04:34 AM

Can this man save the Net? Verisign's chief security officer has his work cut out for him

By Deb Radcliff for SiliconValleyWatcher

Super-Silva.jpgJust a few days before the presses started rolling on the announcement of Ken Silva as VeriSign's first-ever chief security officer, I was dining with the man over filet mignon and crab at the trendy Tonno Rosso's near San Francisco's wharf, barraging him with questions about the very serious issues faced by internet infrastructure and in particular the DNS system.

VeriSign is the world's largest digital certificate authority, and is steward of the A and J root servers (two of the 13 computers representing the top of the Internet's hierarchy). With 40 percent of North American e-commerce payments going through its gateways, 100 percent of .com registrars running 15 billion queries a day through its system, and 50 percent of North American cellular roamings going through its servers, VeriSign has a significant role in seeing that the Internet infrastructure runs securely.

Over the years, the root DNS servers have proven vulnerable to domain name spoofing (through a technique called DNS cache poisoning), and Distributed Denial of Service attacks (the latter of which came to light during a concerted effort to take down the DNS root servers in 2002). Not to mention the search query redirect debacle in 2003, in which VeriSign took advantage of its position as DNS manager, and forcibly rerouted all unresolved search queries to a paid-for advertising site created by a dubious spammer. This forced redirect broke a lot of DNS servers, and raised such a ruckus that VeriSign shut down the service barely a week after it went live.

In the past three years, VeriSign has hardened its own DNS servers, so that they're not vulnerable to the DNS poisoning attacks that phishers are starting to use to reroute legitimate addresses typed into browsers. DNS servers hosted by large ISPs and other busy Internet hubs are increasingly being exploited to send large blocks of users to fake Web addresses, where phishers get them to type in their personal information. The trend was reported in January, when the Anti-Phishing Working Group reported that DNS poisoning was used to redirect Google and Amazon users to a phony pharmacy site.

So I asked Silva how he, as VeriSign's first CSO, would help other DNS owners lock down their servers so that users weren't vulnerable to being sent to a spoofed Web site. At which he crossed his hands patiently, and explained his vision for a safer Internet.

"We can't be responsible for the millions of DNS servers on the Internet; but we can certainly do more in the form of education," he says. "A year and a half ago, VeriSign published a white paper with CERT on how to lock down DNS servers so they're not vulnerable to cache poisoning and hijacking. And we've been actively involved in the DNS SEC standard, which would require DNS servers to validate the routing path. But the standard would require a change be made to all DNS servers; and it's being held up in the IETF."

Education is strong on Silva's agenda, which he describes as taking a more holistic approach to security by working with all of VeriSign's business units and platforms to provide stronger authentication at the browser, through the ISPs and at Web sites, so that users can surf the Web, send secure e-mail, make purchases, and transact businesses seamlessly without having to spend so much time on their own personal security.

"Users are the weakest link in all of this. They can't understand what they need to know about intrusion detection, firewalls, anti-virus, spyware and DNS hijacking. And it's technically difficult for users to look at Web site certificates to validate that they're at a legitimate Web site," he says. "Users should be protected by their ISPs; and those e-commerce companies where they do business should do more to validate their legitimacy to users."

As such, VeriSign is committed to a number of standards groups for open authentication platforms, certificate management and DNS Security. But whether or not Silva can impact such change remains to be seen.

Silva spent 10 years at the National Security Agency working in signals intelligence before becoming a C-level executive in technology. He came to VeriSign in 2000 as its senior VP of internal technology and networking security. He serves on the board of directors for the Information Technology Information Sharing and Analysis Center (IT-ISAC, which is under the auspices of the Department of Homeland Security), and is an adviser/participant in the National Infrastructure Protection Center, the White House ISP Security Panel, the ICANN DNS Security Panel, the Network Reliability and Interoperability Council, and the National Security Telecommunications Advisory.

If pedigree means anything, he certainly stands a fighting chance.