Today the world woke up to DNS changing and something called DNSChanger. First we had the excellent news of a major FBI bust, taking down a cyber-ring that had infected about four million computers in 100 countries. The operators of this fraud had used malware called DNSChanger to redirect infected computers to rogue websites. For example, Mr. Consumer would type itunes.com into his web browser but end up somewhere other than itunes.com, namely a website chosen by the crooks who had altered the way Mr. Consumer's computer found its way from site to site. (There are plenty of details in the FBI announcement.)
The crooks generated at least $14 million in ill-gotten gains by redirecting traffic to manipulate online advertising schemes. And Mr. Consumer was not the only person affected. Systems within some large enterprises were affected as well as some government agencies, including NASA. Busting this operation was a big win for the feds: 6 arrests made, a huge botnet taken over by the good guys, numerous bank accounts frozen, and hard drives from more than 100 rogue servers seized. If this action can be followed by a successful prosecution and stiff penalties for those convicted then the risk/reward ratio for cybercrime will be nudged a little closer to "not worth it."
The sheer scale of this DNSChanger scam is likely to increase the momentum for technology that makes it harder to subvert DNS for illegal purposes, namely DNSSEC, short for DNS Security Extensions. The goal of DNSSEC is to protect the Internet from certain attacks, such as DNS cache poisoning, man-in-the-middle attacks, and the kind of DNS changing the FBI has so dramatically brought to light.
How disappointing then, to get an email later the same day, also about DNS changing, but this time the DNS changer is the U.S. government itself, acting at the behest of a coalition of interests looking for ways to defeat online piracy of music, movies, and other intellectual property. This state-sponsored DNSChanger is part of the PROTECT IP bill in the Senate, and its House counterpart, the "Stop Online Piracy Act (SOPA)." These bills would require DNS server operators in the US to replace the correct IP address for a website with an alternate address provided by the Attorney General's office, if the website was "infringing". The definition of infringing is distributing illegal copies, counterfeit goods or anti-DRM technology.
While we are all in favor of stopping piracy, messing about with DNS and legalizing state-controlled DNS changing seems like overkill. Furthermore, it is fundamentally incompatible with DNSSEC, a technology that will, if it is allowed to proceed, make many parts of the Internet more resistant to abuse, and expand the possibilities for lawful and profitable business in cyberspace. While the FBI and other law enforcement are working hard to stop the bad guys from making millions by infecting our computers and subverting DNS, it seems unwise to give private companies the ability to go ahead and change DNS armed only with court orders.
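To make the incompatibility concrete, here is an added example (not from the original post) that models the DNSSEC argument in simplified form: a zone signs its address records with an Ed25519 key (DNSSEC algorithm 15), a validating resolver checks the signature, and a resolver that substitutes a different address has no zone key and can only forward a signature that no longer matches the data. The RRset layout, the canonical form and the Sign/Validate/Filter/Demo names are assumptions; real DNSSEC also involves a chain of trust from the root, the RRSIG wire format and validity windows, none of which are modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RRset is a simplified A-record set for one owner name (assumed layout, not wire format).
type RRset struct {
	Owner string
	Addrs []string
}

// canonical renders the RRset in a fixed byte form, as DNSSEC does before signing.
func canonical(rr RRset) []byte {
	return []byte(strings.ToLower(rr.Owner) + " IN A " + strings.Join(rr.Addrs, ","))
}

// Sign is the zone operator's side: an RRSIG-like signature over the RRset.
func Sign(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Validate is the resolver's side: accept only if the zone key's signature matches
// the data actually received; a false result is what a validator turns into SERVFAIL.
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rr), sig)
}

// Filter models the mandated substitution: the resolver swaps in a third party's
// address but holds no zone key, so it can only forward the original signature.
func Filter(rr RRset, replacement string) RRset {
	return RRset{Owner: rr.Owner, Addrs: []string{replacement}}
}

// Demo signs a constructed answer, then validates it as sent and after filtering.
func Demo() (genuineOK, filteredOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error is nil with crypto/rand
	answer := RRset{Owner: "example.com.", Addrs: []string{"192.0.2.10"}} // constructed sample
	sig := Sign(priv, answer)
	return Validate(pub, answer, sig), Validate(pub, Filter(answer, "192.0.2.250"), sig)
}

func main() {
	g, f := Demo()
	fmt.Printf("genuine answer validates: %v, filtered answer validates: %v\n", g, f)
}
```

A validating resolver therefore cannot quietly hand out the substituted address; it can only fail the lookup, which is why filtering and DNSSEC validation cannot both be deployed on the same resolver.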
To learn more about this issue read the whitepaper by Paul Vixie and other Internet luminaries, "Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill" (pdf file). You can read news coverage on CNET and Public Knowledge. Other issues with the legislation are discussed on TechDirt. There is even a video.
Author Stephen Cobb, ESET