Robert Siciliano Identity Theft Expert
Over the last decade we have seen technological breakthroughs unlike any other. In response we have seen a tremendous rise in fraud. The reason? The speed of the conveniences technology provides has far outpaced the security of that technology.
Cyberwar: In February 2000, a Canadian teenager known as Mafiaboy used automated floods of incomplete Internet traffic to cause several sites, including Amazon, CNN, Dell, eBay, and Yahoo, to grind to a halt, in what is called a distributed denial of service attack.
Malware: Viruses and worms have always been around, but in the summer of 2001 one aggressive worm threatened to shut down the official White House Website.
MySpace, Facebook, and Twitter Attacks: At the beginning of the decade, security experts at businesses had to struggle with employees’ use of instant messaging from AOL, Webmail from Yahoo, and peer-to-peer networks. These applications poked holes in corporate firewalls, opening various ports that created new vectors for malware.
Organized Viruses and Organized Crime: After the Melissa virus struck in 1999, e-mail-borne viruses peaked the following year with ILOVEYOU, which clogged e-mail servers worldwide within 5 hours. (See “The World’s Worst Viruses” for more about a clutch of the decade’s early offenders.)
Botnets: With the financial backing of organized crime syndicates came widespread and clever innovations in malware.
Albert Gonzalez: It wasn’t organized crime but rather a confederacy of criminals that caused some of the largest data breaches of the last few years, attacks that victimized Dave & Buster’s, Hannaford Brothers, Heartland Payment Systems, and TJX, to name just a few.
Gone Phishing: More effective than spam, yet short of a full-blown data breach, is phishing. The idea here is that a creatively designed e-mail can lure you into visiting a believable-looking site designed solely to steal your personal information.
Old Protocol, New Problem: Behind the Internet are protocols, some of which today perform functions far beyond what they were originally designed to do. Perhaps the most well-known of the overextended protocols is the Domain Name System (DNS), which, as IOActive researcher Dan Kaminsky explained in 2008, could be vulnerable to various forms of attack, including DNS cache poisoning.
Microsoft Patch Tuesdays: A decade ago, Microsoft released its patches only as needed. Sometimes that was late on a Friday afternoon, which meant that bad guys had all weekend to reverse-engineer the patch and exploit the vulnerability before system administrators showed up for work on Monday.
Paid Vulnerability Disclosure: Independent researchers have debated for years whether to go public with a newly found flaw or to stay with the vendor until a patch is created.
Protect your identity. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)
Robert Siciliano identity theft speaker discussing credit card fraud on CNBC
1 user commented on “PC World’s Top 10 Security Nightmares of the Decade”
Robert Siciliano tells us the “last decade has seen technological breakthroughs unlike any other”. This is true. Siciliano also reminds us our technological success has resulted in a tremendous rise in fraud. I completely agree with him. The reason, he argues in his article, is that the “speed of the conveniences technology” provides has “far outpaced the security” measures in place today. Again, very bang on.
But this claim could be subject to some interpretation that at one time our security outpaced or was even better than the available technology. The historical truth is that security has always lagged behind technology. And much of that is due to a lack of education amongst the masses. But the simple truth of it is that much of the insecurity in the Internet is due to a lot of twits who run the Internet and have an interest in maintaining and controlling the status quo.
Mr. Siciliano provides an excellent example of this in his article when he discusses the DNS vulnerability alleged to have been discovered by IOActive researcher Dan Kaminsky. Kaminsky is credited with the identification in 2008 of a DNS vulnerability to various forms of attack, including cache poisoning.
This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing, well-known problem as his own.
Also, the DNS protocol is not vulnerable in itself, nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case the fault is in the UDP protocol.
This problem has existed for at least 15 years. I remember it existed in the 1990s when I was commissioned to investigate vulnerabilities in military DNS servers. So the Kaminsky claim that he discovered anything significant is simply untrue. The Kaminsky affair was more a co-ordinated marketing effort to scare business into adopting a protocol that reverse engineers the Internet in an effort to centralize control of the DNS protocol in the root servers operated by the U.S. government through ICANN, its contractor.
That protocol, DNSSEC, has been actively marketed as the solution to the Kaminsky cache poisoning problem. DNSSEC addresses the problem by inserting encryption keys into the DNS that establish a chain of trust from domain names to the root servers operated by the U.S. government. This places a significant amount of control in the hands of one government authority.
DNSSEC will also cost business a fortune to adopt. It has already cost the U.S. government a pretty penny to adopt the protocol for use in the .GOV top-level domain.
Under DNSSEC, Internet DNS traffic is expected to increase exponentially, as every DNS answer must contain encryption key information.
Furthermore, DNSSEC does not actually fix the problem. The issue, as mentioned above, is a problem with the UDP protocol and verifying that the DNS information your system requested originated from the machine you requested it from. The centralization of DNS encryption keys in the root is a very expensive process that is simply not needed.
To fix the UDP problem, one only has to ensure that the answers come from the server we are communicating with. Since UDP, unlike the TCP protocol, has no handshaking capabilities, one simply fixes the problem by incorporating a handshaking protocol within UDP and DNS that confirms the server we are getting answers from is the server we originally communicated with.
A solution to this problem is available and was developed a few years ago by Dr. Bernstein at the University of Illinois at Chicago. It’s called DNSCurve and fixes the problem through a simple key exchange between DNS servers without having to hand over control of the DNS to a central authority like the U.S. government.
For more information on DNSCurve check out the following URL:
http://bit.ly/pJVq4
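The check the comment above describes, verifying that a UDP answer really belongs to the question we sent, as an added example that is not part of the post or the comment: a stub resolver accepts a reply only when its source address, transaction ID and question section all match the outstanding query, which is the matching that plain DNS relies on before any DNSSEC or DNSCurve cryptography is added. The function names, the pending-query dictionary and the 192.0.2.53 server address are assumptions for this example.

```python
import secrets
import struct

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(pkt, off):
    """Decode an uncompressed name at offset off; return (name, next_offset)."""
    labels = []
    while True:
        n = pkt[off]                      # raises IndexError on a truncated packet
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n

def build_query(qname, qtype=1):
    """Build a recursive query with an unpredictable 16-bit ID; return (txid, packet)."""
    txid = secrets.randbelow(1 << 16)     # the only per-query secret in plain DNS
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def reply_for(query, txid=None):
    """Constructed sample: echo a query back as a response (QR bit set, same question)."""
    orig_id = struct.unpack("!H", query[:2])[0]
    new_id = orig_id if txid is None else txid
    return struct.pack("!HH", new_id, 0x8180) + query[4:]

def accept_reply(pending, reply, src):
    """Accept a UDP reply only if it came from the (ip, port) we sent the query to
    and its ID and question match the outstanding query.
    pending = {"txid": int, "qname": str, "qtype": int, "server": (ip, port)}."""
    if src != pending["server"] or len(reply) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if txid != pending["txid"] or not flags & 0x8000 or qdcount != 1:
        return False                      # wrong ID, not a response, or odd question count
    try:
        name, off = decode_name(reply, 12)
        qtype, qclass = struct.unpack("!HH", reply[off:off + 4])
    except (IndexError, struct.error, UnicodeDecodeError):
        return False                      # truncated or malformed question section
    expected = (pending["qname"].rstrip(".").lower(), pending["qtype"], 1)
    return (name.lower(), qtype, qclass) == expected
```

Matching on the transaction ID and the source port is all that plain DNS offers against a forged answer, and that is the gap both DNSSEC and DNSCurve close with cryptography rather than with more matching.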