Will DNS threats finally undo organisations, or are they ready to take control?

codeThe Domain Name System (DNS) is one of the least understood but most crucial parts of any IT environment. Although it’s operated via a global network of servers under the control of ISPs, non-profits, registries and others, attacks can strike to the heart of any organisation. DDoS, phishing, malware downloads, C&C communications and even data exfiltration can all take place via DNS channels.

Because it’s always on and running in the background, converting domain names to IP addresses so users can surf the web, it’s a great conduit for attackers. But that also makes it a useful place to gain advanced insight and control. I spoke to a range of industry experts on the key challenges and opportunities facing firms.

A new favourite

DNS attacks are becoming increasingly popular with nation state hackers. Sea Turtle and DNSpionage campaigns over the past couple of years have targeted Middle Eastern governments and military organisations. They typically compromise key DNS servers, and change the queries stored in them to enable man-in-the-middle phishing attacks designed to secretly steal important passwords. Part of the problem, according to Nominet’s head of IT security, Cath Goulding, is that the protocol is decades old.

“DNS was designed nearly 50 years ago. The people who created it could not possibly imagine the threats that we face today,” she tells me via email. “The advanced malware that we see could not be conceived 50 years ago, so DNS was not designed to defend against it. Humans simply can’t manually monitor the amount of data that passes through it, so we must rely on algorithms and machine learning to keep us safe.”

Gary Cox, technology director for Western Europe at Infoblox, adds that DNS is increasingly being targeted by hackers as other avenues are blocked.

“DNS has become more and more popular as a result of other security gaps being filled – by things like next-gen firewalls, IDS/IPS systems, highly capable endpoint protection going well beyond just basic Anti-Virus,” he explains to me. “New attack vectors are continually explored and exploited, and the latest twist from a DNS perspective is that DNS over HTTPS (DoH) is now being used to circumvent DNS security controls.”

According to DNS pioneer and Farsight Security CEO, Paul Vixie, services like DoH “are well intentioned but policy-ignorant, and many threats to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service.”

Another example of a DNS bypass attack which has garnered an increasing number of headlines over the past year is DNS rebinding. In this attack, hackers first get victims to click on malicious links or online adverts, with rebinding techniques enabling them to bypass the network firewall and use the victim’s browser as a proxy to target any devices on this network. It’s predicted that this type of attack could become increasingly popular in compromising IoT endpoints.

What can we do?

So how can IT security leaders hope to mitigate the risk of a DNS-based attack? After all, with the DNS servers themselves usually out of their control, there’s a limit as to what they can do, right? Well, yes and no. Goulding argues that by using analytics services that search DNS traffic, organisations can turn the ubiquity of DNS to their advantage, using it as an early warning system to spot and block attacks before they’ve had a chance to impact the organisation.

“Utilising a DNS monitoring tool is the first step to mitigating the DNS risk,” she explains. “And while not every firm can afford high-level DNS protection, taking steps to ensure staff education is crucial, too. For many workers, they might not be clear what is and what isn’t a malicious link or malicious add. Ensuring staff have the tools they need to work out what might be malicious and what not be malicious will ensure company safety.”

ISACA board director, Asaf Weisberg, adds that DNSSEC should be rolled across the industry “to strengthen authentication in DNS, by using a DNS Zone’s private key to digitally sign the DNS data, and allowing the resolver to confirm the validity of the DNS data through a corresponding public key that is being retrieved as part of the DNS query.”

However, efforts thus far have been poor. It’s claimed that less than 20% of DNS stakeholders have adopted the specifications – a figure ICANN wants improving urgently. Without this kind of cross-industry response, DNS could remain a security blind spot for organisations for many years to come.


Internet of DDoS: IoT Botnets Lend Urgency to Anti-DDoS Measures

cyber attackThe past few days have once again pushed that cybersecurity staple the DDoS attack (yawn) into the spotlight. First Brian Krebs suffered what was widely trailed as the ‘biggest attack ever’, topping out around 620Gbps, and then a French hoster claimed it was submerged by an attack topping 1Tbps. The interesting point of the second attack is that it’s said to have been carried out by an IoT botnet.

What does this mean for organisations across the globe? You’d better start budgeting for extra spending on DDoS mitigation services. I spoke to Arbor Networks principal engineer, Roland Dobbins, to find out more.

IoT botnets are nothing new, he claimed. In fact, they’ve been used to launch not only DDoS but send spam, launch MitM attacks and more for several years. Even as recently as August, experts reported an IoT botnet used to try and take organisations affiliated with the Rio Olympics offline prior to the Summer Games. Other examples include cyber extortionists trying to take gaming networks offline.

So exactly why are these embedded computing devices so attractive to cybercriminals?

“Because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code,” Dobbins told me by email.

“A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all.”

Another problem is that IoT devices – which can range from webcams and DVRs to set-top boxes – aren’t typically things a user spends much time in front of, so it might not be obvious they’re being exploited, he said.

“There are tens of millions of vulnerable IoT devices, and their numbers are growing daily; they’re generally always turned on; they reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and their networks where they’re deployed often are high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device,” explained Dobbins.

Fighting back

So what can be done to mitigate the risk to businesses?

Best practice includes hardening network infrastructure, improving visibility into traffic and having adequate DDoS mitigation capabilities – none of which is going to be cheap, unless you’re lucky like Krebs and get protected by Google’s Project Shield.

“In particular, ISP and MSSP network operators should ensure that they participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks, as well as request assistance as circumstances warrant,” Dobbins told me.

It’s also important for operators to measure DDoS attack volumes against their baseline for normal traffic so as not to over or underestimate attacks.

“This is vital when determining which DDoS defence mechanisms and methodologies to employ during a given attack, as well as in providing accurate information to other network operators in the global operational community,” he concluded.

Stopping the attacks as they are fired out is all very well, but how about trying to shore up those pesky IoT devices which have become such a boon to cybercriminals? A new architectural approach has been proposed by a non-profit group known as the prpl Foundation. It suggests that a hardware-led approach is key to securing embedded computing devices. Its guidance document is a must-read for anyone interested in IoT security.

It sets out four key elements that are needed to improve IoT security:

Open source software which will improve the quality of code and increase the likelihood of timely security updates.

Interoperable standards to help to drive up the quality of engineering, especially in the connectivity layer which has frequently been exposed by researchers such as Miller and Valasek.

Secure boot based on a root of trust anchored in the silicon to prevent hackers from reflashing the firmware. This could have helped prevent the Ukrainian power outages of 2015 and potentially also SYNful Knock.

SoC virtualisation to containerise each software element running on the chip, keeping critical components safe, secure and isolated from the rest.

The prpl Foundation has already released its own hypervisor and other elements to make its Security Framework proposal a reality. But will the industry go for it?

Up until now the common perception has been that users prioritise usability and low cost over security. But according to a new report on the smart home by prpl, this isn’t the case. It polled 1,200 consumers across the globe and found that 60% thought the user should take control of securing the smart home. What’s more, a plurality (42%) claimed they would pay a premium for more secure devices.

So there it is IoT industry. Over to you.


China’s hacking problem: more sinned against than sinning?

hackerLast week I finished off an analysis of the China/cyber espionage stories that have been flying around in recent months, with a surprising conclusion – in many circumstances the country may well be as much a victim of attack as a perpetrator.

We are unlikely to ever find out the extent of state-sponsored cyber attacks on the US and its allies, although thanks to several high profile reports which name and shame Beijing it’s clear that the tip of the iceberg is well and truly showing.

However, we can be more clear about how secure or otherwise China’s IP address space is and make some general observations.

I spoke to several information security experts about this and they were all in agreement that China is a particularly attractive place to launch attacks from, simply because there are so many compromised PCs as well as enough bulletproof hosting firms there to use with impunity.

HKCERT senior consultant, SC Leung, explained to me how compromised computers, of bots, in China are helping cyber criminals from outside the country.

“The zombie computer, or bot, steals the data (using its IP address) and sends it back to the attacker. When tracing the compromise police can only find the bot computer IP address. The attacker can further command the bot to send the data to Dropbox or a third party forum, and then retrieved it directly or indirectly.  This long chain of investigation of different servers (probably in different jurisdictions) hampers the investigation.” 

It’s also worth mentioning that not all attacks are being carried out by external forces to compromise Chinese IP addresses which are then used as a staging point to attack other countries. China has a massive internal problem with home-grown cyber crims targeting their own – stealing data, IP, bank credentials and even blackmailing by DDoS or other means.

It’s interesting to note that a week or so after I published this story, the FT ran an interesting piece which reached the same conclusions, claiming that the government is failing to provide coherent oversight on information security matters and that the forensics industry is virtually non-existent in China.

Apart from changing these two problems, there needs to be greater user education and awareness to ensure fewer PCs are vulnerable to outside attack, and a crack down on bulletproof hosters.

At the moment, the Party seems to be happy to close down porn sites in high profile raids, willfully censor its citizens and hit out at any US accusations of cyber subterfuge, but not to get its own house in order.

Cleaning up its address space first would would surely improve China’s standing internationally and may even help foster more cross-border co-operation, rather than the relentless mud-slinging of late.