Modernizing Authentication — What It Takes to Transform Secure Access
The most relied upon parts of our daily lives tend to be taken for granted. So it's no surprise then that everyone's placid existence suddenly flips to sheer horror and panic when they prove to be capable of harming us in some irreparable ways.
Online, the ongoing DNS debacle has shaken some faith in what we've relied on for so long.
The Domain Name System provides a simple service which has made the World Wide Web a very accessible and inviting place for the over a billion or so web surfers around the globe. Its task is to automatically translate easy to remember domain names such as EnterpriseITPlanet.com into their much more machine-friendly IP address (188.8.131.52). It's a heck of a lot more convenient for end users and has served this task very capably for years.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iIt's all been going on swimmingly well and quite transparently for everyone simply surfing around. That is until one security analyst by the name of Dan Kaminsky stumbled on the flaw and a technique that could exploit it much faster than before. His basic overview of the problem can be found on his blog.
In simple terms, he found a way that could allow malicious individuals or groups to blast away DNS responses to affected software for a site's subdomain and get their version of IP addresses to stick for any particular requested DNS query on that domain. It all gets very messy when you consider that most everyone blindly trusts any and every legitimate website they call up. Given that this attack vector could seamlessly sneak in false responses to for any domain, all sorts of bad things can go down.
An example of a large threat would be for online banking services, which could have their IP addresses silently changed on an affected ISP's DNS server. Customers requesting to visit their banking site are pointed at a different server, enabling unsavory individuals to set up a copy of the official site and pull in account information from anyone using a compromised DNS entry. It's a scary example but it could extend far beyond simple customer access to banking funds into security threats for all manner of companies with a web presence.
How it Hit the Fan
Security researchers walk that fine line of wanting to give companies a bit of time to work out flaws in their systems before they release any information. It makes them a hero and prevents large-scale exploits from popping up suddenly. The alternative would be releasing the details and seeing the crippling effects on the community while earning themselves quite a few enemies in the process.
Unfortunately there are some cases where there's a bit of jumping the gun, which leads to a few tense days as everyone gets up to speed and begins deploying hastily put together patches. Software vendors have been keen on getting this particularly worrying exploit fixed in a hurry, so much so that the PR horn tooting has been kept to a minimum although you'll no doubt find third party software being touted as the one true fix.
It has not all gone well.
Reports of poor performance after installing fixes and a bit of a delayed reaction on the part of at least one major vendor has probably left quite a few server admins dazed and confused. OpenDNS had been an early source of hope, sporting its own flaw-free DNS resolving capabilities.
The good new so far has been that the right people have been taking this seriously and the flaw's effectiveness has been somewhat limited by all of the updates floating around for the respective software running on DNS servers. There are always those who are slow on the uptake, though, and their results can't be trusted. Thankfully there are handy tools such as DNS-OARC's DNS randomness test that will check to see if your current DNS server is sufficiently random enough with its queries to other servers so as to limit its vulnerability.
This one was a nail-biter. It had all the makings of a large-scale disaster but it seems like everyone has dodged a major bullet. The experience has sparked renewed calls for improved security in the form of DNSSEC. But if history is any guide, companies will likely be happy to trudge along with yet another Band-Aid on the patchwork of temporary fixes that is the current state of the Internet.
Which begs the question, "What's next to watch out for?"
This article was first published on EnterpriseITPlanet.com.