Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods
'Other defences' available, they'll move when they're good and ready - Nominum
Despite the best attempts of security vendors, neither online stores nor the financial industry seem particularly keen to adopt DNSSEC tech - an anti-fraud mechanism that makes it difficult for fraudsters to spoof legitimate websites.
DNSSEC (DNS Security Extensions) uses public-key encryption and authentication to guard against the domain name cache poisoning attack famously highlighted by security researcher Dan Kaminsky back in 2008. The technology works by building up a chain of trust.
The cryptographic checks make it difficult for attackers' machines to masquerade as the servers that translate domain names understandable by humans, such as amazon.com, into the numerical IP addresses used by computers to talk to each other over networks. These checks could thwart attempts by hackers to redirect people visiting, say, ebay.com, to a malicious website dressed up to look exactly like the real thing. Shoppers tricked into buying stuff from a spoofed web bazaar could unknowingly hand over their payment details to crooks rather than the genuine online shop.
Domain-name-server vendor Secure64 claims it ran checks to discover how many e-commerce companies had addressed DNS security vulnerabilities, and claimed it had discovered that none of the top 100 e-commerce firms - including Amazon and eBay - had fully implemented DNSSEC.
Secure64 also said that none of these 100 largest e-commerce sites showed evidence of even testing deployments of DNSSEC, such as digitally signing their DNS data.
Neither Amazon nor eBay responded to requests by El Reg to comment on Secure64's findings or to our questions about their positions to DNSSEC more generally.
The banking and financial services industry also appears to be avoiding DNSSEC implementation, said the security firm. Secure64's researchers examined the name server infrastructure of 384 of the largest banks and financial institutions worldwide, and said that none had fully deployed DNSSEC. Only one organisation showed evidence of even a trial deployment of DNSSEC.
By contrast, US federal agency rollouts of DNSSEC are quite far along, even though many agencies are years behind a December 2010 deadline to deploy DNSSEC which was set by the Federal Information Security Management Act.
Two-thirds of 359 US government agencies and domain-holding sub-agencies are now cryptographically signing their DNS data, according to the latest available figures from Secure64, up 57 per cent year-on-year. Four out of five of the agencies that have signed their domains have gone live with DNSSEC technology after establishing a chain of trust to their parent domain, we're told.
However six of the agencies (2 per cent of the sample) digitally sign their domains incorrectly, according to Secure64. These configuration problems could lead to problems visiting the websites or sending email to those affected organisations.
"Without DNSSEC's security protocols in place, website addresses can be hijacked," explained Mark Beckett, VP of marketing at Secure64. "This means a surfer seeking to visit a site might easily be re-routed to a fake hacker-run site. This is an important concern for e-commerce companies and banking institutions because personal or financial information could be stolen and used for fraudulent purposes. In addition, because our email systems also rely on the DNS to direct emails to the appropriate recipient, an attacker that hijacks the DNS can also intercept email messages for the purpose of conducting espionage or fraud."
Beckett said the perception that introducing DNSSEC is difficult is wrong and that Secure64 and its competitors have tools to make the migration easy, a factor that makes the slow adoption of the technology in banking in e-commerce all the more puzzling. He argued that the problem addressed by DNSSEC remained both real and pressing.
“The slow DNSSEC adoption in these industries is disturbing because these threats have such a significant downside for banks, e-commerce companies and other organisations that rely on DNS infrastructure for their core business functions. Last year alone, there were a number of highly-publicised examples of vulnerabilities in DNS being exploited by bad guys, which required private companies and government agencies to hastily organise responses. T
"The slow adoption of DNSSEC is puzzling because implementing these DNS security protocols is inexpensive and simple using proven solutions that have been developed for DNSSEC rollouts. The problem is real and the solution is simple and cheap. There’s no reason companies shouldn’t make this a higher priority.”
Other DNS software vendors were not able to comment on Secure64's figures immediately, but their spokespeople did tell El Reg that enabling DNSSEC is a low priority for corporations more focused on cloud computing and virtualisation projects.
Craig Sprosts, network software biz Nominum's veep of platforms and applications, said: "DNSSEC provides strong protection against DNS cache poisoning but other defences beyond UDP source port randomisation have become available since the infamous Kaminsky vulnerability. Enterprises have multiple security priorities and will make the move to DNSSEC when the security it delivers aligns with their business priorities." ®