
 

VOLUME 54, ISSUE 54 - 29 January 2016

Article of the Month Around the World

How email in transit can be intercepted using DNS hijacking

 

This article looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack.

While our research on the state of email delivery security indicates that this attack is less pervasive than the TLS downgrade attack, it is equally effective at defeating email in-transit encryption. This article explains how this attack works, how it can be mitigated and to what extent it also affects the security of a website.

Before delving into how this attack works and countermeasures, I will briefly summarize DNS and DNS MX records for the readers who are not familiar with this aspect of the Internet. If you are familiar with this topic, you can skip the next two sections.

Understanding DNS records

DNS records are used to translate a domain name, let’s say www.elie.net, into an Internet address, commonly known as an IP address. This translation is needed because computers only know how to communicate with an IP address, not a domain name. It is also helpful because it allows multiple servers and IP addresses to share the same domain name, which provides redundancy and scalability.

It also helps make the Internet faster by allowing big services and CDNs to host the same content on servers in many different countries and to return the IP address of the server closest to the client when the client looks up the domain name. This technique is called geoIP load balancing.

Understanding DNS MX records

DNS MX records are a specific type of DNS record that tells a sender which server to use when delivering email to a given domain. As visible in the diagram above, when Alice wants to send an email to Bob (bob@destination.com), her server (smtp.source.com) needs to resolve the address of Bob’s mail provider’s server. To do this, her mail server asks the DNS server for the MX record of the domain destination.com. The DNS server replies with the address that Alice’s server then connects to in order to deliver the email to Bob. In our example, Bob’s server has the IP address 1.2.3.4.

DNS MX record hijacking

DNS hijacking attacks work as follows. The attacker poses as or compromises the DNS server used by Alice’s mail server to find out where to deliver Alice’s email to Bob. Instead of returning the legitimate IP address, the DNS server returns the IP address of a server owned by the attacker, as illustrated in the diagram above. Alice’s server believes this IP address is the legitimate one for Bob’s server and delivers the email to the rogue server. The attacker reads the email and to make the attack invisible, forwards the email to the real server.

This attack is possible because DNS was not designed with security in mind and as a result, there is no default security mechanism baked into it to authenticate that the request was sent by the rightful owner of the domain.

This shortcoming will eventually be fixed with the deployment of DNSSEC and DANE. This deployment and other ways to mitigate this type of attack are discussed at the end of this post.
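To make the two preceding sections concrete, here is an added example (not from the original article) that builds and parses a DNS MX answer in wire format, selects the exchange a sending MTA would try first, and runs the check a domain owner can apply to resolver logs: flag any exchange that is not one they publish. The packet builder, the names mx1/mx2.destination.com and the rogue host mx.rogue.example are constructed for the example; note that nothing in an unsigned DNS answer proves who produced it, which is exactly what the hijack exploits.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(pkt, off):
    labels = []
    while True:
        n, off = pkt[off], off + 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            tail, _ = decode_name(pkt, ((n & 0x3F) << 8) | pkt[off])
            return ".".join(labels + [tail]), off + 1
        labels.append(pkt[off:off + n].decode())
        off += n

def build_mx_response(txid, qname, mx_records):
    # Header (QR=1, RD, RA), one question, one MX RR (type 15) per record; no RRSIG
    pkt = struct.pack(">HHHHHH", txid, 0x8180, 1, len(mx_records), 0, 0)
    pkt += encode_name(qname) + struct.pack(">HH", 15, 1)
    for pref, exchange in mx_records:
        rdata = struct.pack(">H", pref) + encode_name(exchange)
        pkt += b"\xC0\x0C" + struct.pack(">HHIH", 15, 1, 300, len(rdata)) + rdata
    return pkt

def parse_mx_answers(pkt):
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 15:
            pref = struct.unpack(">H", pkt[off:off + 2])[0]
            answers.append((pref, decode_name(pkt, off + 2)[0]))
        off += rdlen
    return answers

def pick_delivery_host(answers):
    return min(answers)[1]  # the sending MTA tries the lowest preference first

def unexpected_exchanges(answers, published):
    # Defender check: flag any exchange the domain owner did not publish
    return sorted(h for _, h in answers if h not in published)

GOOD = build_mx_response(0x1234, "destination.com", [(10, "mx1.destination.com"), (20, "mx2.destination.com")])  # constructed legitimate answer
ROGUE = build_mx_response(0x1234, "destination.com", [(5, "mx.rogue.example"), (10, "mx1.destination.com")])  # constructed answer altered by a rogue resolver
```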
 

Are websites vulnerable as well?

Can an attacker use DNS hijacking to bypass HTTPS and read or intercept web pages? At the moment (2015), the answer is complicated, but hopefully in a few years the answer will be a straightforward no :) Like email, until DNSSEC is deployed and enforced, websites are vulnerable to DNS hijacking. However, there are a few mitigations that make such attacks significantly harder than they are for email, at least until almost the same mitigations are deployed for email in transit, which is what Gmail and the other big email providers are working on. Here are the two key differences that make DNS attacks harder against websites.

HTTP vs HTTPS separation: In the web world, the non-encrypted version (HTTP) and the encrypted version of the protocol (HTTPS) use different addresses and are treated differently by browsers (same-origin policy). When you enter a URL starting with https, e.g. https://www.elie.net, you are instructing your browser to establish an encrypted connection. In that context, carrying out a DNS hijacking attack does not help the attacker: they would still need a valid certificate for the domain, since the browser will refuse to establish the connection otherwise. So, if you type a URL starting with https or click on a link with the https prefix, you are safe.

HTTP Strict Transport Security (HSTS): This specification helps mitigate what happens when you don’t specify whether you want to talk to the server in the clear (http) or encrypted (https). Typing a bare URL directly in a browser is common, for example www.elie.net instead of https://www.elie.net. In that case, the browser has no idea whether you want the encrypted version of the site or not. For backward compatibility reasons, as some sites don’t support HTTPS yet, your browser will default to the unencrypted version. HSTS aims to mitigate this issue by allowing websites to tell browsers that they should only connect over HTTPS. Technically, a website sets HSTS by sending an HTTP header to the browser. Once this header is received by the browser, every subsequent request to the site (and possibly its subdomains) will be automatically upgraded to HTTPS by the browser. Therefore, this also protects against the set of attacks in which the attackers supply their victims with a link that starts with http:// in an attempt to intercept the communication, since the browser will upgrade it to HTTPS before the request is sent over the network.
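The HSTS behaviour described above, as an added example that is not part of the original article: a small browser-side policy cache (hypothetical code, modelled on the rules of RFC 6797) that parses the Strict-Transport-Security header, only accepts it from an HTTPS response, honours max-age expiry and includeSubDomains, and upgrades http:// URLs before any request would leave the browser. The host names www.elie.net and other.example are used only as illustrations.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """In-memory HSTS policy cache (hypothetical browser-side code)."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe_header(self, host, header_value, scheme="https"):
        # A policy is only accepted from a response received over HTTPS;
        # otherwise a network attacker could plant or clear it over plain HTTP.
        if scheme != "https":
            return
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        try:
            max_age = int(directives["max-age"])
        except (KeyError, ValueError):
            return  # max-age is mandatory; a malformed header is ignored
        if max_age < 0:
            return
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 removes the policy
            return
        self.policies[host.lower()] = (self.now() + max_age, "includesubdomains" in directives)

    def is_known(self, host):
        # Walk from the host up through its parents; a parent only matches if it
        # set includeSubDomains. Expired policies are ignored.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or self.now() >= policy[0]:
                continue
            if i == 0 or policy[1]:
                return True
        return False

    def rewrite(self, url):
        # The upgrade happens before the request is sent over the network
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```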



Preventing DNS hijacking attacks

The long-term solution to this issue is the deployment and enforcement of DNSSEC, which will hopefully make DNS hijacking an obsolete attack by requiring DNS records to be signed with the domain owner’s private key. This will guarantee that an attacker won’t be able to send a spoofed DNS record to the client because they can’t forge the signature. This will protect every protocol, including SMTP and HTTP, against those attacks.

In the shorter term, mail providers are working on developing a technology similar to HSTS but for SMTP traffic. This “SSTS” protocol (the name is yet to be defined) will allow us to pin a certificate and enforce that all emails are sent encrypted. This will prevent both MX hijacking attacks and TLS downgrades for providers that deploy it. This protocol is still in the early stage of specification but hopefully deployment is not too far in the future.

Today, signing emails with DKIM and enforcing signing with DMARC help alleviate the issue by preventing an attacker from modifying intercepted emails. The attackers don’t have access to the legitimate DKIM private key, so when the receiving server checks for the presence of DKIM and checks the email signature, if the email was modified in any way, the receiving server will reject it. DMARC also helps in detecting attacks against your domain by allowing you to supply an email address where you will receive a statistical report of how many emails have failed the DKIM signature check.
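The DKIM check described above, as an added example that is not part of the original article: the body-hash step of DKIM verification (RFC 6376 body canonicalization, then SHA-256, base64-encoded into the bh= tag), which is what makes a modified intercepted message fail at the receiver. The b= signature over the headers, which covers bh= and is verified with the signer’s public key, is deliberately not implemented here. The message body, the d=source.com domain and the selector sel2016 are constructed for the example.

```python
import base64
import hashlib
import re

def canonicalize_body(body, method="relaxed"):
    # RFC 6376 body canonicalization. "simple" drops trailing empty lines;
    # "relaxed" also collapses runs of WSP to one space and strips trailing WSP
    # on each line. An empty body becomes "" under relaxed and CRLF under simple.
    lines = body.split("\r\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if method == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, method="relaxed"):
    # The bh= tag: base64 of SHA-256 over the canonicalized body
    digest = hashlib.sha256(canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_tags(header_value):
    # tag=value pairs separated by ";", folding whitespace inside values removed
    tags = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(dkim_header, body):
    # First step of verification at the receiving server: does the body that
    # arrived still match the bh= the signer computed? A "c=relaxed" tag with
    # no "/" means relaxed headers and simple body, per the RFC.
    tags = parse_dkim_tags(dkim_header)
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_method)

# Constructed sample body and the DKIM-Signature value its signer would emit
BODY = "Hi Bob,\r\n\r\nMeet   at noon.\r\n\r\n\r\n"
DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=source.com; s=sel2016;"
               " h=from:to:subject; bh=" + body_hash(BODY) + "; b=SIGNATURE-PLACEHOLDER")
```

Relaxed canonicalization is why the second assertion below still passes: whitespace-only changes introduced by intermediate mail servers do not break the hash, while any change to the words does.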

 

By Elie Bursztein - Google anti-fraud and abuse research team lead

 


Unexpected implications arising from the Internet of Things

  

"...More than half of major new business processes and systems will incorporate some element of the Internet of Things (IoT) by 2020, according to Gartner.

The impact of the IoT on consumers' lives and corporate business models is rapidly increasing as the cost of "instrumenting" physical things with sensors and connecting them to other things — devices, systems and people — continues to drop...."

  ARMY TESTING ROBO-PARACHUTES THAT DON'T NEED GPS
   

'...Military cargo-drops to places like forward operating bases in Afghanistan need to go off perfectly. When they don’t, soldiers have to expose themselves to dangerous fire to retrieve the package that missed its target. But there are a lot of things that can get in the way of a precision drop. Increasingly, that includes insecurities in the global positioning system....'

IBM hopes to fill the void with Innovation as a Service

   
  

'....Since retailers - even major ones - tend not to spend money on research and development, many need guidance to keep up with the changes technology is bringing to the industry.....'

CIOS: USE THE CLOUD, OR ELSE?

  

'....If you’re responsible for managing your agency’s IT and you haven’t moved applications to the cloud, one agency chief information officer believes you should get the ax.

“As a business person, not a career government person, I believe that if you’re the CIO of an organization . . . and you’re still writing code and custom developing applications in Java or investing in data centers, you should be fired,” said Joe Paiva, CIO at the International Trade Administration. “Summarily fired.”...'

Flaw allows malicious OpenSSH servers to steal users' private SSH keys

'...Qualys researchers have discovered two vulnerabilities in the popular OpenSSH implementation of the secure shell protocol, one of which (CVE-2016-0777) could be exploited by attackers to extract users' private cryptographic keys.....'

Month in Brief

Facebook Incidents Reported to Sri Lanka CERT|CC in December 2015

[Chart: incidents by type - Hacked, Fake, Other. Statistics - Sri Lanka CERT|CC]

Cyber-attack among World Economic Forum's top global risks

'...The World Economic Forum (WEF) has listed cyber-security as one of the greatest threats to business around the world. In the Global Risks Report, the annual study of what the WEF fears and what the forum feels the world should fear, cyber-security has made its third appearance....'

WhatsApp is Now Free For Lifetime

'...The widely popular messaging service is going completely free. And you'll be able to use WhatsApp without paying a penny.
Old WhatsApp users might not be aware of this, but WhatsApp introduced the subscription fees for its service a few years ago, forcing new users to pay an annual 99 cents (~$1) subscription fee after the first year....'

5 biggest cybersecurity concerns facing CIOs, CISOs in 2016

"...Expect digital assaults, -- ranging from standard malware to more sophisticated, clandestine entries -- to continue on leading corporate brands in 2016, according to Raytheon's Websense business. The cybersecurity software maker, which analyzed threat data from 22,000 customers in 155 countries, says hackers will conjure attacks that target emerging technologies, such as mobile payments and top-level domains..."

THE WIKIPEDIA PAGES WE LOOK UP MOST, GLOBALLY

'...Who was mad at whom at the start of World War II? Or right now in Westeros, for that matter?

Questions about TV, news, or history would once require dusty Britannica volumes. Now, we have Wikipedia. The world’s 7th most-used site turns 15 years old today, but even for those who remember the days of print encyclopedias, it’s hard to imagine life without it. (Particularly when you can’t recall what happened in The Phantom Menace.)

Overcoming stubborn execs for security sake


"...Even with the greater awareness for strong security within organizations—and the high-profile hacks that have contributed to that increased awareness—security executives still encounter significant hurdles in doing their jobs to protect data and systems. Clashes with senior business executives as well as those at lower levels of organizations make it more challenging for CSOs and CISOs to create a secure environment, and yet they continue to happen..."

 
Notice Board

Training and Awareness Programmes - January 2016

Date | Event | Venue
12th January 2016 | Workshop on Preparation of Modules for NVQ 5 syllabus | ICT Branch, Ministry of Education
19th January 2016 – 20th January 2016 | Introduction of School Management Software: Training programme for trainers team (80 persons) | South Asia Centre for Teacher Development, Meepe
29th January 2016 | Workshop to test ZICTC & PICTES Database | ICT Branch, Ministry of Education
29th January 2016 – 30th January 2016 | School Management Software Training for National Schools Principals & Teachers (100 persons) | South Asia Centre for Teacher Development, Meepe

Brought to you by: