Red means danger. And orange offers plenty of risk, too. (Click for a larger view of the map.) (Credit: McAfee)
You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.
McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at the riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year, with 36.7 percent of its sites posing a security risk. Because .cm is a common typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites that hit visitors with malware.
The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health.
Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most "spammy," with 17.2 percent of its sites generating junk mail.
On the positive side, the government (.gov) domain is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year's riskiest domain, Hong Kong (.hk), dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to Hong Kong's aggressive steps to stop scam-related domain registrations.
"This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."
Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent in each of the past two years, although the comparison is not direct, since McAfee said it has changed its rating methodology since then.
McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy and that act slowly or not at all when informed of malicious domains.
VeriSign, which runs the master database for such domains as .com and .net, says a significant Internet security vulnerability will be closed by 2011, after delays caused by technical aspects of the implementation.
The problem is that DNS, the Domain Name System that translates domain names into numerical Internet addresses, can be seeded with false values and used to misdirect users. VeriSign told ZDNet on Friday that it will put in place DNSSEC, a protocol that guarantees the origin and integrity of DNS data, for the .com and .net domains by the first quarter of 2011.
Read more of "VeriSign: Major internet security update by 2011" at ZDNet UK.
In 2003, the federal government released a report titled "The National Strategy to Secure Cyberspace," offering numerous recommendations to improve overall security. One suggestion was to replace insecure Domain Name System (DNS) servers with DNS Security Extensions, or DNSSEC. Simply stated, standard DNS has a relatively open method for updating information, making it vulnerable to attack. DNSSEC, on the other hand, marries DNS with a public key infrastructure (PKI) for authentication and digital signatures, addressing this particular vulnerability.
Since the original call to arms in 2003, DNSSEC implementation remained on the back burner--that is, until recently. Now federal officials are poised to implement DNSSEC across the .gov domain by the end of 2009.
Of course, I'm all for additional security and I'm a firm believer in PKI as a way to guarantee trust and reduce DNS threats. That said, I am a bit worried that the federal government may be in over its collective head here. In theory, DNSSEC is a big improvement, but I'm concerned about:
Implementation. From what I've learned, DNSSEC is difficult to configure and deploy. Given the size of the federal network, this may be the biggest implementation of DNSSEC to date. Will DNSSEC scale? I'm sure it will, but it may be a painful process requiring new software development and lots of trial and error on the taxpayers' dime.
PKI. The federal government is probably as good at PKI management as anyone, but PKI is notoriously difficult and DNSSEC is a different type of implementation. Will DNSSEC be integrated into the federal PKI architecture or remain separate? Will there be a master PKI implementation for DNSSEC and another independent PKI for an additional federal initiative to secure the Border Gateway Protocol (BGP)? My fear is a complex web of unconnected expensive federal PKI architectures throughout Washington.
Security. Implemented incorrectly, DNSSEC can expose DNS zone data, which is normally kept confidential. And DNSSEC is not immune to its own vulnerabilities. Recently, the Internet Systems Consortium released a number of security patches specifically for DNSSEC. My point here is that DNSSEC is not a security panacea; it too can be configured incorrectly or be prone to software vulnerabilities.
No doubt, DNS is vulnerable, but the best way I've seen to address this is with dedicated DNS appliances built on a hardened operating system along with extremely good processes around emergency patching. DNSSEC does introduce additional safeguards but they seem overly costly and cumbersome to me. Ultimately, I am sure that the federal government will persevere and get DNSSEC right, but is this effort really worth it? My guess is that this project will cost tens of millions if not hundreds of millions of taxpayer dollars. Great for beltway bandits, but is this really necessary? Let me know what you think.
Customers of CheckFree.com, an online bill paying site, were quietly redirected to servers in Ukraine early Tuesday morning, according to several reports.
Representatives of CheckFree told WashingtonPost.com that customers were redirected to a blank log-in page that attempted to install malware on the visiting PC. The company said it regained control at 5 a.m. EST Tuesday, so only customers using the site overnight were likely affected.
Mike Haro, senior security analyst at Sophos, told CNET News, "The fact that they used a blank page to download a Trojan (not exactly subtle) says to me one of two things: a) they fell into these credentials and chose the fastest way to get something done, expecting the breach to be quickly detected; or b) they got more than we're being led to believe."
The Post also said someone was able to steal the user name and password used to make account changes at CheckFree's domain registrar. The Domain Name System (DNS) takes the common name CheckFree.com and converts it to a numerical Internet address; with registrar access, the criminals were able to point that address at a server hosting malicious content.
CheckFree allows users to pay their utility bills, insurance payments, mortgage and loan payments along with 330 other kinds of bills electronically. The company declined to say how many of its customers may have been affected, according to the Post story.
CheckFree...stressed that the attack occurred during off-peak hours when customer traffic to its Web site is typically low. Still, CheckFree has a huge customer base: The company claims that some 24.7 million consumers initiate payments through its services.
Haro said: "I guess I'm less surprised that someone got access credentials, and more surprised at what they did--or didn't do--with that level of access." For example, he hasn't seen evidence the criminals have tried to extract money directly from the exposed accounts.
As of Thursday afternoon, representatives from CheckFree had not responded to CNET News' request for further comment.
Botnets are proving to be more resilient and harder to shut down.
That's largely due to increased use of techniques that obscure the domain by constantly remapping it to different bots within the network, according to a recently released study (PDF).
The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" describes how these botnets constantly change the mapping of a hard-coded domain name to different bots within the network. This makes it difficult for law enforcement to identify the main server and shut it down. It also adds a layer of anonymity for those operating the botnet, since the infected computers used can be located worldwide.
The study found that fast-flux botnets were often active for anywhere from a few hours to a few months. The domains that were used were registered but sometimes lay dormant for several months. Online fraud and crime most associated with these botnets included phishing sites, pharmacy sites, and malware distribution sites.
The authors also found some botnets to be "promiscuous," harboring hundreds of domain names associated with them.
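The fast-flux behaviour described above can be spotted from the defender's side in passive DNS data: a fluxed name answers with many unrelated addresses, swaps them between responses and keeps TTLs short so the swaps take effect quickly. The following is an added example, not code from the Nazario and Holz study; the observations are constructed and the thresholds are illustrative assumptions.

```python
# Added example (not from the Nazario/Holz study): a passive-DNS heuristic
# that flags fast-flux candidates from distinct IPs, network spread, TTL
# and churn. Sample observations are constructed; thresholds are illustrative.
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Observation:
    ts: int        # seconds since epoch when the response was seen
    domain: str
    ttl: int       # TTL of the A records in this response
    addrs: tuple   # IPv4 A records returned in this single response

def net16(ip: str) -> int:
    """Coarse proxy for 'unrelated hosting': the /16 an IPv4 address is in."""
    return int(ip_address(ip)) >> 16

def flux_stats(observations: list) -> dict:
    """Per domain: distinct IPs, distinct /16s, mean TTL and churn, where
    churn is the share of consecutive responses sharing no IP at all."""
    by_domain = {}
    for o in sorted(observations, key=lambda o: (o.domain, o.ts)):
        by_domain.setdefault(o.domain, []).append(o)
    stats = {}
    for domain, obs in by_domain.items():
        ips = {ip for o in obs for ip in o.addrs}
        pairs = list(zip(obs, obs[1:]))
        disjoint = sum(1 for a, b in pairs if not set(a.addrs) & set(b.addrs))
        stats[domain] = {"ips": len(ips), "nets": len({net16(ip) for ip in ips}),
                         "avg_ttl": sum(o.ttl for o in obs) / len(obs),
                         "churn": disjoint / len(pairs) if pairs else 0.0}
    return stats

def is_fast_flux(s: dict, min_ips=6, min_nets=4, max_ttl=300, min_churn=0.5) -> bool:
    """All four signals must agree, so a low-TTL CDN name that keeps the
    same small address set is not flagged."""
    return (s["ips"] >= min_ips and s["nets"] >= min_nets
            and s["avg_ttl"] <= max_ttl and s["churn"] >= min_churn)

# Constructed sample: one rotating domain and one stable low-TTL domain.
SAMPLE = [
    Observation(0, "flux.example", 60, ("198.51.100.7", "203.0.113.20", "192.0.2.9")),
    Observation(120, "flux.example", 60, ("198.18.4.1", "100.64.3.3", "172.16.8.8")),
    Observation(240, "flux.example", 60, ("10.9.9.9", "192.168.77.1", "203.0.113.41")),
    Observation(360, "flux.example", 60, ("198.51.100.7", "100.64.3.3", "172.20.1.1")),
    Observation(0, "cdn.example", 60, ("192.0.2.10", "192.0.2.11")),
    Observation(120, "cdn.example", 60, ("192.0.2.11", "192.0.2.10")),
]
```

In real deployments the /16 proxy should be replaced by ASN lookups, since legitimate CDNs also spread across many netblocks but rarely rotate through disjoint address sets every response.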
The information in the report has been shared previously with industry groups such as the Forum of Incident Response and Security Teams (FIRST) and the Internet Corporation for Assigned Names and Numbers (ICANN). This is the first time the study has been made public, and it was released to coincide with Malware 2008, which is being held Tuesday and Wednesday in Alexandria, Va.
Thirteen days after Dan Kaminsky asked his fellow security researchers not to speculate on the details of his DNS flaw, a fellow Black Hat researcher published his own speculation, and apparently got it right.
On July 8, IOActive researcher Kaminsky disclosed a flaw in the Domain Name System (DNS), but would not provide the details until all the affected vendors had released patches and all the systems worldwide could be patched. He figured it would take about 30 days for that to happen. The 30-day mark also just happened to coincide with his speaking engagement at Black Hat in Las Vegas on August 6.
Kaminsky has worked for about six months with major vendors, coordinating a massive synchronized release of patches. It was an effort at responsible disclosure. However, in an interview with CNET News, Kaminsky suggested that, in retrospect, he should have been more candid with more of his peers.
Those he did confide in appeared to be won over.
Writing on Monday in his blog, Halvar Flake first attacks the very idea that a security flaw such as this could be kept a secret, then proceeds to lay out what he thinks the flaw is:
"Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.
"Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com ... to ns.polya.com."
Flake's entire speculation can be found here.
In response, Dan Kaminsky wrote Monday afternoon on his blog "Patch. Today. Now. Yes, stay late," suggesting that Flake has either guessed correctly or is very close.