Feeds

Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods

'Other defences' available, they'll move when they're good and ready - Nominum

The essential guide to IT transformation

Despite the best attempts of security vendors, neither online stores nor the financial industry seem particularly keen to adopt DNSSEC tech - an anti-fraud mechanism that makes it difficult for fraudsters to spoof legitimate websites.

DNSSEC (DNS Security Extensions) uses public-key encryption and authentication to guard against the domain name cache poisoning attack famously highlighted by security researcher Dan Kaminsky back in 2008. The technology works by building up a chain of trust.

The cryptographic checks make it difficult for attackers' machines to masquerade as the servers that translate domain names understandable by humans, such as amazon.com, into the numerical IP addresses used by computers to talk to each other over networks. These checks could thwart attempts by hackers to redirect people visiting, say, ebay.com, to a malicious website dressed up to look exactly like the real thing. Shoppers tricked into buying stuff from a spoofed web bazaar could unknowingly hand over their payment details to crooks rather than the genuine online shop.

Domain-name-server vendor Secure64 claims it ran checks to discover how many e-commerce companies had addressed DNS security vulnerabilities, and claimed it had discovered that none of the top 100 e-commerce firms - including Amazon and eBay - had fully implemented DNSSEC.

Secure64 also said that none of these 100 largest e-commerce sites showed evidence of even testing deployments of DNSSEC, such as digitally signing their DNS data.

Neither Amazon nor eBay responded to requests by El Reg to comment on Secure64's findings or to our questions about their positions to DNSSEC more generally.

The banking and financial services industry also appears to be avoiding DNSSEC implementation, said the security firm. Secure64's researchers examined the name server infrastructure of 384 of the largest banks and financial institutions worldwide, and said that none had fully deployed DNSSEC. Only one organisation showed evidence of even a trial deployment of DNSSEC.

By contrast, US federal agency rollouts of DNSSEC are quite far along, even though many agencies are years behind a December 2010 deadline to deploy DNSSEC which was set by the Federal Information Security Management Act.

Two-thirds of 359 US government agencies and domain-holding sub-agencies are now cryptographically signing their DNS data, according to the latest available figures from Secure64, up 57 per cent year-on-year. Four out of five of the agencies that have signed their domains have gone live with DNSSEC technology after establishing a chain of trust to their parent domain, we're told.

However six of the agencies (2 per cent of the sample) digitally sign their domains incorrectly, according to Secure64. These configuration problems could lead to problems visiting the websites or sending email to those affected organisations.

"Without DNSSEC's security protocols in place, website addresses can be hijacked," explained Mark Beckett, VP of marketing at Secure64. "This means a surfer seeking to visit a site might easily be re-routed to a fake hacker-run site. This is an important concern for e-commerce companies and banking institutions because personal or financial information could be stolen and used for fraudulent purposes. In addition, because our email systems also rely on the DNS to direct emails to the appropriate recipient, an attacker that hijacks the DNS can also intercept email messages for the purpose of conducting espionage or fraud."

Beckett said the perception that introducing DNSSEC is difficult is wrong and that Secure64 and its competitors have tools to make the migration easy, a factor that makes the slow adoption of the technology in banking in e-commerce all the more puzzling. He argued that the problem addressed by DNSSEC remained both real and pressing.

“The slow DNSSEC adoption in these industries is disturbing because these threats have such a significant downside for banks, e-commerce companies and other organisations that rely on DNS infrastructure for their core business functions. Last year alone, there were a number of highly-publicised examples of vulnerabilities in DNS being exploited by bad guys, which required private companies and government agencies to hastily organise responses. T

"The slow adoption of DNSSEC is puzzling because implementing these DNS security protocols is inexpensive and simple using proven solutions that have been developed for DNSSEC rollouts. The problem is real and the solution is simple and cheap. There’s no reason companies shouldn’t make this a higher priority.”

Other DNS software vendors were not able to comment on Secure64's figures immediately, but their spokespeople did tell El Reg that enabling DNSSEC is a low priority for corporations more focused on cloud computing and virtualisation projects.

Craig Sprosts, network software biz Nominum's veep of platforms and applications, said: "DNSSEC provides strong protection against DNS cache poisoning but other defences beyond UDP source port randomisation have become available since the infamous Kaminsky vulnerability. Enterprises have multiple security priorities and will make the move to DNSSEC when the security it delivers aligns with their business priorities." ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?