Weekly podcast: ICANN, DNS and DNSSEC; credential stuffing; password managers; and EDPS report

This week, we discuss ICANN’s warning about DNS attacks, the extent of credential stuffing attacks on the retail sector, password managers’ responses to recent research into security flaws, and the European Data Protection Supervisor’s annual report for 2018.

Hello, and welcome to the IT Governance podcast for Thursday, 28 February 2019. Here are this week’s stories.

Last Friday, the Internet’s domain overseer ICANN (the Internet Corporation for Assigned Names and Numbers) warned of “an ongoing and significant risk” to key parts of the DNS (Domain Name System) infrastructure – the mechanism by which domain names are resolved into IP addresses.

DNS attacks allow miscreants to intercept and redirect web traffic, and ICANN isn’t the first to observe that they have been on the rise in recent months. As regular listeners will remember, last month researchers from FireEye warned of a wave of DNS attacks on “dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America”, which could be associated with Iran. Cisco’s Talos Intelligence Group dubbed the attacks DNSpionage (nice).

The US Department of Homeland Security, meanwhile, issued an Emergency Directive, setting out a series of “Required Actions” for all federal agencies to help prevent DNS hijacking.

According to ICANN, the solution is for domain owners to use DNSSEC (or DNS security extensions), “a technology developed to protect against [unauthorized changes to the delegation structure of domain names] by digitally ‘signing’ data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS,” ICANN says, “when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected”.

However, according to an in-depth article about the attacks written by Brian Krebs, DNSSEC uptake remains sluggish, with only about 20% of the world’s major networks and websites having enabled it. Moreover, Mr Krebs says, organisations “tend to take much of their DNS infrastructure for granted”, with relatively few logging their DNS traffic or monitoring changes made to their domain records.
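As an added illustration of the monitoring gap Krebs describes (example code, not from the podcast, ICANN or Krebs): a small baseline-diff check over a domain's delegation records that flags altered NS/A records and the absence of a DS record, the parent-zone record a validating resolver needs before DNSSEC can detect tampering. The record values are constructed sample data rather than fetched from a resolver.

```python
"""Detect unauthorised changes to a domain's delegation records.

Added example (not from the podcast or ICANN): compares a stored
baseline of DNS records against a fresh snapshot and reports the
differences, plus a warning when no DS record is present. Both
snapshots are constructed; a real deployment would fill them from
resolver queries on a schedule and alert on any non-empty result.
"""
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]   # record type -> set of record values

# Constructed baseline, captured when the domain was known-good.
BASELINE: Snapshot = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
    "DS": set(),                      # hypothetical zone without DNSSEC
}

# Constructed "current" snapshot: one NS and the A record have changed.
CURRENT: Snapshot = {
    "NS": {"ns1.example-dns.net.", "ns-rogue.example.org."},
    "A": {"198.51.100.7"},
    "MX": {"10 mail.example.com."},
    "DS": set(),
}

DELEGATION_TYPES = ("NS", "A", "MX", "DS")


def diff_records(baseline: Snapshot, current: Snapshot) -> List[str]:
    """Return one alert line per changed record type, plus a DS warning."""
    alerts: List[str] = []
    for rtype in DELEGATION_TYPES:
        before = baseline.get(rtype, set())
        after = current.get(rtype, set())
        added = sorted(after - before)
        removed = sorted(before - after)
        if added or removed:
            alerts.append(f"{rtype} changed: +{added} -{removed}")
    # Without a DS record in the parent zone there is no DNSSEC chain of
    # trust, so validating resolvers cannot detect altered answers.
    if not current.get("DS"):
        alerts.append("DS missing: DNSSEC not enabled for this zone")
    return alerts


if __name__ == "__main__":
    for line in diff_records(BASELINE, CURRENT):
        print(line)
```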

We often talk about the perils of password reuse. This week, Akamai’s newly released 2019 State of the Internet report has highlighted the effect of credential stuffing attacks – in which criminals try to access other services by bombarding them with username and password combinations compromised in other data breaches.

According to the report, the retail sector is the worst hit, suffering nearly 28 billion credential stuffing attempts between May and December last year – equivalent to more than 115 million attempts every day.

Given the fact that the darknet is now awash with massive collections of stolen credentials, it is relatively easy for criminals to successfully use all-in-one bots to automate account takeovers and make unauthorised purchases. According to Akamai, “The only way to stop these types of attacks is to get better at detection and mitigation when it comes to the bots themselves, and to focus on keeping users from sharing credentials between websites. As long as passwords are recycled, credential stuffing and [account takeovers] will continue to be a steady criminal enterprise.”
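To make the bot-detection side of Akamai's advice concrete, here is an added example (not from Akamai's report or the podcast) of the pattern a credential-stuffing run leaves in an authentication log: many failed logins for many different usernames from one source in a short window, which a human retrying a single account does not produce. The log format, addresses and thresholds are constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs (added example,
not from Akamai's report). A stuffing bot produces failed logins for many
*different* usernames from one source in a short window, unlike a human
retrying one account. Log format, IPs and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2019-02-28T10:00:01Z 198.51.100.23 alice FAIL
2019-02-28T10:00:02Z 198.51.100.23 bob FAIL
2019-02-28T10:00:02Z 198.51.100.23 carol FAIL
2019-02-28T10:00:03Z 198.51.100.23 dave FAIL
2019-02-28T10:00:04Z 198.51.100.23 erin OK
2019-02-28T10:00:05Z 198.51.100.23 frank FAIL
2019-02-28T10:00:10Z 203.0.113.5 alice FAIL
2019-02-28T10:00:20Z 203.0.113.5 alice OK
"""
Event = Tuple[datetime, str, str, str]   # (time, source ip, user, result)

def parse(log: str) -> List[Event]:
    """Parse constructed 'timestamp ip user RESULT' lines, sorted by time."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def detect_stuffing(log: str, window: timedelta = timedelta(minutes=1),
                    min_users: int = 5) -> Dict[str, Dict[str, int]]:
    """Return {ip: {users, fails, hits}} for sources that tried at least
    min_users distinct usernames inside one sliding window. 'hits' counts
    successes, i.e. probable account takeovers worth forcing a reset on."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse(log):
        by_ip[ev[1]].append(ev)
    suspects: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= min_users:
                suspects[ip] = {"users": len(users),
                                "fails": sum(e[3] == "FAIL" for e in span),
                                "hits": sum(e[3] == "OK" for e in span)}
    return suspects
```

Only the bot source is flagged; the second address, one user retrying, stays below the threshold however many times it fails.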

An easy way to avoid recycling passwords is to use a password manager.

Talking of password managers, in last week’s podcast, I mentioned research into security flaws affecting 1Password, KeePass, LastPass and Dashlane. The companies have since commented on the issue – which turns out to have been rather less of a threat than it first seemed.

1Password’s Chief Defender Against the Dark Arts, Jeffrey Goldberg, told The Register: “This is a well-known issue that’s been publicly discussed many times before, but any plausible cure may be worse than the disease.

“Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly.

“Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision. The realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer.”

KeePass told ZDNet that the researchers had found “a well-known and documented limitation of the process memory protection”. Indeed, the company’s security guidelines explain that “For some operations, KeePass must make sensitive data available unencryptedly in the process memory.”

ZDNet also reports that LastPass’s CTO Sandor Palfy said that the vulnerability accounted for less than 0.2% of LastPass usage and that it had patched the issue.

And, according to threatpost, Dashlane’s CEO Emmanuel Schalit said: “We respectfully disagree with the researcher’s claim that this can be truly fixed by Dashlane, or anyone for that matter. Once the operating system or device is compromised, an attacker will end up having access to anything on the device and there is no way to effectively prevent it. There are solutions that amount to ‘putting the information under the rug’ but any attacker sufficiently sophisticated enough to remotely take control of the user’s device would go around these solutions very easily.”

Finally, the European Data Protection Supervisor, Giovanni Buttarelli, has released his annual report for 2018, and every indication is that organisations across the EU are struggling to meet the EU GDPR’s requirements. In his foreword, he comments: “So far, rather than adapting their way of working to better protect the interests of those who use their services, companies seem to be treating the GDPR more as a legal puzzle, in order to preserve their own way of doing things.”

The UK’s exit from the European Union is now only four weeks away and the possibility of no deal still hangs over us. If we do leave the EU without a deal – and there is therefore no transition period – then a new data protection regime will apply in the UK from 29 March: the UK GDPR. Its requirements are pretty much the same as those of the EU GDPR – it’s basically just an amended version of the Regulation that will work in a UK context – but there are certain things UK organisations will need to do if they process data on behalf of organisations in the European Economic Area. There isn’t time to go into it all now, but you can find out all about it, and the EU GDPR, the UK Data Protection Act 2018 and other relevant data protection regimes on our website at itgovernance.co.uk/data-protection.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.