News & Notes from the OpenDNS team

'Security' Posts

The proposed White House cybersecurity bill explained

by Allison Rhodes on May 13th, 2011

Sifting through legislative literature can be arduous, and since we’ve already done the work we wanted to share a quick summary of what the White House is proposing around cybersecurity and how it might affect you. Please note: we are not taking a stance, but rather just aiming to help inform.

In the most recent session of Congress, the two parties together introduced 50 new bills related to cybersecurity. Taking this as an indication that a more cohesive plan and policy is needed, the President decided to draft a cybersecurity bill that addresses protecting the American people, America’s critical infrastructure, and Federal Government computers and networks.

From the White House:

“It has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated [...] We have developed a pragmatic and focused cybersecurity legislative proposal for Congress to consider. This legislative proposal is the latest achievement in the steady stream of progress we are making in securing cyberspace and completes another near-term action item identified in the Cyberspace Policy Review.”

As for the “protecting the American people” part, the new Bill will standardize laws about notifying consumers in the event of a data breach. Today there are 47 different state laws in this area. It will also clarify laws around computer crimes. One of the key tools law enforcement uses today against organized crime is the Racketeer Influenced and Corrupt Organizations Act (RICO). But today RICO doesn’t apply to computer criminals. The Bill aims to change that and also sets mandatory minimums for cyber intrusions into critical infrastructure.

The “protecting America’s critical infrastructure” part is less clear. The new Bill will “enable” DHS to quickly help a private-sector company, state, or local government when that organization asks for its help. And it grants companies and governments immunity when sharing cybersecurity information with DHS and mandates “robust privacy oversight” to guarantee that the voluntarily shared information doesn’t hurt individual privacy and civil liberties. We look forward to understanding more in that area.

The Bill proposes a three-step process around protecting critical infrastructure like the electricity grid and financial sector:

1. Critical infrastructure operators would develop their own frameworks for addressing cyber threats.

2. Then, each critical-infrastructure operator would have a third-party auditor assess its cybersecurity risk mitigation plan.

3. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate.

According to the Bill, in the event the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology (NIST), could modify a framework. And DHS can also work with organizations to help them fix plans that are deemed insufficient by auditors.

As for “protecting Federal Government computers and networks,” the Bill will do a lot of different things. For one, it will formalize the responsibility of DHS to manage security for the Federal Government’s civilian computers. (Technically this is DHS’s responsibility today, but the relationship is not a formal one.) This also includes overseeing intrusion prevention systems for all Federal Executive Branch civilian computers.

Not falling squarely into these three primary buckets but interesting nonetheless, the Bill will also prevent states from requiring that technology companies build datacenters in that state, allowing companies a bit more operational flexibility than they have today.

How does this affect you and your privacy directly? The Bill specifically states certain privacy and civil liberty measures:

- DHS would have to develop cybersecurity practices with help from and review by privacy and civil liberties experts and get them approved by the Attorney General.
- All monitoring, collection, use, retention and sharing of information is limited to protecting against cybersecurity threats.
- If a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.

More about the bill from the Wall Street Journal and the LA Times.

No Comments | Filed in General, government, privacy, Security

The Dangers of COICA

by David Ulevitch, Founder/CEO on Dec 3rd, 2010

It’s hard for me to be sympathetic to the entertainment industry and its frustration with online piracy. For the last decade industry executives have consistently focused on using the legal system to protect their aging business models rather than focusing on the innovations necessary to deliver the products and services consumers want.

The entertainment industry’s newest legal tactic, the “Combating Online Infringements and Counterfeits Act,” (COICA), sponsored by Senator Patrick Leahy, has been approved by the Senate Judiciary Committee. While Senator Ron Wyden exercised his right to place a hold on pending legislation — which will stop the bill from traveling to the Senate floor immediately — proponents of COICA can (and most assuredly will) reintroduce the measure the next time Congress convenes in 2011.

This bill is short but significant. For the first time, it will give the government the power to censor the Domain Name System (DNS), one of the most critical pieces of infrastructure for the Internet.

The DNS is like a global phonebook for the Internet: always running in the background and used anytime you do anything on the Internet, including sending email and browsing websites. It’s been running without government interference for the last 25 years and it has helped enable the tremendous economic growth and innovation the Internet has provided to the U.S. and the World over the last two decades.

My company provides DNS services, and in fact one of the many features of our service gives our customers the ability to block sites on their Internet connections. Parents and school administrators block sites they deem unsafe or inappropriate for their children, and business managers block sites they deem inappropriate for a work environment. Ironically, our existence and our technical innovations in the market helped to spawn the idea for the legislation in the first place by showing that blocking sites through the DNS is technically possible. While the technology being proposed is similar, the implementation couldn’t be more different from ours.

34 Comments | Filed in David, DNS, Domain Blocking, ISPs, Security

Calling Craig Heffner

by David Ulevitch, Founder/CEO on Jul 27th, 2010

The Black Hat conference is taking place this week in Las Vegas, bringing together security researchers and academics from all over the world to discuss the most pressing information security issues. Among the many (overly) hyped vulnerabilities set to be revealed is one the researcher claims threatens the security of “millions” of home routers. And according to the researcher, OpenDNS is not a fix.

Since the vulnerability was first publicized, we’ve made several attempts to contact Craig Heffner, the researcher, and get more detail. We’ve phoned. We’ve emailed. We’ve contacted reporters who’ve spoken to the researcher and had their help connecting to the researcher. I’ve even Facebook messaged his coworkers. I haven’t had a single reply.

Why the aggressive outreach from us? Because we want to be a fix. We work hard to make OpenDNS a solution to the many problems system administrators and security pros face. In fact, our entire service was designed to address the problems you want it to address. The only information we have is that this deals with DNS Rebinding. Fortunately, OpenDNS has secured users from DNS rebinding attacks for a long time. But we don’t know what’s different about Craig’s new rebinding attack.

When Dan Kaminsky and his firm IOActive famously revealed a major DNS flaw at the very same conference a few years ago, OpenDNS had already worked to ensure that our service was secure and not threatened by the vulnerability. When the Conficker virus gained traction and proved it posed a real threat, security firm Kaspersky Lab and OpenDNS quickly teamed up to block the domains from resolving for OpenDNS users. This sort of cooperation by industry leaders, groups and companies is, in my humble opinion, exemplary. It’s absolutely in the best interest of Internet users as it reduces the window of vulnerability. And we’re always happy to keep details of security issues secret, so the researcher can announce it without the risk of someone else stealing their thunder.

Could OpenDNS be a fix to the vulnerability said to threaten millions of home routers? Probably, but I can’t say since I have no information about how it works. All we know is that it has to do with DNS Rebinding attacks, which is a very old threat and is one we’ve done a great job of protecting users from in the past. Is OpenDNS a fix as-is already? Can’t say that either. It might be. Or we might have to tweak something. What I can say is that we have world-class engineers who are ready and willing to do whatever work possible to make OpenDNS a solution. But we can’t do that, because we don’t have the cooperation of the researcher.

In any event, at OpenDNS we believe in Responsible Disclosure. It’d be nice if Craig Heffner, the researcher in this case, believed in the same.

17 Comments | Filed in General, Security

At last week’s Workshop on the Economics of Information Security — an annual conference held at Harvard — new research (PDF) was presented showing the link between pornography and malicious online practices. When the study’s researchers surveyed adult websites, they found that many were aimed at “manipulating and misleading a visitor to perform actions that result in an economic profit” for the Web site. Free sites used these tactics 34 percent of the time, while paid sites used them 11 percent of the time. What types of tactics are we talking about? According to the study, methods include:

  1. JavaScript catchers that hijack the user’s browser, making it difficult to leave a site.
  2. Blind and hidden links that prevent an address from being displayed in a web browser’s status bar. This can be used to mask malicious activities, like cross-site scripting or cross-site request forgery attempts.
  3. Redirection scripts that redirect users to different websites. This occurs on a server, so there’s no way for a user to know it might happen until they click.
  4. Malware that triggers malicious behavior including “code execution, registry changes, or executable downloads.”

In addition to misleading activity, the level of malware found on adult Web sites was surprising to the researchers too; almost 3.5 percent of adult websites had this type of behavior, compared with previous studies that found less than one percent as malicious. Spyware and Trojan downloads were the most popular types of malware.

The good news is, it’s simple to block adult content and pornography with OpenDNS. In a couple of steps, you can nip the issue in the bud by blocking content you know causes issues on your computer and network. To block adult content, navigate to the Settings page and select the network you wish to manage. You’ll then see a Choose Your Filtering Level option under Content Filtering. To block all adult content, make sure to block the following five categories: Adult themes, Nudity, Sexuality, Pornography, and Tasteless.

Since we already block malware for all OpenDNS users (Enterprise users get more comprehensive coverage), blocking pornography is just one more step you can take to protect users on your network from coming in contact with malicious tactics online.

5 Comments | Filed in Adult site blocking, Domain Blocking, Phishing, Security, Typosquatting

OpenDNS adopts DNSCurve

by Matthew Dempsky on Feb 23rd, 2010

Editor’s note: Below is a fairly technical post from OpenDNS engineer and noted security researcher Matthew Dempsky introducing DNSCurve and sharing some thoughts on DNSSEC. Readers of this blog know Matthew has been credited with finding vulnerabilities in both Adobe Flash Player and djbdns.

Everyone in the DNS community agrees that DNS’s security model is woefully outdated. Conceived at a time when there were fewer computers on the Internet than are housed by even today’s smallest data centers, DNS unfortunately has no strong protection against malicious parties hoping to exploit web users. What little protection it does offer is mostly derived from novel uses of non-security features (e.g., UDP source port and transaction ID randomization).

For more than 15 years, the IETF has been working on DNSSEC, a set of extensions to apply digital signatures to DNS. Millions of dollars in government grants and several reboots from scratch later, DNSSEC is just starting to see real world testing. And that testing is minimal — only about 400 of the more than 85,000,000 .com domains support DNSSEC, fewer than 20% of US government agencies met their mandated December 31, 2009 deadline for DNSSEC deployment, and only two of the thirteen root zone name servers are testing with even dummy DNSSEC data.

Aside from its lack of adoption, DNSSEC isn’t even a very satisfactory solution. It adds tremendous complexity to an already fragile protocol, significantly increases DNS traffic in size, encourages questionable security practices, and hamstrings many modern uses of DNS.

Details

  • Complexity: DNSSEC has many options for enabling/disabling DNSSEC validation, with conflicting interpretations of how to handle different bits; considering people still disagree about how to handle features of DNS that have been present since its inception, I foresee these won’t be resolved anytime soon.
  • DNS traffic: Responses right now are usually limited to 512 bytes, sometimes a little more. DNSSEC enabled responses regularly exceed 1500 bytes, requiring IP fragmentation or fallback to TCP. IP fragmentation frequently fails with misconfigured firewalls and using TCP is much slower than the default UDP transport.
  • Questionable security practices: Most users are encouraged to use 512-bit or 1024-bit RSA keys. A group of hobbyists recently worked together to break all of the 512-bit keys used by Texas Instruments for signing their calculator firmware and they did so quickly and easily. The RSA company and NIST have been recommending users switch to 2048-bit keys since 2003 and 2007, respectively. Again, unfortunately, the DNSSEC standards developers are hesitant because bigger crypto is slower, and it will further push the traffic size issue.
  • Hamstrings modern uses: High traffic DNS servers can’t handle signing every response packet, so they need to pre-compute signatures. This limits how companies like Akamai and Google or projects like the NTP Pool can use DNS for global load balancing and routing users to their nearest servers. It also fundamentally hampers services like OpenDNS, which use DNS to provide content filtering and search services.
  • Efficiency: RSA is a very slow crypto standard; its only benefit is that everyone knows about it. DNSSEC can theoretically support other crypto standards, but the IETF has largely ignored efforts from interested parties to add support for faster and stronger algorithms.

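The “DNS traffic” bullet above (and the earlier remark that classic DNS leans on transaction ID and source port randomization for what little protection it has) is easiest to see on the wire. The following is an added example, not code from the original post or from OpenDNS: it builds a query with a random transaction ID, optionally carrying an EDNS0 OPT record that advertises a larger UDP payload size, and models what a server does when a signed-sized answer exceeds the 512-byte default (truncate and set TC so the client retries over TCP). The answer record, the `example.com` name and the 1472-byte fragmentation threshold (1500-byte Ethernet MTU minus IPv4 and UDP headers) are constructed assumptions for illustration.

```python
import random
import struct

DEFAULT_UDP_MAX = 512          # classic DNS-over-UDP limit (RFC 1035)
IPV4_UDP_PAYLOAD_MTU = 1472    # assumption: 1500-byte MTU minus 20-byte IPv4 and 8-byte UDP headers
FLAG_TC = 0x0200               # "truncated" bit in the DNS header flags
TYPE_OPT = 41                  # EDNS0 OPT pseudo-record type


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(buf, off):
    """Return the offset just past an uncompressed wire-format name starting at off."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1


def build_query(name, qtype=1, edns_udp_size=None, txid=None):
    """Build a query. The random 16-bit transaction ID is, together with source port
    randomization, essentially the only anti-spoofing entropy classic DNS offers."""
    if txid is None:
        txid = random.getrandbits(16)
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(query):
    """Server side: how large may the UDP reply be? 512 unless the query carries an OPT record."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return DEFAULT_UDP_MAX
    off = _skip_name(query, 12) + 4  # past QNAME, QTYPE, QCLASS
    if query[off] == 0 and struct.unpack("!H", query[off + 1:off + 3])[0] == TYPE_OPT:
        return struct.unpack("!H", query[off + 3:off + 5])[0]
    return DEFAULT_UDP_MAX


def make_response(query, rdata_size):
    """Constructed answer: echo the question and attach one synthetic RRSIG-typed record of
    rdata_size bytes, standing in for the bulk that a signed answer carries."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 3600, rdata_size) + b"\x00" * rdata_size
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    return header + question + rr


def fit_response(query, full_response, transport="udp"):
    """What the server actually sends. Over UDP an oversized answer is cut back to the
    question with TC set; the client is then expected to retry over TCP."""
    if transport == "tcp" or len(full_response) <= advertised_udp_size(query):
        return full_response, False
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", full_response[:12])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qdcount, 0, 0, 0)
    return header + full_response[12:_skip_name(full_response, 12) + 4], True


def client_needs_tcp_retry(response):
    """Client side: a TC reply means the UDP answer was incomplete; fall back to TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def simulate(name, rdata_size, edns_udp_size=None):
    """Run one query/answer round trip and report the transport consequences."""
    query = build_query(name, 1, edns_udp_size)
    full = make_response(query, rdata_size)
    sent, truncated = fit_response(query, full)
    return {
        "wire_size": len(full),
        "udp_limit": advertised_udp_size(query),
        "truncated": truncated,
        "tcp_retry": client_needs_tcp_retry(sent),
        "ip_fragmentation": len(full) > IPV4_UDP_PAYLOAD_MTU,  # even with EDNS, big answers fragment
    }


if __name__ == "__main__":
    print("plain DNS, 100-byte rdata: ", simulate("example.com", 100))
    print("plain DNS, 1600-byte rdata:", simulate("example.com", 1600))
    print("EDNS 4096, 1600-byte rdata:", simulate("example.com", 1600, 4096))
```

Running it shows the two failure modes the bullet describes: without EDNS a 1.6 KB answer is truncated and costs a TCP round trip; with EDNS it goes out in one datagram but is larger than the path MTU, so it is fragmented at the IP layer and depends on every middlebox passing fragments.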
So while debate about DNSSEC wears on, we’re excited to announce that OpenDNS has fully adopted another proposed DNS security solution: DNSCurve.

DNSCurve is a recent DNS extension proposal that is fully backwards compatible with the existing DNS protocol, uses much stronger cryptography than DNSSEC, and most importantly, is much simpler and much easier to implement and manage. The most significant technical distinction is that DNSSEC uses large and slow per-recordset signatures while DNSCurve uses small and fast per-packet encryption and authentication.

OpenDNS’s DNS resolvers already fully support DNSCurve today and use it whenever possible. Of course, authoritative servers need to be upgraded to support DNSCurve as well, but it’s our hope that this announcement will help to get the ball rolling on DNSCurve adoption. If you’re an authoritative DNS provider and are interested in deploying DNSCurve, we’re interested in hearing from you.

Editor’s note: Our support for DNSCurve doesn’t prevent our adoption of DNSSEC — they are not mutually exclusive. While we have reservations about DNSSEC, we can and will implement it when we see more demand and traction, but in the meantime, when we see a viable technology that can be quickly implemented to improve security for DNS users, that’s a no-brainer in our book.

41 Comments | Filed in General, Security, Under The Hood

A few months ago we told you about a major milestone for the Domain Tagging system and the OpenDNS community – an impressive 5 million unique domains submitted into the system. And today I’m excited to tell you about another milestone. We now officially have 1 million domains verified in the system. That means they’ve been submitted, tagged, voted on and confirmed. (This is in addition to the millions of domains in the seven Adult categories from our friends at St. Bernard Software.)

When we introduced you to the Domain Tagging system, which powers our Web content filtering service, we explained it was better than any other filtering system for three reasons:

1. It’s more comprehensive. The system has more than 50,000 people submitting and voting on sites. This is in stark contrast to a mere handful of people employed for this job by security companies offering Web content filtering.

2. It’s faster-moving. New Web sites and changes to existing Web sites are constantly being published to the Internet. Other Web content filtering systems update only once nightly, or even less frequently, and therefore fail to catch and categorize everything right away. The OpenDNS community is always adding and tagging sites, so you benefit from real-time updates.

3. It’s free to use. No longer are you forced to pay top dollar to keep your network safe and secure.

I talk to you, our customers and our community, every day and hear how much you value a Web content filtering system that works reliably and keeps the people on your network safe online. Whether it’s businesses, school districts, Managed Service Providers (MSPs), hospitals or households, everyone appreciates the service our community powers and OpenDNS provides.

In the coming months, we’ll be working on improvements to the Domain Tagging System that encourage more voting. Perhaps even some prizes for the most active and accurate voters… But in honor of this milestone, take a few minutes today and vote on some domains. :)

No Comments | Filed in Community, General, Milestones, OpenDNS at school, OpenDNS at Work, Security

Here at OpenDNS we’ve spent the past several months working to keep you safe from the Conficker worm. Using the OpenDNS service is widely considered to be one of the easiest and surest ways to protect your network. And today we roll out a free Conficker detection tool to give you actionable insight into whether or not you have Conficker on your network.

As David mentioned here, we’re in a unique position as your DNS provider of choice to block the worm at the DNS level and prevent it from phoning home. We’re also in a unique position to tell you, based on DNS queries coming from your account, if your network has been infected with Conficker. Log into your OpenDNS account now and you’ll see a banner indicating you either have Conficker or you don’t. This is a tremendously valuable service, and representative of a key innovation on the DNS. If you have friends or colleagues not using OpenDNS yet, we urge you to recommend the service.
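The two mechanisms described above, blocking the worm’s phone-home domains at the resolver and inferring infection from a network’s query stream, can be illustrated in a few dozen lines. This is an added example, not OpenDNS’s code: the blocklist entries are hypothetical names in the reserved `.test` TLD (not real Conficker domains), the sinkhole address is a documentation-range placeholder, the log format is a constructed `timestamp client qname rcode` line, and the “two or more distinct blocked names means infected” threshold is a design choice of this example.

```python
import re
from collections import defaultdict

# Constructed placeholder blocklist: hypothetical names in the reserved .test TLD, not real Conficker domains.
BOTNET_BLOCKLIST = {"qwpzxk.test", "mlrtvq.test", "hgfdsa.test", "zzyyxx.test"}

# Documentation-range address standing in for the resolver's block/sinkhole address (assumption).
SINKHOLE_IP = "192.0.2.1"


def normalize(qname):
    """Trailing dot off, case folded, so log and blocklist entries compare equal."""
    return qname.rstrip(".").lower()


def resolve(qname, blocklist=BOTNET_BLOCKLIST, upstream=lambda q: None):
    """Resolver side: a blocklisted name is answered with the sinkhole address instead of
    the real C&C address, so an infected host cannot phone home. Returns (answer, was_blocked)."""
    q = normalize(qname)
    if q in blocklist:
        return SINKHOLE_IP, True
    return upstream(q), False


# Constructed query log: "<timestamp> <client-ip> <qname> <rcode>", one lookup per line.
SAMPLE_LOG = """\
2009-04-01T00:00:01Z 10.0.0.5 www.example.org. NOERROR
2009-04-01T00:00:02Z 10.0.0.7 qwpzxk.test. NOERROR
2009-04-01T00:00:03Z 10.0.0.7 mlrtvq.test. NOERROR
2009-04-01T00:00:04Z 10.0.0.7 hgfdsa.test. NOERROR
2009-04-01T00:00:05Z 10.0.0.9 mail.example.org. NOERROR
2009-04-01T00:00:06Z 10.0.0.9 ntp.example.org. NOERROR
2009-04-01T00:00:07Z 10.0.0.7 zzyyxx.test. NOERROR
2009-04-01T00:00:08Z 10.0.0.5 hgfdsa.test. NOERROR
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+([A-Z]+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, qname, rcode); malformed lines are dropped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), normalize(m.group(3)), m.group(4)


def classify_clients(log_text, blocklist=BOTNET_BLOCKLIST, min_distinct=2):
    """Per client, collect the distinct blocklisted names it looked up.
    Several distinct C&C names from one host matches the worm cycling through its daily
    domain list, so that host is reported "infected"; a single hit is reported "suspect"
    (it could be a scanner, a security tool, or someone checking a name by hand)."""
    hits = defaultdict(set)
    for _ts, client, qname, _rcode in parse_log(log_text):
        if qname in blocklist:
            hits[client].add(qname)
    report = {}
    for client, names in hits.items():
        verdict = "infected" if len(names) >= min_distinct else "suspect"
        report[client] = (verdict, sorted(names))
    return report


if __name__ == "__main__":
    for client, (verdict, names) in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{client}: {verdict} ({len(names)} blocklisted lookups: {', '.join(names)})")
```

The detection is deliberately conservative: blocking already neutralizes the phone-home, so the report exists to tell an administrator which hosts to clean, and a single blocked lookup is surfaced as a lead rather than a verdict.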

Even though we prevent the worm from phoning home, we advise everyone with Conficker to run the disinfection tool. Microsoft offers a great one here.

Also today we’re sharing data about the geographic distribution of the worm’s C variant to date. This information is based on OpenDNS data alone, so it is not necessarily representative of overall geographic Conficker distribution.

[Figure: geographic distribution of the Conficker C variant, based on OpenDNS data]

We’ll continue blocking Conficker for all of our users, through our on-by-default Botnet Protection feature. And we’ll keep you posted with updates about the virus, if/when we have them, on this blog.

35 Comments | Filed in Announcements, Conficker, General, Security

Editorial note: OpenDNS now provides comprehensive malware and botnet protection for businesses and schools. Learn more.

By now you’ve likely heard the speculation that April 1, April Fools Day, is the date Conficker kicks into action. And unfortunately this isn’t a joke. The virus, also known as Downadup, leverages a known vulnerability in the Windows OS and has the potential to do some serious damage. Some estimates for number of machines infected so far are as high as 15 million. The Internet is abuzz with news about the virus and predictions about what it will do.

As your DNS provider of choice, we’re in a unique and advantageous position to help keep our users safe. OpenDNS has kept our users safe from Conficker for the past several months by blocking the domains it uses to phone home. (We’ve seen lots of you start using our service to protect your networks from the worm.)

The latest variant of Conficker is now churning through 50,000 domains per day in an attempt to thwart blocking attempts. Consider this: at any given time we have filters that hold well over 1,000,000 domains (when you combine our phishing and domain tagging filters). 50,000 domains a day isn’t going to rock the boat.

So here’s our update: OpenDNS will continue to identify the domains, all 50,000, and block them from resolving for all OpenDNS users. This means even if the virus has penetrated machines on your network, it’s rendered useless because it cannot connect back to the botnet. If you want to disinfect your computer we recommend you check out the tools from our friends over at Kaspersky Lab.

If you’re already using OpenDNS, you’re all set. We’re protecting you automatically. If you’re not yet, simply set up a free account here and secure your network.

62 Comments | Filed in Conficker, General, Security
