On the U.S. Department of Homeland Security’s website, a post entitled "Emergency Directive 19-01" raised an alert about an influx of DNS hijacking and described countermeasures for federal agencies to take against it. According to the emergency directive, which relies on 44 U.S.C. § 3553(h)(1)–(2) to formulate its legal basis for action against the threat, the DHS has detected a “series of incidents” that are indicative of DNS infrastructure tampering.
The DHS post gives the following information as evidence of the threat:
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
- The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
- Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
- Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
The emergency directive compels all federal agencies to carry out every action the DHS deems necessary to mitigate the DNS hijacking threat.
The enforceable actions include the following (all of which need to be completed within 10 days or risk being reported to CISA):
• All .gov or other agency-managed domains must audit their public DNS records.
• Any account that is able to alter DNS records must change their passwords.
• Accounts with the ability to change DNS records have to institute multi-factor authentication.
• Federal agencies are required to monitor “CT log data for certificates issued that they did not request” and report any unauthorized certificate to CISA.
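The attack pattern quoted above (altered A, MX or NS records, followed by certificates issued for the hijacked names) and the first and last required actions (audit public DNS records; watch CT logs for certificates the agency did not request) can both be checked with the same small audit routine. The following is an added example, not code from the DHS directive or from the post's author. Everything in it is constructed for illustration: the baseline inventory, the "observed" resolver answers, the CT log entries and the fingerprint placeholders. A real run would replace `OBSERVED` with answers queried from each authoritative server (for example with dnspython) and `CT_ENTRIES` with records from a CT log monitor; the comparison logic is unchanged.

```python
"""
Offline DNS-record and certificate-transparency audit (added example, not
part of Emergency Directive 19-01 or the original post).

Assumptions, all constructed for this example:
- BASELINE is the organization's authoritative inventory of expected records.
- OBSERVED stands in for what a resolver actually returned.
- CT_ENTRIES stands in for entries pulled from a CT log monitor, and
  REQUESTED_CERTS is the inventory of certificates the organization ordered.
- Fingerprints such as "FP-0001" are placeholders, not real certificate hashes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: domain -> record type -> expected values (order-insensitive).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "example.gov": {
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.gov."},
        "NS": {"ns1.example.gov.", "ns2.example.gov."},
    },
    "mail.example.gov": {"A": {"192.0.2.25"}},
}

# Constructed resolver answers: one NS entry has been swapped and the mail
# host's A record now points elsewhere, the tampering pattern the directive describes.
OBSERVED: Dict[str, Dict[str, Set[str]]] = {
    "example.gov": {
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.gov."},
        "NS": {"ns1.example.gov.", "ns-unexpected.example.net."},
    },
    "mail.example.gov": {"A": {"198.51.100.77"}},
}

# Constructed CT log entries (placeholder fingerprints, not real hashes).
CT_ENTRIES = [
    {"fingerprint": "FP-0001", "names": ["example.gov", "www.example.gov"], "issuer": "Example CA"},
    {"fingerprint": "FP-0002", "names": ["mail.example.gov"], "issuer": "Example CA"},
    {"fingerprint": "FP-0003", "names": ["vpn.example.gov"], "issuer": "Other CA"},
    {"fingerprint": "FP-0004", "names": ["unrelated.example.org"], "issuer": "Other CA"},
]
REQUESTED_CERTS: Set[str] = {"FP-0001", "FP-0002"}   # what the organization itself ordered
MONITORED_DOMAINS: Set[str] = {"example.gov"}         # zones the agency is responsible for


@dataclass
class Deviation:
    domain: str
    rtype: str
    expected: Set[str]
    observed: Set[str]


def audit_dns(baseline: Dict[str, Dict[str, Set[str]]],
              observed: Dict[str, Dict[str, Set[str]]]) -> List[Deviation]:
    """Return every (domain, record type) whose observed value set differs from baseline.
    A record type missing from the answers is treated as an empty set, so deletions
    surface as deviations too, not only substitutions."""
    findings: List[Deviation] = []
    for domain, rtypes in baseline.items():
        for rtype, expected in rtypes.items():
            seen = observed.get(domain, {}).get(rtype, set())
            if seen != expected:
                findings.append(Deviation(domain, rtype, expected, seen))
    return findings


def _in_scope(name: str, monitored: Set[str]) -> bool:
    """True if `name` is a monitored domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in monitored)


def unexpected_certificates(entries: List[dict], requested: Set[str],
                            monitored: Set[str]) -> List[dict]:
    """CT entries covering a monitored domain whose fingerprint is not in the
    requested-certificate inventory. Out-of-scope names are ignored so the
    report is not flooded with certificates for domains the agency does not own."""
    return [e for e in entries
            if e["fingerprint"] not in requested
            and any(_in_scope(n, monitored) for n in e["names"])]


if __name__ == "__main__":
    for d in audit_dns(BASELINE, OBSERVED):
        print(f"DNS deviation: {d.domain} {d.rtype} expected={sorted(d.expected)} observed={sorted(d.observed)}")
    for e in unexpected_certificates(CT_ENTRIES, REQUESTED_CERTS, MONITORED_DOMAINS):
        print(f"Unrequested certificate: {e['fingerprint']} for {e['names']} issued by {e['issuer']}")
```

Two design points matter in practice. The DNS comparison is set-based and treats a missing record as an empty set, because a hijack may delete or add a value rather than replace one for one. The CT check is keyed on the organization's own issuance inventory rather than on the issuing CA, since an unrequested certificate from a CA the agency normally uses is exactly the case the directive warns about.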
According to the post, the DHS emergency directive will remain in effect indefinitely until “replaced by a subsequent Binding Operational Directive or terminated through other appropriate action.” What irks me as a cybersecurity professional is that the US government was not already practicing better security with regard to its DNS accounts. It always seems to take a major incident to bring about change in governmental InfoSec practices, leaving countless attack vectors open for hackers to infiltrate in the meantime.
I would like to say that this will cause the government to rethink its policies with regard to InfoSec, but I won’t hold my breath.
Featured image: Wikimedia