Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Rethinking Website Spoofing Mitigation
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/17/2019 | 7:54:52 AM
Re: A new way of looking at a problem,

Also, a token could be issued by the company to validate their authenticity, this would be stored on the customer's browser or computer to ensure they are working with the right organization. This ensures the data is sent to the right company, even if it was not, the domain providers could provide a pop-up to the user stating that this could be a nefarious or ill-advised action, do you want to proceed or not.

One of the other options I mentioned below (from the quote in our earlier discussion) would be to add a token to the site, this would allow the browser to determine if the site was valid by using a SHA256 hash, site descriptor, and purpose all built into this number. This could be used to ensure the site is not a compromised site or if it is a site they have visited before, the browser would determine that much in the same way we use certificates. 

For me, I go to a few sites on a regular for personal and business purposes. There are others but this would help to address the security issue, not all but at least some aspects). Also, we need to start migrating the DNS environment to specifically use DNSSEC and move away from IPv4. This would be much harder for hackers to penetrate defenses because we would secure DNS traffic, reduce MITM attacks, create truly secure connections using IPSec VPN AES256 connections (all built into the protocol - IPv6). We can start identifying where the attack derived from (1-to-1 connections using IPv6) and the token would help to validate the site with the help of ML (I wanted to reiterate the point listed below because ML was only one of the points brought up in the beginning phases of the discussion).



Tokenization is the future of business and personal transactions. Blockchain is looking into that as well.

T
SSTOLFO000
50%
50%
SSTOLFO000,
User Rank: Guru
8/17/2019 | 6:39:54 AM
Re: A new way of looking at a problem,
T

Very wise observation. (I've been a proponent of using ML in security since the inception of my lab at Columbia University, sponsored by DARPA, since 1996.) There are indeed companies that access and analyze DNS and domain registry data to infer suspicious sites using ML and NLP techniques, to head off problems before they start. ML indeed is broadly applicable to many of the problems in cybersecurity. This will help immeasurably, but not completely. The latest work in research is now focusing on Adversarial ML, techniques employed by adversaries to comfound and confuse ML systems. This is accomplished either through "training attacks", where training data consumed by an ML system is poisoned, or "testing attacks", where test data is suitably altered to avoid accurate classification of the ML system. This adversarial attack on ML first appeared by clever spammers who altered their content to avoid detection by the spam filters in email traffic. The same can be applied to domain and DNS data, leaving the problem still unsolved. Attackers are clever, and we have to be dligently one step ahead. My view is a combination of techniques raises the bar high enough to make it very hard for adversaries to succeed in scale. ML based approaches definitely have a role. 
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/14/2019 | 10:21:31 AM
Re: A new way of looking at a problem,
You made some interesting and valid assertions, I think there was a section that you may have overlooked. It stated we should be able to add "ML" or "Machine Learning" to the solution; basically look into creating an intelligent system where the system is constantly looking for illegal or corrupt sites (allow the machine to sift through false positives); this will help carriers to block sites if they are considered nefarious, this will help to improve the entire DNS ecosystem (this process helps to identify key relationships and ascertain if the site is used for valid business or for criminal purposes. It can also be used to help improve performance if use correctly to identify breaks in communication.

Site Spoofing

The ways to use "ML" are endless, we can use it to capture information from the 9 DNS servers across the globe to look for potential actors, we can use the data from Akamai to help and address some of the issues found to even block illegal traffic going to the site (there would need to be a better relationship with the ISPs but I think this would be a start).



Something to think about.

T

 
SSTOLFO000
0%
100%
SSTOLFO000,
User Rank: Guru
8/12/2019 | 6:33:01 AM
Re: A new way of looking at a problem,
Todd

Sensible point. There are a few companies who do access and analyze DNS entries in an attempt to identify spoofing sites. But adversaries are quite clever in making it hard to accurately identify a spoofed domain without a potentially large number of false positives, and false negatives. In one recent example, an enterprise using such a service failed to identify a spoofed site, they were alerted by a customer. 

DNSSEC was proposed over a decade ago and still hasn't become pervasively deployed. It is a community project effort and it is increasingly hard to expect community spirit in the internet's global setting. In the meantime one must expect continuing growth in adversary creativity to create undetected spoofed sites and victimize users to steal their credentials. 

As it now stands, fraudsters have relatively little effort and cost to gather and sell stolen credentials. Flooding them with deceptive credentials changes all of that making their effort expensive; forcing adversaries to pay a price is a good strategy to change the balance of power they now enjoy for free. 
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/8/2019 | 2:15:11 PM
A new way of looking at a problem,
The DNS companies have a huge database. What if the domain providers were able to look at the dns informaiton, implement machine learning and determine if there are companies who have similar domain names or identify if the domain came up days after their creation or just recently. They could identify if this was a problem by sending out an email. In addition, if the domain was brought up by another country, then the originating web owner would be notified of this occurrence, they in turn could notify their clients, partners and the link of any issues associated with their domain.

Also, a token could be issued by the company to validate their authenticity, this would be stored on the customer's browser or computer to ensure they are working with the right organization. This ensures the data is sent to the right company, even if it was not, the domain providers could provide a pop-up to the user stating that this could be a nefarious or ill-advised action, do you want to proceed or not.



This process gives the user an example of how to spoof a site, this needs to be looked at in more detail at a global level (9 dns organization providers), how to improve the existing process, because the existing methods are not working. I think the use of IPv6 with DNSSec could help address some of these issues, we need to fully adopt IPv6 and get off IPv4, most of the hacks occur using that protocol.

Todd

 


The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.