Don't Rely on Reputation, Mr Mockapetris: blacklisting and whitelisting need to progress to real-time analysis

Published 3rd June 2009

Wednesday 3rd June 2009: Paul Mockapetris, the inventor of the Internet's domain name system (DNS), has published a byline on online security in the Financial Times' Digital Business (http://www.ft.com/cms/s/0/2a452b32-3631-11de-af40-00144feabdc0.html). In his article, Mockapetris suggests that the email filtering currently undertaken by internet service providers can be extended, using reputation data, to protect against malware in other network traffic:

“All that is required is that the DNS reputation data-feed be extended to the DNS servers that the operator already provides to its users for web queries and other applications.” He concludes his FT piece by stating, “Every device that accesses the internet supports it [the DNS] and every internet transaction already depends on it [the DNS]. With a few small steps, internet service providers can leverage DNS in the fight against malware and help keep users safer.”

Ed Rowley, EMEA Technical Consultant at email and Web security vendor Marshal8e6 (www.marshal8e6.com), agrees with the malware and spambot issues raised by Mockapetris in his article and adds that companies need to view the opening up of top-level domain names as the death knell for traditional email and web filtering products that rely on reputation blacklists of “bad” domain names:

“We have said repeatedly that the increase in new top level domain names will overwhelm Web security filtering products that rely solely on blacklisting ‘bad’ sites. In addition, over the last 12 months our TRACE labs team have identified trends that suggest more than 1.5 million legitimate websites have been compromised by hackers and spammers. Once compromised, cybercriminals use a number of techniques, such as search engine optimisation or ‘blended threat’ email attacks, to drive unsuspecting users to these websites; indeed research conducted using our spam honeypots has shown an alarming increase in spambots sending out messages with links to hacked sites that appear to be bona fide,” says Rowley.

“The combination of Web and email communication streams being employed for blended attacks and the flood of new top level domain names highlights the need for a layered approach to security, using products that can filter and analyse the behaviour of both email and webmail in real time. This ‘Secure Web Gateway’ approach will protect businesses from inadvertently compromising network security by accessing freshly poisoned web sites.”

Further information on the rise in blended attacks and the incidence of “good” sites being compromised by malware can be found at the Marshal8e6 Threat Research and Content Engineering site: http://www.marshal8e6.com/newsimages/trace/Marshal8e6_TRACE_Report_Jan2009.pdf

Marshal8e6’s white paper on Today’s Blended Threats can be downloaded from: http://www.marshal8e6.com/resources/white-papers.asp