This blog does not contain official statements of CERT.at, only personal opinions of the individual contributors.
IE6 Death Watch
2011/12/19

Internet Explorer 6 has been past its "good-before" date for years now, and both web programmers (living hell to support) and Microsoft (a security nightmare for them) have been keen to put a stake through its heart for the last few years.

It finally seems to have worked: Austria is now at < 1% IE6 according to Microsoft's IE6 Countdown page.

That's a good milestone for all of us.

Author: Otmar Lendl

Tipping our Hats
2011/04/26

It's not an everyday occurrence that an Austrian company finds an important security issue. If they then follow responsible disclosure towards the vendor and also inform the local CERT, that's something that should be openly acknowledged.

Thus: A round of applause from CERT.at goes to Johannes Greil of SEC Consult Unternehmensberatung GmbH for finding a bug in the Check Point VPN client.

Author: Otmar Lendl

Mapping the Malware Web
2010/10/27

McAfee published the 2010 "Mapping the Malware Web" report. The explanations and trends in there are worth looking at. More importantly, for us as the CERT, this report is one of the few independent studies that provide us with real numbers on the state of the IT security game in Austria.

.at is ranked as the 76th most dangerous TLD with an infection rate of about 0.4%. This is up from 89th and 0.2% in 2009. We should do better here.

We've got work to do. And we've actually prepared a number of internal tools and data-feeds to work on exactly this problem. So be prepared to hear more from us regarding malicious domains in the near future.

Author: Otmar Lendl

Enabling DNSSEC Validation
2010/10/19

This week, Comcast announced that they will enable DNSSEC validation on their production resolvers. There is one thing to keep in mind if you do that:

People make mistakes. Some domain owners will break their DNSSEC signatures. We've seen a good number of these in 2010, including TLDs like .arpa, .be, and .uk. I asked Comcast if they have a policy on how to deal with such events. According to Jason Livingood, Comcast will inform their users and notify the owners of the broken domain. I answered:

From a technology PoV that's certainly a valid policy.

There are two issues you might think through before you run into them in real life:

When people break their "normal" DNS, all ISPs are affected more or less equally (disregarding caching-effects for now). But as long as Verizon, AT&T and others don't validate as well, your customer will notice that he can't do online-banking while his neighbor on DSL can. This will be discussed on social media platforms and people will compare which access ISPs "work" and which don't. The fact that the problem is on the other end is kind of hard to explain and will be lost in the outrage.

There will be customers who will need immediate access to the blacked-out domain NOW or they will suffer financial damage, couldn't book their golfing tour, or whatever else will bring them to threaten you with legal action. From their PoV, Comcast is suppressing their communication and hotheads will sue. After all, if you already know that DNSSEC is blocking their IMPORTANT business, why don't you just disable it? Depending on what kinds of domains are affected, this might escalate to the very top faster than you might anticipate.

Be prepared.

Author: Otmar Lendl

Last Change: 2011/12/19 - 17:04:49