majority of U.S. federal agencies have met that mandate:
• Secure64 found that 65% of the 359 agencies it tested were signing their domains and that 80% of those organizations had fully deployed the DNSSEC standards.
• Similarly, NIST found that 76% of the 1,396 U.S. government domains tested had operational DNSSEC, and another 5% were in the process of deploying the standard.
