When you type a website address into your browser, you expect that it will take you to the site you’re trying to visit. Increasingly, however, criminals and even state-backed hackers are using a technique known as DNS hijacking to trick browsers onto false websites.
Every website has both a name and a number. When we type a website address (domain name) into our browsers, our computers use that domain name to look up the corresponding number (internet protocol, or IP, address) in a series of virtual phonebooks called the domain name system (DNS). When you enter the domain name for your bank into the browser, the DNS points your browser to the unique number assigned to that name. That takes you to your bank’s website, where you can safely log in.
The problem is, attackers have found ways to (at least temporarily) rewrite the DNS phonebook, or to hand your computer a different phonebook altogether: either by changing the records held at the domain’s registrar or DNS hosting provider, or by pointing your devices at a resolver they control. Either way, browsers are fooled into visiting the wrong number, and that means the attackers can send you anywhere they like—including to a website which looks just like your bank’s website, so that they can capture your credentials (user name, password and other personal data) when you log in.
The DNS is being maliciously manipulated to fool, cheat or steal from us. It can be an enabler for surveillance, and it can be turned into a weapon against us.
In January 2019, reports were published by technology security companies, such as FireEye and CrowdStrike, detailing widespread malicious manipulation of the DNS to enable criminal activities. Cisco’s Talos research organisation has identified manipulation of the DNS in a widespread cyber espionage campaign, known as DNSpionage. According to Brian Krebs at Krebsonsecurity.com, in the last few months of 2018 over 50 Middle Eastern companies and government agencies were compromised during the DNSpionage attacks, including some associated with the Egyptian Ministry of Defense and the National Security Advisory of Iraq.
In an emergency directive posted on 22 January (Emergency Directive 19-01), the US Department of Homeland Security told federal agencies to ‘mitigate DNS infrastructure tampering’ within 10 days to ‘address the significant and imminent risks to agency information and information systems’. Notably, the actions the directive required were not about DNSSEC: agencies were told to audit their DNS records for unauthorised changes, change the passwords on the accounts used to manage those records, add multi-factor authentication to those accounts, and monitor certificate transparency logs for certificates issued for their domains without their knowledge.
A month later, on 22 February, in light of what it described as ‘a pattern of multifaceted attacks,’ one of the key global governing bodies for the internet, ICANN (the Internet Corporation for Assigned Names and Numbers), called for immediate action to secure the DNS on a global scale: ‘The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet.’ ICANN is asking network infrastructure administrators to deploy DNS security standards with urgency. The standard ICANN calls for is DNSSEC, which lets the operator of a domain digitally sign its DNS records so that a validating resolver can detect and reject forged or tampered answers. It is worth being precise about what that covers: DNSSEC protects the integrity of answers in transit and in caches, but it cannot stop an attacker who has stolen the registrar or hosting credentials used to edit the records themselves, which is the route the attacks reported in January took. Although DNSSEC won’t mitigate all threats, it will raise the overall level of defence.
Worldwide adoption of DNSSEC has, in the words of Techcrunch, been ‘glacial’: statistics from various sources indicate that less than 20% of the world’s major networks or websites have this standard enabled. That matters because DNSSEC only delivers its benefit when both halves are deployed: the domain’s zone must be signed, and the resolver answering the user’s lookup must validate those signatures. A signed zone queried through a non-validating resolver is no safer than an unsigned one.
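To make the distinction between a signed zone and a validated answer concrete, here is an added example (not from the original article) of what a client can actually read out of a DNS response: a small parser for the DNS wire format that reports whether the resolver set the Authenticated Data (AD) flag, whether the answer carries RRSIG signature records at all, and whether the resolver refused a bogus answer with SERVFAIL. It uses only the Python standard library; the responses it inspects are constructed in the block (the domain bank.example, the address 192.0.2.10 and the zeroed RRSIG are placeholders, not captured traffic).

```python
# Added example, not from the article: a minimal DNS wire-format parser that
# reports what a DNSSEC-aware client can learn from a response. Standard
# library only; the responses below are constructed test data, not captured traffic.
import struct

TYPE_A, TYPE_RRSIG = 1, 46
RCODE_SERVFAIL = 2
FLAG_AD = 0x0020  # Authenticated Data: set by a validating resolver


def _encode_name(name):
    """Encode 'bank.example.' as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bounded: a malicious message must not loop forever
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Parse header, question and all resource records of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE, QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, rtype, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"id": ident, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "records": records}


def a_records(msg):
    """Dotted-quad IPv4 addresses carried in the message, in order."""
    return [".".join(str(b) for b in rd) for _, t, rd in parse_response(msg)["records"]
            if t == TYPE_A and len(rd) == 4]


def dnssec_status(msg):
    """What this response tells a client about DNSSEC."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_SERVFAIL:
        return "bogus"  # a validating resolver answers SERVFAIL when signatures fail
    if r["ad"]:
        return "validated"  # resolver checked the signature chain up to the root
    if any(t == TYPE_RRSIG for _, t, _ in r["records"]):
        return "signed-unvalidated"  # zone is signed, but this resolver did not validate
    return "unsigned"  # nothing to check; a forged answer looks exactly the same


def build_response(qname, ip, ad=False, signed=False, rcode=0):
    """Construct a minimal A response (test data; the RRSIG is a zeroed placeholder)."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode  # QR, RD, RA
    rrs = []
    if rcode == 0:
        rrs.append(_encode_name(qname) + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
                   + bytes(int(x) for x in ip.split(".")))
        if signed:
            # RRSIG RDATA: type covered, algorithm (13 = ECDSAP256SHA256), labels, original
            # TTL, expiration, inception, key tag, signer name, signature (zeroed placeholder)
            rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
                     + _encode_name(qname) + bytes(64))
            rrs.append(_encode_name(qname) + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(rrs)


if __name__ == "__main__":
    for kw in ({"ad": True, "signed": True}, {"signed": True}, {}, {"rcode": RCODE_SERVFAIL}):
        msg = build_response("bank.example.", "192.0.2.10", **kw)
        print(dnssec_status(msg), a_records(msg))
```

Two caveats worth keeping in mind when reading the output. First, ‘unsigned’ is what the large majority of zones look like today, which is the adoption gap the article describes: with no RRSIG present there is nothing for a resolver to check, and a hijacked answer is indistinguishable from a genuine one. Second, the AD flag is only evidence of validation if the path to the resolver is itself trusted (a validating resolver on the local machine, or one reached over DNS over TLS or HTTPS); in a plain UDP response it is just a bit that anyone able to spoof the answer can also set.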
The trouble with deploying DNSSEC is not so much technical complexity or cost implications—rather, it’s that most of us are not aware of or concerned enough about the situation to demand its protection.
Even those who are concerned about this online criminal activity aren’t marching in the streets to insist it be stopped—but perhaps they should be.
Countries that seem to be leading the way with DNS security have deployed a government strategy of ‘lead by example’, circumventing the need to drum up public concern. In its 2012 information security action plan, Sweden stated that it aimed to introduce DNSSEC into the majority of public organisations by the end of 2014. Sweden now reports one of the highest levels of DNSSEC deployment overall. Earlier this month, the Australian Signals Directorate issued a tender for ‘Protective DNS for the Australian Cyber Security Centre’. Protective DNS is a different control from DNSSEC: a resolver that refuses to answer queries for known-malicious domains. It blocks some phishing and malware traffic, but it does not verify that the answers it does give are authentic. While the tender indicates an awareness of the urgency of protecting the DNS, there remains no government-sponsored drive to increase DNSSEC adoption in Australia.
It’s time for government agencies to take the lead to advocate, support and encourage adoption of secure internet standards in Australia. The DNS needs to be secured before our trusted online destinations become the victims of hijack—or, worse still, fall foul of a weaponised attack on the heart of the internet infrastructure.