Security

.edu announces plans to sign with DNSSEC

Submitted by
jhutkd
jhutkd writes "Educause (who run the .edu gTLD) announced today that they will deploy DNSSEC and sign the .edu zone by the end of March 2010.

This will enable all educational institutions to benefit from deploying DNSSEC via the secure delegation hierarchy starting with IANA's ITAR (a temporary surrogate for the root zone signing), going through .edu, down to schools, and potentially leading all the way down to individual departments! Unlike larger gTLDs like .org, the churn of adding new and deleting old zones in .edu is much lower (due to the fact that there are tight controls on who may register for a delegation). Thus, many of the hassles of adding new DS records and maintenance procedures might be more manageable and help speed DNSSEC's rollout in this branch of the DNS hierarchy!"

Spam

Class Action Settlement in Ameritrade Data Breach

Submitted by
bcrowell
bcrowell writes "Starting in 2005, people like me who used the Ameritrade online stock brokerage received pump-and-dump spam sent to the email addresses we'd supplied to Ameritrade. It was discussed here on Slashdot. Although many of us had used throwaway email addresses from obscure domains, Ameritrade insisted for several years that there was no security breach, and the spammers had found the addresses using "'brute forcing' or dictionary techniques."

Matthew Elvey found a lawyer to file a class action lawsuit in 2007, and posted about it on spamgourmet.com. The settlement was approved in May, and as a member of the class, I got a postcard about it today. Elvey complained that he was kept in the dark about the case, and tells Wired he "was deceived into the terms of the settlement. I don't think it does anything substantial." Members of the class will receive a year's free subscription to Trend Micro Internet Security Pro. The entire $1.9 million cash portion of the settlement will go to Elvey's lawyers. TD Ameritrade now says it was the victim of a network attack (not an inside job), which compromised social security numbers and email addresses. They're going to seed their database with fake user accounts in order to detect any further leaks. Personally, I transferred my stocks from Ameritrade to another brokerage as soon as I saw the problem. I don't want my life's savings being held by a company that's this clueless about security."


Comment: Re:Why DNSSEC? (Score 1) 89

by jhutkd (#28211941) Attached to: .ORG Zone Signed With DNSSEC

Rather than start w/ his example, consider the attacks seen after the Kaminsky announcement: MX records were being forged. Now I can poison an ISP's caches w/ the wrong records for email of any site and all of your email will go through me. Do you ever send anything interesting over email? ;) This was seen in the wild.

WRT the video, at Blackhat there was a presentation demoing the creation of forged SSL certs using weak CAs. Now, if DNS hands you an IP for a domain that really belongs to a MitM, your browser _thinks_ that it is talking to the real domain and just needs a cert that matches. Poof, wormhole attack.

Really, the problem here is your browser/OS comes bundled w/ a bunch of very poorly maintained root CAs that you should "trust". Who knows who many of them are, but if your browser is happy with a cert from any of them for any website, you get a nice false sense of security. DNSSEC doesn't address this specific problem. Rather, it makes it perfectly clear what DNS data can be verified. If you go to a rogue website, that is a higher level problem, but at least with DNSSEC you _know_ when you're at a rogue web site. SSL conflates too many things and can be dangerous if misunderstood.

Security

ICANN and NIST Announce Plans to Sign the DNS Root

Submitted by
jhutkd
jhutkd writes "On June 3rd, 2009, ICANN and NIST announced formal plans to use DNSSEC to sign the DNS root zone by the end of 2009. This is a huge step forward for the deployment of DNSSEC. Details are available at:

http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm

— and —

http://www.nist.gov/public_affairs/releases/dnssec_060309.html"


Comment: Re:Why DNSSEC? (Score 3, Informative) 89

by jhutkd (#28199885) Attached to: .ORG Zone Signed With DNSSEC

DNSSEC addresses issues that include the Kaminsky cache poisoning attack from last summer. The idea of DNSSEC is that when you get a DNS record back, you can use crypto to verify that it is the actual record (such as the IP address(es) for a web site) served by a domain.

If you're seriously interested in _why_ someone should care about DNSSEC, check out this 4 minute tech-talk:
http://www.youtube.com/watch?v=Yt-oJTj0j0o
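The .edu submission above talks about the "hassles of adding new DS records", and this comment describes a resolver verifying a record through the delegation chain. The following is an added illustration, not code from any of these posts or from Educause: it shows how a child zone's DNSKEY is reduced to the DS record the parent (.edu) publishes, and how a validator checks that the two agree. The zone name `example.edu.` and the four key bytes are constructed placeholders, not real key material.

```python
import hashlib

# Constructed sample values for a fictional delegation; not real .edu data.
CHILD_ZONE = "example.edu."
CHILD_KSK_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])  # placeholder, not a real RSA key
DS_DIGEST_SHA256 = 2  # DS digest type 2 (SHA-256)


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed labels, lowercased, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-algorithm-1 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over (owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def publish_ds(owner: str, child_rdata: bytes) -> dict:
    """What the child zone hands its parent to place in the DS record."""
    return {"key_tag": key_tag(child_rdata), "algorithm": child_rdata[3],
            "digest_type": DS_DIGEST_SHA256, "digest": ds_digest(owner, child_rdata)}


def verify_delegation(owner: str, child_rdata: bytes, parent_ds: dict) -> bool:
    """Validator's check: does the parent's DS commit to this child DNSKEY?"""
    return (parent_ds["key_tag"] == key_tag(child_rdata)
            and parent_ds["algorithm"] == child_rdata[3]
            and parent_ds["digest_type"] == DS_DIGEST_SHA256
            and parent_ds["digest"] == ds_digest(owner, child_rdata))


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, CHILD_KSK_PUBKEY)   # flags 257 = KSK, algorithm 8
    ds = publish_ds(CHILD_ZONE, ksk)
    print("DS published by parent:", ds)
    print("child key validates:", verify_delegation(CHILD_ZONE, ksk, ds))
```

A swapped-in key with even one differing byte changes both the key tag and the digest, so the validator rejects it; this is the link that a signed .edu gives each school below it.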
