Waiting for an Internet security fix? Don’t hold your breath

Aug 03, 2010 | 6 mins
Data and Information Security, Security

At Black Hat 2010, critical technologies such as DNS and SSL proved to be vulnerable -- and they're more than 20 years old

Black Hat founder Jeff Moss opened this year’s Black Hat 2010 conference by telling the world that he’s frustrated with the computer security industry’s inability to fix many problems over the past two decades. In a point that some people probably missed as a mixture of accolades and irony, Moss then gave the lone exception that came to mind: DNSSEC, which is being partially deployed throughout the world.

To put this point in perspective, the main problems that DNSSEC fixes were first discussed in the early 1990s (there’s an excellent DNSSEC primer on Wikipedia), with remediations first codified in 2001. Yet Dan Kaminsky and many other DNS researchers required another decade to convince the major players to strengthen DNS. In effect, it took some 20 years to fix the world’s most used protocol, one without which every other network application remains insecure — but it’s not fixed all the way.


In order for DNS to be truly secure, DNSSEC has to be deployed down to the desktop level. Windows 7 and Windows Server 2008 R2 (and many Linux, Unix, and BSD platforms) have it built in, but not configured or enabled. I expect only a very few large, highly secure companies to implement DNSSEC to the desktop over the next few years. That is the state of our Internet security today.

Illustrating the weaknesses of DNS, Craig Heffner gave one of the most popular talks, “How to Hack Millions of Routers.” Using a combination of previously known exploits, Heffner demonstrated how easy it was to cause anyone to break into their own router and share the success with a remote hacker. In a nutshell, the hack works by first tricking a user into visiting a bogus site, which then poisons his or her DNS cache with his or her own local IP address (called DNS rebinding). When the user clicks on another link or the browser simply reloads the current page, the remote hacker then has interactive access to the router’s internal administrative interface.
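Two defensive checks against the rebinding pattern described above, as an added example (not from the article or from Heffner's talk): a resolver-side filter that refuses answers mapping an external name to an internal address, and a Host-header check on the router's admin interface. The zone suffixes, admin hostnames and sample answers are assumptions constructed for illustration.

```python
import ipaddress

# Ranges a public DNS name has no business resolving to (RFC 1918, loopback, link-local, ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]
LOCAL_SUFFIXES = (".lan", ".home.arpa")      # assumption: zones served internally
ADMIN_HOSTS = {"192.168.1.1", "router.lan"}  # assumption: the router's own names

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:192.168.1.1 is still the LAN
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)

def rebind_suspects(answers):
    """Resolver side: external names whose answers point inside the network."""
    hits = []
    for name, addr in answers:
        if name.rstrip(".").lower().endswith(LOCAL_SUFFIXES):
            continue                          # internal zone may map to internal IPs
        if is_internal(addr):
            hits.append((name, addr))
    return hits

def host_header_allowed(host_header):
    """Admin-interface side: serve only requests addressed to the router's own names."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal with optional port
        host = host[1:].split("]", 1)[0]
    else:
        host = host.split(":", 1)[0]          # drop :port
    return host.rstrip(".") in ADMIN_HOSTS

# Constructed resolver answers (documentation ranges stand in for public IPs).
SAMPLE_ANSWERS = [
    ("www.site.example", "198.51.100.10"),
    ("rebind.attacker.example", "203.0.113.7"),    # first lookup: the bogus site
    ("rebind.attacker.example", "192.168.1.1"),    # later lookup: the user's own router
    ("printer.lan", "192.168.1.50"),
    ("x.attacker.example", "::ffff:10.0.0.1"),
]

if __name__ == "__main__":
    for name, addr in rebind_suspects(SAMPLE_ANSWERS):
        print("blocked answer:", name, "->", addr)
    print(host_header_allowed("192.168.1.1:8080"), host_header_allowed("rebind.attacker.example"))
```

Either check alone breaks the chain: the filter keeps the internal address out of the cache, and the Host check makes the router refuse a request that arrives under the bogus site's name.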

Heffner automated the whole process using a sample malicious website to make it as simple as any “click and you are owned” exploit you’ve ever seen. When he was finished, the audience stood up and applauded in the same way they did for Barnaby Jack’s ATM hacks, which led to money shooting out of the exploited automated teller machines.

DNS isn’t the only highly used technology that’s been sorely neglected. Qualys’ Ivan Ristic conducted a “State of SSL” session chock-full of interesting statistics. Using an internally developed tool (now public and free), Qualys did a superaccelerated search on every SSL site it could find on the Internet. The folks at Qualys found almost 34 million websites responding on port 443 out of the 119 million sites located in the domain-naming system. Only 3 percent of SSL/TLS websites had a subject name in their certificate that matched the website’s name. That means almost all certificates would come up as invalid or throw an error when being perused by common browsers.

In the PKI world, we’re taught to consider flawed certificates to be the same as no certificate. Clearly the Internet would come crawling to a halt if we actually followed that advice. Notably, the 3 percent figure is across all port 443 websites. The larger, more popular websites had a better name validity rate of 28 percent.
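The name check behind that statistic, as an added example (not the Qualys tool): a certificate counts as matching only if one of its DNS names covers the hostname the client connected to. The certificate dictionaries use the layout Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames and survey rows are constructed.

```python
def cert_dns_names(cert):
    """Names the cert is valid for: SAN dNSName entries, else the subject CN (legacy fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans                      # when SANs exist, the CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    if len(p) != len(h):
        return False                     # a wildcard never spans more than one label
    if p[0] == "*":
        # leftmost-label wildcard only; refuse overly broad patterns such as *.com
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_valid_for(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

# Constructed survey rows: (hostname the scanner connected to, certificate it received).
SURVEY = [
    ("shop.example", {"subject": ((("commonName", "shop.example"),),)}),
    ("www.blog.example", {"subjectAltName": (("DNS", "*.blog.example"),)}),
    ("a.b.blog.example", {"subjectAltName": (("DNS", "*.blog.example"),)}),
    ("site.example", {"subject": ((("commonName", "shared-host.example"),),)}),
    ("mail.example", {"subject": ((("commonName", "localhost"),),)}),
    ("api.example", {"subject": ((("commonName", "api.example"),),),
                     "subjectAltName": (("DNS", "www.example"),)}),
]

def match_rate(rows):
    """Return (certificates whose name matches the site, total sites)."""
    return sum(cert_valid_for(c, h) for h, c in rows), len(rows)

if __name__ == "__main__":
    ok, total = match_rate(SURVEY)
    print(f"{ok} of {total} certificates match the site they were served from")
```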

I spoke with Jeremiah Grossman, founder and CTO of WhiteHat Security, about what it would take to make the Internet a significantly less toxic environment. I enjoyed his comments and candor, as compared to many of the canned, industrial comments that I got from other company figureheads. His response: “Blood and loss of life, perhaps somebody important and well known.” This sounds like a guy that has been in the trenches for more than a few years.

I mean, it’s hard to disagree when two of the most popular and underpinning protocols of the Internet, DNS and SSL, are both still horribly implemented after almost three decades of use. Grossman said it even better when I asked him what security technology would have the most impact against malicious hacking. He said, “None of the real challenges are technical.”

The event wasn’t entirely disheartening, though. I spoke to Dov Yoran, partner of MetroSITE Group and one of the founders of the Cloud Security Alliance. I complimented him on all the early work the CSA has done and for what it has accomplished. The CSA is trying to ensure that solid, resilient, consistent, and even more important, verifiable security gets implemented and is measurable by cloud users. This is a pleasant break in what is usually the normal pattern where security is only bolted on after a huge tipping point event, which is the pattern for nearly every other nascent computer technology.

I was also pleased to see the efforts of people such as my new friend Martin McKeay, a security blogger and podcaster at Network Security Podcast. He has devoted a part of his professional life to the blog and podcasts, yet he readily admits that he doesn’t make a dime from it.

Black Hat is a testament to a whole bunch of smart people who have the answers to what it will really take to make the world a safer place to compute — that’s a given. But when will all the good hackers have the necessary support of corporations, governments, and really, society in general, to help move us past the current anemic pace of improvement? And will it really take blood on the ground (or the banking system or stock market system crashing for a week) to get to real change? Right now I’m predicting that we won’t be discussing the partial implementation of IPv6 until Black Hat 2020.



Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
