Approximately 40% of US federal government agencies are out of compliance with a regulation that requires them to deploy an extra layer of authentication on their websites to prevent hackers from hijacking web traffic and redirecting it to bogus sites.
It's been more than two years since federal agencies were required to support DNS Security Extensions (DNSSEC) on their websites. However, two recent studies indicate that around 40% of federal websites have not yet deployed this Internet security standard.
Laggards on adopting this Internet security standard include the Department of Defense and the Central Intelligence Agency, experts say.
DNSSEC addresses what's called the Kaminsky vulnerability, a fundamental flaw in the DNS disclosed in 2008 that makes cache poisoning attacks practical: an attacker feeds forged answers to a DNS resolver so that traffic meant for a legitimate website is redirected to a fake one without the site operator or the end user noticing. DNSSEC defeats such attacks by having zone operators digitally sign their DNS records, so that a validating resolver can use public-key cryptography to verify that the mapping from a domain name to its IP address really came from the zone's owner and has not been altered in transit.
It protects against this kind of man-in-the-middle redirection only when every level of the DNS hierarchy involved supports the standard: the root zone, the top-level domain such as .gov, and the individual site's zone, such as irs.gov for www.irs.gov. The root zone and the .gov domain are already cryptographically signed, so it is now up to individual government sites to deploy DNSSEC and complete the chain of trust for name resolution of government websites.
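To make the chain of trust concrete, here is a small Python model of a validating resolver walking from the root through .gov down to www.irs.gov. It is an added example, not code from the article or from any vendor or agency it mentions. The keys, the addresses and the zone name agency.gov are constructed, and textbook RSA over fixed Mersenne primes stands in for the RSA/SHA-256 signatures real DNSSEC uses (no padding, no proper key generation, not for production). The model shows the outcomes a practitioner cares about: a fully signed chain validates as secure; an unsigned agency zone under a signed .gov is merely "insecure", meaning the answer is accepted but unverified and therefore still poisonable; a poisoned A record in a signed zone is rejected as "bogus"; and a key rollover performed before the parent publishes the matching DS record also fails as "bogus".

```python
"""Toy DNSSEC chain-of-trust walk (constructed example; textbook RSA stands in for RSA/SHA-256)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

E = 65537  # public exponent of every toy key
M = lambda k: (1 << k) - 1  # Mersenne primes 2^k-1 for the k used below (public, made-up key material)

class Key:
    """Textbook RSA key pair, no padding: a stand-in for a zone's signing key."""
    def __init__(self, p: int, q: int) -> None:
        self.n, self.d = p * q, pow(E, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), self.d, self.n)

def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def ds_digest(n: int) -> str:  # what a parent publishes in its DS record: a hash of the child's DNSKEY
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()

def canonical(zone: str, rr: str, value: str) -> bytes:
    return f"{zone}|{rr}|{value}".encode()

@dataclass
class Zone:
    name: str
    records: dict[str, str]                    # "owner/TYPE" -> value
    dnskey: int | None = None                  # public modulus; None while the zone is unsigned
    rrsig: dict[str, int] = field(default_factory=dict)

def sign_zone(zone: Zone, key: Key) -> None:
    """Publish the DNSKEY and sign every record: what a compliant agency has done."""
    zone.dnskey = key.n
    zone.records[f"{zone.name}/DNSKEY"] = str(key.n)
    zone.rrsig = {rr: key.sign(canonical(zone.name, rr, v)) for rr, v in zone.records.items()}

def verified(zone: Zone, rr: str) -> str | None:
    """The record's value only if its RRSIG verifies under the zone's own DNSKEY."""
    value, sig = zone.records.get(rr), zone.rrsig.get(rr)
    if value is None or sig is None or zone.dnskey is None:
        return None
    return value if verify(zone.dnskey, canonical(zone.name, rr, value), sig) else None

def chain_for(name: str, zones: dict[str, Zone]) -> list[str]:
    """Zones from the root down to the closest one enclosing `name`."""
    labels = name.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    return ["."] + [s for s in suffixes if s in zones]

def validate(name: str, rr: str, zones: dict[str, Zone], root_ds: str) -> tuple[str, str | None]:
    """Walk the chain like a validating resolver: ("secure" | "insecure" | "bogus", value)."""
    chain = chain_for(name, zones)
    expected_ds = root_ds  # trust anchor: digest of the root key, configured in the resolver
    for i, zname in enumerate(chain):
        zone = zones[zname]
        # The key a zone serves must be the one its parent (or the anchor) vouches for.
        if zone.dnskey is None or ds_digest(zone.dnskey) != expected_ds:
            return "bogus", None
        if verified(zone, f"{zname}/DNSKEY") is None:
            return "bogus", None
        if i + 1 < len(chain):
            child = chain[i + 1]
            if f"{child}/DS" not in zone.records:
                # Unsigned delegation: the answer is accepted but unverified, i.e. as forgeable as ever.
                return "insecure", zones[chain[-1]].records.get(f"{name}/{rr}")
            expected_ds = verified(zone, f"{child}/DS")
            if expected_ds is None:
                return "bogus", None
    value = verified(zones[chain[-1]], f"{name}/{rr}")
    return ("secure", value) if value is not None else ("bogus", None)

def build_sample() -> tuple[dict[str, Zone], str]:
    """Constructed hierarchy: signed root, .gov and irs.gov; agency.gov (made up) never signed."""
    irs = Zone("irs.gov", {"www.irs.gov/A": "192.0.2.10"})
    sign_zone(irs, Key(M(2203), M(89)))
    agency = Zone("agency.gov", {"www.agency.gov/A": "192.0.2.20"})
    gov = Zone("gov", {"irs.gov/DS": ds_digest(irs.dnskey)})  # publishes no DS for agency.gov
    sign_zone(gov, Key(M(1279), M(127)))
    root = Zone(".", {"gov/DS": ds_digest(gov.dnskey)})
    sign_zone(root, Key(M(521), M(607)))
    return {z.name: z for z in (root, gov, irs, agency)}, ds_digest(root.dnskey)

def demo() -> dict[str, tuple[str, str | None]]:
    zones, anchor = build_sample()
    out = {"signed chain": validate("www.irs.gov", "A", zones, anchor),
           "unsigned laggard": validate("www.agency.gov", "A", zones, anchor)}
    poisoned, _ = build_sample()  # cache poisoning: forged address, old signature left behind
    poisoned["irs.gov"].records["www.irs.gov/A"] = "203.0.113.66"
    out["poisoned answer"] = validate("www.irs.gov", "A", poisoned, anchor)
    rolled, _ = build_sample()  # key rollover done before .gov publishes the matching DS
    sign_zone(rolled["irs.gov"], Key(M(2281), M(61)))
    out["premature rollover"] = validate("www.irs.gov", "A", rolled, anchor)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

Running the file prints one line per scenario. The "insecure" case is the one this article is about: as long as .gov carries no DS record for an agency's zone, a resolver has nothing to check and simply trusts whatever answer arrives, signed root and TLD notwithstanding. Against real infrastructure the equivalent check is `dig +dnssec` through a validating resolver (look for the AD flag in the response) or BIND's `delv`, which reports whether the answer was fully validated.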
Federal agencies were required to support DNSSEC on their websites under an Office of Management and Budget mandate issued in August 2008. The deadline for compliance was Dec. 31, 2009.
One study, conducted on March 2 by DNS vendor Secure64, indicated that 57% of the 359 federal government websites tested had deployed DNSSEC. This study indicated that the other 43% of websites had not yet added digital signature technology to their DNS servers.
A similar study, conducted by the National Institute of Standards and Technology (NIST), estimated that 59% of federal agencies are running DNSSEC on their websites. The NIST study of 1,595 websites shows that of the 41% of federal agencies that don't have DNSSEC deployed, 7% appear to be in the process of deploying it.
Both sets of results indicate slow adoption of DNSSEC.
DNSSEC is "not on anyone's radar screen," says Ray Bjorklund, Chief Knowledge Officer at Deltek, a federal IT market research firm. "I remember hearing of it vaguely a couple years ago, but it's not coming up with the agency CIOs that I talk to."
Bjorklund acknowledges that agencies should be taking DNSSEC more seriously given that hacktivist-style attacks are on the rise and that federal agencies are likely targets.
"I don't know whether it's inattention by the government, or the government generally believes that it has enough other security measures in effect that this is not going to cause a problem," Bjorklund says. "But federal CIOs need to understand that government sites can be hijacked. If agencies aren't paying attention to this, they should."
While the Department of Homeland Security and the White House have deployed DNSSEC on their websites, the Defense Department and the CIA appear not to have adopted this extra information security measure yet.
"I find no evidence of any signing going on at the Defense Department with its .mil domain," Beckett says. "The CIA is still not signed either."
The Secure64 survey showed that while most cabinet-level departments like the Commerce Department, the Justice Department and the Department of Health and Human Services are cryptographically signed, smaller sub-agencies such as the Agency for Toxic Substances and Disease Registry are not.
Beckett says that of the 57% of federal websites that have deployed DNSSEC, 81% have established a chain of trust to their parent domain, which is the optimal configuration for the standard. Additionally, of the 81% of federal websites that have established a chain of trust, 98% are validating DNSSEC queries, which is another sign of full compliance with the standard.
"When people have problems with DNSSEC, it's usually with the key rollover process which is somewhat complicated," Beckett explained. "You have to allow the right amount of time to pass or else you'll be in a state where the domain doesn't validate."