80% of Government Websites Deemed Insecure

To help ensure the safety and security of government websites, the Office of Management and Budget now requires all government agencies to deploy a new security mechanism on their websites. This mechanism, called DNS Security Extensions, or DNSSEC for short, would prevent hackers from hijacking traffic intended for government websites and sending it to their own fake websites, a common hacking problem. The Office of Management and Budget issued a mandate in August 2008 for all U.S. government agencies to implement this additional security measure by December 31, 2009. Now that the deadline is well past, an independent agency followed up to see whether the security measure was actually implemented. The investigation showed that most of the sites did not have it in place, and many of them had not even started working on it.

At first, you might not worry much about this, but when you consider the trust you place in these sites, it is pretty scary how easily you can be tricked by a phishing scheme. For example, if you’re filing your taxes online through the IRS.gov website, you might be redirected to a scammer’s website that looks and acts just like the real website. The main difference? The hacker can capture all your information without you being the wiser.

The investigation shows that not only has the DNSSEC deadline passed, but only about 20% of government agencies have started using it on their websites, whereas most other countries already have it installed on all their government websites. Another shocking part of the story is that some government agencies put this security mechanism on their websites in under 3 days, which shows that the agencies falling behind have simply been focusing on other things and don’t consider this a priority.

“We found about 20% of agencies had signatures as of last week,” says Mark Beckett, vice president of marketing for Secure64. “Eighty percent don’t have any signatures up there. One can speculate about why that is. They may be working on it but haven’t pushed the signatures into production yet. All you can tell from the outside looking in is that there’s no evidence of progress on the DNSSEC mandate.”

At the moment, we’re not sure when all of the government agencies will finally secure their websites and catch up with other nations, but it’s time for these agencies to start taking cyber security more seriously.
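The "outside looking in" check Beckett describes can be approximated by looking for signatures in `dig +dnssec` responses. The following is an added example, not code from this article or from Secure64, whose survey method the article does not describe. It assumes constructed dig output for placeholder zones (`signed.example`, `unsigned.example`) and reports whether a zone publishes a signature over its DNSKEY set, whether that signature is current, and whether the answering resolver validated it (the `ad` flag).

```python
import re
from datetime import datetime, timezone

# Constructed `dig +dnssec DNSKEY <zone>` output. Zone names, key data and
# signatures are placeholders, not real records.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
signed.example. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY=
signed.example. 3600 IN RRSIG DNSKEY 8 2 3600 20100301000000 20100201000000 4242 signed.example. PLACEHOLDERSIG=
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
unsigned.example. 3600 IN SOA ns1.unsigned.example. hostmaster.unsigned.example. 1 7200 900 1209600 3600
"""

def classify(dig_output, now):
    """Return what an outside observer can tell from one dig response."""
    flags = re.search(r"^;; flags:([a-z ]*);", dig_output, re.M)
    # `ad` only says the resolver that answered validated the data.
    result = {"has_dnskey": False, "signed": False, "sig_current": False,
              "resolver_validated": bool(flags and "ad" in flags.group(1).split())}
    for line in dig_output.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # comments, section headers, blank lines
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            result["has_dnskey"] = True
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            # RRSIG rdata: covered alg labels origttl expiration inception ...
            fmt = "%Y%m%d%H%M%S"
            expires = datetime.strptime(rdata[4], fmt).replace(tzinfo=timezone.utc)
            starts = datetime.strptime(rdata[5], fmt).replace(tzinfo=timezone.utc)
            result["signed"] = True
            result["sig_current"] = starts <= now <= expires
    return result

def signed_share(responses, now):
    """Percentage of zones that publish a signature over their DNSKEY set."""
    signed = sum(classify(r, now)["signed"] for r in responses)
    return 100.0 * signed / len(responses)
```

A zone can count as signed here while `sig_current` is false, which is the case of signatures that were published once and then left to expire.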

(Via NetworkWorld)

About the author  ⁄ BrickHouse Security


  • http://www.isc.org/ Alan Clegg

    You’d be more correct if you said “99% of end-users use DNS insecurely” — sure, “only” 20% of the .GOV sites have deployed DNSSEC, but who is doing validation?

    These numbers will change, but to call the non-compliant systems “INSECURE” is like saying that Google, Amazon, eBay, and all of the others are “INSECURE” as well — none of them have DNSSEC deployed….

    BTW, phishing schemes are still going to take place. If you decide to click on a link to “http://www.irs.gov.hostedinromania.com” for whatever reason, DNSSEC won’t help you a bit…
