How trustworthy is the on-line world? Some early responses

The idea of a competition on the means of enhancing trust in the on-line world has struck a number of chords. Some respondents focus on the need for behaviour change and I will blog on this later. Others have questioned why so many services rely on “trust” products and services which many believe are damaged goods. Thus I have been asked why relies on SSL certificates provided from Utah by Comodo (Usertrust). That reader asked whether these were the cheapest, the only ones that assert they come under UK law (the policy says it is Manchester-based), did DigiNotar eclipse the Comodo saga last year, or “is everyone so new they do not remember 2011”. It may be, of course, that CESG has checked the scale and nature of the breach and been reassured. But have they? And how is trust, once lost, regained?

One of the points of leverage in improving the trust of your board, let alone your customers, in the organisation's systems is the use of internal or independent audit to see who and what you are actually trusting and whether they really are trustworthy. In the private sector the most common qualifications required by organisations who are serious about information security are those from ISACA (originally the Information Systems Audit and Control Association, now extended to cover IT governance as a whole). This has over 100,000 members worldwide and six chapters in the UK. The London chapter has over 2,500 members. Below is the response from Professor John Walker, who sits on the ISACA international practice guidance committee. He highlights how just one major weakness in practice (including on the part of some well known brand names) undermines much of the theory of “trusted” internet services. It is chilling – do not let an Internet savvy director read on unless accompanied by ….

“Trust is implicit to any interim, or routed backbone service, or applications, where there is an expectation that the provider is serving the best interest of the customer, or client. Agreed, Trust is about the end-points, but if the protocols and backbones over which one-to-one and one-to-many communications pass are not robust, and are vulnerable, then the theoretical approach to what one-to-one/many ‘Trust’ really is may be flawed.

These observations are based on the information below re DNS hosting, as well as research carried out under the banner of NTU (Nottingham Trent University), in which ‘Trusted’ companies and agencies were found to be very insecure in a number of areas; in one particular case, and the worst I have seen, a ‘Global’ Brand was [is] hosting an astonishing number of security exposures. And with a survey conducted some years ago locating 12% of selected Global Brands at that time hosting “Zone Transfer” opportunities on their sites, allowing internal inspection, and in one test case, the pulling out of files containing hard coded user ID and associated Password, there is room for concern. In another case, there was a Third Party Site developing applications for some well known ‘US Security Agencies’ – in this case, the servers were named after said agencies, and were again exposed through a Zone Transfer attack (Footprinting) – thus Trust in these environments implies robust assurance is required – after all, they are processing public, your, and my in-flight and stored information and data assets, so there is an exposure implicit to any expectation of ‘Trust’.

And there are a number of cases today of well known, Global brand security providers who are aware their products are vulnerable to certain types of attack, yet they have not made these profiles of potential attack known to their clients, and in some cases, are selling on products that are not fit for purpose – here the implied ‘Trust’ is an element of the relationship between Client, and Application Providers.

Example – using DNS resolvers to facilitate Distributed Denial of Service attacks:

CloudFlare engineers determined that the attackers behind a major assault were abusing the open DNS resolvers belonging to a variety of large network operators. Many of these were well-known brand names: US-based SoftLayer, GoDaddy, AT&T, iWeb, and Amazon. The sustained attack came as several distinct botnets appear to have been updated to enumerate huge lists of open resolvers. That means amplification attacks could become more common.

Given the damage they can have on innocent bystanders [Trusting], such open servers have long been considered a nuisance. It’s the Internet equivalent of a dilapidated crack house in the inner city or a rural front yard filled with old washing machines and rusted car parts. As a result, operators have been admonished repeatedly to make DNS resolvers available only to addresses located on their network, rather than to the Internet as a whole.

The CloudFlare engineers compiled a list of the networks hosting the open DNS servers and ranked them by those responsible for the most damage. With 68,459 unique open resolvers participating in the ongoing attack, there was plenty of blame to go around. The list names networks located on every corner of the globe, including those owned by Amazon, Turk Telekomunikasyon Anonim Sirketi, and Nepal Telecommunications Corporation. Still, CloudFlare CEO Matthew Prince found that the top 10 offenders provided 15,611 of those servers – or almost 23 percent of the firepower behind the attack.

The top 10 network operators named by Prince are: PKTELECOM-AS-PK Pakistan Telecom Company Limited; HINET Data Communication Business Group; CRNET CHINA RAILWAY Internet(CRNET); THEPLANET-AS – Internet Services, Inc.; CHINANET-BACKBONE No.31, Jin-rong Street; SOFTLAYER – SoftLayer Technologies Inc.; OCN NTT Communications Corporation; AS-26496-GO-DADDY-COM-LLC –, LLC; ATT-INTERNET4 – AT&T Services, Inc.; and IWEB-AS – iWeb Technologies Inc.

“Wonder why there’s been an increase in big DDoS attacks?” Prince wrote in a recent blog post. “It’s in large part because the network operators listed above have continued to allow open resolvers to run on their networks and the attackers have begun abusing them.”

In a previous blog post documenting CloudFlare’s work in blocking DDoS attacks that reached an astounding 65Gbps in size, Prince said the company regularly reaches out to the worst open DNS offenders. Frequently, the advisories fall on deaf ears.

“One of the great ironies when we deal with these attacks is we’ll often get an e-mail from the owner of the network where an open resolver is running asking us to shut down the attack our network is launching against them,” he explained. “They’re seeing a large number of UDP packets with one of our IPs as the source coming in to their network and assume we’re the ones launching it. In fact, it is actually their network which is being used to launch an attack against us.”

Thus I feel when the word ‘Trust’ enters the conversation, the catchment area is very wide, and should also include environments where assertions need to be qualified.”
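The open-resolver problem described in the quoted article is something an operator can check for in their own query logs before anyone else does. The following is an added example, not code from the original post or from CloudFlare: it audits constructed BIND-style query log lines for recursive queries answered to clients outside an assumed internal address range, which is exactly the condition that lets a resolver be used for amplification. The internal ranges, the list of amplifying query types and the sample log lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed for the example: the operator's own address space, the only
# clients that should be allowed to recurse through this server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Query types with large answers, the ones favoured for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Classic BIND 9 querylog layout; a leading '+' in <flags> means the client
# set Recursion Desired:  client <ip>#<port>: query: <name> <class> <type> <flags> (<server>)
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<name>\S+) "
    r"(?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str):
    # Returns the fields of one query-log line, or None if it does not match.
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec

def audit(lines):
    """Per off-net client: recursive queries served, and how many were amplifying."""
    external_recursive, amplifying = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["recursion_desired"] and not is_internal(rec["ip"]):
            external_recursive[rec["ip"]] += 1
            if rec["qtype"] in AMPLIFYING_QTYPES:
                amplifying[rec["ip"]] += 1
    return external_recursive, amplifying

# Constructed sample: an internal client, then two off-net clients, one of
# which repeats ANY queries for the same name (the amplification pattern).
SAMPLE_LOG = """\
client 10.1.2.3#41234: query: www.example.com IN A + (192.0.2.1)
client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)
client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)
client 198.51.100.7#40001: query: example.net IN A + (192.0.2.1)
client 198.51.100.7#40001: query: example.net IN MX - (192.0.2.1)
"""
```

Any non-zero count returned by `audit` means the server is answering recursive queries for the Internet at large; the fix is to restrict recursion to your own address space in the resolver's configuration, as the article's advice says.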