Friday, January 27, 2012

DNSSEC Error Caused NASA Website To Be Blocked


Comcast's new DNSSEC-based service detected improper signing of NASA site
Jan 25, 2012 | 03:30 PM
By Kelly Jackson Higgins
Dark Reading

The hazards of early DNSSEC adoption: A misconfiguration in NASA's Domain Name System Security Extensions (DNSSEC) implementation on its website caused Comcast's network to block users from the site last week.

This is a glaring example of the difficulties in today's mostly manual process of configuring DNS servers to support the new security protocol that prevents attacks that redirect users to malicious websites. The DNSSEC protocol basically ensures DNS entries remain unchanged in transit and are digitally signed to ensure their authenticity.

NASA had incorrectly signed DNSSEC in its implementation of the new security protocol last week, causing Comcast's newly DNSSEC-enabled service to automatically block access to the site. Comcast earlier this month became one of the first major ISPs in North America to fully run the DNSSEC protocol as part of its services.

By pure coincidence, NASA's website woes occurred the day part of the Web went dark in protest of controversial anti-piracy legislation, leading some users and pundits to inaccurately speculate this was Comcast's way of protesting the government-based bills. Far from it: Turns out Comcast's newly deployed DNSSEC service did the right thing by detecting an invalid digital signature on NASA's DNSSEC-signed domain, and then blocking users from accessing what appeared to be a potential security threat.

Jason Livingood, vice president of Internet Systems Engineering for Comcast Cable Communications, says Comcast studied the problem and found it had to do with a domain-signing error. Comcast worked with NASA to quickly remediate it, and it wasn't the first signing error the ISP has seen: "We've seen this same thing a few times before [elsewhere]," he says.

Comcast, with input from NASA, published a detailed report on the issue yesterday (PDF) as a way to help other early DNSSEC adopters.

NASA had failed to conduct a double-signing process. It signed "nasa.gov" with a new key pair, but the upstream chain of the ".gov" domain had an older key pair that the agency didn't use in the signing process. That was all it took for Comcast's DNSSEC to detect a problem with the NASA site when its users tried to visit.
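As an added illustration (not from the Dark Reading article or Comcast's report), the following Python models the delegation check a validating resolver such as Comcast's performs at the .gov to nasa.gov boundary: a DS record published by the parent must match a DNSKEY the child actually serves, or the chain breaks. Key bytes and the DS set are constructed stand-ins, and only the DS-to-DNSKEY link is modelled, not RRSIG verification.

```python
import hashlib
import struct

def owner_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: fold the RDATA as 16-bit big-endian words."""
    ac = 0
    for i in range(0, len(rdata), 2):
        ac += struct.unpack("!H", rdata[i:i + 2].ljust(2, b"\x00"))[0]
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256, RFC 4509) over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).digest()

def chain_intact(owner: str, parent_ds: list, child_dnskeys: list) -> bool:
    """True if some DS the parent publishes matches a DNSKEY the child serves."""
    published = {(key_tag(k), ds_digest(owner, k)) for k in child_dnskeys}
    return any((tag, digest) in published for tag, digest in parent_ds)

# Constructed stand-ins for the old and new KSK (flags 257 = KSK, algorithm 8 = RSASHA256).
# Not real NASA key material.
OLD_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x11" * 32)
NEW_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x22" * 32)
# The .gov zone still carries the DS for the old key.
PARENT_DS = [(key_tag(OLD_KSK), ds_digest("nasa.gov", OLD_KSK))]

def rollover_without_double_signing() -> bool:
    """Child serves only the new KSK before the parent DS is updated (the reported failure)."""
    return chain_intact("nasa.gov", PARENT_DS, [NEW_KSK])

def rollover_with_double_signing() -> bool:
    """Child keeps both KSKs in its DNSKEY RRset until .gov publishes the new DS."""
    return chain_intact("nasa.gov", PARENT_DS, [OLD_KSK, NEW_KSK])

if __name__ == "__main__":
    print("without double signing:", rollover_without_double_signing())  # False: resolver returns SERVFAIL
    print("with double signing:   ", rollover_with_double_signing())     # True
```

Running the same comparison against a live zone before dropping an old KSK (fetch the parent's DS set and the child's DNSKEY RRset, then call chain_intact) catches exactly the mismatch the article describes.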

Livingood says his company detected other domains in .gov yesterday with the same problem, but it's unclear so far whether this is related to NASA's issue or these are new cases. "This happens around key rollover time," he says. "This is an area we're focused on, and we will continue to conduct periodic analysis when we observe failures and try to publish them" to help other early DNSSEC adopters, he says.

[Researcher points to fundamental problems in SSL and DNSSEC, and says it's time for users to take control of trust. See Time For A Better Web Of Trust?]

DNSSEC expert Dan Kaminsky says this is an example of the kinds of short-term troubles with the manual processes required in early adoption of the technology. But these manual DNSSEC processes will eventually be fully automated, which will eliminate these types of issues, he says.

Livingood says it's not surprising that these problems are cropping up as organizations roll out DNSSEC. "DNSSEC is relatively new for a lot of domains," he says. "Maybe they're doing their first rollover, and it's probably a process or automation [issue]," he says.

Cricket Liu, vice president of architecture at Infoblox, says it's telling that a scientific organization could err in its DNSSEC cutover. "If even the rocket scientists can't get it right, what about the rest of us?" Liu quips. "To me, this really reinforces the argument that DNSSEC is so complex that it requires automation."

But key-signing key (KSK) rollovers are not easy to automate, he notes. "KSK rollovers are difficult to automate completely because one step in the rollover -- submitting your [delegation signer] record to your parent zone -- isn't standardized. But even providing guidance to the administrator as to what to do and when to do it would have been valuable in this case," Liu says.

As a pioneering adopter of DNSSEC, Comcast basically took the heat here. Liu says that's unfortunate: "It's too bad that Comcast took the blame for this failure. In my opinion, they should be commended for deploying DNSSEC ahead of most ISPs. This sort of failure will happen occasionally as new zones are signed and administrators learn the ins and outs of managing DNSSEC-signed zones," Liu says.

NASA had not responded to press inquiries as of this posting.

This story can be read online here: http://bit.ly/yLqi9Z

Google looks to speed up the Internet


The search giant proposes enhancements for the Web's TCP transport layer to reduce latency

By Paul Krill, InfoWorld
January 24, 2012 06:20 AM ET

Google technicians want an overhaul of the Web's TCP (Transmission Control Protocol) transport layer and are suggesting ways to reduce latency and make the Web faster.

The company's "Make the Web Faster" team is making several recommendations to improve TCP speed, including increasing the TCP initial congestion window. In a blog post on Monday, team member Yuchung Cheng called TCP "the workhorse of the Internet," designed to deliver Web content and operate over a range of network types. Web browsers, he said, typically open up parallel TCP connections ahead of making actual requests. "This strategy overcomes inherent TCP limitations but results in high latency in many situations and is not scalable," he said. "Our research shows that the key to reducing latency is saving round trips. We're experimenting with several improvements to TCP."

Recommendations include increasing the TCP initial congestion window. "The amount of data sent at the beginning of a TCP connection is currently three packets, implying three round trips to deliver a tiny, 15K-sized content. Our experiments indicate that IW10 [initial congestion window of 10 packets] reduces the network latency of Web transfers by over 10 percent," Cheng said. Google also wants the initial timeout reduced from three seconds to one second. "An RTT [round-trip time] of three seconds was appropriate a couple of decades ago, but today's Internet requires a much smaller timeout."

Google's suggestions, said IDC analyst Al Hilwa, "appear to be well-researched recommendations and if implemented broadly will yield significant improvements in practically everyone's network performance and latency. The issue is that the capability has to be broadly implemented to achieve the desired performance gains. Of course new TCP/IP stacks would work with the old ones as they would now, but when two sides of a connection have the improvements, the benefits should surface."

Google also is encouraging use of the Google-developed TCP Fast Open protocol, which reduces application network latency, and proportional rate reduction (PRR) for TCP. "Packet losses indicate the network is in disorder or is congested. PRR, a new loss recovery algorithm, retransmits smoothly to recover losses during network congestion. The algorithm is faster than the current mechanism by adjusting the transmission rate according to the degree of losses. PRR is now part of the Linux kernel and is in the process of becoming part of the TCP standard," Cheng said.

Also, Google is developing algorithms to recover faster on "noisy" mobile networks, said Cheng.

Google's TCP work is open source and disseminated through the Linux kernel, IETF standards proposals, and research publications to encourage industry involvement, Cheng noted.

This article, "Google looks to speed up the Internet," was originally published at InfoWorld.com. 

Read this story online here: http://bit.ly/wugSnS

Obama Signs Global Internet Treaty Worse Than SOPA


White House bypasses Senate to ink agreement that could allow Chinese companies to demand ISPs remove web content in US with no legal oversight
Paul Joseph Watson
Infowars.com
Thursday, January 26, 2012

Months before the debate about Internet censorship raged as SOPA and PIPA dominated the concerns of web users, President Obama signed an international treaty that would allow companies in China or any other country in the world to demand ISPs remove web content in the US with no legal oversight whatsoever.

The Anti-Counterfeiting Trade Agreement was signed by Obama on October 1 2011, yet is currently the subject of a White House petition demanding Senators be forced to ratify the treaty. The White House has circumvented the necessity to have the treaty confirmed by lawmakers by presenting it as an “executive agreement,” although legal scholars have highlighted the dubious nature of this characterization.

The hacktivist group Anonymous attacked and took offline the Federal Trade Commission’s website yesterday in protest against the treaty, which was also the subject of demonstrations across major cities in Poland, a country set to sign the agreement today.

Under the provisions of ACTA, copyright holders will be granted sweeping direct powers to demand ISPs remove material from the Internet on a whim. Whereas ISPs normally are only forced to remove content after a court order, all legal oversight will be abolished, a precedent that will apply globally, rendering the treaty worse in its potential scope for abuse than SOPA or PIPA.

A country known for its enforcement of harsh Internet censorship policies like China could demand under the treaty that an ISP in the United States remove content or terminate a website on its server altogether. As we have seen from the enforcement of similar copyright policies in the US, websites are sometimes targeted for no justifiable reason.

The groups pushing the treaty also want to empower copyright holders with the ability to demand that users who violate intellectual property rights (with no legal process) have their Internet connections terminated, a punishment that could only ever be properly enforced by the creation of an individual Internet ID card for every web user, a system that is already in the works.

“The same industry rightsholder groups that support the creation of ACTA have also called for mandatory network-level filtering by Internet Service Providers and for Internet Service Providers to terminate citizens’ Internet connection on repeat allegation of copyright infringement (the “Three Strikes” /Graduated Response) so there is reason to believe that ACTA will seek to increase intermediary liability and require these things of Internet Service Providers,” reports the Electronic Frontier Foundation.

The treaty will also mandate that ISPs disclose personal user information to the copyright holder, while providing authorities across the globe with broader powers to search laptops and Internet-capable devices at border checkpoints.

In presenting ACTA as an “international agreement” rather than a treaty, the Obama administration managed to circumvent the legislative process and avoid having to get Senate approval, a method questioned by Senator Wyden.

“That said, even if Obama has declared ACTA an executive agreement (while those in Europe insist that it’s a binding treaty), there is a very real Constitutional question here: can it actually be an executive agreement?” asks TechDirt. “The law is clear that the only things that can be covered by executive agreements are things that involve items that are solely under the President’s mandate. That is, you can’t sign an executive agreement that impacts the things Congress has control over. But here’s the thing: intellectual property, in Article 1, Section 8 of the Constitution, is an issue given to Congress, not the President. Thus, there’s a pretty strong argument that the president legally cannot sign any intellectual property agreements as an executive agreement and, instead, must submit them to the Senate.”

26 European Union member states along with the EU itself are set to sign the treaty at a ceremony today in Tokyo. Other countries wishing to sign the agreement have until May 2013 to do so.

Critics are urging those concerned about Obama’s decision to sign the document with no legislative oversight to demand the Senate be forced to ratify the treaty.

This story can be read online here: http://bit.ly/yuf7pH


Symantec Advises Users To Update Or Disable PcAnywhere


"I use and recommend logmein.com," Ken Garen.

Read this article online here: http://on.wsj.com/z2DMIN

JANUARY 26, 2012, 1:03 P.M. ET.

--Threat to remote-access software only
--Updates fix vulnerability
--No reports of customer data loss


By Steven D. Jones
DOW JONES NEWSWIRES

Symantec Corp. (SYMC) is advising customers to immediately update or disable its pcAnywhere software following the exposure earlier this month of source code stolen six years ago.

The company is notifying customers of potential problems and advising them to immediately update pcAnywhere software or disable it, said Cris Paden, a company spokesman. The product's roughly 50,000 users, most of which are businesses, haven't reported suspicious activity or penetration of network security, he said.

On Monday, the Cupertino, Calif., company began distributing updates to pcAnywhere version 12.5. The updates will continue through Friday.

"With pcAnywhere there may be some vulnerability," Paden said. "We're erring on the side of caution."

Symantec's efforts come after portions of some of its enterprise security source code were posted to the Web earlier this month. The company said the pilfered code was six years old but determined that it still posed a potential problem to pcAnywhere. The company's updates are designed to address any potential vulnerabilities.

The pcAnywhere product generates about $20 million annually, a sliver of the company's roughly $6 billion in total revenue.

In midday trading Thursday, Symantec shares were down 1% at $16.89.

The threat emerged on Jan. 5, when a group posted the source code on the Internet, claiming it exposed a weakness in Symantec's Norton Antivirus software, the leading product in the company's $2 billion consumer software business. It is used by 150 million customers worldwide. Norton Antivirus was never threatened.

Symantec continues to monitor its global networks for suspicious activity connected with the attack, said Paden.

Paden said none of Symantec's other security products have been compromised.

-By Steven D. Jones, Dow Jones Newswires; 360-834-1865; steve-d.jones@dowjones.com

Google announces privacy changes across products; users can't opt out


By Cecilia Kang, Published: January 24

Google will soon know far more about who you are and what you do on the Web.

The Web giant announced Tuesday that it plans to follow the activities of users across nearly all of its ubiquitous sites, including YouTube, Gmail and its leading search engine.

Google has already been collecting some of this information. But for the first time, it is combining data across its Web sites to stitch together a fuller portrait of users.

Consumers who are logged into Google services won't be able to opt out of the changes, which take effect March 1. And experts say the policy shift will invite greater scrutiny from federal regulators of the company's privacy and competitive practices.

The move will help Google better tailor its ads to people's tastes. If someone watches an NBA clip online and lives in Washington, the firm could advertise Washington Wizards tickets in that person's Gmail account.

Consumers could also benefit, the company said. When someone is searching for the word "jaguar," Google would have a better idea of whether the person was interested in the animal or the car. Or the firm might suggest e-mailing contacts in New York when it learns you are planning a trip there.

But consumer advocates say the new policy might upset people who never expected their information would be shared across so many different Web sites.

A user signing up for Gmail, for instance, might never have imagined that the content of his or her messages could affect the experience on seemingly unrelated Web sites such as YouTube.

"Google's new privacy announcement is frustrating and a little frightening," said Common Sense Media chief executive James Steyer. "Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out - especially the kids and teens who are avid users of YouTube, Gmail and Google Search."

Google can collect information about users when they activate an Android mobile phone, sign into their accounts online or enter search terms. It can also store cookies on people's computers to see which Web sites they visit or use its popular maps program to estimate their location.

The change to its privacy policies comes as Google is facing stiff competition for the fickle attention of Web surfers. It recently disappointed investors for the first time in several quarters, failing last week to meet earnings predictions. Apple, in contrast, reported record earnings Tuesday that blew past even the most optimistic expectations.

Some analysts said Google's move is aimed squarely at Apple and Facebook - which have been successful in building unified ecosystems of products that capture people's attention. Google, in contrast, has adopted a more scattered approach, but an executive said in an interview that the company wants to create a much more seamless environment across its various offerings.

"If you're signed in, we may combine information you've provided from one service with information from other services," Alma Whitten, Google's director of privacy for product and engineering, wrote in a blog post.

"In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," she said.

Google said it would notify its hundreds of millions of users of the change through an e-mail and a message on its Web sites. It will apply to all of its services except for Google Wallet, the Chrome browser and Google Books.

The company said the change would simplify the company's privacy policy - a move that regulators encouraged.

Still, some consumer advocates and lawmakers remained skeptical.

"There is no way anyone expected this," said Jeffrey Chester, executive director of the Center for Digital Democracy, a privacy advocacy group. 

"There is no way a user can comprehend the implication of Google collecting across platforms for information about your health, political opinions and financial concerns."

Added Rep. Edward J. Markey (D-Mass), co-chair of the Congressional Privacy Caucus: "It is imperative that users will be able to decide whether they want their information shared across the spectrum of Google's offerings."

Google has increasingly been a focus of Washington regulators.

The company recently settled a privacy complaint by the Federal Trade Commission after it allowed users of its now-defunct social-networking tool Google Buzz to see contacts lists from its e-mail program.

And a previous decision to use its social network data in search results has been included in a broad FTC investigation, according to a person familiar with the matter who spoke on the condition of anonymity because the investigation is private.

Federal officials are also looking at whether Google is running afoul of antitrust rules by using its dominance in online searches to favor its other business lines.

Claudia Farrell, a spokeswoman for the FTC, declined to comment on any interaction between Google and regulators on its new privacy changes.

Read this story online here: http://wapo.st/xnLWWX