Given that the Russian military attack on Georgia was preceded by an Internet attack, it would seem pretty obvious that Internet security should be a priority.
This raises the question: Does the US Government want the Internet/email system to be insecure?
Some background:
You can try this out yourself. If you type "www.example.com" (without the quotes) into the address spot on your browser, you will see an example website. If you type "208.77.188.166" you will go to the exact same site.
The DNS nameservers are the devices that perform this translation for you. That way, you don't have to memorize long strings of otherwise meaningless digits. This will become even more important in the near future, when we transition to Internet Protocol Version 6 (IPv6), which will have numerical addresses like:
0123456789abcdef0123456789abcdef
The DNS nameservers contain enormous tables that translate the alphabetical addresses into numeric ones. If an attacker could somehow change the information in those tables, then unsuspecting users could end up at the wrong place.
This would be much more than a mere nuisance. If you typed in www.mybank.com and went to your favorite online bank, you would expect to have to log in with your user name and password. You then would be able to send money to someone else. If an attacker created a fake site (which is easy to do), and directed you to the fake site, then the attacker could steal your user name and password.
Several months ago, a security flaw was discovered. This flaw enabled attackers to alter the information in the DNS nameservers. Fixes were quietly introduced and deployed.
However, there is a problem. The Internet is organized in a hierarchical system. The "root" of the system is controlled by the US government, specifically, by the National Telecommunications and Information Administration. They haven't secured the root of the system.
This is described in a recent article at Wired:
Experts Accuse Bush Administration of Foot-Dragging on DNS Security Hole
By Ryan Singel
August 13, 2008
Despite a recent high-profile vulnerability that showed the net could be hacked in minutes, the domain name system -- a key internet infrastructure -- continues to suffer from a serious security weakness, thanks to bureaucratic inertia at the U.S. government agency in charge, security experts say.
If the complicated politics of internet governance continue to get in the way of upgrading the security of the net's core technology, the internet could turn into a carnival house of mirrors, where no URL or e-mail address could be trusted to be genuine, according to Bill Woodcock, research director at the nonprofit Packet Clearing House...
...The Internet Assigned Numbers Authority -- which coordinates the internet -- has been prototyping a system to sign the root-zone file for the last year, but they can't do the same for the internet's top servers without approval from the Department of Commerce.
That's where the rub is, according to Kolkman...
...But changing that system could be perceived as reducing U.S. control over the net -- a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations, and its push to control the root-zone file could push the U.S. to give more control to VeriSign, experts say...
I have no specific reason to think that this is anything other than "bureaucratic inertia." After all, surely the Government wants our email to be secure. Surely they want us to keep our passwords safe. Surely they want us to be able to protect our most sensitive information.
We know this because the government has been spending money to encourage the use of Electronic Health Records (EHR). People are not going to want to use EHR if they do not believe that the Internet is secure.
Comments
I can't wait for November - and next January.
Posted by: J-Dog | August 15, 2008 8:13 AM
??? Root servers were all patched before the announcement. This sounds like BS. It doesn't really matter for them anyway. They are fixed locations that everybody that wants to knows the IP address of. I.e. they really aren't the problem.
Posted by: Markk | August 15, 2008 9:02 AM
Think about the security of caller ID in digital telephony. It can be spoofed because the government demanded that spoofing remain an option, allowing the government to impersonate people or organizations over the telephone, or what spies call 'false-flagging'.
Now think about the security of DNS protocols on the internet. Want to guess why it can be spoofed?
In the trade they call it a design feature.
Posted by: Axis of Weasel | August 15, 2008 9:22 AM
Markk: reading the quoted text, they talk about "signing the root-zone file". I think they're talking about DNSSEC, which is another layer of safety on top of the recent DNS port randomization changes, when the relaying DNS servers support and verify DNSSEC transactions. Yes, the root servers were patched against the protocol weakness, but are they now running with DNSSEC?
Posted by: Winter Toad | August 15, 2008 10:00 AM
I'd be inclined to blame incompetence rather than malice on this one. The state of government preparedness on network security has been unexciting for some time. As for motivation, all systems are insecure against a warrant (or a national security letter, if you think that rule of law is for other people). Leaving systems technically insecure just makes life easier for foreign and nonstate actors.
The feds are definitely pulling lots of unsavory stuff on the network; but they don't need software insecurities to do so.
Posted by: phisrow | August 15, 2008 1:14 PM
1. Even if it's all signed, until the resolvers use DNSSEC also, the signatures will be of limited value. Wide deployment of DNSSEC is critical here, but there are those who contend that DNSSEC is itself flawed.
2. Even if the root isn't signed, if all the TLDs are signed the same purpose is served. Signing the root is important, but signing .com, .org, .net, .gov, .mil, and the others, is important too, and will be a fine interim solution.
3. The Internet Architecture Board, of which Olaf Kolkman is chair and of which I am a member, is working with ICANN to get the root signed.
Posted by: Barry Leiba | August 16, 2008 11:32 AM
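An added example, not part of the original post or of any comment: the first point in the comment above (signatures help only once resolvers validate them) is something a client can observe in the DNS header. The sketch builds a query that requests DNSSEC data and classifies a reply by its AD flag and response code; the function names and the sample headers are constructed for illustration.

```python
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2
DO_BIT = 0x8000  # "DNSSEC OK", carried in the TTL field of the EDNS0 OPT record

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Query with RD=1 and an OPT record with DO=1 (asks for DNSSEC data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL holds DO
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT, 0)
    return header + question + opt

def validation_status(response, txid):
    """Classify a resolver reply from its 12-byte header alone."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not (flags & QR):
        return "mismatch"      # wrong transaction ID, or not a response
    if (flags & RCODE_MASK) == SERVFAIL:
        return "servfail"      # what a validating resolver returns for bad signatures
    if flags & AD:
        return "validated"     # resolver checked the signature chain
    return "unvalidated"       # answer passed along without DNSSEC validation

def sample_response(txid, flags):
    """Constructed header standing in for a real resolver reply."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)

if __name__ == "__main__":
    txid = 0x1234
    print(build_query("www.example.com", txid).hex())
    for flags in (0x81A0, 0x8180, 0x8182):  # AD set, AD clear, SERVFAIL
        print(hex(flags), validation_status(sample_response(txid, flags), txid))
```

The AD flag is only as trustworthy as the path between the client and the resolver that set it, so it is a deployment check rather than end-to-end proof.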
Apart from politics, economy and financing, individual and industrial privacy are also at stake. It's still good with the fact that the US Gov is manning the ICANN, things would have been much worse if a 'red' nation like China was allowed to gain control of it.
Posted by: Amiya Sarkar | August 26, 2008 1:56 AM