Giant online security hole getting fixed, slowly

Francisco, might type http://www.yahoo.com and head straight to the real Yahoo site, while at the same moment, a user in New York — whose traffic is routed through different DNS servers — might type that same Web address and end up on a phony duplicate site.
Scant details have been available about how the vulnerability works. The researcher who discovered it, Dan Kaminsky of Seattle-based computer security consultant IOActive, announced on 8 July that he hadd found a major weakness in DNS (see HS Daily Wire of 9 July 2008), but he kept the rest secret because he wanted to give companies that run vulnerable servers a month to apply patches — software tweaks that cover the security hole. He coordinated with Microsoft, Cisco Systems, Sun Microsystems, and other major vendors to simultaneously issue patches.

He got two weeks before bad guys and good guys alike accurately guessed the basics of what Kaminsky discovered. It is this: By adding bad information to the packets of data zooming in and out of certain DNS servers, hackers can swap out the address of a legitimate Web site and insert the address of their malicious Web site instead. A compromised server believes it’s sending people to the authentic site. If the bogus site is designed well enough, users do not know the difference, unless the site starts behaving weirdly. Some clues might come if a page, like a banking Web site, is usually protected with Secure Sockets Layer, or SSL, which verifies a site’s owner and shows a padlock icon or a green address bar inside the Web browser. The padlocks in particular, however, are not always foolproof, because scammers can spoof them.

Just how widespread the attacks have been is hard to tell. The evidence of tampering can disappear before an Internet provider even learns there’s a problem. The patching of DNS servers has accelerated. Kaminsky said 84 percent of the servers he tested at the beginning of the process were vulnerable. That has dropped to around 31 percent. Still, Kaminsky said some administrators of computer networks might not patch their machines until they come under attack. Others didn’t patch immediately because they had to spend days or weeks testing the repairs. That was the case with AT&T, which said the breach affected just one of its servers, a machine that was scheduled to be taken off line anyway. AT&T says it has fixed the problem.

More details about the vulnerability are expected to emerge today, when Kaminsky speaks at the Black Hat computer security conference in Las Vegas. The conference and its sister event, DefCon, draw researchers, government investigators and corporate executives eager to learn about new vulnerabilities and how to protect against them. “There might be one or two things that haven’t leaked yet,” Kaminsky said with a snicker. “No one should even think they know the subject of the talk.” DNS attacks are not new, but Kaminsky discovered a way to link together some widely known weaknesses in the system, so that an attack that would have taken hours or days can now take only seconds. “Quite frankly, all the pieces of this have been staring us in the face for decades, and none of us saw it until Dan put it all together,” said Paul Vixie, president of the Internet Systems Consortium, a nonprofit that publishes the software inside most of the world’s DNS servers. “This is the mother lode all right, from the point of view of Internet criminals looking for easier access to other people’s money and secrets.”