April 15th is just around the corner and many will go to IRS.gov to e-file your taxes this year. You see that if you made less than 58,000 dollars in 2010, you can e-file for free from a website of your choice that is listed on the IRS website. You chose one, follow the link, and begin to enter all of you personal information. You complete the form online and submit. Another year of taxes complete, right? As uit turns out, this year you did not really file taxes, what you did was give all of your personal information to a hacker. You were redirected to a fake website during your search on IRS.com, this cache poisoning attack, or Kaminsky-style attack, is not new. In fact, in 2008 it was mandated that by December 31st, 2009 all .gov websites deploy security against just such an attack. DSN Security Extensions, or DSNSEC, prevents the redirecting of web users to other spoof websites. However, as of January 2011, only 51% of government websites have deployed such standards of protection. (Marsan, 2011)
Of the tested .gov websites, the state department leads, being 100% up to date and the department of labor on its heels at 90%. So, kudos to those departments for meeting the new standard, however, the rest of the story does not look good. The Treasury Department only signs one of its sub domains, the good news is there usually isn’t any important information that is entered into the Treasury Department. No one enters important information into the Treasury Department website to see if they qualify for loans, grants or other financial aide. It makes me wonder what the government is doing with the large portion of my paycheck that it keeps each month. You would think that the US government with all of its departments, resources, and officials would at least be able to run a secure website.
The private sector is not ahead of the government on this either. Many .com, .org, and .edu sites are now just starting to support DNSSEC in their domain. VeriSign has signed on to incorporate DNSEC in their operations. This is huge, since VeriSign is the Internet’s largest .com domain. This .com leader is spending $100 Million to support DNSSEC and upgrade to IPv6. Many other domains, do not know of, or are just learning of this DNSSEC. Another issue that goes with this security is that it takes up a lot of resources. It slows the server and can take a lot of financial resources to update. I think that these companies, however, owe it to their clients to ensure that their websites are secure and that client information will be secure and remain at that company’s official site.
I know that many of us who utilize the web for it’s resources and convenience have adopted this sense of security when dealing with the our personal sites. Sites like the one we use for online banking, or the site ran by our educational institution, or even one operated by the government. This is wrong. Nobody is ever 100% safe. These are the same people who encounter several attacks every year. What can a person do to ensure that this does not happen to you, you wonder. I will attempt address that in future blogs. For now, knowing what we got ourselves into is the first step. Thanks for reading.
Reference:
Marsan, Carolyn Duffy. (January, 27, 2011.). Half of federal Web sites fail DSN security test http://www.networkworld.com/news/2011/012711-dns-security-test.html?page=1.
No comments:
Post a Comment