Safeguards against "Phishing" Slow in Coming
The framework for a “web of trust” is still in its infancy, and a pending bill could endanger it.
Recent hacker attacks on the International Monetary Fund and other prominent targets have reportedly involved “phishing” e-mails that falsely appear to come from a familiar company or individual and attempt to send victims to a bogus website in order to steal information. (When customized to a particular recipient, these are known as “spear phishing” e-mails.)
But a key step toward better Internet-wide protection against such hazards—a long-in-the-works technology known as DNSSEC, which verifies that a domain name points to the correct Web server—is not only years from full deployment but may be scuppered by proposed legislation, experts say.
Phishing has been inferred but not confirmed in the recent data thefts from the International Monetary Fund, where fund employees have been “strongly requested not to open e-mails and video links without authenticating the source,” according to a memo provided to Bloomberg News. And Google said recently that China-based spear phishing has been used against “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
“DNSSEC is the first building block on which the foundation of the whole ‘web of trust’ will be built. We kind of need DNSSEC to fix the basic problem that needs fixing about the way the Internet works—the lack of accountability,” says Paul Vixie, chairman and chief scientist of Internet Systems Consortium, a nonprofit developer of Internet software and protocols.
“DNS” stands for “domain name system,” and the system itself translates domain names (for instance, www.technologyreview.com) into numerical Internet addresses that computers understand, in this case 18.104.22.168. But hackers can hijack this system and swap the numbers in order to send you somewhere else, so DNSSEC (“SEC” stands for “security extension”) adds information that can be used to verify that the numbers are the right ones.
The past year has seen adoption at an accelerating pace. By now, 66 of 306 top-level domains (such as .org, .com, .gov, and country code domains) have enabled the use of DNSSEC. However, less than 1 percent of domains for specific companies and organizations have signed up.
Eventually, the system could be a foundation for browser-based blocking or warnings—and for verifying who sent e-mails or authored a document. “DNSSEC will confirm for us the name of the site that I’m dealing with, and that becomes a fact that browsers can take advantage of to help mitigate against certain kinds of phishing attacks,” says James Galvin, director of strategic relationships and technical standards at Afilias, an Internet infrastructure provider. “But that’s a place we have to get to, and we aren’t there.”
Richard Lamb, the architect for DNSSEC deployment at ICANN, the Internet Corporate for Assigned Names and Numbers, says that in the long run, DNSSEC could enhance Internet security enormously. “How (warnings) will get displayed to end users is still in discussion, but in the long term, the end user will be that much more secure—because they won’t be able to get to a site that’s not been validated,” he said. In later iterations of the system, he says, “when you get e-mail from a random person, you could verify not just the address but the actual person, through a cryptographic handshake.”
In the view of some experts, though, Congress will undermine DNSSEC if it passes a bill now under consideration. Under the proposed legislation (pdf), if an Internet service provider receives a court order to block websites peddling stolen media or counterfeit pharmaceuticals, it will be required to redirect a Web user attempting to visit such a site to a takedown notice.
Such redirection is what DNS hackers try to do, and what DNSSEC aims to prevent. “If we end up with legislation on that point, it will be impossible to do end-to-end DNSSEC because it will be illegal in some cases,” says Vixie, who is a co-signer of a report (pdf) blasting the bill.
Even if DNSSEC is fully implemented, it’s no panacea. However, Galvin says, “everything we do on the Internet depends on the DNS, so DNSSEC becomes the foundation for a safer and more secure Internet.”
Meanwhile, users will just have to remember to stop and think before they click. “Technology can take you pretty far, and the technology will improve, and DNSSEC can help,” says Galvin. “But as a practical matter, users do have to take ownership of what happens to them. The best we can hope to achieve is to reduce” their risk.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today