Recent hacker attacks on the International Monetary Fund and other prominent targets have reportedly involved “phishing” e-mails that falsely appear to come from a familiar company or individual and attempt to send victims to a bogus website in order to steal information. (When customized to a particular recipient, these are known as “spear phishing” e-mails.)
But a key step toward better Internet-wide protection against such hazards—a long-in-the-works technology known as DNSSEC, which verifies that a domain name points to the correct Web server—is not only years from full deployment but may be scuppered by proposed legislation, experts say.
Phishing has been inferred but not confirmed in the recent data thefts from the International Monetary Fund, where fund employees have been “strongly requested not to open e-mails and video links without authenticating the source,” according to a memo provided to Bloomberg News. And Google said recently that China-based spear phishing has been used against “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
“DNSSEC is the first building block on which the foundation of the whole ‘web of trust’ will be built. We kind of need DNSSEC to fix the basic problem that needs fixing about the way the Internet works—the lack of accountability,” says Paul Vixie, chairman and chief scientist of Internet Systems Consortium, a nonprofit developer of Internet software and protocols.
“DNS” stands for “domain name system,” and the system itself translates domain names (for instance, www.technologyreview.com) into numerical Internet addresses that computers understand, in this case 18.104.22.168. But hackers can hijack this system and swap the numbers in order to send you somewhere else, so DNSSEC (“SEC” stands for “security extension”) adds information that can be used to verify that the numbers are the right ones.
The past year has seen adoption at an accelerating pace. By now, 66 of 306 top-level domains (such as .org, .com, .gov, and country code domains) have enabled the use of DNSSEC. However, less than 1 percent of domains for specific companies and organizations have signed up.