100’000 .ch domain names are secured with DNSSEC!

Imagine you want to visit your online banking website «www.example-bank.ch». Instead of receiving the correct IP address, your computer receives manipulated information and connects you to a website owned by a criminal. You would not notice, and you would disclose your online banking credentials to the attacker.

Luckily, DNSSEC is here to help. This extension of DNS protects you from being misled and helps you reach exactly the address you typed into your browser: digital signatures on the DNS data, checked by your resolver, make sure that you always end up at the right place.

100’000 .ch domain names are signed with DNSSEC

In late December 2019 the .ch zone reached a milestone of 100’000 DNSSEC-secured domain names. DNSSEC adds digital signatures to DNS answers and helps to mitigate attacks on DNS name resolution.

The percentage of .ch domain names that are signed is still below 5%, but it is rising thanks to a few registrars such as Infomaniak, OVH, Firestorm and netzone that sign domain names for their customers by default. The number of DNSSEC-signed .ch domain names rose by 54% between 1.1.2019 and 1.1.2020.

By January 1st 2020 the .ch zone contained 100’065 domain names that are secured with DNSSEC

Top .ch domain names are just average regarding domain name security

While the number of DNSSEC-signed .ch domain names is rising, it is also important that critical domain names are secured with DNSSEC. Unfortunately, the share of DNSSEC-signed domain names among the top 1000 .ch domains is also just 5%, according to the .ch resilience report by Hardenize.

DNSSEC Validation is up to 65%

To protect Internet users from being directed to the wrong address, DNSSEC-signed domain names alone are not enough. Users also need to use a DNS resolver that validates the digital signatures of the signed domain names. Switzerland is one of the European countries with a high DNSSEC validation rate, around 65% according to APNIC measurements by Geoff Huston.
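Whether the resolver you use actually validates is something you can check yourself. A validating resolver answers a query for a correctly signed name with the AD (Authenticated Data) bit set in the DNS header, and answers SERVFAIL when the signatures of a name do not verify; a non-validating resolver returns the same data with AD clear. The following is an added example, not code from SWITCH or from the article: it builds a query with the EDNS0 DO bit (asking for DNSSEC data), decodes the flags of the reply, and classifies the result. The three sample replies are constructed headers, not captured traffic; the resolver address in the commented live call is just the Google Public DNS address mentioned later on this page.

```python
"""Check whether a recursive resolver validates DNSSEC (added illustration)."""
import socket
import struct


def encode_name(qname: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query: RD=1, one question, plus an EDNS0 OPT RR with DO=1 (we want DNSSEC data back)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # QD=1, AR=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root owner, type 41, UDP payload size in the class field,
    # TTL field = ext-RCODE(8) | version(8) | DO(1) | Z(15): DO is 0x00008000.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_flags(reply: bytes) -> dict:
    """Decode the 16-bit flags word of a DNS header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", reply[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # Authenticated Data: only a validating resolver sets this
        "cd": bool(flags & 0x0010),   # Checking Disabled: the client asked to skip validation
        "rcode": flags & 0x000F,
    }


def classify(reply: bytes, txid: int = 0x1234) -> str:
    """Map a reply to validated / not-validated / servfail, ignoring replies with the wrong id."""
    f = parse_flags(reply)
    if f["id"] != txid:
        return "mismatched transaction id (ignore reply)"
    if f["rcode"] == 2:
        return "servfail"          # for a signed name this usually means validation failed
    if f["rcode"] != 0:
        return f"rcode {f['rcode']}"
    return "validated" if f["ad"] else "not-validated"


def query_resolver(resolver_ip: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP/53 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver_ip, 53))
        return s.recv(4096)


def header(flags: int, txid: int = 0x1234) -> bytes:
    """Constructed 12-byte reply header; question and answer sections are omitted, the flag check does not need them."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)


# Constructed replies: QR|RD|RA with AD set, the same without AD, and a SERVFAIL.
REPLY_VALIDATED = header(0x81A0)
REPLY_UNVALIDATED = header(0x8180)
REPLY_SERVFAIL = header(0x8182)

if __name__ == "__main__":
    for label, r in [("validated", REPLY_VALIDATED), ("unvalidated", REPLY_UNVALIDATED), ("servfail", REPLY_SERVFAIL)]:
        print(label, "->", classify(r))
    # Live check against a real resolver (uncomment, needs network):
    # print(classify(query_resolver("8.8.8.8", "switch.ch")))
```

One caveat: the AD bit is set by the resolver and travels to the client unprotected, so it tells you what the resolver did, not that the last hop was safe. A client that relies on it needs a trustworthy path to its resolver, or has to validate the signatures itself.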

This shows Switzerland green on the APNIC map for DNSSEC validation in Western Europe

This is mainly because Swisscom, which accounts for roughly 50% of all samples, started DNSSEC validation in August last year. Salt and smaller ISPs also validate DNSSEC on their DNS resolvers and help to improve the security of the Internet in Switzerland. Here is a list of ASNs in Switzerland with more than 1’000 measurements in the last 30 days.

With a rising number of DNSSEC-signed domain names and a validation rate of more than 65%, Switzerland is slowly catching up with the Scandinavian countries, which have a validation rate of over 80% and more than 50% of all domain names signed with DNSSEC.

If you own a domain name, think about signing it, or ask your hoster whether they can provide DNSSEC signing for you.

You can find more information about DNSSEC on the SWITCH website.

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS are not new. Cache poisoning, domain hijacking and BGP injection of routes to public DNS resolvers happen regularly, but they usually do not get much attention because they target the Internet’s core infrastructure and are in most cases not directly visible to end users. This time it was different. The recent widespread DNS hijacking attacks on several Middle Eastern, North African, European and North American governments and infrastructure providers, published by Cisco’s Talos, showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers, issued a statement that called, among other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is whether these attacks, and the awareness that DNSSEC is an essential base layer of protection for domain names, have had an effect on the implementation of DNSSEC in Switzerland.

More DNSSEC signed domain names

As a ccTLD operator, SWITCH publishes the number of DNSSEC-signed .ch and .li domain names every month. While the number of signed domain names is still very low at around 3-4%, we have seen a rise in the number of signed domain names for two years now.

DNSSEC signed .ch domain names 1.4.2019

One reason is that Infomaniak started signing all newly registered domain names by default. In March 2019 we saw an even sharper rise, with more than 10’000 .ch domain names newly DNSSEC-signed. In general we saw more DNS hosters and registrars signing their domain names, but the reason for this jump was FireStorm, a Swiss webhoster and registrar that signed several thousand domain names on its DNS servers.

FireStorm signed them by publishing Child DS (CDS) record sets in the zones on its authoritative name servers. A CDS record carries the same data as the DS record in the parent zone; the registry scans signed child zones for it and publishes the matching DS in .ch or .li, so the DS no longer has to be submitted manually through the registrar. This feature was introduced by SWITCH at the end of 2018 and activated at the beginning of 2019 for all .ch and .li domain names. We think that CDS makes DNSSEC signing much easier for DNS hosters, especially where they are not the registrar for some of the domain names they host.
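What a DNS hoster has to publish for this is a record derived from its key-signing DNSKEY. The following is an added example, not SWITCH’s or FireStorm’s code: it computes the key tag and the DS digest from a DNSKEY as specified in RFC 4034 (digest over the canonical owner name followed by the DNSKEY RDATA), formats the result as the CDS record that goes into the child zone, and also produces the RFC 8078 “delete” CDS that asks the parent to remove the DS again. The domain example.ch is hypothetical and the public key bytes are constructed filler, not a real key.

```python
"""Derive DS / CDS records from a DNSKEY (RFC 4034 section 5, RFC 7344, RFC 8078). Added illustration."""
import hashlib
import struct


def canonical_wire_name(owner: str) -> bytes:
    """Owner name in canonical (lowercase) wire format, as RFC 4034 requires for the DS digest input."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types from the IANA registry: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX), i.e. the RDATA of a DS or CDS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](canonical_wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def format_cds(owner: str, ds: tuple) -> str:
    """CDS uses the DS RDATA format; it lives in the child zone so the parent can pick it up."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.')}. IN CDS {tag} {alg} {dtype} {digest}"


def cds_delete(owner: str) -> str:
    """RFC 8078 DELETE record: asks the parent to remove all DS records (the zone goes insecure)."""
    return f"{owner.rstrip('.')}. IN CDS 0 0 0 00"


# Constructed inputs (not a real key): KSK flags 257 (ZONE|SEP), protocol 3,
# algorithm 13 (ECDSAP256SHA256), whose public key is 64 bytes.
EXAMPLE_OWNER = "example.ch"
EXAMPLE_PUBKEY = bytes(range(1, 65))

if __name__ == "__main__":
    ds = ds_from_dnskey(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_PUBKEY)
    print(format_cds(EXAMPLE_OWNER, ds))
    print(cds_delete(EXAMPLE_OWNER))
```

A practical check before relying on this: compute the DS from the DNSKEY you actually serve and compare it, key tag and digest, with what the parent zone publishes after the scan; a mismatch in either means the chain of trust is broken and validating resolvers will return SERVFAIL for the whole zone.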

More Swiss AS are validating

With more and more domain names now signed, the question is how many of the recursive DNS resolvers in Switzerland actually validate the DNSSEC signatures of the signed zones. Thanks to measurements from APNIC we can estimate the percentage of all DNS requests that come from validating resolvers. Looking at Switzerland overall, about 13% of all requests are validated; compared to other European countries this is quite low and places Switzerland 30th in Europe.

If we look at the individual ASes in Switzerland, we can see that mainly corporate networks and some smaller ISPs have recently turned on DNSSEC validation on their resolvers. Among them are ISPs such as green, EWB and GGA Maur, and the bank Julius Bär, which started validating to protect its users. They join ISPs such as Quickcom and corporate networks such as Novartis and Swiss Re that have been validating on their resolvers for several years.

A special case is Salt, which currently validates about 50% of all DNS queries. This is most probably due to their use of Google Public DNS (8.8.8.8), which validates DNS queries, a fact that can also be estimated from the APNIC Labs measurements.

Federal Administration is leading the public sector with DNSSEC deployment

The main domain used by the Swiss federal administration, admin.ch, was signed last year, and it is good to see that the federal administration apparently also turned on DNSSEC validation on its resolvers at about the same time.

The DNSSEC Chicken and the Egg problem is solved

So far most ISPs in Switzerland have argued that they do not need to validate DNSSEC because nobody signs their domain names with DNSSEC, and most DNS hosters have argued that, as long as no Swiss ISP is validating, there is no point in signing domain names. Now that we see a strong surge in DNSSEC-signed .ch domain names and more ISPs and corporate networks validating, these arguments no longer hold.

There is no evidence that the rise in DNSSEC adoption is directly related to the recent attacks, but we think that the public attention for DNS has contributed to the rise of DNSSEC in Switzerland.

The core Internet Infrastructure in Switzerland needs better protection

DNS is a base protocol used by almost every service on the Internet: web pages, e-banking, e-commerce, email and most apps on mobile phones rely on this core service and are vulnerable to attacks on the DNS. While we see that the adoption of DNSSEC is growing in Switzerland, Swiss ISPs and other infrastructure providers such as webhosters need to implement technologies that protect the DNS. DNSSEC is a mature protocol, it is supported out of the box by all major DNS servers and it is easy to deploy. DNSSEC has been available for the TLDs .ch and .li for about nine years, and after the recent attacks there is no reason not to protect your services with DNSSEC.


Rogue Mobile App

Rogue mobile apps are counterfeit apps designed to mimic trusted brands, or apps with undisclosed malicious features. In both cases the goal is to get unaware users to install the app in order to steal sensitive information such as credit card data or login credentials.

The common way to install apps is to use the official app store. By default, neither Android nor Apple’s iPhone allow users to install apps from unknown sources. However, this does not mean we can simply trust the official app stores. SWITCH-CERT has been monitoring Apple’s App Store and Google Play for some time and has noticed that many rogue apps manage to sneak into Google Play in particular.

Google Play

Attackers abuse Google’s weak app review process to sneak their rogue apps into Google Play. Counterfeit apps of Swiss brands can be found on a regular basis. Typically, such an app stays on Google Play for some time until it is removed following take-down requests from security researchers. Until that happens, unaware users are likely to install it and put their data at risk.

The screenshot below shows the apps found when searching for Bluewin. During the last months, Bluewin has been a common target of rogue counterfeit apps. The red circle marks the rogue app.

Play Store result for the search key word “Bluewin”

It is not always as easy as in the screenshot above to spot the rogue app. However, checking the reviews, looking at the developer’s address and at other apps from the same developer gives a good first indication.

Rogue Bluewin App

The rogue Bluewin app tries to steal the user’s email credentials. It is classic phishing, but instead of a fake email it starts with a fake app. The screenshots below show the app icon and the welcome screen of the rogue app.

Entered credentials are sent to an external URL under the attacker’s control, where the attacker can read them.

Rogue App Monitoring

As an end user it is important to always check the legitimacy of an app before installing it. Rogue apps are common even for Swiss brands (see also the article on the rogue PostFinance app on inside-it.ch).

For larger companies, we strongly recommend monitoring the official app stores for your brand. Whether you outsource this or do it yourself, the following tasks should be part of the rogue app monitoring service:

  • Monitor your brand in app stores
  • Ability to analyze apps
    • What is it doing?
    • Where is it communicating to?
  • Take down rogue apps from app stores
  • Take down app communication end points


IOCs

Recent Bluewin fake apps

MD5	Package name
31708e597d1cd7f72df63f45c47bc3e3	com.brealmary.bluech
2f8e945c52977f5a33f0afdba01721f7	com.brealmary.devhouba
2ca5a4496c93633ee00e404f364960c8	ch.bluewemail