One of the more embarrassing revelations from last week's RSA Security conference in San Francisco was that bigger businesses take longer to discover security breaches. The DNSChanger Trojan, which was in the wild in 2009 and whose proprietors were busted last November, is still leaving damage behind in government systems days before a scheduled deadline (now extended) for it to have been eradicated.
And yet the DNS changing malware - so deceptively simple it can't even legitimately be called a hack - may yet be undetected in targeted systems. At RSA last week, SANS Institute Faculty Fellow Ed Skoudis, a world-renowned author in the anti-malware field for over two decades, reiterated the dangers of leaving the DNS command and control channel open to outside influence.
A rumor repeated enough times on the Web is too often given the same status as truth. Then, by the time the rumor is discredited, the story is old and dead anyway, and the next rumor has taken hold. Take the case of the DNSChanger Trojan. Last November, as RWW's David Strom first reported, the FBI indicted seven men suspected of involvement with an Estonian malware distribution firm. That malware, which plagues U.S. Government systems to this day, simply changed PCs' DNS server settings to point to those operated by the firm. And that firm directed unsuspecting users to sites containing ads that the firm hosted, and allegedly profited from.
Naturally, you'd want to shut that down. The problem last November was, doing this would disrupt Internet service to users worldwide, including government systems believed to have been targeted. So the FBI sought and received a court's permission to have a well-respected non-profit group run legitimate DNS servers at the same addresses, up until the addresses changed by the Trojan could be replaced. That lease was set to expire tomorrow, and as it turned out, it wasn't enough time. Sensationalist news sources just love a countdown - if it's ticking, it must be a time bomb.
OpenDNS today announced a technology preview called DNSCrypt for Macs that use its DNS services. Think of this as doing for the DNS protocol what HTTPS does for the Web protocols. Like its mainline service, it is freely available, and Windows and Linux versions are promised for next year. You can download the code here for the Mac OS. They will eventually post all of their code on GitHub for public scrutiny.
The Internet Systems Consortium (ISC) is reporting a major vulnerability in BIND 9, with an apparent exploit in the wild. According to the announcement, servers running BIND 9 and performing recursive queries should upgrade immediately.
The actual exploit for this vulnerability is not yet reported. ISC says that it will cause a resolver to cache an invalid record, then crash when responding to queries that request that record.
If you ever needed ammunition for your management about getting better network-based defenses for your enterprise, a new study by F5 Networks should help you. Earlier this fall, the company asked 1000 IT managers from around the world about their existing security measures and the cost of various exploits that they have observed over the past year. Strikingly, 100% of them have observed DNS attacks and nearly as many have observed denial of service attacks, both of which are worrisome.
His vision was to internationalize the oversight body of the Internet naming system, to structure it less like a spider and more like a starfish. (A starfish, you see, can regrow lost limbs.) To some extent, the dashing security expert Rod Beckstrom has accomplished that as President and CEO of ICANN since mid-2009, most notably by removing the U.S. Dept. of Commerce from its direct oversight role over ICANN.
Come the end of his term next July, Beckstrom will leave the President and CEO role of ICANN, presumably to resume his career as a world-renowned security expert. But in the twilight period of his term he may have to fight at least two more significant battles, neither of which may conclude before his departure. First and foremost is ICANN's adoption of a controversial generic top-level domain (gTLD) plan for the domain name system - one which would give any applicant with $185,000 to spare (PDF available here) a new root domain of its own alongside .com, .net, and .org.