
Details of internet bug revealed

A fundamental design flaw in how the internet works, the most destructive discovered in 10 years, has been revealed.

A security researcher recently revealed more details on a basic design flaw in the way the internet works, ComputerWeekly.com reported.

Dan Kaminsky, director of penetration testing at security firm IOActive, disclosed that the flaw, which he said was the most destructive discovered in 10 years, could lead to emails being intercepted and altered without the sender or receiver being aware.

Speaking before the recent Black Hat USA 2008 security conference, held in Las Vegas early this month, Kaminsky described the extent of a vulnerability in the Domain Name System (DNS).

According to Kaminsky, because of a basic mistake in the way the system operates, all versions of the software that translates domain names into IP addresses can be poisoned using a man-in-the-middle attack that would force computers to visit any server an attacker offered instead of the one they had asked for.

Kaminsky, who announced the vulnerability in July, worked with a collection of vendors and ISPs to help fix the problem at major sites before details got out. Many large companies have fixed the problem, but a lot have still not patched the flaw, ComputerWeekly.com reported.

An attack was identified recently at an AT&T DNS server in Houston, Texas, where businesses found scammers redirecting their Google queries to new websites containing advertising, the report added.

The report also said anything calling to unpatched DNS servers is vulnerable, including FTP and IRC clients, VoIP software and some auto-update services. Even mail servers could be hacked, so attackers could harvest the content of emails and alter them to contain malware links before passing them on, it added.

“This bug has been there since 1983,” Kaminsky said, warning that more defects would probably surface and adding that the IT community must be ready with quick fixes. “What if there was a discovery and we had no time to patch? We need to start choosing the products we buy based on how serviceable they are.”

