5 Years After Major DNS Flaw is Discovered, Few U.S. Companies have Deployed Long-Term Fix

Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC ) to alleviate this threat.

By Carolyn Duffy Marsan
Tue, January 29, 2013

Network World — Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC ) to alleviate this threat.

In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.

While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks.

[ SCHOOL DAYS: 10 top colleges for tech CEOs ]

Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is miniscule.

Recent surveys conducted by DNS vendor Secure64 show little deployment of DNSSEC:

None of the top 100 major U.S. e-commerce companies tested by Secure64 was using digital signatures to sign their zones, nor were any of these organizations validating DNSSEC queries. Although popular top-level domains including .com are signed, none of the 100 e-retailers tested including Amazon.com had established a chain of trust, or verified electronic signatures, at each DNS lookup node.
One out of 384 worldwide financial services companies tested by Secure64 was signing its zone, and none had established a chain of trust. The financial services firm that showed signs of DNSSEC deployment was the quasi-federal organization Sallie Mae.

"For whatever reason, the importance of securing their DNS has not raised itself up to a high enough level of priority for these organizations," says Mark Beckett, vice president of marketing for Secure64. "Perhaps they don't know there is a hole in the DNS and that if it is attacked, their customers could have their personal or financial information compromised."

A similar survey conducted weekly by the National Institute of Standards and Technology indicates that only 10 out of more than 1,000 U.S. industry websites have fully deployed DNSSEC. DNSSEC pioneers include Comcast, Data Mountain Solutions, Infoblox, PayPal and Sprint. Another nine websites -- including those operated by Dyncorp, Simon Property Group and Juniper Networks -- demonstrated partial deployment of DNSSEC in the NIST survey.

"The tools and other functions are there to do [DNSSEC]," says Chris Griffiths, director of high-speed Internet engineering at Comcast, which deployed DNSSEC a year ago. "I know that other folks are looking at it. ... In general, people are in the planning stages and at this point they probably need to move that along."

1 2 3 next page »

Originally published on www.networkworld.com. Click here to read the original story.

More from CIO

You are here: Technology Topics » Security » News

Most Recent Security Stories

White Papers »

2012 Confidential Documents at Risk Study by the Ponemon Institute

This study, which surveyed 622 IT and security practitioners with an average of more than 11 years of experience, answers this question.

IDC: Benefits of Unified Endpoint Data Management in Embracing BYOD

This report describes how a unified approach to endpoint data management addresses the challenges IT faces with BYOD and the consumerization of IT.

Inquiry Spotlight: Consumer-Facing Identity

The challenges of consumer-facing identity management, access management, and authentication differ in ways subtle and dramatic from those of the employee-facing variety.

Top 10 Endpoint Backup Mistakes

When considering endpoint backup options, be sure you're making the right decisions. Protecting data on endpoints has become more challenging because of recent trends like exponential data growth, the rise in endpoints, BYOD, and SaaS applications.

8 Must-Have Features for Endpoint Backup

Save IT time and maximize user productivity by choosing the right features. Protect corporate data while benefiting administrators and users.

Gartner Critical Capabilities Report

Gartner rates Druva "Excellent" for endpoint backup in Critical Capabilities report. Given the rise of mobility and BYOD, endpoint backup must evolve to meet the unique needs of the mobile & office workforce.

Webcasts »

Customer Success Video (State of Michigan)

Learn how the State of Michigan is utilizing DeepSight security intelligence to protect critical infrastructure.

PGI Customer Success Video

Learn how PGI is using Symantec Managed Security Services to protect their systems, while allowing them to focus on running, and building, their business.

Simplifying the Complexity of Mobility: A Holistic Approach to Develop a Mobile Enterprise Strategy

Simplifying the Complexity of Mobility

Vblock Specialized System for SAP HANA

Overview video from DJ Long about the new Vblock Specialized System for SAP HANA.

ActiveSync on BlackBerry 10: What Does it Enable?

Find out how ActiveSync works with BlackBerry® 10 to enable basic security and device management features. See what's involved in setup. And learn about BlackBerry® Enterprise Service 10, for full Enterprise Mobility Management.

Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs

SAM: A must have IT tool to help reduce costs and minimize business and legal risks.