The evolution of DNS

DNS, that is the Domain Name System protocol and services, is a fundamental pillar of Internet since it allows to resolve domain names in IP addresses. Recently the number and severity of attacks to the DNS infrastructure have increased noticeably (see for example this US-CERT Alert). At the same time, the discussion on who should manage and how this global infrastructure should be managed, keeps expanding.

Alternative proposals to the ICANN overseen global DNS infrastructure have appeared, starting from the “.onion” hidden TOR domains to, among others, the more recent OpenNIC project and the Blockchain-based BDNS system.

The security and privacy of Internet access and navigation depend crucially on the resolution of domain names to IP addresses. Even if the deployment of DNSSEC will help to improve security and privacy, it is badly needed to give more consideration DNS and help designing a forward path for it as a global service which must be able to guarantee access, privacy, security, integrity, fairness etc. It is a lot to ask, but we will really need it.

Monitoring Outgoing Traffic to Detect Intrusions

Monitoring outgoing traffic to detect intrusions in IT systems is not a new concept but often it does not seem to be enough appreciated, understood and implemented.

IT security defences cannot guarantee us against every possibile attack, so we must be prepared to the event of an intrusion and to manage the associated incident.

The first step in incident management is to detect an intrusion. Traditional tools like Anti-Virus, Intrusion Detection/Prevention Systems (IDS/IPS) etc. do their job but they can be bypassed. But intrusions can also be detected by monitoring the outgoing traffic.

In my recent personal experience, some intrusions have been detected and stopped because the outgoing traffic was monitored and blocked. Since the deployed malware was not able to call back home, it did not do anything and there was no damage; and since the outgoing traffic was monitored, the intrusion was immediately detected.

But monitoring the outgoing traffic to detect intrusions is becoming more and more difficult. For example attackers are adopting more often stealth techniques like using fake DNS queries. An interesting example has been recently described by FireEye in “MULTIGRAIN – POINT OF SALE ATTACKERS MAKE AN UNHEALTHY ADDITION TO THE PANTRY” . In this case, malware is exfiltrating data by making DNS calls to domains with names like log.<encoded data to exfiltrate>.evildomain.com . Obviously the DNS query fails, but in the logs of the receiving DNS server it is written the name of the requested domain, that is the data that the malware is exfiltrating.

As attackers are getting more creative to hide the back communication between malware and their Command & Control services, IT Security will need to devise more proactive approaches to monitoring and blocking outgoing traffic.

Social Engineering, Password Reset and DNS Hijack

The DNS provider Web.com has been subject to a Social Engineering attack which allowed a pro-Palestine hacking gang to successfully reset the password of a few important customers, and use the new password to change the resolution of their domain name to other sites. See for example here for a description of the attack.

Again and again, as of today the technical side does not look to be the weak side of  ICT Security. In particular cryptography is sound and reliable, and many technical ICT security products deliver what the promise.

On the other side, username + password show another time how much inappropriate they are to support our current security needs. But what can we use instead?

The general problem lies mostly in our ability to make a system “secure” by including logical, physical and procedural measures to give a 360 degrees protection. Indeed, the security level of a system is that of its weakest point, which for most systems means that they are really insecure.