Proposal for Signing the DNSSEC Root

The U.S. National Telecommunications and Information Administration (NTIA) is soliciting comments on signing the DNSSEC root. Ignore the caption on the page: this is not about DNSSEC deployment, which is already happening just fine. It's about who gets to sign the root zone. more»

Why DNS is Broken, in Plain English

At ICANN's meeting in Egypt last week, I had the opportunity to try and explain to various non-technical audiences why the Domain Name System (DNS) is vulnerable to attack, and why that is important, without needing a computer science degree to understand it. Here is the summary. more»

Users Don't Like Forwarded Spam

A message on Dave Farber's Interesting People list complained that Comcast was blocking mail forwarded by DynDNS, a popular provider of DNS and related services for small-scale users... Actually, they're blocking it because a lot of it is spam. This is a problem that every mail forwarder and every mail system encounters; the only unusual thing here is that DynDNS is whining about it. It's yet another way that spammers have broken the mail for the rest of us. more»

Gartner on New Generic Top Level Domains

Gartner, the well known IT consulting company, has published a report on the new top level domains that will appear some time next year. The report totally misses the mark. In a pure US centric vision, it focuses on ".com" as the must-have TLD, totally overlooking the fact that a ".com" is mostly worthless e.g. in Germany, where ".de" is the TLD one must have to succeed locally... more»

Personal Names, Politics and Cybersquatting

Thinking about the www.kerryedwards.com auction reminds one of the uneasy relationship between personal names, politics and cybersquatting. When reporters learned that the domain name was taken by Kerry Edwards, the Indiana bail bondsman, at least some headlines were quick to brand Mr. Edwards' conduct as cybersquatting. The Chicago Sun-Times, for example, ran the headline "Kerry Edwards is the Name, Cybersquatting is the Game." Mr. Edwards, of course, had registered his own name as a domain name long before Kerry picked Edwards as a running mate. more»

Day 30: Kaminsky DNS Bug Disclosure

In a highly anticipated presentation, Internet security researcher Dan Kaminsky today gave details of the much talked about Domain Name System (DNS) vulnerability issue which has been intensely covered since it was publicly announced a month ago on Jul 8th. Although original plans entailed keeping the bug details undisclosed for 30 days in order to allow for necessary security patches to be implemented around the world, details of the bug were eventually leaked-and-confirmed 13 days after its public announcement. Even so, just hours ago in jam-packed ballroom during the Black Hat conference, Kaminsky delivered his 100-plus-slide presentation detailing the DNS flaw that, if exploited, could potentially "destroy the Web". more»

Apple Finally Patches DNS Flaw

Apple which has been under criticism by security experts for being slow in patching a major DNS flaw, has at last issued a patch in a security update for its OS X operating system and other software late Thursday. Apple is among a handful of companies that security experts have said moved far too slow in reacting to the DNS bug. Other vendors, including Cisco and Microsoft, had patches ready when the existence of the flaw was disclosed on July 8, 2008. But some network administrators have reported compatibility problems with those early patches. more»

DNS Attack Creator Becomes a Victim of His Own Creation

Moore, the creator of the popular Metasploit hacking toolkit has become the victim of a computer attack. It happened on Tuesday morning, when Moore's company, BreakingPoint had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas area. One of BreakingPoint's servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore's company. more»

Possible First Attacks on DNS Flaw Have Been Reported

The existence of the DNS flaw was revealed earlier this month by security researcher Dan Kaminsky and the code that could act as a blueprint for an attack via the flaw was published last week by Metasploit. On Friday, a user named James Kosin posted an excerpt from a server log to a Fedora Linux mailing list, claiming it proved attacks based on the DNS flaw had begun. Kosin post reads... more»

Not a Guessing Game

On Tuesday July 8, CERT/CC published advisory #800113 referring to a DNS cache poisoning vulnerability discovered by Dan Kaminsky that will be fully disclosed on August 7 at the Black Hat conference. While the long term fix for this attack and all attacks like it is Secure DNS, we know we can't get the root zone signed, or the .COM zone signed, or the registrar / registry system to carry zone keys, soon enough. So, as a temporary workaround, the affected vendors are recommending that Dan Bernstein's UDP port randomization technique be universally deployed. Reactions have been mixed, but overall, negative. As the coordinator of the combined vendor response, I've heard plenty of complaints, and I've watched as Dan Kaminsky has been called an idiot for how he managed the disclosure. Let me try to respond a little here, without verging into taking any of this personally... more»

Shouting 'Bug' on a Crowded Internet…

In the last few weeks we've seen two very different approaches to the full disclosure of security flaws in large-scale computer systems. Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London's Oyster card will soon be available to anyone with a laptop computer and a desire to break the law. These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being unresolved. Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers? more»

Just a Matter of Time Before DNS Attack Code Might Surface

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon. Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, says one security expert. The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. more»

How Much Do You Think a .ORG, .BIZ, or .INFO Domain Costs?

Whatever you think the answer is (typically about ten bucks), the answer is likely to change radically for the worse, based on new contracts that ICANN is planning to approve. On July 28th ICANN posted proposed new contracts for .ORG, .BIZ, and .INFO, for a public comment period that ends four days from now, on the 28th. There's a lot not to like about these proposed contracts, but I will concentrate here on two related particularly troublesome areas, pricing and data mining. more»

Anti-Phishing and Hong Kong

Planning for a short trip to Hong Kong tomorrow reminded me of Jonathan Shea, something I wanted to blog about but was waiting for the hype around the new generic Top-Level Domains (TLDs) to cool down. Jonathan Shea is an old friend who is in-charge of ".hk". I had the pleasure to catch up with him in Paris ICANN meeting. Before Jonathan, let me talk about something related that happened in Paris. At the Cross Constituency Meeting, there was a presentation by the Anti-Phishing Working Group (APWG). In summary, they were proposing working with registries to take down domain names that are suspected to be involved in phishing. more»

ICANN Board Approves Sweeping Overhaul of Top-level Domains

The Internet Corporation for Assigned Names and Numbers (ICANN) has just approved the relaxation of the rules for the introduction of new Top-Level Domains -- a move that could drastically change the Internet. The new decision -- some calling it of historic importance and others predictable -- will allow companies to register their brands as generic top-level domain names (TLDs). For instance, Microsoft could apply to have a TLD such as '.msn' and Apple apply for '.mac'. more»