- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
Network World - Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC ) to alleviate this threat.
In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.
While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks.
[ SCHOOL DAYS: 10 top colleges for tech CEOs ]
Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is miniscule.
Recent surveys conducted by DNS vendor Secure64 show little deployment of DNSSEC:
"For whatever reason, the importance of securing their DNS has not raised itself up to a high enough level of priority for these organizations," says Mark Beckett, vice president of marketing for Secure64. "Perhaps they don't know there is a hole in the DNS and that if it is attacked, their customers could have their personal or financial information compromised."
A similar survey conducted weekly by the National Institute of Standards and Technology indicates that only 10 out of more than 1,000 U.S. industry websites have fully deployed DNSSEC. DNSSEC pioneers include Comcast, Data Mountain Solutions, Infoblox, PayPal and Sprint. Another nine websites -- including those operated by Dyncorp, Simon Property Group and Juniper Networks -- demonstrated partial deployment of DNSSEC in the NIST survey.
"The tools and other functions are there to do [DNSSEC]," says Chris Griffiths, director of high-speed Internet engineering at Comcast, which deployed DNSSEC a year ago. "I know that other folks are looking at it. ... In general, people are in the planning stages and at this point they probably need to move that along."
Companies that show no signs of deploying DNSSEC read like a Who's Who of American Industry: Fifth Third Bancorp, Bank of America, Cardinal Health, Charles Schwab, Delta Air Lines, Disney, eBay, Target, WellPoint and Wells Fargo. Even high-tech leaders such as Apple, Cisco, Google, IBM and Symantec haven't deployed DNSSEC yet, the NIST survey shows.