Back in January, the Cybersecurity and Infrastructure Security Agency, a division of Homeland Security, issued its first emergency directive, requiring federal civilian agencies to secure themselves against a global hacking campaign targeting the Domain Name System (DNS). Security firm FireEye claims with “moderate confidence” that the campaign was sponsored by the Iranian government.
Security firm Farsight has alleged that DNS vulnerabilities played a role in the infamous Democratic National Committee email hack. Motherboard reports that Venezuelan President Nicolás Maduro’s administration appears to have abused DNS vulnerabilities using what’s known as a homograph attack to collect names, email addresses, passwords, and other personal information from anti-Maduro activists.
For five hours on October 22, 2016, anyone who logged into an unnamed Brazilian bank’s website actually gave their login credentials to hackers who exploited weak points in the bank’s DNS infrastructure. Last April, the same thing happened to users of a cryptocurrency exchange, and more than $150,000 was stolen from them.
Most of us assume core internet infrastructure like DNS will always work as advertised. Simply type the URL for your bank’s website into your browser, and milliseconds later, you should be looking at your bank’s login page. Punch in your credentials and you’re off to the races, browsing your account activity, transferring money, and bemoaning last weekend’s ill-advised bar tab. Simple, safe, secure. But as the victims of these attacks learned the hard way, that’s not always the case.
The vast majority of DNS traffic is still verified using the honor system.
DNS is the umbrella term for the protocol and series of servers that take a “name” such as “www.medium.com” and turn it into an IP address, which is used to route requests through the internet to their destination. The system’s primary purpose has led many to describe DNS with a metaphor as dry as the source material: DNS is the internet’s yellow pages. But hidden behind its mundane facade is a veritable cornucopia of malicious opportunity.