The majority of U.S. government websites miss DNS security deadline
January 23, 2010
According to various reports, about 81 percent of large U.S. federal agencies have failed to meet a Dec. 31, 2009 deadline to fully deploy new technology that would make it a lot more difficult for potential hackers to spoof their Web sites.
Only 19.3 percent of U.S. government agencies were found to have fully secured their DNS servers with the new measure, which is known as DNS-SEC, or DNS Security Extensions. A study by Domain Name System vendor Secure64, which researched no fewer than 362 government agencies to see how many had digitally signed their .gov domains, has confirmed the report.
DNS-SEC uses 128-bit public-key encryption technology and digital authentication to prevent the kinds of DNS cache poisoning attacks researcher Dan Kaminsky warned of in the summer of 2008.
The way the new technology works is that it digitally signs each step in the hierarchical DNS structure, making it significantly harder for miscreants to spoof the servers that translate domain names into numerical IP addresses.
The overall threat of DNS cache poisoning was lessened by some minor changes implemented in the spring of 2009 that added more randomness to DNS queries.
However, that measure didn't eliminate the vulnerability entirely, and there is still considerable risk that a DNS server can be 'poisoned'.
Ironically, the Obama Administration's failure to meet this critical cybersecurity deadline comes at a time when dozens of U.S. companies including Google, Yahoo and Adobe have all reported cyberattacks by Chinese hackers.
"The 19.3 percent number is believable," says Paul Hoffman, Director of the VPN Consortium and an active participant in DNS-SEC standardization efforts at the Internet Engineering Task Force. "NIST has been working on DNSSEC, but the individual agency IT departments aren't doing anything about it. DNS-SEC is simply not a priority for now."
Government officials declined to say why the agency hasn't enforced the DNS-SEC deadline for executive branch departments.
"The Dec. 31st deadline was a little aggressive," says Steve Crocker, an Internet pioneer who is CEO of Shinkuro, an Internet security company engaged in DNSSEC-related work. "I would take it as a very positive sign that there was any movement at all. What I'm hearing is that of the many, many things that all the federal CIOs are forced to pay attention to, DNSSEC is one that is likely to get attention in 2010."
With specific regard to the encryption of DNS databases, the government is committed to data protection and integrity. The steps taken to date by departments and agencies are being evaluated for their effectiveness.
Crocker says, however, that it's realistic for the majority of federal agencies to support DNSSEC in their .gov subdomains by the end of this year.
He added, "Missing the mark by one year is pretty good news in this business. There is a gradual tightening of Internet security going on up and down the protocol stack. DNS-SEC isn't the be-all-and-end-all, but it's an important part. The technical community has been working on DNSSEC for about twenty years now. The top part of .gov is signed, and now we're seeing the other pieces coming along."