Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods

'Other defences' available, they'll move when they're good and ready - Nominum

Seven Steps to Software Security

Despite the best attempts of security vendors, neither online stores nor the financial industry seem particularly keen to adopt DNSSEC tech - an anti-fraud mechanism that makes it difficult for fraudsters to spoof legitimate websites.

DNSSEC (DNS Security Extensions) uses public-key encryption and authentication to guard against the domain name cache poisoning attack famously highlighted by security researcher Dan Kaminsky back in 2008. The technology works by building up a chain of trust.

The cryptographic checks make it difficult for attackers' machines to masquerade as the servers that translate domain names understandable by humans, such as amazon.com, into the numerical IP addresses used by computers to talk to each other over networks. These checks could thwart attempts by hackers to redirect people visiting, say, ebay.com, to a malicious website dressed up to look exactly like the real thing. Shoppers tricked into buying stuff from a spoofed web bazaar could unknowingly hand over their payment details to crooks rather than the genuine online shop.

Domain-name-server vendor Secure64 claims it ran checks to discover how many e-commerce companies had addressed DNS security vulnerabilities, and claimed it had discovered that none of the top 100 e-commerce firms - including Amazon and eBay - had fully implemented DNSSEC.

Secure64 also said that none of these 100 largest e-commerce sites showed evidence of even testing deployments of DNSSEC, such as digitally signing their DNS data.

Neither Amazon nor eBay responded to requests by El Reg to comment on Secure64's findings or to our questions about their positions to DNSSEC more generally.

The banking and financial services industry also appears to be avoiding DNSSEC implementation, said the security firm. Secure64's researchers examined the name server infrastructure of 384 of the largest banks and financial institutions worldwide, and said that none had fully deployed DNSSEC. Only one organisation showed evidence of even a trial deployment of DNSSEC.

By contrast, US federal agency rollouts of DNSSEC are quite far along, even though many agencies are years behind a December 2010 deadline to deploy DNSSEC which was set by the Federal Information Security Management Act.

Two-thirds of 359 US government agencies and domain-holding sub-agencies are now cryptographically signing their DNS data, according to the latest available figures from Secure64, up 57 per cent year-on-year. Four out of five of the agencies that have signed their domains have gone live with DNSSEC technology after establishing a chain of trust to their parent domain, we're told.

However six of the agencies (2 per cent of the sample) digitally sign their domains incorrectly, according to Secure64. These configuration problems could lead to problems visiting the websites or sending email to those affected organisations.

"Without DNSSEC's security protocols in place, website addresses can be hijacked," explained Mark Beckett, VP of marketing at Secure64. "This means a surfer seeking to visit a site might easily be re-routed to a fake hacker-run site. This is an important concern for e-commerce companies and banking institutions because personal or financial information could be stolen and used for fraudulent purposes. In addition, because our email systems also rely on the DNS to direct emails to the appropriate recipient, an attacker that hijacks the DNS can also intercept email messages for the purpose of conducting espionage or fraud."

Beckett said the perception that introducing DNSSEC is difficult is wrong and that Secure64 and its competitors have tools to make the migration easy, a factor that makes the slow adoption of the technology in banking in e-commerce all the more puzzling. He argued that the problem addressed by DNSSEC remained both real and pressing.

“The slow DNSSEC adoption in these industries is disturbing because these threats have such a significant downside for banks, e-commerce companies and other organisations that rely on DNS infrastructure for their core business functions. Last year alone, there were a number of highly-publicised examples of vulnerabilities in DNS being exploited by bad guys, which required private companies and government agencies to hastily organise responses. T

"The slow adoption of DNSSEC is puzzling because implementing these DNS security protocols is inexpensive and simple using proven solutions that have been developed for DNSSEC rollouts. The problem is real and the solution is simple and cheap. There’s no reason companies shouldn’t make this a higher priority.”

Other DNS software vendors were not able to comment on Secure64's figures immediately, but their spokespeople did tell El Reg that enabling DNSSEC is a low priority for corporations more focused on cloud computing and virtualisation projects.

Craig Sprosts, network software biz Nominum's veep of platforms and applications, said: "DNSSEC provides strong protection against DNS cache poisoning but other defences beyond UDP source port randomisation have become available since the infamous Kaminsky vulnerability. Enterprises have multiple security priorities and will make the move to DNSSEC when the security it delivers aligns with their business priorities." ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.