A Cunning Disregard For Security

This seems very odd.  The Internet -- including web sites and
email -- has been found to have a very serious security flaw.
 Civilized places such as Sweden and Puerto Rico are already
fixing the problem.  There are plans to improve security for
US .gov and .mil sites (government and military , respectively).
 Yet, the most important fix for the rest of us, which is
under the control of the US government, is being delayed.



Given that the Russian military attack on Georgia was href="http://www.csmonitor.com/2008/0813/p01s05-usmi.html">preceded
by an Internet attack, it would seem pretty obvious that
Internet security should be a priority.



This raises the question: Does the US Government want the
Internet/email system to be insecure?



Some background:


One of the key components to the infrastructure of the Internet is the
Domain Name System (DNS), which operates on DNS nameservers.
 For various technical reasons, computers connected to the
Internet all have numerical addresses.  Currently, these
consist of four sets of up to three digits, each separated by a dot.
 The is called the Internet Protocol (IP) address.
 For example, the site www.example.com has
an IP address of 208.77.188.166.



You can try this out yourself.  If you type "www.example.com"
(without the quotes) into the address spot on your browser, you will
see an example website.  If you type "208.77.188.166" you will
go to the exact same site.  



The DNS nameservers are the devices that perform this translation for
you.  That was, you don't have to memorize long strings of
otherwise meaningless digits.  This will become even more
important in the near future, when we transition to Internet Protocol
Version 6 (IVP6), which will have numerical addresses like:



 0123456789abcdef0123456789abcdef



The DNS nameservers contain enormous tables that translate the
alphabetical addresses into numeric ones.  If an attacker
could somehow change the information in those tables, then unsuspecting
users could end up at the wrong place.  



This would be much more that a mere nuisance.  If you typed in
www.mybank.com and went to your favorite online bank, you would expect
to have to log in with your user name and password.  You then
would be able to send money to someone else.  If an attacker
created a fake site (which is easy to do), and directed you to the fake
site, then the attacker could steal your user name and password.
 



Several months ago, href="http://www.nytimes.com/2008/08/09/technology/09flaw.html?ex=1376020800&en=e5444e66b3d40843&ei=5124&partner=permalink&exprod=permalink">a
security flaw was discovered.  This flaw enabled
attacks to alter the information in the DNS nameservers.
 Fixes were quietly introduced and deployed.



However, there is a problem.  The Internet is organized in a
hierarchical system.  The "root" of the system is controlled
by the US government, specifically, by the National Telecommunications
and Information Administration.  They haven't secured the root
of the system.



This is described in a recent article at Wired:



href="http://blog.wired.com/27bstroke6/2008/08/experts-accuse.html">Experts
Accuse Bush Administration of Foot-Dragging on DNS Security Hole


By Ryan Singel

August 13, 2008



Despite a recent high-profile vulnerability that showed the net could
be hacked in minutes, the domain name system -- a key internet
infrastructure -- continues to suffer from a serious security weakness,
thanks to bureaucratic inertia at the U.S. government agency in charge,
security experts say.



If the complicated politics of internet governance continue to get in
the way of upgrading the security of the net's core technology, the
internet could turn into a carnival house of mirrors, where no URL or
e-mail address could be trusted to be genuine, according to Bill
Woodcock, research director at the nonprofit Packet Clearing House...



...The Internet Assigned Numbers Authority -- which coordinates the
internet -- has been prototyping a system to sign the root-zone file
for the last year, but they can't do the same for the internet's top
servers without approval from the Department of Commerce.



That's where the rub is, according to Kolkman...



...But changing that system could be perceived as reducing U.S. control
over the net -- a touchy geopolitical issue. ICANN is often considered
by Washington politicians to be akin to the United Nations, and its
push to control the root-zone file could push the U.S. to give more
control to VeriSign, experts say...



I have no specific reason to think that this is anything other than
"bureaucratic inertia."  After all, surely the Government wants
our email to be secure.  Surely they want
us to keep our passwords safe.  Surely they want us to be able
to protect our most sensitive information.  



We know this because the government has been spending money to href="http://www.govtech.com/em/160521">encourage the use of
Electronic Health Records (EHR).  People are href="http://healthblawg.typepad.com/healthblawg/2008/08/does-the-dns-security-hole-worry-the-ehr-and-phr-worlds.html">not
going to want to use EHR if they do not believe that the
Internet is secure.  


More like this

I can't wait for November - and next January.

??? Root servers were all patched before the announcement. This sounds like BS. It doesn't really matter for them anyway. They are fixed locations that everybody that wants to knows the IP address of. I.e. they really aren't the problem.

Think about the security of caller ID in digital telephony. It can be spoofed because the government demanded that spoofing remain an option, allowing the government to impersonate people or organizations over the telephone, or what spies call 'false-flagging'.

Now think about the security of DNS protocols on the internet. Want to guess why it can be spoofed?

In the trade they call it a design feature.

By Axis of Weasel (not verified) on 15 Aug 2008 #permalink

Markk: reading the quoted text, they talk about "signing the root-zone file". I think they're talking about DNSSEC, which is another layer of safety on top of the recent DNS port randomization changes, when the relaying DNS servers support and verify DNSSEC transactions. Yes, the root servers were patched against the protocol weakness, but are they now running with DNSSEC?

I'd be inclined to blame incompetence rather than malice on this one. The state of government preparedness on network security has been unexciting for some time. As for motivation, all systems are insecure against a warrant(or a national security letter, if you think that rule of law is for other people). Leaving systems technically insecure just makes life easier for foreign and nonstate actors.

The feds are definitely pulling lots of unsavory stuff on the network; but they don't need software insecurities to do so.

1. Even if it's all signed, until the resolvers use DNSSEC also, the signatures will be of limited value. Wide deployment of DNSSEC is critical here, but there are those who contend that DNSSEC is itself flawed.

2. Even if the root isn't signed, if all the TLDs are signed the same purpose is served. Signing the root is important, but signing .com, .org, .net, .gov, .mil, and the others, is important too, and will be a fine interim solution.

3. The Internet Architecture Board, of which Olaf Kolkman is chair and of which I am a member, is working with ICANN to get the root signed.

Apart from politics, economy and financing, individual and industrial privacy are also at stake. Its still good with the fact that the US Gov is manning the ICANN, things would have been much worse if a 'red' nation like China was allowed to gain control of it.