August 18, 2009

3 minutes on TV News

No, it wasn't 60 minutes... it was just 3 minutes... on Denver's TV2, "the Deuce".  I was invited for an interview on Nina Sparano's INTERNET CAFE to talk about what the department of homeland security is up to to protect cyber-space. 

It isn't possible (or even appropriate) to go into deep technical detail on a TV session for a general audience.  So I gave a quick overview of the problem of DNS hijacking.  Homeland Security has been really concerned that the fundamental layers of the internet are vulnerable to attack (BGP & DNS being the 2 chief interests).  The fact is, you can put up all the firewalls, IPS and other protections on your web or email, but they won't do any good if people don't even get to you because your domain has been hijacked.

So I gave a quick overview of the problem:  What it is, what happens, why it is so bad...  Then a brief bit on the security extensions DNSSEC that the DHS has been helping to fund and promote.  Finally, who's deploying it (.gov is the poster child, as well as .org and others) and how it will roll out over the next couple of years. 

It was fun, and seemed to go well.   And it really makes you think when you have to delete all the techno-babble and boil the conversation down into the fundamental questions and motivations and priorities.  Maybe this is an exercise for any technical pundit to do now and then.  Talk technology without going into the technology details.  See if it plays in Peoria.  Or Denver. 

Here's TV2's blog on the story.

Posted by Joe Gersch at 10:22 AM | | Comments (1) | TrackBack (0)

|

August 11, 2009

DNS attack or DDoS attack? Waddayathink?

Yesterday I said I had my doubts that the Twitter situation was a DNS attack because a lot more sites than Twitter would have gone offline.  (comment was posted at Byron Acohido's blog.)  DNS is like that.  DNS servers serve up the IP addresses of LOTS of sites from a single server, not just one.

So, I did a DIG against twitter.com and found out that it was hosted by DYNECT (DYNDNS).  Tom Daly of DynDNS and I have conversed in the past, and he had written to us at Secure64 that they weren't under attack.  He even posted some comments about it http://dynamicnetworkservices.com/journal/AboutDDoSAttacks.

 I can't agree more that people seem to confuse DNS attacks with DDoS attacks in the press.  Probably because that letter "N" looks so much like that letter "o".  Or not. 

So it will probably still be awhile before we get some real data from twitter about what really happened.

On a related subject:  There's been some comments on CircleID  about how unlikely it is that this was a political DDoS attack against one person. 

Posted by Joe Gersch at 03:52 PM | | Comments (2) | TrackBack (0)

Technorati Tags: , ,

|

August 10, 2009

He's ba-a-a-a-a-a-ackkk; twitter twitter

Wow!  It's been way too many months since I've written anything here.  My bad.  I'd make lame excuses about being busy and traveling and such, but such is life.

Recent news:  I actually got invited to be on the local news in Denver for a short live interview on the twitter outage.  It was fun!  I actually had people write to me to say they saw me on TV.  How cool is that? 

And the subject:  why should people care about DDoS attacks against twitter.  And in 3 short minutes on the air, I explained that twitter isn't just a social networking site, that it is becoming a legitimate communications medium -- witness the reports about demonstrations in Iran that came from facebook and twitter.  When you pick up the phone, you expect a dial tone.  What if it isn't there?  When you tweet, you expect it to work.... and what if it isn't there?  Besides, it's not just twitter.... DDoS can be directed against anyone's servers.  It's not common, but it is nasty.  So don't just look at someone else's misfortune, look at what would happen to your business if your DNS were to get DDoS'ed.  And don't wait for it to happen, it's too late by then.  Do something about it now. 

It's too bad security isn't an issue until after you're attacked......

Next.... what really happened at twitter?  What got attacked?  There are some conflicting reports out there.

Posted by Joe Gersch at 02:32 PM | | Comments (0) | TrackBack (0)

|

February 20, 2009

Kaminsky at Washington Blackhat: DNSSEC is needed

Dan Kaminsky spoke again at Blackhat/Washington about the dangers lurking in DNS, and this time he spent more time talking about DNSSEC.  He even mentioned our company, Secure64, because he feels that to make DNSSEC more widely deployed, we need to AUTOMATE, AUTOMATE, AUTOMATE.   We couldn't agree more!  A summary of his speech is in this article in Internet news .  For the time being, a complete copy of his presentation is at his doxpara.com web site.

It's well worth looking at Dan's slides because he goes into a lot of details and stories about not only how things can go wrong, but jut how wrong they can go.    And he calls a spade a spade.  About signing the root, about Trust Anchor Repositories, about the technical and political barriers to widespread adoption. 

But he posits that these are just temporary issues -- they are solvable.  DNSSEC can and must be widely deployed.  It's great to see Dan taking on more of an evangelist role!



Yup. 

Posted by Joe Gersch at 03:25 PM in Current Affairs, DNS / BIND / DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

February 18, 2009

Putting Wood Behind the Cyber-Security Arrow

Whether you agree or disagree with the recent legislation for stimulating the economy there are going to be some interesting outcomes.  As an example, the homeland security department is getting much more funding to address issues such as airport security technologies as well as CYBER-SECURITY.  This recent headline from HSWire (a homeland security journal) talks about the need to do more:
(click on the headline to see the whole article):

U.S. under growing cyber attacks

Published 18 February 2009

The number of cyber attacks on U.S. government computers and networks grow; there were 5,488 tracked incidents of unauthorized access to U.S. government computers and installations of hostile programs in 2008, compared to 3,928 such incidents in 2007, and 2,172 in 2006

Yesterday, Joe wrote about putting some wood behind the arrow.  This funding is certainly a good start.

Joe also mentioned that we had attended a number of national meetings regarding technologies and priorities for national cyber-security initiatives.  At these meetings we emphasized that complexity can be the enemy of security, and that today's operating systems are too large and too complex to even be capable of "security hardening".  Our belief is that genuinely secure operating systems need to be deployed in critical infrastructure.  Hardening will never be sufficient.   I was interviewed on this topic by the SANS Institute on this topic a couple of months ago.  To see the interview about fundamamentally secure operating systems, see this SANS article.

--all the best, Bill Worley

Posted by Bill Worley at 02:43 PM in Current Affairs, Operating Systems, Standards, Vulnerabilities | | Comments (0) | TrackBack (0)

|

February 16, 2009

Obama does Cyber-Security!

I find it remarkable that we now have a U.S. President who is technically savvy.

 He is blackberry-addicted, knows how to use email, recruits volunteers and mobilizes people using the web as a tool... and is actually AWARE that CYBER-SECURITY is an incredibly important issue.  Wow!

It was heartening last week to see an article on the front page of the Wall Street Journal mention the appointment of Melissa Hathaway as the cyber-security czar for the national security council.  That's the POPULAR PRESS talking about cyber-security.  The technical rags are writing about it as well, here's on in E-Week "In the Obama Era Routing has to Change, Too

Over the last couple of years there have been a lot of preliminary meetings on improving our nation's cyber-security infrastructure.  Bill Worley and/or I have attended meetings at Sandia, MIT, Johns Hopkins, let alone Blackhat & Defcon.  Those meetings set the stage; now is the time to put some wood behind the arrow.  Thank you Mr. President! 

But... will we throw away everything and start all over, as mentioned in this NY Times article?  Or will we make the existing net safer, as mentioned in the CircleID blog posting?

Mostly I see an evolutionary approach, but with a few disruptive technologies thrown in from time to time.  And because of this belief, I am very glad to see that these articles are emphasizing two of my favorite topics on shoring up the existing internet -- by solidifying DNS and BGP with DNSSEC and BGPSEC.   Sure there are lots of other security holes in the internet, but these two need attention quickly. 

Keep it up Mr. President.  Change we can believe in. 

Posted by Joe Gersch at 04:07 PM in Current Affairs, DNS / BIND / DNSSEC, Vulnerabilities | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

|

January 19, 2009

Homeland Security does Cyber Security!

Homeland Security has some really good programs regarding cyber-security.   This article in NETWORK WORLD emphasizes two of them:  BGP security and DNS Security.  Doug Maughan, the program manager highlighted in the article, has been leading these efforts at DHS.  He certainly deserves the credit -- he's been a leading force behind DNSSEC development and commercialization for years.  He funded efforts at Sparta labs to develop DNSSEC tools and also partially funded the project at my company, Secure64, to commercialize an automated DNSSEC signing appliance.

He has also funded the research program at CSU led by Dr. Dan Massey to monitor and alert BGP hijacking attempts. 

All of this is good stuff, and I'm glad to see Doug get the attention that he greatly deserves.  Now let's hope that the incoming federal government funds even more of these efforts.  The priority for developing and commercializing fundamental cyber-security technologies is really important.

Posted by Joe Gersch at 10:05 AM in DNS / BIND / DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

January 07, 2009

Happy New Year!

I just got off a world-wide phone conference with the DNSSEC deployment working group.  There was a good discussion on getting DNSSEC more widely deployed, including barriers and accelerators.

A big issue that people were worried about was the publication of TRUST-ANCHORS.  How do people know they are trustable?  Where do you go to get trust-anchors?  How do you publish to a trust anchor repository?  Should the registrars be involved?

So... let's be pragmatic and proceed with baby steps. 

The TAR-fetcher program I mentioned in an earlier posting should be easily installed by a typical ISP using YUM or some equivalent installation program.  When the program runs, it should allow some simple configuration settings to say which TARS it should fetch.  (I call this "small", "medium" and "large")  Now comes the baby steps...

To start, an operator wants to verify that nothing has broken by turning on DNSSEC.  Only a few trust-anchors should be installed (maybe .gov, .org, .se and a few others).

After a trial period, the operator could change the configuration to "medium", which would include more trust anchors.  Finally, "large" might include the trust anchors associated with .com or other miscellaneous anchors.

These baby steps allow for incremental optimization and experimentation... on a widespread basis with thousands of ISPs, enterprises and institutions. 

As far as TAR-fetcher programs go, the auto-trust program from nlnetlabs (www.nlnetlabs.nl) is something worth looking at.  Paul Wouters from Xelerance has proposed a utility program to configure and prime DNSSEC.  I'll experiment with that and let you know the results in a future posting.

Posted by Joe Gersch at 09:26 AM in DNS / BIND / DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

December 18, 2008

removing risk or adding value: the bipolar nature of DNSSEC

People don't like to buy insurance.  But they continue to buy insurance because they have to.  They must deal with risk, be it for medical insurance, life insurance or whatever.

The most interesting insurance salesman I ever heard about would drive a hearse when visiting potential life insurance clients.  Although it's macabre, he made his point on dealing with risk....

But people still won't buy insurance if they don't have to.  Or they don't buy enough.

Up until now, DNSSEC has been sold like an insurance policy.  It's there to reduce risk. You don't want bad things happening to good people, and you certainly want to protect people from fraudulent web site hijacking.

But DNSSEC is NOT just about dealing with risk.  It can be about adding value as well. People are much more willing to spend time and money on something that brings value than on just buying an insurance policy.

What kinds of things can DNSSEC enable?  Well, think about DNS as the world's largest public data base.  It can contain other things besides internet addresses.  Examples include certificates, SSH fingerprints, text records and so forth.  Once the DNS can be trusted (that's where DNSSEC comes in), all sorts of killer apps can be developed to provide positive value to end users.  Ideas have been proposed for anti-spam, and identity management for SSH logins.  There are ideas for iPhones and BlackBerries, not just laptops.  

Once the DNSSEC infrastructure begins to scale up, keep an eye out for these new DNSSEC-enabled applications.  At that point DNSSEC will be much more than just "removing the negative".... it will be about "adding the positive"  -- as in positive value creation.  Now that's a market-maker!

Posted by Joe Gersch at 01:15 PM | | Comments (0) | TrackBack (0)

|

December 10, 2008

DNSSEC Awareness

Earlier, I wrote about making DNSSEC deployment happen more widely by separating out the work for DNSSEC signing (the "transmitters") from DNSSEC validating resolvers (the "receivers").  Baby steps are going to be needed to get each side of the equation working, and to eventually build up to a huge deployment.

The activities necessary to get the "receivers" ramped up are: awareness, education, easy-trust-anchors, and diagnostics.  Last-time I wrote about easy-trust-anchors.  Let's go back to awareness & education.

I wrote to the author of the "DNSSEC in 6 minutes" but haven't heard back yet.  I hope to hear soon, but if not, I'll develop my own document.  The cookbook can be quite simple, especially if it references the TAR retrieval scripts.  But how do we get people to know how to do this?  This is the AWARENESS issue.  And maybe INCENTIVES, too...

For starters, we can work with the DNSSEC deployment working group, chaired by Jim Galvin.  There's bound to be good ideas to get wide distribution of the cookbook. 

A new group, the DNSSEC Industry Coalition, has also just formed, as written up in this NetworkWorld article.  As a member of this group, I am thrilled that we are talking about using DNSSEC for more than just protecting against cache poisoning, but using secure DNS to enable new killer applications such as anti-spam and other ideas.  This type of thing might provide the INCENTIVES to get the masses rolling.  Getting registrars involved in the education process will surely help, and that is a major focus of the industry coalition.

In the meantime, if you have any ideas on awareness and education, send them to me and I'll pass them on to the group.

Posted by Joe Gersch at 05:05 PM in DNS / BIND / DNSSEC | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

Next »

Enter your email address:

Delivered by FeedBurner

About

Disclaimer

  • All views and opinions expressed on this blog belong to me, the author, and are not those of any current or past employers, investors, or anyone else.

Categories

Resources

Blogroll

Archives

Misc

  • Add to Technorati Favorites
Blog powered by TypePad