Recently in DNS Category


Banking Using Live CD



Brian Krebs of Security Fix at the Washington Post advises business users to use Live CD operating systems to perform online banking. Live CD distributions are generally free, Linux-based operating systems that one can download and burn to a CD-ROM.

This allows the user to boot the operating system off the CD. Everything runs in memory, and when you're done with your transactions, nothing that was performed remains on any disk. The advice is to use the Live CD only for online banking transactions and not to visit other sites.

Brian Krebs also points out that this is not only his recommendation but also the recommendation of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

I just want to point out that you need to be sure where you are acquiring these distributions. Simply obtaining one from a download or from an expert does not verify the validity of the distribution; make sure that you can verify the distribution before running it.
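One way to check a downloaded Live CD image against the checksum list its distributor publishes, as an added example that is not from the original post. The file name `livecd.iso` and the sample bytes are constructed; the checksum list is assumed to be in the coreutils `sha256sum` format.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")

def parse_sums(text):
    """Parse coreutils-style lines: '<hex>  name' (text) or '<hex> *name' (binary)."""
    sums = {}
    for line in text.splitlines():
        digest, sep, rest = line.strip().partition(" ")
        if not sep or len(digest) != 64 or not set(digest) <= HEX:
            continue  # blank line, comment, or not a SHA-256 entry
        sums[rest[1:]] = digest.lower()  # drop the mode character (' ' or '*')
    return sums

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a full-size ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' for image_path against sums_text."""
    expected = parse_sums(sums_text).get(os.path.basename(image_path))
    if expected is None:
        return "unlisted"  # no entry for this file: treat as unverified, not as valid
    actual = sha256_file(image_path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    # Constructed stand-in for a downloaded ISO and its published checksum list.
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "livecd.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes")
        sums = hashlib.sha256(b"constructed image bytes").hexdigest() + " *livecd.iso\n"
        before = verify_image(iso, sums)
        with open(iso, "ab") as f:
            f.write(b"\x00")  # simulate a tampered or corrupted download
        return before, verify_image(iso, sums)

if __name__ == "__main__":
    print(demo())
```

A matching hash only proves the image matches the list, so the list itself has to come from a trusted source, for example by checking the distributor's detached signature on it with `gpg --verify`.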

A response noted by "neversaylie"
"Some Windows malware perform DNS spoofing/ARP poisoning/DHCP spoofing, so even a LiveCD won't help you if you're on a network with some infected Windows machines."

So if you are using a Live CD but your DNS or DHCP servers are spoofing IPs, you're still resolving fake addresses for your online banking institution and are not free of man-in-the-middle attacks.

Avoid Windows Bank on Live CD



The recent distribution of the D-Link firmware to thwart malicious attacks has additional issues. Read more at:

ZDNet May 12th Report on D-Link add CAPTCHA to home routers and

Hack-A-Day D-Link-adds-Captcha-to-Routers

According to SourceSec Security Research, the attack works like this:

1. Malware loads the router's index page and gleans the salt generated by the router.
2. The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
3. The malware sends the hash to the post_login.xml page.
4. The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
5. The attacker uses WPSpy to detect when the victim's router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.

Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page.
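A resolver-side check for the anti-DNS pinning (DNS rebinding) vector described above, as an added example that is not from the original post or from SourceSec. It scans DNS answer logs for outside names that resolve to internal addresses; the log format, host names, addresses and the list of local suffixes are all constructed assumptions.

```python
import ipaddress

# Constructed resolver log lines: "<time> <client> <qname> <A|AAAA> <answer>"
SAMPLE_LOG = """\
2009-05-20T10:00:01 192.168.0.23 www.bank.example A 93.184.216.34
2009-05-20T10:00:02 192.168.0.23 promo.untrusted.example A 93.184.216.34
2009-05-20T10:00:05 192.168.0.23 promo.untrusted.example A 192.168.0.1
2009-05-20T10:00:07 192.168.0.23 router.lan A 192.168.0.1
2009-05-20T10:00:09 192.168.0.23 cdn.static.example AAAA ::ffff:10.0.0.1
"""

LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones

def is_internal(ip_text):
    """True for private, loopback or link-local addresses (raises ValueError on junk)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_rebinding(log_text, local_suffixes=LOCAL_SUFFIXES):
    """Flag non-local names answered with internal addresses.

    'flipped' marks names that earlier resolved to a public address, which is
    the pattern a browser sees when its DNS pin is broken mid-session.
    """
    seen_public = set()
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
            continue  # not an address record in the assumed format
        when, client, qname, _rtype, answer = parts
        qname = qname.lower().rstrip(".")
        try:
            internal = is_internal(answer)
        except ValueError:
            continue  # unparsable answer field
        if not internal:
            seen_public.add(qname)
        elif not qname.endswith(local_suffixes):
            findings.append({"time": when, "client": client, "name": qname,
                             "answer": answer, "flipped": qname in seen_public})
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

Resolvers can enforce the same rule instead of only logging it; dnsmasq's `stop-dns-rebind` option, for instance, rejects upstream answers that fall in private address ranges.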

See these additional articles:

How DNS Pinning Works and why my router was not effective

DNS Pinning Death by 1000 Cutts

07 BlackHat Presentation on DNS Pinning


May 21st 2009: ICANN published its 2009-2012 Strategic Plan.

"Security, stability and resiliency will remain a top priority and ICANN will work effectively with other Internet stakeholders to enhance and protect the security and stability of the Internet, paying particular attention to ICANN's mission to protect the security, stability and resiliency of the Internet's systems of unique identifiers."

ICANN is moving forward with its commitment to enhance DNS security through DNSSEC, working with Verisign and the NTIA on implementing root-level resource public key infrastructure practices in the Top Level Domain (TLD) community. ICANN has been working with the Internet registries using DNSSEC to sign the reverse parts of the Internet tree in an effort to authenticate IP addressing and border gateway routes through rPKI.

ICANN is investigating implications for the root server system as a whole, with regard to a series of potential changes within the DNS including the implementation of new gTLDs and IDNs, along with possible implementation of DNSSEC signing of the root zone over the following 18 months. Their report on this study is expected September 2009.

ICANN staff plans to work with the Software Engineering Institute (SEI) at Carnegie Mellon University to leverage the SEI Resiliency Engineering Framework (REF) to ensure its security, continuity and risk management programs incorporate best practices, and to measure improvements to maturity over time.

For the complete Plan Draft view:

Security, Stability and Resiliency Program

The international community is calling for more international control of ICANN. I don't know what the international response will be to ICANN's design plans for 2009-2012. There are a lot of outreach programs listed in this document to international country code top level domain operators and registries, but I don't know if this design will be enough to satisfy the international community's request for more control.


ICANN is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet's unique identifiers. ICANN also operates IANA, the Internet Assigned Numbers Authority, which is the global authority for the DNS root, IP addressing, and other Internet protocol resources.

Yesterday the EU Commissioner for Information Society and Media said that this fall, when the current contractual relationship between ICANN and the US Dept. of Commerce ends, ICANN should report to a new G-12 Internet Governance group composed of representatives from all the major continents. There has been speculation that ICANN will end up under the authority of the United Nations, although the commissioner feels that decisions on Internet governance should be more expedient and have a less formal international forum.

EU Commissioner for Information Society and Media Viviane Reding's view on ICANN.

Read public comments on the NTIA website (the NTIA is under the authority of the US Dept. of Commerce) about ICANN privatization from Feb. 2008 and the Midterm Review of the Joint Project between the NTIA and ICANN
The JPA (Joint Project Agreement) between the NTIA and ICANN

Recently, some have come to believe that the Rockefeller-Snowe Cybersecurity Act would provide for authoritarian control over Internet connectivity.
Internet Governance Project comments on Internet Authoritarian fears, which may be the reason the EU is calling for ICANN's G-12 Internet authority group.

Notice of Inquiry - Assessment of the Transition of Technical Coordination and Management of the Internet Domain Name and Addressing System. The NTIA seeks comment regarding the upcoming expiration of the Joint Project Agreement (JPA) with the Internet Corporation for Assigned Names and Numbers (ICANN). This agreement has been in existence since November 25, 1998, and is scheduled to expire on September 30, 2009.

Comments may be submitted electronically to: DNSTransition@ntia.doc.gov
Comments will be posted to NTIA's website at http://www.nitia.doc.gov/comments/2009/dnstransition

Why is DNS broken in Plain Language. ICANN explains why the Domain Name System (DNS) is vulnerable to attack, and why that is important, without needing a computer science degree to understand it.

DNS Vulnerability Presentation

© 2010 netForensics, Inc