As Rich announced, we are shaking up the Friday Summary a bit. We will still talk about what we are up to. And we’ll share some of our personal – possibly security related – stories in the Summary. But we will focus on fewer stories with more analysis of interesting news items. Honestly, we’ll likely sneak in security news as well – it just depends on whether we see interesting stuff.
Story of the week: DNSCrypt
The big news this week is the ‘preview’ release of DNSCrypt from the OpenDNS group. As its name implies, DNSCrypt is a tool to encrypt Domain Name Service lookups to avoid evesdropping and deter Man-in-the-Middle (MitM) attacks and tampering. Note that this is not DNSSEC, which was designed to enable users to detect tampering, and to authenticate DNS DNS answers. DNSSEC was not designed to encrypt DNS requests, which leaving requests unprotected from monitoring by ISPs and other parties; DNSCrypt fills this gap by encrypting requests and responses.
I understand from the press release that this is currently a Mac OS X only package, so Windows and Linux users will have to wait. The installer is dead simple and the configurations settings are conveniently placed into the ‘Other’ section of System Preferences. And I can tell you this is one of the few End User Licensing Agreements I have ever read because, in a very Securosis-like style, there is no lawyer BS included. Took about a minute to download and another to install, and no restarts were required. I ran OpenDNS with DNSCrypt enabled, both over SSL on port 443 and without, and did not notice any performance difference. The packets appear to be encrypted as advertised – but they could be using a ROT13 cipher for all I know, given the minute I spent looking at the stream. I have not, and probably will not, review the source code – I assume there are better qualified people with more free time on their hands (i.e., those not filling the Nexus with great new content) who will. And I look forward to hearing what the community thinks about the implementation, as I think this will be a highly sought-after addition for those interested in security and privacy.
The key takeaway here is that DNS requests should be safe from spying and MitM, provided someone cannot impersonate the DNS service. There is a small but real chance of this. For average users this is a very real advance in security and privacy! If you’re an IT manager you should check it out and see how well it performs for you. There may be issues – it is an early release product after all – but this dead-simple tool enhances security.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike’s Dark Reading post on Work and Play in Security.
- Adrian’s DR post on DAM.
- Rich quoted on Carrier IQ.
- Don’t tell Rich, but somebody thinks he’s an ‘influencer’.
Favorite Outside Posts
- Mike Rothman: Best Job Description Ever. This is how security folks should think about their jobs. Kudos to Quicken Loans for making their philosophy on security very clear, before applicants start the hiring process. It doesn’t hurt that their ideas are right on the money. (h/t Alex Hutton)
- Adrian Lane: Ask Slashdot: To Hack or Not To Hack. How many times have I said that in the ‘landgrab’ for mobile payments, security is left on the roadside, thumb in the air? You don’t have to guess too hard who this is!
Project Quant Posts
- DB Quant: Index.
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
Research Reports and Presentations
- Security Management 2.0: Time to Replace Your SIEM?
- Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
- Tokenization vs. Encryption: Options for Compliance.
- Security Benchmarking: Going Beyond Metrics.
Blog Comment of the Week
I have been a lurker on your blog for a long time now. I am a developer by profession, and security is a small but important part of what I do. Consequently, I do not spend much time on twitter or other ‘new media’ to stay up to date on this field.
Friday Summary and the Incite give me a great perspective and insight on this field. ‘Read these two columns, and you will not miss anything significant’ has been my attitude.
I would definitely miss the random list of articles. Please don’t exclude that.
I know you have been complaining that people don’t leave comments. I am guilty of that. Hopefully, this comment of mine can influence you to not change the Friday summary too much.
Thanks for the great work!
And thank you for the great feedback!