Half of federal Web sites fail DNS security test

By , Network World |  Security, DNS, DNS security

Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows.

The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security — called DNS Security Extensions or DNSSEC — on their .gov Web sites by Dec. 31, 2009.

However, an independent study conducted this month shows that 51% of agencies are out of compliance with the requirement to deploy DNSSEC, which is also necessary for high marks in agency report cards under the Federal Information Security Management Act or FISMA.

DNSSEC FAQ 

DNSSEC is an Internet standard that prevents hackers from hijacking Web traffic and redirecting it to bogus sites. It allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption.

In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .gov, .com and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

DNSSEC was enabled in the root zone last July. More than a dozen top-level domains - including .org for non-profits, .edu for universities and .net for networking companies - support the standard.

Related Events: DNS gains added measure of security starting today 

Secure64 Software Corp., a DNS vendor, tested 360 federal agencies for evidence of digital signatures on their .gov domains. The company ran the same test a year ago and found that only 20% of federal Web sites were in compliance with the DNSSEC mandate.


Originally published on Network World |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness