Security flaw prompts major Web alert

Published 9 July 2008

Internet security specialist discovers major flaw in the Internet’s Domain Name System (DNS); the flaw allows hackers to inject themselves into the URL-typing process, intercepting the name entered by the user and mapping it to a different Internet address than the one intended.

A major flaw in the way the Internet works could lead to millions of people being targeted by criminals and has prompted the “largest security update” in Web history, according to a leading security researcher. The bug — described as “cache poisoning” — has led to some of the technology industry’s largest companies scrambling to come up with a solution before hackers discover how to exploit the flaw. Dan Kaminsky, an Internet security specialist who uncovered the bug, has been working with major technology companies including Microsoft and Cisco to issue software patches to prevent attacks from working. “This is the largest synchronised security update in the history of the internet. The severity of this bug is shown by the number of those who are on board with the patches,” Kaminsky said.

The Guardian’s Bobby Johnson writes that the flaw exploits the Internet’s address mechanism, known as the Domain Name System (DNS). This maps the names we associate with Web sites to the true numerical addresses of their Internet servers, in the same way that a mobile phone’s address book associates names with telephone numbers. DNS allows people to visit Web sites simply by typing in words — such as hsdailywire.com or google.com — rather than entering a string of unmemorable numbers. The glitch allows hackers to inject themselves into the process, intercepting the name entered by the user and mapping it to a different Internet address than the one intended. This would potentially allow criminals to redirect Web users to phishing Web sites even if they had entered the correct address in the first place.

“If a bad guy had found this before Dan did, it would have been very bad,” said Rich Mogull, a researcher at Securosis. Kaminsky has refused to provide specific details about the flaw, instead offering the Internet industry time to address the issue before he explains more.

Even though major technology vendors have released security patches, the U.S. Computer Emergency Readiness Team (CERT) — an agency which deals with major security breaches — said even these would not remove the possibility of hijacking entirely. “It is important to note that without changes to the DNS protocol, these mitigations cannot completely prevent cache poisoning,” said US-CERT on its Web site. “However, if properly implemented, they reduce the chances of success for an attacker by several orders of magnitude and make attacks impractical.”

Kaminsky said he would reveal more detail about the vulnerability at a computer security conference next month.