Security Now 657: ProtonMail

This week we discuss “DrupalGeddon2”, Cloudflare’s new DNS offering, a reminder about GRC’s DNS Benchmark, Microsoft’s Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, free electricity, a policy change at Google’s Chrome store, another “please change your passwords” after another website breach, a bit of miscellany, a heart-warming SpinRite report, some closing-the-loop feedback from our terrific listeners, and a closer look at the Swiss encrypted ProtonMail service.


In sudden announcement, US to give up control of DNS root zone

In a historic decision on Friday, the United States has decided to give up control of the authoritative root zone file, which contains all names and addresses of all top-level domain names.

The National Telecommunications and Information Administration (NTIA), under the United States Department of Commerce, has retained ultimate control of the domain name system (DNS) since transitioning it from a government project into private hands in 1997. With Commerce’s blessing, the International Corporation for Assigned Names and Numbers (ICANN) acts as the primary essential governing body for Internet policy.

The new change is in advance of the upcoming ICANN meeting to be held in Brazil in April 2014. Brazil and other nations have fumed at revelations of American spying on its political leaders and corporations, which were first revealed in September 2013 as the result of documents distributed by whistleblower Edward Snowden. The South American country also threatened to build its “own cloud,” as a consequence of the NSA’s spying.

Commerce’s contract with ICANN to act as the Internet Assigned Numbers Authority will expire on September 30, 2015—for now, ICANN’s role will not change.

“The timing is right to start the transition process,” wrote Assistant Secretary of Commerce for Communications and Information Lawrence E. Strickling, in a statement published late Friday. “We look forward to ICANN convening stakeholders across the global Internet community to craft an appropriate transition plan.”

Stephen D. Crocker, ICANN’s Board Chair, wrote in another statement, “Even though ICANN will continue to perform these vital technical functions, the US has long envisioned the day when stewardship over them would be transitioned to the global community. In other words, we have all long known the destination. Now it is up to our global stakeholder community to determine the best route to get us there.”

In a late Friday evening conference call, ICANN President and CEO Fadi Chehadé lauded the decision as “historic” and said that ICANN will be moving toward multi-stakeholder control. Chehadé said the US will not permit another country to make an exclusive contract like the US’ when 2015 rolls around, however. “The US will not hand their role to a government, a group of governments, or an inter government group… they are not saying that they’d exclude governments—governments are welcome, all governments are welcome as equal partners with all the other members of our community.”

Naturally, journalists on the call asked whether the sudden and stunning change was brought about by new pressures after the leaks made by former NSA contractor Edward Snowden. But Chehadé and Crocker, who was also on the call, offered evasive answers.

“I think what is important to focus on today is the trust in the global community that is displayed in the US’ decision here,” Chehadé told the press. “There is now full trust in the superiority of the multi-stakeholder model, the open model that enabled the Internet to be what it is today. That’s the news today, really.”

Full Story: In sudden announcement, US to give up control of DNS root zone | Ars Technica.

Possibly related DDoS attacks cause DNS hosting outages

Distributed denial-of-service (DDoS) attacks that could be related have in the past few days slammed the DNS servers of at least three providers of domain name management and DNS hosting services.

DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. In some cases the attacks started a few days ago and are ongoing.

TPP Wholesale, a subsidiary of Sydney-based Netregistry, one of Australia’s largest providers of Web hosting, domain management and other online services, alerted its customers through its website on Monday that eight of its DNS servers experienced “unscheduled service interruption.”

TPP Wholesale experienced a series of DDoS attacks against its DNS name servers over the past several days, the Netregistry Group Security Team said in a blog post. The company managed to mitigate the DDoS attacks that caused service interruptions throughout Monday by taking “the drastic step” of rate-limiting DNS queries, the team said.

Such aggressive filtering is prone to false positives and might result in some customers being denied DNS service. “In the next few days we will continue to whitelist such false positives as we discover them,” the team said.

Second wave

EasyDNS, a DNS hosting provider based in Toronto, also reported DNS service disruptions caused by a DDoS attack on Monday.

“This looks like a larger version of a smaller DDoS yesterday which was possibly a test run,” the company’s CEO Mark Jeftovic said Monday in a blog post. “This DDoS attack is different from our previous ones in that it looks as if the target is us, easyDNS, not one of our clients.”

Jeftovic said that it was difficult to differentiate the real traffic from the DDoS traffic, but the company managed to partially mitigate the attack and also published workarounds for affected customers. “This is the ‘nightmare scenario’ for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it’s against easyDNS itself and it is fairly well constructed,” he said.

Full Story: Possibly related DDoS attacks cause DNS hosting outages | PCWorld.