The typical end-of-year security story generally involves a looming cyber threat or yet another major misstep by Microsoft. Well, there's good news on the security front this year -- and, like our other picks, it's gone largely unnoticed. A major hole in security has been plugged with the full deployment of Domain Name System Security Extensions (DNSSec) at the Internet's authoritative root zone. (InfoWorld awarded one of the main drivers of fixing the flaw in its CTO 25 awards earlier this year, but little has been said since.)
The extensions will make it much more difficult for black hats to engage in cache poisoning, an attack that strikes at the fundamental nature of the Internet. "If you can't trust your DNS server, you can't trust anything," says Paul Smith, a senior analyst for Symantec's Hosted Services division.
DNSSec tries to prevent spoofing attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
The DNS was not originally designed with strong security mechanisms, and technological advances have made it easier to exploit vulnerabilities in the DNS protocol that put the integrity of DNS data at risk.
Cache poisoning occurs when a hacker manages to inject bogus data into a recursive name server's cache, causing it to give out that bad information to unsuspecting local clients. ("Authoritative" name servers know where to find particular IP addresses when asked; "recursive" name servers have to search for the answer.) The attack could be used to send Internet users to malicious sites or hijack email.
The vulnerability was discovered in 2008 by Dan Kaminsky, a well-known security researcher who also developed a fix for the flaw. He suggested a patch that involved randomizing ID sequences.
Other patches have been developed and deployed, but Kaminsky and others generally believed that DNSSec was the best long-term solution. In the last few years the spread of botnets has added huge amounts of computing power to the arsenal of hackers, which makes it more likely they can carry defeat the patches, Smith says.
The vulnerability of the patches was more than theoretical. In 2009, there were several serious DNS attacks. In one, Irish Internet service provider Eircom reported it was a victim of cache poisoning, which resulted in two major outages and customers being redirected from popular websites such as Facebook to bogus websites.
Another occurred when Brazilian bank Bradesco confirmed that some of its customers were redirected to websites trying to steal their passwords because its Internet service provider, Net Virtua, was the victim of a cache poisoning attack.
"There was discussion always in the protocol community about the vulnerability of DNS and the need for DNSSec deployment, but [thanks to Kaminsky] the issue did get a big boost from the outside," Scott Rose, an expert in DNS security, tells our sister publication Network World. "He raised the issue of what can happen when you attack the DNS. It's not just about redirecting browsers but subverting email. All the other attacks that Kaminsky outlined brought the issue to the forefront."
The top underreported tech stories of 2010:
This article, "What you missed: A major Internet security hole was finally plugged," was originally published at InfoWorld.com. Get the latest insights in network security issues and trends at InfoWorld.com.
This story, "What you missed: A major Internet security hole was finally plugged" was originally published by InfoWorld.