Kaminsky: DNS Insecurity Isn’t Coincidence, it’s Consequence

Dan Kaminsky insisted that there’s a cost to doing security crypto through DNS at Kaspersky Lab’s 2015 Security Analyst Summit Monday.

CANCUN – “2015 got weird… really weird.” Those were some of the first words spoken by Dan Kaminsky in his talk today at the Kaspersky Security Analyst Summit Monday.

He was referring to a few key events from the last several weeks: the Sony hack debacle, or what he called “North Korean or Teenager?”; and President Obama’s stop at Stanford last week to stress further government/technology information sharing, to name a few. However Kaminsky, the co-founder and chief scientist at the security firm White Ops, confessed that it’s going to take more than just a proficient coder to solve today’s cybersecurity woes.

“If there’s a role for the government to play in securing the internet, it’s going to require more than being the biggest, baddest hacker in the room,” he said.

After asking the crowd why he cant email his doctor directly, Kaminsky cited the restraints of HIPAA and how the concept lends itself to the age-old theory that if you can’t communicate securely, don’t communicate at all.

Throughout his presentation, an animated Kaminsky trumpeted the efforts of the Domain Name System Security Extensions (DNSSEC), the task force in charge of adding security and cryptography to the Domain Name System. While he cast a foreboding atmosphere – Kaminsky speculated that the amount of money filtered to groups like the Internet Corporation for Assigned Names and Numbers (ICANN) is trivial, mere nano-pennies compared to money sent to companies such as Google and Amazon – he insisted that there’s a cost to security crypto through DNS.

“Faster, better, cheaper is on the wrong side of the table,” Kaminsky said before joking that DNS is the “talk to customers for effectively no money” layer of the internet.

“Insecurity isn’t coincidence, it’s consequence,” Kaminsky said of the infrastructure’s importance.

But while supporting the notion that DNSSEC may be hard, it doesn’t mean it’s not worth doing and won’t ultimately benefit the greater good, Kaminsky said.

“There are critical things I don’t do everyday because they’re not feasible, but since when did information security care about hard?” Kaminsky asked, stressing that DNSSEC needs to be able to use offline keys but also run online and by default for most deployments. Kaminsky extolled further benefits of DNSSEC, including automated enrollment and end-to-end key delivery.

“Networks are dumb, they’re not stupid,” Kaminsky said, adding that DNSSEC is “shovel-ready” and that despite being perennially under appreciated, it demands more attention, along with encryption methods like PGP, HTTPS, and IPSec.

“CA revocation is a disaster, it’s slow, broken, barely supported, DNSSEC solves that problem with invocation.”

“If government wants to help, help us make it easy to support the internet,” Kaminsky pleaded.

Suggested articles