White House Imposes New Security Mandate for Federal Agencies
The Bush administration has ordered all federal agencies to adopt new measures to shore up the security of government Web sites, setting a January 2009 deadline for implementing the changes across all dot-gov domains.
Agencies will be required to roll out domain name system security extensions (DNSSEC), a set of security add-ons for the domain name system. DNS is a fundamental piece of the Internet infrastructure that acts as a kind of distributed Internet phone book used to route messages between computers.
The trouble with the current implementation of DNS is that it was developed and implemented in an era when the Internet was a much smaller and friendlier place, where the handful of researchers who used the system trusted one another. These days, however, cyber crooks are eager to divert Internet traffic to fraudulent or hostile sites by constantly seeking to poison the DNS records on consumer PCs and at the network level.
DNSSEC seeks to protect Internet users against forged or poisoned DNS data by digitally signing DNS requests. By checking a digital signature, the end-user (or tools built into the browser) can check to make sure that the DNS information was indeed sent by the authoritative DNS server for that domain.
The mandate, issued Friday by the White House Office of Management and Budget, comes amid increased attacks against a pervasive security weakness recently uncovered in DNS. In June, dozens of software vendors released security updates to plug a vulnerability that lets attackers hijack large amounts of Web traffic and redirect it to fraudulent or malicious sites. However, many Internet service providers and companies responsible for maintaining portions of the Internet have yet to apply the fixes, and criminals are beginning to take advantage of the weakness. Meanwhile, new research suggests even the fix for the flaw may also be exploitable.
"The Government's reliance on the Internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise, and loss of the .gov domain space," wrote Karen Evans, administrator of the OMB's Office of E-Government and Information Technology, in a memo to agency chief information officers.
Having DNSSEC in place would make it much harder for hackers to hijack Web traffic destined for dot-gov domains. Marcus Sachs, director of the SANS Internet Storm Center, a Bethesda-based group that tracks hacking trends, said DNSSEC would pave the way for more secure e-government services, particularly with private-sector companies that incorporate the government's digital signatures, such as tax preparation companies that help consumers file their returns with the IRS online.
"That way, the software you use could validate through the digital signature process that you're really filing your taxes at www.irs.gov, and not some scammer site" that has hijacked your computer or ISP's DNS records, Sachs said.
Under the timetable, the federal government will need to develop initial planning drafts by Sept. 5, 2008, and deploy DNSSEC to the top-level dot-gov domain by next January. Agencies will need to have the system rolled out entirely to all second-level domains beneath dot-gov by Dec. 2009.
August 27, 2008; 11:00 AM ET
Categories: New Patches, U.S. Government