DNSSec Works for Consumers, Almost

Ever since I heard about Dan Kaminsky’s research on flaws in DNS in 2008, I have been looking forward to the industry’s response, DNSSEC (Domain Name System Security Extensions). Unfortunately, DNSSEC required an end-to-end solution from the root DNS servers to ISP servers to routers to operating systems to browsers. Parts have been working for a while, like my ISP’s DNS server. Finally, this weekend, with some beta software from my home router, my dream of seeing DNSSEC for consumers has been completed.

My Verizon DNS server supports DNSSEC (note that as of today not all of Verizon’s servers support DNSSEC). My Astaro router has implemented DNSSEC. Firefox and Windows 8 support it. With the help of the Firefox DNSSEC validator plug-in, you can see in the screenshot below the validation that Symantec’s website is the real site and could not have been spoofed by a DNS exploit. Yeah!

Now it’s time for Cisco/Linksys, Netgear, D-Link, etc. to support DNSSEC.
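Since not every ISP resolver validates yet, it is worth checking the one you actually use. A validating resolver sets the AD (Authenticated Data) flag in its reply when the query asked for DNSSEC with the DO bit. The sketch below is an added example, not part of the original post; the resolver address passed to `ask()` is whatever your own network uses, and the sample headers are constructed.

```python
import socket
import struct

RD, AD, QR = 0x0100, 0x0020, 0x8000   # DNS header flag bits
DO = 0x8000                            # EDNS0 "DNSSEC OK" flag (RFC 3225)

def build_query(name, qid=0x1234):
    """DNS A query for name with an EDNS0 OPT record that sets the DO bit."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1)   # 1 question, 1 additional
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)             # type A, class IN
    # OPT RR: root name, type 41, UDP size 1232, TTL field carries the flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def classify(response):
    """Read the response header: did the resolver validate the answer?"""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"        # also what a validating resolver returns for bogus data
    if rcode == 0 and flags & AD:
        return "validated"
    return "not-validated"

def ask(resolver_ip, name, timeout=3):
    """Live check (needs network): send the query over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify(s.recv(4096))

def sample_header(flags):
    """Constructed 12-byte response header so the parser can be tried offline."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, flags in (("AD set", 0x81A0), ("AD clear", 0x8180), ("SERVFAIL", 0x8182)):
        print(label, "->", classify(sample_header(flags)))
```

The AD flag is only as trustworthy as the resolver and the network path to it, which is why validation on the home router, as described above, matters.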

DNSSec in Action


Tips to Keep You Safe Online

Some tips to keep you and your family safer online.

a) Use Lastpass.com to keep track of your passwords. With Lastpass I remember only one long, random, secure password and Lastpass remembers over 200 of my passwords, which all look like random variations of “C5r$u9cLy#bG”. I also use YubiKey with Lastpass to provide secondary authentication. YubiKey is a small plastic USB device that sends a pseudo-random number to a server to authenticate me. Google Authenticator is an alternative secondary authentication.

b) Change your password reset questions so that your answers are no longer “Snoopy”, “ice cream,” or “Justin Bieber.” It is too easy to guess the name of your first pet or your favorite food, and too easy to find out your favorite singer from your Facebook profile. Use answers like “game73elmo29.” Write them down in a secure place or use Lastpass to keep track of them.

c) Do not use the same password at multiple sites.

d) Change the default password on your router. Some of the sophisticated hacks attack widely available Belkin, D-Link, Linksys, etc., routers. If you are adventurous, build your own router like Astaro or pfSense using an old PC.

e) Check your router’s security using the ShieldsUP! tool at grc.com.

f) Make sure your wireless router uses WPA2. WEP is too easy to crack.

g) Check to see that hardware DEP is turned on if you are using a Windows PC.

h) Use NoScript to prevent malicious scripts from running if you are using Firefox. I think Firefox is the most secure browser but you could also make an argument for Chrome or IE9.

i) Use SandboxIE to virtualize any browser.

j) Back up your essential files. Bad things can and will happen. I use the 3-2-1 rule: three copies, two different media (I use hard drives and cloud drives), and one copy off-site (I use two off-site vendors, Amazon and Rackspace).

k) Scan your PC occasionally using a LiveCD like Microsoft System Sweeper. The LiveCD does not boot into Windows, so difficult-to-detect malware like rootkits can be detected.

l) If you want to check a file that arrived in an e-mail or that you downloaded, check it at virustotal.com. It will be checked against more than 40 antivirus products. Of course, even if the file appears to be virus-free, it may be a zero-day.

For Absolute Internet Security – A Browser & Internet Boot Disk

There is a misconception among the public that you can visually detect malware on your PC because there are popups or strange things happening to the PC. It is true that some malware tries to sell you protection software and will pop up fake security warnings, or, in the latest scam, says that your “hard drive is failing.” But much of the most dangerous malware, the kind that steals identities or gives bad guys access to your financial accounts, is designed to be absolutely stealthy. The bad guys do not want you to know there is a problem with your computer; otherwise you might think there is something wrong and try to fix it. Not all malware is detectable by anti-virus tools.

So what is the absolutely most secure protection you can take? A boot CD or USB drive with an operating system, usually Linux, ready to operate after a quick boot. When you want to securely access the Internet, start one of these malware-free drives. Since they are read-only, cookies cannot be stored, so they enhance your privacy (of course you can still be tracked by IP address).

My favorite boot disk, from the U.S. military, is called “Lightweight Portable Security.” http://spi.dod.mil/lipose.htm You can carry it with you on a USB flash drive. It installs quickly. Once it is running, you can use Firefox to access your secure sites. It is free.


My Favorite Firefox Security Add-On, NoScript

Security pros have been advising people to “stay away from dangerous websites.” I agree that pornography, game cheat codes, and file sharing sites are probably more dangerous than CNN, but you can also get infected from a malicious advertisement appearing on CNN or any “legitimate” site. Turning off scripting, the most likely source of malware, is an important step. It is simple to do.


Once you install NoScript, view this video which explains how to use it. http://www.youtube.com/watch?v=sAxZS5SKOyA

HTTPS, Firefox, and Certificate Patrol – Know Your Certificate Authority

I expect that within three or four years all two-way browser conversations will use HTTPS. Firesheep, a Firefox add-on, has shown us how easy it is to hijack a session. HTTPS will prevent that…assuming you are connecting to the correct certificate authority. Unfortunately, the Chinese Post Office Certificate authority and Verisign have the same weight. Your browser doesn’t care whether it gets an HTTPS certificate from the legitimate authority or an authority masquerading as the legitimate one.

This problem is rare today but easy to do, especially if you are traveling. “Certificate Patrol” is a Firefox add-on that appears whenever you go to an HTTPS website that you have not been to before. It shows you who the website uses for their certificate authority (Verisign, Thawte, Comodo, etc.). If you are accessing Facebook and suddenly EBG Elektronik Sertifika Hizmet Saglayicisi shows up as the certificate authority (one of dozens I never heard of), perhaps you should be cautious.

The add-on is free.
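The idea of remembering which certificate authority a site used can be sketched in a few lines. This is an added example, not Certificate Patrol's own code, and it goes a step beyond the text by comparing later visits against the first one; the class name, verdict strings, hosts, CA names and certificate bytes are all assumptions made for illustration.

```python
import hashlib
import socket
import ssl

class IssuerPatrol:
    """Trust-on-first-use record of each host's certificate issuer and fingerprint."""

    def __init__(self):
        self.seen = {}  # host -> (issuer organisation, SHA-256 of the DER certificate)

    def observe(self, host, issuer, cert_der):
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        previous = self.seen.get(host)
        if previous is None:
            self.seen[host] = (issuer, fingerprint)
            return "first-visit"
        if previous == (issuer, fingerprint):
            return "unchanged"
        if previous[0] == issuer:
            # Same CA, new certificate: what a routine renewal looks like.
            self.seen[host] = (issuer, fingerprint)
            return "renewed-same-ca"
        # Different CA: keep the old record so the warning repeats until reviewed.
        return "issuer-changed"

def fetch(host, port=443, timeout=5):
    """Live helper (needs network): return (issuer organisation, DER bytes) for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return issuer.get("organizationName", "unknown"), tls.getpeercert(binary_form=True)

def replay(visits):
    """Feed (host, issuer, cert bytes) visits through a fresh patrol, in order."""
    patrol = IssuerPatrol()
    return [patrol.observe(*visit) for visit in visits]

# Constructed sample visits; hosts, CA names and certificate bytes are placeholders.
SAMPLE_VISITS = [
    ("social.example", "Familiar CA", b"cert-2011"),
    ("social.example", "Familiar CA", b"cert-2011"),
    ("social.example", "Familiar CA", b"cert-2012"),
    ("social.example", "Unfamiliar CA", b"cert-other"),
    ("social.example", "Unfamiliar CA", b"cert-other"),
]

if __name__ == "__main__":
    for visit, verdict in zip(SAMPLE_VISITS, replay(SAMPLE_VISITS)):
        print(visit[0], visit[1], "->", verdict)
```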