[Infowarrior] - Kaminsky: DNS bug worse than feared

Richard Forno rforno at infowarrior.org
Thu Aug 7 15:55:31 UTC 2008 

  Net address bug worse than feared
By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7546557.stm

A recently found flaw in the internet's addressing system is worse  
than first feared, says the man who found it.

Dan Kaminsky made his comments when speaking publicly for the first  
time about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net's Domain Name System (DNS) had  
focused on web browsers but it could be abused by hackers in many  
other ways.

"Every network is at risk," he said. "That's what this flaw has shown."

The DNS acts as the internet's address books and helps computers  
translate the website names people prefer (such as bbc.co.uk) into the  
numbers computers use (212.58.224.131).

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and  
re-direct people to fake pages even if they typed in the correct  
address for a website.

In his talk Mr Kaminsky detailed 15 other ways for the flaw to be  
exploited.

Via the flaw hi-tech criminals or pranksters could target FTP  
services, mail servers, spam filters, Telnet and the Secure Socket  
Layer (SSL) that helps to make web-based transactions more secure.

"There are a ton of different paths that lead to doom," he said.

'Hype'

But the DNS threat was played down by net giant VeriSign which issues  
many of the security certificates used in SSL. It told BBC News its  
system was "not vulnerable".

The Silicon Valley company looks after two of the net's 13 DNS root  
servers. It also controls the computers that contain the master list  
of domain name suffixes such as .com and .net

Ken Silva, chief technology officer at Verisign, said: "We have  
anticipated these flaws in DNS for many years and we have basically  
engineered around them."

He believed there had been "some hype" around how the DNS flaw will  
affect consumers. He added that while it was an interesting way to  
exploit DNS on weak servers, there were other ways to misdirect people  
that remained.

Mr Silva said he was concerned that people would read too much into  
the doom and gloom headlines that have surrounded the discovery of the  
DNS flaw.

"It's been overplayed in a sense. I think it has served to confuse the  
consumer into believing there is somehow now a way to misdirect them  
to a wrong site.

"The fact of the matter is that there have been many ways like  
phishing attacks to misdirect them for a long time and this is just  
yet another of those ways that will be surgically exploited."

Security gap

Mr Kaminsky kept news of the flaw out of the public domain for months  
after its discovery to give companies time to patch servers.

Mr Kaminsky said that 75% of Fortune 500 companies have fixed the  
problem while around 15% have done nothing.

Major vendors like Microsoft, Cisco, Sun Microsystems and others have  
issued patches to close the security hole.

"The industry has rallied like we've never seen the industry rally  
before," said Mr Kaminsky.

DNS attacks are not new but Mr Kaminsky is credited with discovering a  
way to link some widely known weaknesses in the system so that the  
attack now takes seconds instead of days or hours.

"Quite frankly, all the pieces of this have been staring us in the  
face for decades," said Paul Vixie, president of the Internet Systems  
Consortium, a non-profit that makes the software run by many of the  
world's DNS servers.

Mr Silva at VeriSign said even though patches have been put in place,  
this doesn't mean users can sit back and relax.

"The biggest gap in security rests between the keyboard and the back  
of the chair," he said.

"The look and feel of a website is not what a consumer should trust.  
They should trust the security behind that website and do simple  
things like use more secure passwords and change their password  
regularly."

Mr Silva said education is fundamental in making the net a safer place.

"We have been trained since we were young to lock the door to our  
house, our car. We take these sensible security measures in the  
environment we are functioning in.

"Yet when it comes to computer safety we forget to look both ways  
before crossing the internet highway."
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7546557.stm

Published: 2008/08/07 09:00:54 GMT

© BBC MMVIII

More information about the Infowarrior mailing list