Wednesday, September 7, 2011

DNS and SSL attacks - further evidence that the internet should not be used for critical applications

The DigiNotar certificate forgeries and the NetNames and Ascio DNS hosting break-ins, which resulted in DNS entries for several prominent websites being redirected to malicious and unauthorized sites, just reinforce the fact that we are pushing the limits of "security" on the internet. Technical limitations of SSL and DNS (even DNSSEC) aside, this is all about good housekeeping and avoiding the false sense of security that tends to fog the issues when nothing bad has recently occurred. Let's go over the list:

  • The lack of network segmentation
  • Unpatched applications
  • SQL Injection
  • Poor password management
  • Out of date Anti-Virus

Oh, and a bunch of monkeys in charge of internet critical systems asleep at the wheel (well, tire ring, anyways).

Security is most effective when the data owners understand the concept of accountability, so when there are no regulations or standards to hold accountable the organizations that provide security-critical systems such as Certificate Authorities and DNS services, what do we expect? These are systems we inherently trust (another issue of the "human element"), yet they are dropping like flies due to the same issues we "experts" have been screaming about for at least the past decade.

Either regulate with accountability the security critical services on the internet or stop using the internet for critical applications. It's that simple. You know, aside from the whole unregulatable aspect of the internet we all know and love. Which ergo means stop using the internet for critical applications.

<kudos to Brian Honan for succinctly summarizing some of this in a recent SANS post>