Feeds

Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods

'Other defences' available, they'll move when they're good and ready - Nominum

3 Big data security analytics techniques

Despite the best attempts of security vendors, neither online stores nor the financial industry seem particularly keen to adopt DNSSEC tech - an anti-fraud mechanism that makes it difficult for fraudsters to spoof legitimate websites.

DNSSEC (DNS Security Extensions) uses public-key encryption and authentication to guard against the domain name cache poisoning attack famously highlighted by security researcher Dan Kaminsky back in 2008. The technology works by building up a chain of trust.

The cryptographic checks make it difficult for attackers' machines to masquerade as the servers that translate domain names understandable by humans, such as amazon.com, into the numerical IP addresses used by computers to talk to each other over networks. These checks could thwart attempts by hackers to redirect people visiting, say, ebay.com, to a malicious website dressed up to look exactly like the real thing. Shoppers tricked into buying stuff from a spoofed web bazaar could unknowingly hand over their payment details to crooks rather than the genuine online shop.

Domain-name-server vendor Secure64 claims it ran checks to discover how many e-commerce companies had addressed DNS security vulnerabilities, and claimed it had discovered that none of the top 100 e-commerce firms - including Amazon and eBay - had fully implemented DNSSEC.

Secure64 also said that none of these 100 largest e-commerce sites showed evidence of even testing deployments of DNSSEC, such as digitally signing their DNS data.

Neither Amazon nor eBay responded to requests by El Reg to comment on Secure64's findings or to our questions about their positions to DNSSEC more generally.

The banking and financial services industry also appears to be avoiding DNSSEC implementation, said the security firm. Secure64's researchers examined the name server infrastructure of 384 of the largest banks and financial institutions worldwide, and said that none had fully deployed DNSSEC. Only one organisation showed evidence of even a trial deployment of DNSSEC.

By contrast, US federal agency rollouts of DNSSEC are quite far along, even though many agencies are years behind a December 2010 deadline to deploy DNSSEC which was set by the Federal Information Security Management Act.

Two-thirds of 359 US government agencies and domain-holding sub-agencies are now cryptographically signing their DNS data, according to the latest available figures from Secure64, up 57 per cent year-on-year. Four out of five of the agencies that have signed their domains have gone live with DNSSEC technology after establishing a chain of trust to their parent domain, we're told.

However six of the agencies (2 per cent of the sample) digitally sign their domains incorrectly, according to Secure64. These configuration problems could lead to problems visiting the websites or sending email to those affected organisations.

"Without DNSSEC's security protocols in place, website addresses can be hijacked," explained Mark Beckett, VP of marketing at Secure64. "This means a surfer seeking to visit a site might easily be re-routed to a fake hacker-run site. This is an important concern for e-commerce companies and banking institutions because personal or financial information could be stolen and used for fraudulent purposes. In addition, because our email systems also rely on the DNS to direct emails to the appropriate recipient, an attacker that hijacks the DNS can also intercept email messages for the purpose of conducting espionage or fraud."

Beckett said the perception that introducing DNSSEC is difficult is wrong and that Secure64 and its competitors have tools to make the migration easy, a factor that makes the slow adoption of the technology in banking in e-commerce all the more puzzling. He argued that the problem addressed by DNSSEC remained both real and pressing.

“The slow DNSSEC adoption in these industries is disturbing because these threats have such a significant downside for banks, e-commerce companies and other organisations that rely on DNS infrastructure for their core business functions. Last year alone, there were a number of highly-publicised examples of vulnerabilities in DNS being exploited by bad guys, which required private companies and government agencies to hastily organise responses. T

"The slow adoption of DNSSEC is puzzling because implementing these DNS security protocols is inexpensive and simple using proven solutions that have been developed for DNSSEC rollouts. The problem is real and the solution is simple and cheap. There’s no reason companies shouldn’t make this a higher priority.”

Other DNS software vendors were not able to comment on Secure64's figures immediately, but their spokespeople did tell El Reg that enabling DNSSEC is a low priority for corporations more focused on cloud computing and virtualisation projects.

Craig Sprosts, network software biz Nominum's veep of platforms and applications, said: "DNSSEC provides strong protection against DNS cache poisoning but other defences beyond UDP source port randomisation have become available since the infamous Kaminsky vulnerability. Enterprises have multiple security priorities and will make the move to DNSSEC when the security it delivers aligns with their business priorities." ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.