Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking
Keith,

On Tue, Feb 26, 2019 at 6:00 AM Keith Medcalf wrote:
> >https://twofactorauth.org/#domains gives a good view of the domain
> >management landscape regarding 2FA.
>
> Seems to require the unfettered execution of third-party code ...
>
> Are you offering an indemnity in case that code is malicious? What are the
> terms and the amount of the indemnity?

What are you talking about?! Are you ... trolling?

If you don't trust the various (excellent) closed & open-source implementations of TOTP - you can write one yourself. The algorithm & specification are entirely open and free to use: https://tools.ietf.org/html/rfc6238

Using TOTP as 2FA is an excellent and recommended practice, and I am happy to see so many domain registrars support it.

Regards,
Job
RE: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking
> https://twofactorauth.org/#domains gives a good view of the domain
> management landscape regarding 2FA.

Seems to require the unfettered execution of third-party code ...

Are you offering an indemnity in case that code is malicious? What are the terms and the amount of the indemnity?

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking
On Tue, Feb 26, 2019 at 12:14 AM John Levine wrote:
> In article <24679.1551146...@turing-police.cc.vt.edu> you write:
> >So what registries/registrars are supporting 2FA that's better than SMS?
>
> Opensrs does TOTP. It's certainly not bulletproof, but it's tied to
> your actual phone rather than the phone number. (We careful folk put
> our TOTP keys on a couple of our devices in case the phone dies or
> gets lost.) It's very easy to implement, it's an IETF open
> specification, and there are lots of clients that support it.
>
> FIDO keys (like Yubikey) also seem OK but I haven't looked at how hard
> they are to implement.

https://twofactorauth.org/#domains gives a good view of the domain management landscape regarding 2FA.

Rubens
Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking
In article <24679.1551146...@turing-police.cc.vt.edu> you write:
>So what registries/registrars are supporting 2FA that's better than SMS?

Opensrs does TOTP. It's certainly not bulletproof, but it's tied to your actual phone rather than the phone number. (We careful folk put our TOTP keys on a couple of our devices in case the phone dies or gets lost.) It's very easy to implement, it's an IETF open specification, and there are lots of clients that support it.

FIDO keys (like Yubikey) also seem OK but I haven't looked at how hard they are to implement.
Re: A Deep Dive on the Recent Widespread DNS Hijacking
On Mon, Feb 25, 2019 at 8:02 PM wrote:
> So what registries/registrars are supporting 2FA that's better than SMS?
> Or since 98% of domain names are Bait type, is nobody bothering
> to support something for the 2% that could use it?

If Joe's Bait and Tackle buys from Namecheap, they can utilize TOTP for their second factor.

https://www.namecheap.com/support/knowledgebase/article.aspx/10073/45/how-can-i-use-the-totp-method-for-twofactor-authentication
Re: A Deep Dive on the Recent Widespread DNS Hijacking
Markmonitor runs a registrar popular with fortune 500s that implements additional security steps, and talking to a clued in live human in the loop to modify anything in your domain record.

On Mon, Feb 25, 2019, 6:03 PM wrote:
> On Mon, 25 Feb 2019 18:23:44 -0700, Paul Ebersman said:
>
> > Agreed. But this also gets down to the risk vs hassle tradeoff. Joe's
> > Bait & Tackle Shop probably isn't getting attacked by nation states who
> > can hack SS7, so SMS text might be good enough. And certainly better
> > than just an 8 char plain text password.
>
> So what registries/registrars are supporting 2FA that's better than SMS?
> Or since 98% of domain names are Bait type, is nobody bothering
> to support something for the 2% that could use it?
>
> Or is there a business opportunity lurking here? :)
Re: A Deep Dive on the Recent Widespread DNS Hijacking
On Mon, 25 Feb 2019 18:23:44 -0700, Paul Ebersman said:
> Agreed. But this also gets down to the risk vs hassle tradeoff. Joe's
> Bait & Tackle Shop probably isn't getting attacked by nation states who
> can hack SS7, so SMS text might be good enough. And certainly better
> than just an 8 char plain text password.

So what registries/registrars are supporting 2FA that's better than SMS? Or since 98% of domain names are Bait type, is nobody bothering to support something for the 2% that could use it?

Or is there a business opportunity lurking here? :)
Re: A Deep Dive on the Recent Widespread DNS Hijacking
ebersman> Yup. This is a good example of what I'm advocating. Just
ebersman> saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't
ebersman> sufficient detail to make informed decisions of
ebersman> risk/effort/reward tradeoffs. Simplistic suggestions without
ebersman> details or context isn't doing anyone any favors.

ebersman> That said, even SMS 2FA is better than no 2FA. Barely. Just
ebersman> like forcing lousy passwords is better than no password but
ebersman> still not a best practice.

valdis> Feel free to suggest a workable 2FA. Personally, I use a
valdis> Yubikey where I can. Oath seems to be a reasonable approach for
valdis> technically minded people, but I'm not sure that it scales well
valdis> to the people who own the long tail domains in the 40 million
valdis> .coms. I can get oathtool to behave the way I want, but I'm not
valdis> sure the owner of joes-bait-tackle-and-gunshop.com will be able
valdis> to deal with it.

Agreed. But this also gets down to the risk vs hassle tradeoff. Joe's Bait & Tackle Shop probably isn't getting attacked by nation states who can hack SS7, so SMS text might be good enough. And certainly better than just an 8 char plain text password.

Risk/attack surface is part of that context I mention. Folks in sensitive jobs will need better protection and hopefully be more capable of using less "user friendly" tech. Folks protecting less and with less geek background should still have some protection but it doesn't need to be nearly as fancy.
Re: A Deep Dive on the Recent Widespread DNS Hijacking
Speaking of registrars vs registries - I've noticed some companies have become their own registrar to improve their domain security (Cloudflare, Google, etc.). Is that a feasible path for smaller organizations? How much risk does that mitigate? It seems like it gives the organization control over more of the domain registration, which allows them to manage things better than a typical registrar might. But credentials can be compromised in either case. Does anyone have any experience with that setup?

On Mon, Feb 25, 2019, 1:49 PM Owen DeLong wrote:
> > On Feb 25, 2019, at 09:25 , Paul Ebersman wrote:
> >
> > ebersman> If someone owns your registry account, you're screwed. And
> > ebersman> right now, it tends to be the most neglected part of the
> > ebersman> entire zone ownership world. Let's use this opportunity to
> > ebersman> help folks lock down their accounts, not muddying the waters
> > ebersman> with dubious claims.
> >
> > Reread this and felt I should clarify that I realize that John and Doug
> > are not the ones saying DNSSEC is useless. I just hate to see the knee
> > jerk "oh, see, DNSSEC didn't save the day so it's obviously
> > useless". Let's give the world a better explanation.
>
> @Paul — I think you meant “registrar account” rather than “registry account”
> since most domain holders don’t have registry accounts. Registry accounts are
> primarily held by registrars. If someone owns a registrar’s registry account, then
> all of their customers (and potentially many many others) are screwed.
>
> Owen
Re: A Deep Dive on the Recent Widespread DNS Hijacking
On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said:
> ekuhnke> One thing to consider with authentication for domain registrar
> ekuhnke> accounts:
>
> ekuhnke> DO NOT USE 2FA VIA SMS.
>
> Yup. This is a good example of what I'm advocating. Just saying "use
> 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make
> informed decisions of risk/effort/reward tradeoffs. Simplistic
> suggestions without details or context isn't doing anyone any favors.
>
> That said, even SMS 2FA is better than no 2FA. Barely. Just like forcing
> lousy passwords is better than no password but still not a best
> practice.

Feel free to suggest a workable 2FA. Personally, I use a Yubikey where I can. Oath seems to be a reasonable approach for technically minded people, but I'm not sure that it scales well to the people who own the long tail domains in the 40 million .coms. I can get oathtool to behave the way I want, but I'm not sure the owner of joes-bait-tackle-and-gunshop.com will be able to deal with it.

Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" level, it's going to be a tough start...
Re: A Deep Dive on the Recent Widespread DNS Hijacking
ekuhnke> One thing to consider with authentication for domain registrar
ekuhnke> accounts:

ekuhnke> DO NOT USE 2FA VIA SMS.

Yup. This is a good example of what I'm advocating. Just saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make informed decisions of risk/effort/reward tradeoffs. Simplistic suggestions without details or context isn't doing anyone any favors.

That said, even SMS 2FA is better than no 2FA. Barely. Just like forcing lousy passwords is better than no password but still not a best practice.
Re: A Deep Dive on the Recent Widespread DNS Hijacking
ebersman> If someone owns your registry account, you're screwed. And
ebersman> right now, it tends to be the most neglected part of the
ebersman> entire zone ownership world. Let's use this opportunity to
ebersman> help folks lock down their accounts, not muddying the waters
ebersman> with dubious claims.

owen> Paul, I think you meant "registrar account" rather than "registry
owen> account" since most domain holders don't have registry accounts.

Yes. I plead ICANN jargon dyslexia brought on by excess blood in my caffeine stream. ;)
Re: A Deep Dive on the Recent Widespread DNS Hijacking
One thing to consider with authentication for domain registrar accounts:

DO NOT USE 2FA VIA SMS.

This is a known attack vector that's been used by SS7 hijacking techniques for several well documented thefts of cryptocurrency, from people who were known to be holding large amounts of (bitcoin, ethereum, whatever) on exchanges which supported 2FA authentication.

In some cases there was no SS7 hijacking going on, but rather social engineering of (t-mobile, sprint, verizon, at&t) customer service representatives to get a new SIM card issued for the attack target's phone.

tl;dr: ss7 considered harmful

On Mon, Feb 25, 2019 at 10:48 AM Owen DeLong wrote:
> > On Feb 25, 2019, at 09:25 , Paul Ebersman wrote:
> >
> > ebersman> If someone owns your registry account, you're screwed. And
> > ebersman> right now, it tends to be the most neglected part of the
> > ebersman> entire zone ownership world. Let's use this opportunity to
> > ebersman> help folks lock down their accounts, not muddying the waters
> > ebersman> with dubious claims.
> >
> > Reread this and felt I should clarify that I realize that John and Doug
> > are not the ones saying DNSSEC is useless. I just hate to see the knee
> > jerk "oh, see, DNSSEC didn't save the day so it's obviously
> > useless". Let's give the world a better explanation.
>
> @Paul — I think you meant “registrar account” rather than “registry account”
> since most domain holders don’t have registry accounts. Registry accounts are
> primarily held by registrars. If someone owns a registrar’s registry account, then
> all of their customers (and potentially many many others) are screwed.
>
> Owen
Re: A Deep Dive on the Recent Widespread DNS Hijacking
> On Feb 25, 2019, at 09:25 , Paul Ebersman wrote:
>
> ebersman> If someone owns your registry account, you're screwed. And
> ebersman> right now, it tends to be the most neglected part of the
> ebersman> entire zone ownership world. Let's use this opportunity to
> ebersman> help folks lock down their accounts, not muddying the waters
> ebersman> with dubious claims.
>
> Reread this and felt I should clarify that I realize that John and Doug
> are not the ones saying DNSSEC is useless. I just hate to see the knee
> jerk "oh, see, DNSSEC didn't save the day so it's obviously
> useless". Let's give the world a better explanation.

@Paul — I think you meant “registrar account” rather than “registry account” since most domain holders don’t have registry accounts. Registry accounts are primarily held by registrars. If someone owns a registrar’s registry account, then all of their customers (and potentially many many others) are screwed.

Owen
Re: A Deep Dive on the Recent Widespread DNS Hijacking
Hi Paul,

> Reread this and felt I should clarify that I realize that John and Doug
> are not the ones saying DNSSEC is useless. I just hate to see the knee
> jerk "oh, see, DNSSEC didn't save the day so it's obviously
> useless". Let's give the world a better explanation.

Security is only as strong as its weakest link. No single link can be expected to protect the whole chain on its own.

Cheers,
Sander
Re: A Deep Dive on the Recent Widespread DNS Hijacking
ebersman> If someone owns your registry account, you're screwed. And
ebersman> right now, it tends to be the most neglected part of the
ebersman> entire zone ownership world. Let's use this opportunity to
ebersman> help folks lock down their accounts, not muddying the waters
ebersman> with dubious claims.

Reread this and felt I should clarify that I realize that John and Doug are not the ones saying DNSSEC is useless. I just hate to see the knee jerk "oh, see, DNSSEC didn't save the day so it's obviously useless". Let's give the world a better explanation.
Re: A Deep Dive on the Recent Widespread DNS Hijacking
dougm> You are right, if you can compromise a registrar that permits
dougm> DNSSEC to be disabled (without notification/confirmation to POCs
dougm> etc), then you only have a limited period (max of DS TTL) of
dougm> protection for those resolvers that have already cached the DS.

johnl> As far as I can tell, that's roughly all of them. If you have
johnl> the credentials to log in and change the NS, you can change or
johnl> remove the DS, too.

Yes, though with the 1 day TTL most registries put on DS records, you at least have the chance to notice your DS has changed or been deleted and attempt to recover your registry account.

That is somewhat a "locking the barn door" approach, and 2FA and other account security is the best solution. However, we are in a world now where every layer of security we can add is probably a good idea and having a day to notice could be handy.

DNSSEC isn't useless but it solves one specific problem, end to end data integrity. It also requires operational cleanliness and attention to detail. We shouldn't make claims about what it can't do; we're much better off getting everyone to understand what it does and doesn't do. And underline what other security best practices they should be following.

If someone owns your registry account, you're screwed. And right now, it tends to be the most neglected part of the entire zone ownership world. Let's use this opportunity to help folks lock down their accounts, not muddying the waters with dubious claims.
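Paul's point that the DS TTL buys you "the chance to notice your DS has changed or been deleted" only pays off if something is actually watching the parent. The block below is an added example, not code from any poster: it pins the DS RRset you expect, parses `dig +short DS` output as returned by the parent zone's authoritative servers (query those directly, not a recursive resolver, because a recursive cache will happily keep serving the old DS for the full TTL after the registrar has removed it), and classifies the difference. The sample dig output, key tags and digests are constructed for the example; the `fetch_ds` helper that shells out to `dig` is an assumption about how you would collect live data and is not exercised by the self-check.

```python
import subprocess

# Constructed pinned DS set for the example zone: (keytag, algorithm, digest type, digest)
EXPECTED_DS = {(12345, 13, 2, "0123456789ABCDEF" * 4)}

# Constructed `dig +short DS` output. dig prints long digests split by a space.
SAMPLE_OK = "12345 13 2 0123456789ABCDEF0123456789ABCDEF 0123456789ABCDEF0123456789ABCDEF\n"
SAMPLE_REPLACED = "54321 13 2 " + "FEDCBA9876543210" * 4 + "\n"


def parse_ds_rrset(dig_short_output: str) -> set:
    """Turn `dig +short DS <zone> @<parent auth server>` output into a set of
    (keytag, algorithm, digest_type, DIGEST) tuples, whitespace in the digest removed."""
    rrset = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 3)
        if len(fields) != 4:
            raise ValueError(f"not a DS record: {line!r}")
        keytag, alg, dtype, digest = fields
        rrset.add((int(keytag), int(alg), int(dtype), "".join(digest.split()).upper()))
    return rrset


def classify_ds_change(expected: set, observed: set) -> str:
    """Name the kind of change so an alert can say what actually happened."""
    if observed == expected:
        return "ok"
    if not observed:
        # Delegation has gone insecure: once the old DS ages out of resolver
        # caches (the DS TTL Paul mentions), nobody validates this zone any more.
        return "removed"
    missing = expected - observed
    unexpected = observed - expected
    if missing and unexpected:
        return "replaced"          # a KSK you do not hold now anchors the zone
    if unexpected:
        return "added"             # your pre-publish rollover, or a second anchor you did not add
    return "partially-removed"


def check_ds(expected: set, dig_short_output: str) -> dict:
    observed = parse_ds_rrset(dig_short_output)
    return {
        "status": classify_ds_change(expected, observed),
        "missing": sorted(expected - observed),
        "unexpected": sorted(observed - expected),
    }


def fetch_ds(zone: str, parent_server: str) -> str:
    """Assumed collection step: ask the parent's authoritative server directly.
    Not run in the self-check; requires `dig` and network access."""
    cmd = ["dig", "+short", "DS", zone, "@" + parent_server]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, output in (("unchanged", SAMPLE_OK), ("deleted", ""),
                          ("swapped", SAMPLE_REPLACED), ("extra", SAMPLE_OK + SAMPLE_REPLACED)):
        print(label, check_ds(EXPECTED_DS, output))
```

Run it from cron against each of the parent's name servers, and page on anything other than `ok` that you did not schedule; a legitimate KSK rollover is the only reason the answer should change.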
Re: A Deep Dive on the Recent Widespread DNS Hijacking
On 25/02/2019 11:37, Ask Bjørn Hansen wrote:
> On Feb 24, 2019, at 22:03, Hank Nussbacher wrote:
>
> > Did you have a CAA record defined and if not, why not?
>
> If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than DNSSEC).

Yes if an attacker pwned the DNS then game over no matter what. I go under the assumption that the attacker was not able to take over the DNS system but rather other things along the way, in which case CAA should be of some assistance.

-Hank

> Ask
Re: A Deep Dive on the Recent Widespread DNS Hijacking
Mark Andrews wrote:
>
> An organisation can also deploy DLV for their own zones using their own
> registry. While the current code DLV validating code is only invoked
> when the response validates as insecure, there is nothing preventing a
> policy which says that DLV trumps or must also validate for entries in a
> registry. At this stage is would be a minor code change to add such
> policy knobs. DLV is a just a in-band way of distributing trust
> anchors.

Yes (as Mark knows) I would like to be able to use DLV in this enterprisey way. It should also help validators to continue working for local domains when external connectivity is funted.

Tony.
--
f.anthony.n.finch http://dotat.at/
East Sole, Lundy, Fastnet, Irish Sea: Southeasterly 4 or 5. Rough or very rough, but slight or moderate in Irish Sea. Mainly fair. Good, occasionally poor.
Re: A Deep Dive on the Recent Widespread DNS Hijacking
> On Feb 24, 2019, at 22:03, Hank Nussbacher wrote:
>
> Did you have a CAA record defined and if not, why not?

If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than DNSSEC).

Ask
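Ask's point here, and Hank's reply to it further up the thread, come down to where the CA reads the CAA record from: the CA walks the DNS tree for the name it is asked to certify, and if the attacker now answers for that tree, the attacker publishes whatever CAA suits them. The block below is an added example, not code from either poster or from any CA: a simplified RFC 8659 evaluation (climb from the name to find the relevant CAA RRset, then apply `issue`/`issuewild` and the critical flag; CNAME handling and `iodef` reporting are omitted) run against two constructed in-memory zones standing in for real DNS lookups, the zone as its owner publishes it and the same zone as a hijacker would serve it. Domain names and CA identifiers are made up for the example.

```python
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]   # (flags, tag, value) as in the CAA RDATA
Zone = Dict[str, List[CAARecord]]  # owner name -> CAA RRset; stand-in for DNS queries

CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed: the zone as the legitimate owner publishes it.  Only one CA may
# issue, and no wildcard certificates at all (issuewild ";").
LEGIT_ZONE: Zone = {
    "example.com": [(0, "issue", "trusted-ca.example"), (0, "issuewild", ";")],
}

# Constructed: the same zone after the NS records at the registrar were changed
# to the attacker's servers.  The attacker simply publishes their own CAA.
HIJACKED_ZONE: Zone = {
    "example.com": [(0, "issue", "rogue-ca.example")],
}


def relevant_caa_rrset(zone: Zone, name: str) -> List[CAARecord]:
    """RFC 8659 section 3: the relevant RRset is the first CAA RRset found
    walking from the name toward the root; stop at the first hit."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        candidate = ".".join(labels)
        if zone.get(candidate):
            return zone[candidate]
        labels.pop(0)
    return []


def _ca_domain(value: str) -> str:
    # issue value is "<ca-domain>; param=value ..."; an empty ca-domain (";")
    # means no CA may issue.
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: Zone, name: str, ca: str, wildcard: bool = False) -> bool:
    """Would a CA identified by `ca` be allowed to issue for `name`
    (or *.name when wildcard=True), reading CAA from `zone`?"""
    rrset = relevant_caa_rrset(zone, name)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False   # critical property the CA does not understand: must not issue
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # nothing restricts this kind of issuance
    return any(_ca_domain(v) == ca.lower() for v in applicable)


if __name__ == "__main__":
    for label, zone in (("owner's zone", LEGIT_ZONE), ("hijacked zone", HIJACKED_ZONE)):
        print(label, "rogue-ca.example may issue for www.example.com:",
              caa_permits(zone, "www.example.com", "rogue-ca.example"))
```

The first run answers False, the second True: CAA is a policy statement carried by the same DNS the attacker now controls. It does help in Hank's scenario, where the attacker has a web host or a leaked HTTP-01 path but not the zone, because the CA still reads the owner's CAA; a validating CA resolving the owner's DNSSEC-signed zone is what makes that answer trustworthy.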
Re: A Deep Dive on the Recent Widespread DNS Hijacking
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking
Date: Mon, Feb 25, 2019 at 05:04:39PM +1100
Quoting Mark Andrews (ma...@isc.org):
> I would also note that a organisation can deploy RFC 5011 for their own
> zones and have their own equipment use DNSKEYs managed
> using RFC 5011 for their own zones. This isolates the organisation’s
> equipment from the parent zone’s management practices.
>
> I would also note that you can configure validating resolvers to expect
> secure responses for parts of the namespace and to reject
> insecure responses even when they validate as insecure.

One thing that immediately struck me upon reading the Krebs post was that people got owned by having to downgrade the end-to-end model of the Internet into Proxy-land. A hotel wifi. Probably only challenged by "Free Wifi" in other spaces in its ability to demolish the Internet as thought out and envisioned.

We can conclude in two different directions here;

* We need to work on making the Internet more transparent to applications, and thus increasing security.

* We're all doomed anyway. DNSSEC is useless.

Pick whichever you like. Our children will judge us.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
My EARS are GONE!!