Risk
9/25/2008
11:15 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Locking Down The Cloud: Why DNS Security Must Be Improved

What's in a domain name? Everything, when your data is at stake.

Flaws in DNS are giving rise to exploits that could make moving computing functionality into the cloud a risky proposition. Say you're using a software-as-a-service CRM offering. When a salesperson types your SaaS provider's URL, how do you know his browser is linked to the vendor's server, and not a rogue?

Consider the hijacking of Comcast's Internet portal, Comcast.net. In May, attackers gained access to Comcast's Network Solutions administrative accounts and redirected customers to a defaced page. It took several hours for the company to regain control of its domain. Had the attackers been more subtle, they could have inflicted serious financial harm on Comcast by intercepting customer data, rather than simply causing embarrassment.

Security of DNS, which for 20 years has underpinned the Internet's name resolution system, was thrust into the spotlight this year with the discovery by IOActive researcher Dan Kaminsky of a flaw that could have made hijacking a domain name a trivial exploit that took only minutes to execute. How real was the risk? It resulted in the largest simultaneous security software patch in Internet history in July, with 16 vendors with whom Kaminsky shared the flaw--including the major makers of DNS servers, such as Cisco, Microsoft, and Sun Microsystems--releasing their respective patches on the same day.

InformationWeek Reports

If we can't rely on DNS, it's a stretch to let business units access mission-critical applications over the Internet, or trust that sensitive data sent to SaaS providers hasn't been intercepted. This sentiment isn't lost on our readers: In our most recent cloud computing survey, security was by far the most oft-cited concern.

The best answer to date for alleviating the security risks posed to DNS is DNS Security Extensions, or DNSSec, a group of protocols that ensures the authenticity and integrity of DNS name resolution. DNSSec isn't perfect, but it could stop many of the attacks that have bedeviled DNS servers and that rely on redirecting users to sites of the attacker's choosing.

For now, companies depend solely on SSL when moving sensitive data into the cloud. SSL relies on digital certificates to authenticate servers and provide encryption. If the digital certificates are valid, SSL authentication will protect against spoofing. But if an attacker poisons DNS and redirects everyone looking for, say, citi.com to his server, he can then disable SSL for the login, and users will get no error message. Another caveat: SSL failures, such as expired or untrusted certificates and domain name mismatches, are too often treated as inconveniences--developers and users tend to ignore SSL certificate alert warnings.

DNSSec's role is to stop the attack before it gets to the point where the attacker can trick the user.

DIG DEEPER
THREAT LANDSCAPE
DNS is just one of the attack vectors that IT needs to monitor. Download our 2008 InformationWeek Security Survey, free for a limited time.
Ideally, DNSSec would ensure that users are connected to the proper site, while SSL would be used to authenticate the server. There is some movement in this direction. The U.S. Office of Management and Budget has set December 2009 as the deadline to have DNSSec deployed for all .gov sites, and the .org domain is gearing up for a phased rollout beginning in January.

But that's where adoption ends, for now. VeriSign has yet to commit to signing the two most populated top-level domains, .com and .net, which it controls, citing the sheer scale of the undertaking. Microsoft hasn't set a date for providing DNSSec software on clients or its own DNS server, and few service providers have deployed DNSSec-aware DNS servers.

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.