DNSSEC – A False Sense Of Security?

August 12

It's just been announced that Australia plans to deploy DNSSEC (DNS Security Extensions) in .au. Given that there is an election on in Australia, it's received very little media coverage.

Here is an extract from an auDA announcement: (DNSSEC) “facilitates the digital signing of internet communications, helping to ensure the integrity and authenticity of transmitted data.”

Wow – sounds good eh? To the average person on the street (think of your parents here), they might look at this and say – “Wow I’m protected”. That’s great news. But the REAL story is very different. Ask any Senior IT Security person three questions about DNSSEC:

1. How does it protect me from having my $$$ (say in Internet Banking) siphoned off by malicious software such as Zeus? The answer is that it doesn’t. This malicious activity occurs in a person's web browser.

2. Does DNSSEC ensure my data is kept confidential when it's transmitted over the Internet? Again, the answer is no. What DNSSEC does do is ensure that when you look up a domain name, the response coming back to your computer hasn’t been tampered with. Of course, once it arrives at your computer it can be tampered with there!

3. What is the likelihood that I am going to fall victim to a man-in-the-middle attack or cache poisoning attack? These are things that DNSSEC allegedly prevents. The answer is that it is almost nil. Having said that, some people see man-in-the-middle attacks on the DNS as a sleeping time bomb waiting to go off. Given the inherently insecure nature of the Internet, I have to agree.
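To make point 2 concrete, here is an added example (not from the original post) that parses constructed DNS responses the way a stub resolver sees them: the AD header flag reports that the upstream resolver validated the DNSSEC signatures, while the queried name and the returned address stay readable in cleartext. The name bank.example, the address 192.0.2.10 and all function names are assumptions made for the illustration.

```python
import struct

AD, RCODE_MASK, SERVFAIL = 0x0020, 0x000F, 2   # header flag bits (RFC 1035 / RFC 4035)

def build_response(qname, addr, flags):
    """Build a constructed DNS response: one question, at most one A record."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, flags, 1, 1 if addr else 0, 0, 0)
    msg += name + struct.pack("!2H", 1, 1)                   # QTYPE=A, QCLASS=IN
    if addr:
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)   # name pointer, A, IN, TTL, len
        msg += bytes(int(o) for o in addr.split("."))
    return msg

def parse_response(wire):
    """Read what any on-path observer can read: flags, name and addresses."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    pos, labels = 12, []
    while wire[pos]:                                         # uncompressed question name
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 5                                                 # root label, QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        pos += 2                                             # sample answers use a pointer
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[pos:pos + 4]))
        pos += rdlen
    return {"qname": ".".join(labels), "ad": bool(flags & AD),
            "rcode": flags & RCODE_MASK, "addrs": addrs}

def classify(wire):
    r = parse_response(wire)
    if r["rcode"] == SERVFAIL:       # a validating resolver answers SERVFAIL on bad signatures
        return "failed"
    # AD is the resolver's claim; trust it only if the path to that resolver is trusted.
    return "validated" if r["ad"] else "unvalidated"

# Constructed samples: QR|RD|RA = 0x8180, plus AD (0x0020) or RCODE=SERVFAIL (2).
VALIDATED = build_response("bank.example", "192.0.2.10", 0x8180 | AD)
UNVALIDATED = build_response("bank.example", "192.0.2.10", 0x8180)
FAILED = build_response("bank.example", None, 0x8180 | SERVFAIL)

if __name__ == "__main__":
    for wire in (VALIDATED, UNVALIDATED, FAILED):
        print(classify(wire), parse_response(wire))
```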

So why are we doing this? It's just one layer of defense against DNS vulnerabilities. It's not the great “silver bullet” that people make it out to be. Don’t get me wrong, it's great that people are doing something (better than nothing) – but this is like putting a band-aid over a wound that needs major surgery. You are not addressing the CAUSE of the problem.

What Does DNSSEC Mean For Domain Investors?

At the moment, not a lot. There is no “mandate” for people or companies to start digitally signing anything. What we will see is pressure put on registries, registrars and large corporates to start getting the infrastructure in place to facilitate DNSSEC.

It's something to keep an eye on.

Twitter DNS Records Compromised By Iranian Cyber Army

December 18

It appears that Twitter's DNS records have been compromised and people going to Twitter.com are being redirected to another website.

There is an obvious lesson to be learned about keeping your credentials safe! This isn’t the first Twitter security incident – a few months ago their web admin password was “password”!

If I was a betting man, I’d say that’s probably gonna be easy for the kids to guess.

In a blog post a few minutes ago, Twitter stated:

“Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

The question is, how many IDs and passwords does the Iranian Cyber Army now have? After all, they could have easily started capturing them if they redirected the DNS records. I’m sure more details will come to light about exactly what happened. Watch this space!