Research Highlights
Security and Privacy

Technical Perspective: Revealing the Cracks in AA Services

"A Security Model for Web-Based Communication," by Pouyan Fotouhi Tehrani et al., presents a new study of alerting authorities and their cybersafety measures, including DNS and Web PKIs.


Web developers and service providers often amass and daisy-chain an array of applications, protocols, and libraries into their toolchains. Consequently, vulnerabilities, bugs, malware, and data leaks start creeping in, often in ways one would not have initially imagined. These Achilles' heels are ever more critical when precarious infrastructures and safety services depend on them.

An example of these critical services in the U.S. is Alerting Authorities (AAs): jurisdictions with the designated authority to alert and warn the public when there is an impending natural or human-made disaster, threat, or dangerous or missing person. Today, there are more than 1,600 federal, state, local, tribal, and territorial alerting authorities that issue critical public alerts and warnings in their jurisdictions. Like many emergency services, AAs rely on the Internet for communications and operations. As with many public sector services, maintaining security and reliability is important, yet it is not always easy to have a dedicated team able to keep up with the rapid advances in the cybersecurity domain.

For important services like AAs to operate online, one of the initial building blocks and fundamental protocols to configure and securely operate is the Domain Name Service (DNS). Known as one of the most critical protocols of the Internet and Web services, DNS enables various Web services and programs to use familiar names as a destination, which are then resolved to the corresponding IP address of destination servers. DNS security is vital to the operation of the Internet, as nearly every service, app, IoT device, and website relies on it. This includes safety services owned and managed by various government authorities around the world. DNSSEC helps secure DNS by associating a cryptographic signature with an existing DNS record, enabling one to verify that a DNS record comes from its authoritative name server. Along with securing DNS, Public Key Infrastructure (PKI) certificates are also used to secure a webpage or encrypt data transfer channels and files using certificates that can be verified using a publicly trusted Certificate Authority.

The accompanying paper presents a new study investigating AAs and their cybersafety measures, including DNS and Web PKIs. Alarmingly, the authors find that most AA services fall short of protections in these critical protocols. The study investigates AA websites and domain names to map the dependencies of services, studying DNSSEC penetration as well as domain-validation Web PKI certificates and the use of restricted top-level domains (TLDs). The authors develop assurance profiles as a technique to assess the adequacy of the security implications for users.

One of the interesting, yet alarming, findings of the paper is the low percentage of AAs having sufficient identification through their own namespace using certificates and DNSSEC. Another challenge highlighted is the decreasing lifespan of certificates (due to demands from browser developers to shorten certificate lifespans to boost security, or to the use of free providers); hence the need for operators to closely monitor their certificates for validity.
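The kind of monitoring this calls for can be sketched as follows. This is an added example, not code from the paper or this article: the certificate dictionaries are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, the DNSSEC result is supplied as an input, and the domain names, the `RESTRICTED_TLDS` set, the 21-day threshold and the "no organization in the subject means domain-validated" heuristic are assumptions, not the paper's assurance-profile definitions.

```python
import ssl
from datetime import datetime, timezone

RESTRICTED_TLDS = {"gov", "mil"}  # assumption: TLDs with eligibility checks
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock, reproducible sample

def cert(cn, not_after, org=None):
    """Build a constructed certificate dict shaped like getpeercert() output."""
    subject = [(("commonName", cn),)]
    if org:
        subject.append((("organizationName", org),))
    return {"subject": tuple(subject), "notAfter": not_after}

# Constructed inventory: (domain, certificate, validating resolver set the AD flag?)
INVENTORY = [
    ("alerts.example-county.gov",
     cert("alerts.example-county.gov", "Sep  1 00:00:00 2025 GMT", "Example County"), True),
    ("example-county-ema.org",
     cert("example-county-ema.org", "Mar 10 00:00:00 2025 GMT"), False),
    ("alerts.example-city.gov",
     cert("alerts.example-city.gov", "Feb 20 00:00:00 2025 GMT", "Example City"), True),
]

def days_left(certificate, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expiry = ssl.cert_time_to_seconds(certificate["notAfter"])
    return (datetime.fromtimestamp(expiry, tz=timezone.utc) - now).days

def review(domain, certificate, dnssec_validated, now, warn_days=21):
    """Return the list of identification and validity gaps for one service."""
    findings = []
    if domain.rstrip(".").rsplit(".", 1)[-1].lower() not in RESTRICTED_TLDS:
        findings.append("name is not under a restricted TLD")
    if not dnssec_validated:
        findings.append("DNS answers are not DNSSEC-validated")
    fields = {k: v for rdn in certificate["subject"] for k, v in rdn}
    if "organizationName" not in fields:  # heuristic for a domain-validated cert
        findings.append("certificate is domain-validated only")
    remaining = days_left(certificate, now)
    if remaining < 0:
        findings.append(f"certificate expired {-remaining} days ago")
    elif remaining <= warn_days:
        findings.append(f"certificate expires in {remaining} days")
    return findings

def audit(inventory, now):
    """Map each domain in the inventory to its findings."""
    return {d: review(d, c, ok, now) for d, c, ok in inventory}

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY, NOW).items():
        print(name, "->", gaps or "no gaps found")
```

In a live deployment the certificate would come from a TLS handshake with verification enabled and the DNSSEC flag from a validating resolver; both are stubbed here so the sample runs offline.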

One of the impressive aspects of the paper is the care taken to verify all the collected domains, to gain a valuable ground truth dataset for the domain namespace and Web PKI analyses. Given the large number of entries scattered across various resources, the data validation approach is a major undertaking that leaves the reader assured that care has been taken to provide accurate reporting of these services, along with releasing the data to aid further research. Acting responsibly, the authors have informed the Alerting Authorities about their assurance profiles to raise awareness for improvements.

Why is this paper important? And are the findings relevant for those not using AAs at all? While the paper might seem to be addressing a specific service in a single country, the implications reach far beyond this single studied system. Other countries (for example, the U.K.) have recently been implementing similar systems for emergency public alerts. Beyond DNS and Web PKI, the findings in the paper should be used to educate, and prepare, emergency services around the world to perform thorough red team/blue team cybersecurity exercises and audits of their critical infrastructure, from physical hardware and trusted devices, down to network connectivity, encryption, certificates, and importantly, understanding the individuals’ trust in these systems.
