

Wednesday, November 10, 2010

Kaminsky To Release 'Phreebird' For Easy DNSSEC

Free toolkit lets organizations, developers test-drive new DNS security protocol

Renowned researcher Dan Kaminsky tomorrow at Black Hat Abu Dhabi will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement.

"I've been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I've been putting forth, in code form. This is for real," says Kaminsky, who will make the Phreebird Suite 1.0 kit available tomorrow on the Black Hat website. Kaminsky gave a sneak peek demonstration of Phreebird at Black Hat USA in July.

Phreebird Suite 1.0 is a real-time DNSSEC proxy that sits in front of a DNS server and digitally signs its responses. "This is a collection of technologies [that show how] DNSSEC can be very easily deployed on the server side and trivially on client side," he says. The code is not for operational use, he says, but for testing out the technology.

"This code is cool. It makes DNSSEC easy to achieve," Kaminsky says. "It makes it easy to take your existing DNS deployment and supplement it with DNSSEC services."

The goal is to show how DNSSEC could be used to "bootstrap" trust -- a.k.a. authentication -- across organizations, he says, authenticating clients, business partners, customers, contractors, and other groups with one another. DNSSEC has been in the works for nearly two decades: It was finally fully deployed in the root this summer and so far has been implemented in the .gov, .net, .edu, and .org domains. The .com domain will be signed by DNSSEC in March. The protocol is considered the key to preventing attacks exploiting the now-infamous cache-poisoning vulnerability Kaminsky revealed at Black Hat USA in 2008.

Kaminsky hopes to dispel concerns that DNSSEC will be complex, disruptive, and expensive to deploy in organizations. "Application developers don't want to be cryptography experts," Kaminsky says. "They just want the key ... and to move on."

Phreebird automatically generates keys and provides real-time signing. There is "zero configuration" on the server side with the tool. "There is enough context in the DNS reply to figure out all of the necessary settings for how to sign it. You don't have to have a huge amount of preconfiguration. This is a revolution here," Kaminsky says.
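As an added illustration (not Phreebird's own code, which the article does not show), the Python below demonstrates the idea behind that claim: every RRSIG header field except the signature itself can be derived from the RRset being signed plus the zone apex and signing key, and the RFC 4034 "data to be signed" is then assembled in canonical form. The RRset, zone name, key tag and validity window are constructed sample values.

```python
# Added example: derive RRSIG fields from an RRset and build the RFC 4034 signing input.
import hashlib, struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "RRSIG": 46}

def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def label_count(owner):
    """RRSIG Labels field: count labels, excluding the root and a leading wildcard."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return len(labels) - (1 if labels and labels[0] == "*" else 0)

def derive_rrsig_fields(owner, rtype, ttl, zone, key_tag, alg, inception, expiration):
    """Everything but the signature comes from the reply (owner, type, TTL) and the key."""
    return {"type_covered": TYPE[rtype], "algorithm": alg,
            "labels": label_count(owner), "original_ttl": ttl,
            "expiration": expiration, "inception": inception,
            "key_tag": key_tag, "signer": zone}

def rrsig_rdata_prefix(f):
    """RRSIG RDATA up to and including Signer's Name (RFC 4034 s3.1)."""
    return struct.pack("!HBBIIIH", f["type_covered"], f["algorithm"], f["labels"],
                       f["original_ttl"], f["expiration"], f["inception"],
                       f["key_tag"]) + name_to_wire(f["signer"])

def data_to_sign(owner, rtype, ttl, rdatas, fields):
    """RRSIG_RDATA | RR(1) | ... | RR(n); RRs sorted in canonical RDATA order (A records only here)."""
    head = name_to_wire(owner) + struct.pack("!HHI", TYPE[rtype], 1, ttl)
    body = b"".join(head + struct.pack("!H", len(r)) + r for r in sorted(rdatas))
    return rrsig_rdata_prefix(fields) + body

def signing_digest(owner, rtype, ttl, rdatas, zone, key_tag, inception, expiration):
    """SHA-256 of the signing input; algorithm 8 (RSA/SHA-256) PKCS#1 v1.5-signs this digest."""
    fields = derive_rrsig_fields(owner, rtype, ttl, zone, key_tag, 8, inception, expiration)
    return hashlib.sha256(data_to_sign(owner, rtype, ttl, rdatas, fields)).hexdigest(), fields

if __name__ == "__main__":
    # Constructed sample: two A records for www.example.org, zone apex example.org.
    digest, f = signing_digest("www.Example.org.", "A", 3600,
                               [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])],
                               "example.org.", 12345, 1289347200, 1290556800)
    print(f, digest)
```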

The tool requires using GoDaddy for creating a test .org domain, and in the end it takes about 30 seconds to get valid, signed records via the Internet, according to Kaminsky.

On the client side, Phreebird includes Phreeload, a tool that adds DNSSEC support to OpenSSL applications and sits at the authentication layer. DNSSEC can be used in lieu of X.509 certificates: Phreebird's Phreeload tool basically provides authentication without certificates, using DNSSEC instead. "At present, it's surprisingly difficult and expensive to validate key material via X509 and CAs [certificate authorities]. I'm demonstrating how to make it easy and inexpensive to validate the same material using DNSSEC," Kaminsky says.

Kaminsky is also working on a Phreebird tool that lets email systems use DNSSEC for authenticating correspondents. "When my mom receives an email from the bank, she should know it's from the bank," he says.

Meanwhile, Kaminsky is urging fellow researchers to hack at Phreebird to look for vulnerabilities. He's hoping to get up-front input on any major vulnerabilities.

Source: Kelly Jackson Higgins, DarkReading, Retrieved on November 10, 2010 from


Tuesday, November 9, 2010

Observers recommend broader role for government in cybersecurity

Public service campaigns to promote safe Web surfing and developing best practices for fending off cyberattacks are not constructive activities for the government, a panel of cybersecurity experts told Federal Communications Commission officials on Friday.

FCC is now identifying the five most critical threats to the Internet, as well as a plan to address such risks in accordance with the Obama administration's National Broadband Plan, a roadmap for attaining ubiquitous, affordable high-speed Internet access. To assess the threat landscape, the agency on Friday sought the input of about 10 security officials who work for Internet service providers, research institutions and the government.

The most vocal participants said the mercurial nature of attacks makes it nearly impossible to devise defensive procedures or rely on computer users to ensure that viruses don't spread. The most effective role for the government is preparing for the unknown, they said.

October marked the government's annual cybersecurity awareness month. This year's theme was the notion that cybersecurity is a shared responsibility among the government, network services providers and Web surfers.

But James Lewis, a senior fellow at the Center for Strategic and International Studies, a Washington think tank, said educating end users will not protect the Internet.

"I've kind of given up on the end points. We had National Cybersecurity Awareness month last month. A complete waste of time," he said. "We're never going to get the end, the edge, to be safe. It's never going to happen."

Instead, the government should concentrate on which agency or combination of agencies, such as FCC and the Homeland Security Department, should coordinate with ISPs, Lewis said. They should cooperate to ensure that customers, including federal workers, are supplied almost automatically with the best defenses against malevolent intruders.

An example of the need for such proactive tactics is the shift from attacks against networks to botnets. Botnets -- organized by cybercriminals -- invisibly hijack multiple Internet users' computers or mobile devices to spread content that steals personal information through the users' communications with others.

"We've seen less attacks on the Internet, or at us, and more using us to go after financial gain," said Ed Amoroso, senior vice president and chief security officer for AT&T. "The threat that seemed so real two or three years ago around attacks at infrastructure really in two years has changed."

Studying past attacks to defend against future threats, therefore, may not be productive, he added. "It's hard to lay out a concrete set of best practices and follow it because what we do is so fluid that we have to be willing to take the playbook and throw it out and start a new one the next week or the next month, depending on what the threat is." Amoroso said that today he is obsessed with how botnets are affecting his customers but tomorrow he could be worried about vulnerabilities with different risks and fixes.

A more effective approach for protecting government and private sector computers would be practicing solutions to worst-case scenarios, the panelists said. "Have you had a day yet where you came in and you had a directive at work, where it said: 'Don't turn on your Blackberry . . . It's probably infected. If you do, all this awful stuff is going to happen,' " Amoroso said. "And you would go, 'Ok, what do I do?' "

The government has not discussed those sorts of situations, he said. "I think this idea of preparing for a battle that we can't define today is the way we need to start to operate," Amoroso said.

But other participants said there are some strategies to reduce risks that government and industry should immediately carry out.

"It's true that this problem is not going to go away. That doesn't mean we give up on trying to solve it," said Ari Schwartz, senior Internet policy adviser at the National Institute of Standards and Technology. He likened the situation to fighting fires. "We're never going to have an end to all fire accidents. But we can come up with different standards, different technologies, different policies that help us mitigate them," such as building codes and smoke alarms, Schwartz said.

Many preventive measures are expensive for ISPs to deploy across the country. That's where the government can step in to help, even without subsidies, which the industry generally opposes, panelists noted.

The federal government -- the largest U.S. consumer -- can wield its purchasing power to require that ISPs include security enhancements in all federal contracts. Such technologies include the Domain Name System Security Extensions (DNSSEC) protocol, a set of standards for identifying server addresses that ensures that when computers and mobile devices talk to each other, hackers can't misdirect their communications to fake websites.

If agencies bought only products that support DNSSEC, that would help the Web industry afford to develop the same protections for all products and services nationwide, said Andy Ellis, senior director of information security and chief security architect for Akamai, a content delivery company.

"That's not a subsidy. That's the government as a consumer, saying, 'We feel that level of security is important for us and therefore we'll pay for it,'" Ellis said. "When the government decides to do that, people will build it. And once you've built a technology, you're really happy to go sell it to everybody else."

Source: Observers recommend broader role for government in cybersecurity, Aliya Sternstein, NextGov, Retrieved on November 9, 2010 from