I consult on communication issues for Neustar, an Internet infrastructure company. Neustar works behind the scenes to ensure the smooth operation of many critical systems like DNS, the .us and .biz domain extensions, local number portability and digital rights management.
One of the cool things about working for them is the chance to attend the events they sponsor. Last week Neustar sponsored a security briefing for senior federal IT personnel focused on cybersecurity and Domain Name System Security Extensions (DNSSEC). The speakers were Rodney Joffe, SVP and Senior Technologist at Neustar; Merike Kaeo, founder of Double Shot Security and a prominent security expert; and Edward Lewis, a Director at Neustar and author of numerous RFCs dealing with DNS and DNSSEC.
What they all described was very sobering. Bottom line, there are fundamental protocols of the Internet that were not designed to be secure. And there is only so much anyone can do to protect themselves.
There’s no way I can communicate in this post all the material presented — I’m just not that good a note taker. But I can share how they framed the escalating security threats.
Merike led off the presentations. She grouped threats into four categories — Protocol Errors, Software Bugs, Active Attacks and Configuration mistakes. Here’s how she charted the evolution of online threats:
In the Past – Deliberate malware was rare, bugs were just bugs, mitigation was trial by fire and the regulatory structure did not exist.
Today – Highly organized criminals are designing specific malware, bugs are now avenues for attack, mitigation is understood but deployment issues remain, and regulations struggle to assess the reach and impact of cybercrime, though global coordination is much better.
She also shared some interesting insights into the cyber attacks on Estonia in May of 2007. Merike is Estonian and was in the country at that time. She described how cyber-literate the population of that country is, and how they fended off the attacks far better than media reports indicated.
Rodney titled his presentation “Black Swans and Other Phish,” a reference to the Nassim Taleb theory, not the new Natalie Portman movie. His overall message was that the miscreant of the distant hacking past became the spammer of yesterday, and the spammer became the hardcore online criminal of today, hired by organized crime and nation states alike.
Some other interesting points for me:
- DDoS attacks first arose to attack anti-spam efforts
- Malware specifically designed to steal personal information and credentials appeared around 2005
- In 2007 nation states got into the dark game
In an effective demonstration, Rodney brought up a false FBI web site by typing in an IP address corresponding to www.fbi.gov. The cache had been poisoned, and that morning a fake web site was announcing to the world it was the real site of the FBI. Many in the room were clearly surprised by how easy it is to poison the cache of such a high profile government site.
Rodney also talked about the need for better information sharing between government and private networks. (Actually, he said government shares nothing, so anything would be an improvement.) Neustar will be launching a new service soon that will offer agencies full visibility OUTSIDE their networks, and analysis based on actual packet inspection, not just sampling. This gives them a dashboard so they can monitor, understand and then (hopefully) mitigate.
There was no mistaking Ed as the engineer of the group, in his jeans and flannel shirt. He’s also one of the foremost experts on DNSSEC in the world, and feels that there is finally consensus around a critical point: people are realizing that the cost of implementing DNSSEC pales in comparison to the cost of not implementing it.
The biggest challenge of DNSSEC is not the signing, it’s the key management. The more or less final version of DNSSEC has been ready since 2004, and got a huge visibility boost with Dan Kaminsky’s revelations on DNS vulnerabilities in the summer of 2008. That same year, OMB mandated DNSSEC for the .gov domain.
Ed sees that as a good first step, although it doesn’t address the security of others caching .gov IPs. There’s still a lot of work to be done, but Ed is a lot more confident than he used to be. First, because of the cost question mentioned above. Second, because the security problem is real. Finally, because there is no better solution to the problem.
He also cautioned the government audience to focus on the right end goal. The goal is a secure DNS, not a deployment to meet a mandate.
I left the briefing a lot smarter on this topic, and a lot more worried. There seems to be more official recognition of online dangers, and one of the presenters referenced the fact that Janet Napolitano has announced she wants to hire 1,000 cybersecurity professionals over the next three years.
But it was also mentioned the Chinese government is training 10,000-20,000 cybersecurity students per year in their national defense universities. The land where the Internet was invented is starting from behind in this race. We’d better start sprinting!
Just another sobering reminder that we (USA) are behind the times. Though I do see some bright spots from the military/Army standpoint, i.e. USCYBERCOM, new MOS (255S Information Protection Tech), and more training; red/blue teaming between Joint forces. We are still so very far behind China and other nations in terms of a set cyber posture.
Great article and insights…
I have a couple of questions.
1. Was there any mention of the client/resolver side and what Microsoft, Apple and the UNIX/Linux world are up to?
2. I am assuming the same issues present themselves for large enterprises and multi-national corporations.
Donnovan – Thanks for the comment. No on the resolver side, but I’m happy to forward your question. Yes, the same issues apply to other large organizations; the focus on government was due to the audience at the briefing.