Re: [ga] Net security's a losing battle

[Sandy Harris <sandy@storm.ca>]

Joanna Lane wrote:
> 
> http://www.zdnet.com/zdnn/stories/news/0,4586,2814883,00.html
> 
> Expert: Net security's a losing battle
> 
> By Wendy McAuliffe
> ZDNet (UK)
> September 26, 2001 11:39 AM PT
> 
> "The complexity of the Internet is increasing more rapidly than our ability
> to secure it, according to Internet security expert Bruce Schneier.

For more of Bruce's papers:
http://www.counterpane.com/publish.html

and for a subscription to his newsletter:
http://www.counterpane.com/crypto-gram.html

His book "Secrets and Lies"  ISBN 0-471-25311-1 is the best overview of
security issues for non-specialists I've seen. A security consulting firm
I work with often gives copies to client company managers. They understand
it and find it relevant to their issues.

For the politics of cryptography, and the long complex battle against
gov't (particularly US gov't) obstruction of security measures that
might block their monitoring, see Steven Levy "Crypto: How the Code
Rebels Beat the Government -- Saving Privacy in the Digital Age",
ISBN 0-670--85950-8. 

An online intro to those issues is my:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/politics.html#politics 
 
> At the opening of the annual Information Security Solutions Europe (ISSE)
> conference in London on Wednesday, Schneier, who is chief technology officer
> of Counterpane Internet Security, claimed that the problem of Internet
> security will never be resolved.
> 
> "Traditionally, Internet security has been thought of as a technology issue,
> based on the notion that you can build products to plug the holes," said
> Schneier. "But we are losing the battle with computer security. We are
> building new products, but every year gets actively worse."

Yes, but there are things that would have a positive impact. Notably, the
IETF has been at work for some years on protocols for a secure DNS. See:

http://www.toad.com/dnssec/index.html
http://www.ietf.org/html.charters/dnsext-charter.html

Currently, DNS is almost completely insecure. All the servers just accept
whatever another server tells them as gospel.

Currently, if an EvilDoer can intercept DNS queries or subvert a server,
then he or she can do almost anything. Tell you bigcompany.com does not
exist, send anyone who asks for that company to big_company_sucks.org
instead, or send everyone to Pornographic Priscilla's Punishment Pagoda.
Or, by subverting the DNS an e-commerce site relies on, send all that
site's customers to a bogus bank for their credit card transactions.
Or ...

If critical infrastuture relies on the net and therefore on DNS, then
clever variants of DNS attacks can do enormous damage. Other measures
-- such as PGP-signing any important email and widespread use of secure
IPsec tunnels -- can vastly reduce the risks here, but it is far from
certain they can reduce it to zero. 

The obvious fix is to build authentication into the DNS software so
that servers can tell what information they can trust. Most of the
work of specifying appropriate protocols for this has been done.
See the IETF site above. 

I'm not certain what state the implementations are in. Certainly some
work has been done, e.g. in BIND 9 (www.isc.org), but I don't know
how complete that is, or how widely deployed, or whether other DNS
servers have DNSsec support yet.

Once there are viable implementations, questions arise of how to get
zone records (especially the root zones) signed, and more generally
how to run a secure DNS. These will largely be decided in the IETF 
DNS Operations working group:

http://www.ietf.org/html.charters/dnsop-charter.html

However, methinks ICANN might have a role to play in ensuring that
the registrars actually act on this in a timely fashion, and that
Verisign or others do not attempt to hijack the process into becoming
a marketing scheme for proprietary signature technologies.

I raised these questions about a year ago and got responses indicating
that some knowledgable folk considered this out of scope for ICANN and
that, in any case, the IETF work was not finished so the questions did
not arise yet.

That was then, this is now.

If the focus of the next ICANN meeting is to be security, methinks
the question of what ICANN needs to do about DNSsec depolyment goes
right at the top of the agenda.
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html