Security Watch

Kerberos 4, No More

MIT drops support for Kerberos 4; DNSSEC; port scans; AIM worms and fraudulent Whois records.

Hacking
The Massachusetts Institute of Technology has announced that it will be discontinuing support for Kerberos 4. It gives two primary reasons: the U.S. National Institute of Standards and Technology has withdrawn the Data Encryption Standard, the only cipher Kerberos 4 supports, as an approved encryption standard, and a variety of spoofing attacks against Kerberos 4 authentication could allow anyone to authenticate as someone else. Both issues have been documented extensively in a variety of sources.

Adoption of DNS Security Extensions (DNSSEC), the “next generation” of the Internet’s Domain Name System, isn’t getting the attention that many security experts would like it to. The most commonly cited reason is the lack of a motivating driver: there has been no widespread, consumer-visible spoofing attack on the DNS that DNSSEC would demonstrably have stopped, so deployment hasn’t taken priority.

SSL is used in virtually all online monetary transactions, but the value of signing DNS data has yet to be demonstrated. DNSSEC lets a validating resolver verify that a DNS answer was signed by the zone’s operator, so a browser could be sure that the address it was handed for a site is the one the domain owner actually published. However, history has shown that consumers cannot make such a determination from SSL certificates, and there’s little reason to believe they would fare any better with signed DNS data.

The most obvious problem is a lack of user education. If a site’s DNSSEC validation failed, the browser should refuse to load the domain at all, taking the decision out of the user’s hands. However, no such capability exists within the browser. Furthermore, so few sites have deployed DNSSEC that enforcing a signed-only policy at, say, a corporate DNS server is not an option either, since the vast majority of Web sites would be disallowed. In the words of one Cybertrust expert, “It’s a chicken and egg problem: Until they’ve got the DNS environment mostly DNSSEC, it’ll be difficult to see its value.”
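What a validating resolver actually checks, as an added example that is not from the column or from Cybertrust: the zone operator signs each record set with the zone’s private key, the resolver verifies the answer against the DNSKEY it trusts for that zone, and any answer that fails is refused rather than handed to the browser. The zone name, addresses and keys are invented here; the canonical form being signed is a readable stand-in for the RFC 4034 wire format rather than the real thing; the signing algorithm is Ed25519 (added to DNSSEC long after this column, used here because Go’s standard library provides it); and the chain of trust from the parent zone down to the DNSKEY, which is what makes the “chicken and egg” problem real, is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is one DNS resource record, reduced to the fields a signature covers.
type RR struct {
	Name string // owner name, e.g. "www.example.com."
	Type string // record type, e.g. "A"
	TTL  uint32
	Data string // RDATA in presentation form, e.g. "192.0.2.10"
}

// RRSIG carries the signature a zone operator publishes alongside an RRset.
// Only the signer name and expiry are modelled from the real record.
type RRSIG struct {
	Signer  string // zone whose DNSKEY signed the set, e.g. "example.com."
	Expires uint32 // Unix time after which the signature is no longer valid
	Sig     []byte
}

// canonicalRRset is a readable stand-in (an assumption of this example) for the
// RFC 4034 canonical form: the RRSIG fields the signature covers, then the
// records with lowercase owner names, sorted by RDATA so that answer order
// cannot affect the result. Real DNSSEC signs a binary wire encoding.
func canonicalRRset(rrs []RR, sig RRSIG) []byte {
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Data < sorted[j].Data })
	var b strings.Builder
	fmt.Fprintf(&b, "signer=%s expires=%d\n", strings.ToLower(sig.Signer), sig.Expires)
	for _, rr := range sorted {
		fmt.Fprintf(&b, "%s %d IN %s %s\n", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Data)
	}
	return []byte(b.String())
}

// Sign is what the zone operator does once, offline, with the zone's private key.
func Sign(rrs []RR, signer string, expires uint32, key ed25519.PrivateKey) RRSIG {
	sig := RRSIG{Signer: signer, Expires: expires}
	sig.Sig = ed25519.Sign(key, canonicalRRset(rrs, sig))
	return sig
}

// Validate is what a validating resolver does on every answer: the records
// must fall under the signer's zone, the signature must be unexpired, and it
// must verify under the DNSKEY the resolver already trusts for that zone. A nil
// result means a browser may use the answer; anything else means refuse it.
func Validate(rrs []RR, sig RRSIG, zoneKey ed25519.PublicKey, now uint32) error {
	zone := strings.ToLower(sig.Signer)
	for _, rr := range rrs {
		name := strings.ToLower(rr.Name)
		if name != zone && !strings.HasSuffix(name, "."+zone) {
			return fmt.Errorf("%s is outside zone %s; a signature from %s cannot cover it", rr.Name, zone, zone)
		}
	}
	if now > sig.Expires {
		return fmt.Errorf("RRSIG expired at %d", sig.Expires)
	}
	if !ed25519.Verify(zoneKey, canonicalRRset(rrs, sig), sig.Sig) {
		return fmt.Errorf("RRSIG does not verify under the zone's DNSKEY; answer is not what the zone operator published")
	}
	return nil
}

func main() {
	// Zone key pair; in practice the public half is published as a DNSKEY record
	// and vouched for by the parent zone (that chain of trust is not modelled).
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const expires, now = 1700000000, 1690000000

	genuine := []RR{{Name: "www.example.com.", Type: "A", TTL: 300, Data: "192.0.2.10"}}
	sig := Sign(genuine, "example.com.", expires, zonePriv)
	fmt.Println("genuine answer:    ", Validate(genuine, sig, zonePub, now))

	// A spoofed reply keeps the real RRSIG but swaps the address.
	spoofed := []RR{{Name: "www.example.com.", Type: "A", TTL: 300, Data: "198.51.100.99"}}
	fmt.Println("spoofed RDATA:     ", Validate(spoofed, sig, zonePub, now))

	// An attacker who signs the spoofed set with a key of their own still fails,
	// because the resolver only trusts the zone's published DNSKEY.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := Sign(spoofed, "example.com.", expires, attackerPriv)
	fmt.Println("attacker re-signed:", Validate(spoofed, resigned, zonePub, now))
}
```

The genuine answer validates; the spoofed RDATA and the attacker-signed set both fail because the resolver’s decision rests on a key the attacker does not hold, not on anything the user is asked to judge. That is the behaviour the browser would need in order to refuse a domain on failed validation.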

The best proposal put forward during the discussion seemed to be the idea that search engines would rank sites that have implemented DNSSEC above those that haven’t, giving site owners a financial motivation to deploy it. However, since no search engine has shown any inclination to do so, such an idea remains just that -- future thinking in the hope of implementation.

Research suggests that, contrary to popular belief, port scans alone may not be a reliable indicator of impending attacks. An analysis of quantitative attack data gathered at the University of Maryland over a two-month period shows that port scans preceded attacks only 5 percent of the time.

In this day and age there’s very little value in performing probes ahead of attacks. Not only does a probe potentially give the victim a heads-up, it’s also largely unnecessary. Fingerprinting was historically used to tailor the attacks run against a given system, but today’s attackers often take the “Swiss army knife” approach -- throwing everything that might work at the target. It matters not which exploit worked, only that something did.

Port scans are definitely bandwidth wasters, and they shouldn’t be ignored simply because research suggests they may not be precursors to attacks. However, identifying who is doing the scanning is of little use. Repeat offenders might be blocked, but those block lists will end up very lengthy and may reduce router performance. The more important thing to remember is that such probes are fairly constant, and a default-deny policy on every router is the critical control that ensures they yield as little as possible to the miscreant sending them.
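To make that trade-off concrete, here is an added example (my own, not code from the column or from the University of Maryland study): a small detector that flags any source touching several distinct ports within a sliding time window, run over a handful of constructed iptables-style log lines, followed by a count of how many probes a router would forward under a default-allow policy with the scanner block-listed versus a default-deny policy that admits only port 443. The addresses, log lines, window and threshold are all assumptions, and the detector assumes the log is in chronological order, as a router’s own log is.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

type Probe struct {
	At   time.Time
	Src  string
	Port int // destination port
}

// sampleLog is constructed for this example (iptables LOG format, not real
// traffic): 203.0.113.7 sweeps four ports in five seconds, the rest are single probes.
var sampleLog = []string{
	"Jun 12 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=21",
	"Jun 12 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=22",
	"Jun 12 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443",
	"Jun 12 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=23",
	"Jun 12 10:00:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44325 DPT=445",
	"Jun 12 10:00:30 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=22",
}

// ParseLine extracts timestamp, source and destination port; the syslog
// timestamp has no year, but the detector only needs relative order.
func ParseLine(line string) (Probe, error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return Probe{}, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse("Jan 2 15:04:05", strings.Join(f[:3], " "))
	p := Probe{At: at}
	for _, tok := range f[3:] {
		kv := strings.SplitN(tok, "=", 2)
		switch {
		case len(kv) != 2 || err != nil: // not a KEY=VALUE token, or keep the first error
		case kv[0] == "SRC":
			p.Src = kv[1]
		case kv[0] == "DPT":
			p.Port, err = strconv.Atoi(kv[1])
		}
	}
	if err != nil || p.Src == "" || p.Port == 0 {
		return Probe{}, fmt.Errorf("bad line %q: %v", line, err)
	}
	return p, nil
}

// DetectScans flags sources that touch at least threshold distinct ports inside
// any sliding window of the given length (probes assumed in time order).
func DetectScans(probes []Probe, window time.Duration, threshold int) map[string]int {
	bySrc := map[string][]Probe{}
	for _, p := range probes {
		bySrc[p.Src] = append(bySrc[p.Src], p)
	}
	flagged := map[string]int{} // source -> peak distinct ports in one window
	for src, ps := range bySrc {
		open := map[int]int{} // port -> probes currently inside the window
		for lo, hi := 0, 0; hi < len(ps); hi++ {
			open[ps[hi].Port]++
			for ; ps[hi].At.Sub(ps[lo].At) > window; lo++ {
				open[ps[lo].Port]--
				if open[ps[lo].Port] == 0 {
					delete(open, ps[lo].Port)
				}
			}
			if n := len(open); n >= threshold && n > flagged[src] {
				flagged[src] = n
			}
		}
	}
	return flagged
}

// Forwarded counts probes the router passes on. A nil allowPorts means default
// allow (everything not from blockSrc); otherwise only listed ports get through.
func Forwarded(probes []Probe, allowPorts map[int]bool, blockSrc map[string]bool) int {
	n := 0
	for _, p := range probes {
		if !blockSrc[p.Src] && (allowPorts == nil || allowPorts[p.Port]) {
			n++
		}
	}
	return n
}

func main() {
	var probes []Probe
	for _, l := range sampleLog {
		p, err := ParseLine(l)
		if err != nil {
			panic(err)
		}
		probes = append(probes, p)
	}
	fmt.Println("scanners:", DetectScans(probes, 30*time.Second, 4))
	fmt.Println("forwarded, default allow + scanner block-listed:", Forwarded(probes, nil, map[string]bool{"203.0.113.7": true}))
	fmt.Println("forwarded, default deny (443 only):", Forwarded(probes, map[int]bool{443: true}, nil))
}
```

Under default deny the count does not depend on knowing who the scanner is, which is the column’s point: a block list only helps once the source has been identified and grows without bound, while the allow list makes every probe outside it worthless on arrival.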

Malicious Code
Several AIM worms were distributed recently, spreading (at least in part) by sending AOL Instant Messenger messages to the buddies on the victim’s current Buddy List. Those messages contain a link back to the existing victim. When clicked, the link attempts to exploit the new victim through one of several Internet Explorer vulnerabilities.

Cybertrust reminds you to recommend that your users always ask the contact who apparently sent an IM link whether they really did send it, before clicking. A victim whose machine is propagating a worm this way will have no idea what the question refers to.

Human Factors
The U.S. Government Accountability Office (GAO) estimates that more than 2 million domain names have been registered with "patently false" data.

The GAO examined the Whois records, which are supposed to contain contact information for the registrant, of 900 domain names in the .com, .net and .org namespaces. From that sample it estimated that roughly 2 million records are “patently false,” which it defined as containing “data that appeared obviously and intentionally false without verification against any reference data.” Clearly these were records that any reasonable domain registrar could have noticed, assuming of course it ever bothered to check. Another 1.6 million records are estimated to be missing at least one “required field,” strongly suggesting that the word “required” means something different to domain registrars than it does to the U.S. population and the GAO.

The GAO was also asked to assess the error-reporting mechanisms maintained for Whois data. It submitted 45 records that were clearly false and checked the results after 30 days. Fewer than 25 percent had been corrected, and no explanation was offered as to why the others were still incorrect.

This column was originally published in our weekly Security Watch newsletter.

Whois databases are heavily abused, whether by Web site owners who want demographic information about their visitors (and so perform countless Whois queries trying to determine country, city and so on) or by online marketers and telemarketers looking for phone numbers from which to solicit new business. As a result, many contacts provide false or incomplete information as a matter of course when registering a domain. Since no clear rules exist to protect those who do provide valid contact information, it’s hard to see how this problem will be resolved.

The U.S. Government wants accurate Whois information to aid law enforcement efforts related to online issues, which is laudable. Domain contacts want to protect their privacy, which is equally laudable. As long as Whois is a publicly available service, privacy is more likely to win out over law enforcement, since domain registrars would rather make money from customers paying to protect their privacy than supply law enforcement with more accurate information for no tangible compensation.

Privacy
A school psychologist’s records, detailing students’ confidential information and personal struggles, were accidentally posted to the school system’s Web site and remained publicly available for at least four months, until a newspaper reporter recently discovered them.

It’s hard to imagine how such confidential records could be allowed onto a school’s Web site so casually. One would think the school would be looking for such information before anything was published, if not preventing the incident outright by ensuring that the system holding the confidential records was not even capable of talking to the Web server.

That said, there’s no doubt that education institutions are far too frequently understaffed and ill-equipped to handle security incidents. What will be interesting to see is how fines are imposed when a Federal regulation insists that such records be kept confidential and another governmental agency fails to keep them so.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
