DHS issues emergency directive about DNS hijacking attacks

On the U.S. Department of Homeland Security’s website, a post entitled "Emergency Directive 19-01" that raised an alert about an influx of DNS hijacking and described countermeasures for federal agencies to take against it. According to the emergency directive, which relies on 44 U.S.C. § 3553(h)(1)–(2)to formulate its legal basis for action against the threat, the DHS has detected a “series of incidents” that are indicative of DNS infrastructure tampering.

The DHS post gives the following information as evidence of the threat:

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

What the emergency directive does is force all federal agencies to comply with any and all required actions that the DHS deems necessary to mitigate the DNS hijacking threat.

The enforceable actions include the following (all of which need to be completed within 10 days or risk being reported to CISA):

• All .gov or other agency-managed domains must audit their public DNS records.

• Any account that is able to alter DNS records must change their passwords.

• Accounts with the ability to change DNS records have to institute multi-factor authentication.

• Federal agencies are required to monitor “CT log data for certificates issued that they did not request” and report any unauthorized certificate to CISA.

According to the post, the DHS emergency directive will remain in effect indefinitely until “replaced by a subsequent Binding Operational Directive or terminated through other appropriate action.” What irks me as a cybersecurity professional is how the US government was not already practicing better security with regards to its DNS accounts. It always seems to be a major incident that causes changes when it comes to governmental InfoSec practices, leaving countless attack vectors open for hackers to infiltrate.

I would say that this hopefully causes the government to rethink its policies with regards to InfoSec, but I won’t hold my breath.

Featured image: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Using PowerShell to assess Active Directory health

When using PowerShell as a tool for monitoring Active Directory health, you are limited only by your imagination. Here’s some…

2 days ago

Microsoft Authentication Libraries now generally available

Microsoft Authentication Libraries, available for Android, iOS, and macOS, help developers integrate authentication into a diverse set of applications.

2 days ago

Checkrain fake iOS jailbreak site a menace to iPhone users

iPhone users looking for help in jailbreaking their devices will find trouble if they head to a website named checkrain,…

2 days ago

Key to success: Tracking down and unlocking locked files in Windows

Locked files in Windows can be a maddening experience. Thankfully, it is usually relatively easy to get a locked file…

3 days ago

‘Made By Google’ 2019: Pixel 4 and Pixel 4 XL are finally official

The release of Google’s much-awaited new smartphones is official. The tech giant has unveiled the Pixel 4 and Pixel 4…

3 days ago

COBIT 2019: An effective governance framework for IT pros

Every business with IT as part of its foundation needs a comprehensive governance strategy. This is where COBIT 2019 comes…

3 days ago